
An Enterprise Anti-phishing Framework

  • Edwin Donald Frauenstein
  • Rossouw von Solms
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 406)

Abstract

The objective of this paper is to report back on an organizational framework consisting of human, organization and technology (HOT) dimensions, which holistically addresses the aspects associated with phishing. Most of the anti-phishing literature studied focused on either technical controls or education in isolation; however, education is core to all aspects of the above-mentioned framework. It is evident from the literature that little work has been conducted on anti-phishing preventative measures in the context of organizations; rather, the focus has been on the personal user level. In the framework, the emphasis is placed on the human factors in addressing phishing attacks.

Keywords

Information security, social engineering, human factors, phishing, email scams, spam, spoofed websites

Copyright information

© IFIP International Federation for Information Processing 2013

Authors and Affiliations

  • Edwin Donald Frauenstein (1)
  • Rossouw von Solms (2)
  1. School of Computing, Walter Sisulu University, East London, South Africa
  2. School of ICT, Nelson Mandela Metropolitan University, Port Elizabeth, South Africa
