Investigating factors and good practices to improve the effectiveness of phishing awareness

Detalhes bibliográficos
Ano de defesa: 2024
Autor(a) principal: MADEIRA, Diego Augusto de Araujo
Orientador(a): Não Informado pela instituição
Banca de defesa: Não Informado pela instituição
Tipo de documento: Dissertação
Tipo de acesso: Acesso aberto
Idioma: eng
Instituição de defesa: Universidade Federal de Pernambuco
UFPE
Brasil
Programa de Pos Graduacao em Ciencia da Computacao
Programa de Pós-Graduação: Não Informado pela instituição
Departamento: Não Informado pela instituição
País: Não Informado pela instituição
Palavras-chave em Português:
Phishing
Cibersegurança
Segurança da Informação
Link de acesso: https://repositorio.ufpe.br/handle/123456789/62580
Resumo: Phishing is a targeted attack that uses fraudulent messages to deceive users to obtain restricted information or install malicious software, making it one of the main tools cybercriminals use in the digital environment. Employees from various organizations are often the target of phishing attacks, representing a significant threat to themselves and their organizations. In response, organizations invest resources, time, and effort in structured initiatives aimed at enhancing users’ ability to identify and respond to such threats, described as Security Awareness Training (SAT), which includes simulated phishing attacks and training to help individuals recognize phishing attempts. However, the actual effectiveness of these initiatives remains underexplored. To investigate the factors contributing to the effectiveness of SAT programs, we conducted a case study at a public organization, allowing us to assess the impact of the intervention on users’ ability to recognize phishing attempts. The case study was performed in four phases. In the first phase, we planned the design, implementation, and evaluation processes of the intervention. In the second phase, we conducted a quantitative study with 4,457 participants to measure individuals' susceptibility to phishing attacks and their engagement with Security Awareness Training designed for phishing prevention using the KnowBe4 platform. In the third phase, we conducted qualitative interviews with 20 participants from the studied organization to analyze their experiences, perceptions, and motivations regarding phishing prevention efforts within the SAT program. In the fourth phase, we proposed a set of good practices informed by the findings from both the quantitative and qualitative studies. Our case study highlights the main factors influencing SAT effectiveness and presents good practices designed to improve phishing prevention strategies.
id UFPE_4104108d364600e6799d3e2e988eeae7
oai_identifier_str oai:repositorio.ufpe.br:123456789/62580
network_acronym_str UFPE
network_name_str Repositório Institucional da UFPE
repository_id_str
spelling Investigating factors and good practices to improve the effectiveness of phishing awarenessPhishingCibersegurançaSegurança da InformaçãoPhishing is a targeted attack that uses fraudulent messages to deceive users to obtain restricted information or install malicious software, making it one of the main tools cybercriminals use in the digital environment. Employees from various organizations are often the target of phishing attacks, representing a significant threat to themselves and their organizations. In response, organizations invest resources, time, and effort in structured initiatives aimed at enhancing users’ ability to identify and respond to such threats, described as Security Awareness Training (SAT), which includes simulated phishing attacks and training to help individuals recognize phishing attempts. However, the actual effectiveness of these initiatives remains underexplored. To investigate the factors contributing to the effectiveness of SAT programs, we conducted a case study at a public organization, allowing us to assess the impact of the intervention on users’ ability to recognize phishing attempts. The case study was performed in four phases. In the first phase, we planned the design, implementation, and evaluation processes of the intervention. In the second phase, we conducted a quantitative study with 4,457 participants to measure individuals' susceptibility to phishing attacks and their engagement with Security Awareness Training designed for phishing prevention using the KnowBe4 platform. In the third phase, we conducted qualitative interviews with 20 participants from the studied organization to analyze their experiences, perceptions, and motivations regarding phishing prevention efforts within the SAT program. In the fourth phase, we proposed a set of good practices informed by the findings from both the quantitative and qualitative studies. Our case study highlights the main factors influencing SAT effectiveness and presents good practices designed to improve phishing prevention strategies.Phishing é um ataque direcionado que utiliza mensagens fraudulentas para enganar usuários, com o objetivo de obter informações restritas ou instalar softwares maliciosos, tornando-se uma das principais ferramentas utilizadas por cibercriminosos no ambiente digital. Funcionários de diversas organizações são frequentemente alvos desses ataques, representando uma ameaça significativa tanto para si mesmos quanto para suas organizações. Como resposta, as organizações investem recursos, tempo e esforço em Treinamento de Conscientização em Segurança (SAT) voltado para a prevenção de phishing. Os programas de SAT incluem simulações de ataques de phishing e treinamentos para ajudar os indivíduos a reconhecerem tentativas de phishing. No entanto, a efetividade real dessas iniciativas permanece pouco explorada. Para investigar os fatores que contribuem para a eficácia dos programas de SAT, realizamos um estudo de caso em uma organização pública, investigando como a utilização de simulações de phishing e a aplicação de treinamentos impacta a capacidade dos colaboradores de identificar essas ameaças. O estudo de caso foi realizado em quatro fases. Na primeira fase, planejamos os processos de design, implementação e avaliação da intervenção. Na