Please use this identifier to cite or link to this item: https://hdl.handle.net/2440/140744
Type: Thesis
Title: User-Centric Design, Implementation and Evaluation Support for Phishing Interventions
Author: Sarker, Orvila
Issue Date: 2023
School/Discipline: School of Computer and Mathematical Sciences
Abstract: Phishing education, training, and awareness interventions are crucial to safeguarding organizations against malicious phishing attacks. However, the effectiveness of phishing interventions can be impeded by a lack of consideration of end-users’ requirements and preferences by the practitioners during the design, implementation, and evaluation of these interventions. Such deficiency can result in user dissatisfaction, ineffectiveness of phishing interventions, and susceptibility of the intended end-users to phishing attacks. Failures to incorporate socio-technical issues during the design, implementation, or evaluation of phishing interventions often result from the unavailability of structured, personalized, and reliable guidance for the developers and practitioners of these interventions. Furthermore, the practical implementation of these guidelines is not without obstacles. To date, no study has provided personalized guidelines to support practitioners in addressing the challenges encountered in the design, implementation, or evaluation of phishing interventions. Additionally, no study has assessed the impediments associated with implementing academic guidelines within real-world settings. The goal of this thesis is to address the current lack of resources and personalized guidelines for the design, implementation, and evaluation of anti-phishing interventions. This thesis systematically groups the scattered recommendations from the academic and grey literature to provide a list of organized and easily accessible recommendations for practitioners. 
To achieve the aforementioned goal, this research (i) systematically identified 20 challenges and 23 critical success factors within the design, implementation, and evaluation of phishing interventions from 53 academic and 16 grey literature studies; (ii) reports 22 socio-technical factors at the individual, technical, and organizational levels that affected the effectiveness of anti-phishing interventions and require the phishing interventions to be tailored; (iii) presents 41 guidelines personalized across 4 practitioner groups and 14 intervention types to address the identified challenges and socio-technical factors to improve the outcome of phishing interventions; (iv) provides an overview of the current anti-phishing defense mechanisms deployed in the organizations; (v) identifies 8 challenges faced by the practitioners in the design, implementation and evaluation of phishing interventions in real-world settings; (vi) investigates practitioners’ perspectives on the devised guidelines to understand these guidelines’ usefulness and applicability in practice; (vii) extracts features for an envisioned tool for practitioners’ preferences to easily access the reported guidelines. This thesis can be a valuable resource for the design, implementation, and evaluation of phishing interventions. The overarching goal is to augment the efficacy and success rates of these endeavors, thereby fortifying organizational defenses against sophisticated phishing attacks.
Advisor: Jayatilaka, Asangi
Liu, Chelsea
Haggag, Sherif
Dissertation Note: Thesis (Ph.D.) -- University of Adelaide, School of Computer and Mathematical Sciences, 2024
Keywords: Phishing education
Phishing training
Phishing awareness
User-centric security
Human-centric security
Human factor
Provenance: This electronic version is made publicly available by the University of Adelaide in accordance with its open access policy for student theses. Copyright in this thesis remains with the author. This thesis may incorporate third party material which has been used by the author pursuant to Fair Dealing exceptions. If you are the owner of any included third party copyright material you wish to be removed from this electronic version, please complete the take down form located at: http://www.adelaide.edu.au/legals
Appears in Collections: Research Theses

Files in This Item:
File: Sarker2023_PhD.pdf
Size: 5.57 MB
Format: Adobe PDF