segunda fase, conduzimos um estudo quantitativo com 4.457 participantes para medir a suscetibilidade dos indivíduos a ataques de phishing e seu engajamento com o SAT voltado à prevenção de phishing, utilizando a plataforma KnowBe4. Na terceira fase, realizamos entrevistas qualitativas com 20 participantes da organização estudada para analisar suas experiências, percepções e motivações relacionadas aos esforços de prevenção de phishing no âmbito do programa de SAT. Na quarta fase, propusemos um conjunto de boas práticas fundamentadas nos achados dos estudos quantitativo e qualitativo. Nosso estudo de caso destaca os principais fatores que influenciam a eficácia do SAT e apresenta boas práticas projetadas para melhorar as estratégias de prevenção contra phishing.Universidade Federal de PernambucoUFPEBrasilPrograma de Pos Graduacao em Ciencia da ComputacaoALVES, Carina Frotahttp://lattes.cnpq.br/1259105829065283http://lattes.cnpq.br/7752481318432762MADEIRA, Diego Augusto de Araujo2025-04-24T20:33:02Z2025-04-24T20:33:02Z2024-12-16info:eu-repo/semantics/publishedVersioninfo:eu-repo/semantics/masterThesisapplication/pdfMADEIRA, Diego Augusto de Araujo. Investigating factors and good practices to improve the effectiveness of phishing awareness. 2024. Dissertação (Mestrado em Ciência da Computação) – Universidade Federal de Pernambuco, Recife, 2024.https://repositorio.ufpe.br/handle/123456789/62580enghttp://creativecommons.org/licenses/by-nc-nd/3.0/br/info:eu-repo/semantics/openAccessreponame:Repositório Institucional da UFPEinstname:Universidade Federal de Pernambuco (UFPE)instacron:UFPE2025-04-25T05:29:54Zoai:repositorio.ufpe.br:123456789/62580Repositório InstitucionalPUBhttps://repositorio.ufpe.br/oai/requestattena@ufpe.bropendoar:22212025-04-25T05:29:54Repositório Institucional da UFPE - Universidade Federal de Pernambuco (UFPE)false
dc.title.none.fl_str_mv Investigating factors and good practices to improve the effectiveness of phishing awareness
title Investigating factors and good practices to improve the effectiveness of phishing awareness
spellingShingle Investigating factors and good practices to improve the effectiveness of phishing awareness
MADEIRA, Diego Augusto de Araujo
Phishing
Cibersegurança
Segurança da Informação
title_short Investigating factors and good practices to improve the effectiveness of phishing awareness
title_full Investigating factors and good practices to improve the effectiveness of phishing awareness
title_fullStr Investigating factors and good practices to improve the effectiveness of phishing awareness
title_full_unstemmed Investigating factors and good practices to improve the effectiveness of phishing awareness
title_sort Investigating factors and good practices to improve the effectiveness of phishing awareness
author MADEIRA, Diego Augusto de Araujo
author_facet MADEIRA, Diego Augusto de Araujo
author_role author
dc.contributor.none.fl_str_mv ALVES, Carina Frota
http://lattes.cnpq.br/1259105829065283
http://lattes.cnpq.br/7752481318432762
dc.contributor.author.fl_str_mv MADEIRA, Diego Augusto de Araujo
dc.subject.por.fl_str_mv Phishing
Cibersegurança
Segurança da Informação
topic Phishing
Cibersegurança
Segurança da Informação
description Phishing is a targeted attack that uses fraudulent messages to deceive users to obtain restricted information or install malicious software, making it one of the main tools cybercriminals use in the digital environment. Employees from various organizations are often the target of phishing attacks, representing a significant threat to themselves and their organizations. In response, organizations invest resources, time, and effort in structured initiatives aimed at enhancing users’ ability to identify and respond to such threats, described as Security Awareness Training (SAT), which includes simulated phishing attacks and training to help individuals recognize phishing attempts. However, the actual effectiveness of these initiatives remains underexplored. To investigate the factors contributing to the effectiveness of SAT programs, we conducted a case study at a public organization, allowing us to assess the impact of the intervention on users’ ability to recognize phishing attempts. The case study was performed in four phases. In the first phase, we planned the design, implementation, and evaluation processes of the intervention. In the second phase, we conducted a quantitative study with 4,457 participants to measure individuals' susceptibility to phishing attacks and their engagement with Security Awareness Training designed for phishing prevention using the KnowBe4 platform. In the third phase, we conducted qualitative interviews with 20 participants from the studied organization to analyze their experiences, perceptions, and motivations regarding phishing prevention efforts within the SAT program. In the fourth phase, we proposed a set of good practices informed by the findings from both the quantitative and qualitative studies. Our case study highlights the main factors influencing SAT effectiveness and presents good practices designed to improve phishing prevention strategies.
publishDate 2024
dc.date.none.fl_str_mv 2024-12-16
2025-04-24T20:33:02Z
2025-04-24T20:33:02Z
dc.type.status.fl_str_mv info:eu-repo/semantics/publishedVersion
dc.type.driver.fl_str_mv info:eu-repo/semantics/masterThesis
format masterThesis
status_str publishedVersion
dc.identifier.uri.fl_str_mv MADEIRA, Diego Augusto de Araujo. Investigating factors and good practices to improve the effectiveness of phishing awareness. 2024. Dissertação (Mestrado em Ciência da Computação) – Universidade Federal de Pernambuco, Recife, 2024.
https://repositorio.ufpe.br/handle/123456789/62580
identifier_str_mv MADEIRA, Diego Augusto de Araujo. Investigating factors and good practices to improve the effectiveness of phishing awareness. 2024. Dissertação (Mestrado em Ciência da Computação) – Universidade Federal de Pernambuco, Recife, 2024.
url https://repositorio.ufpe.br/handle/123456789/62580
dc.language.iso.fl_str_mv eng
language eng
dc.rights.driver.fl_str_mv http://creativecommons.org/licenses/by-nc-nd/3.0/br/
info:eu-repo/semantics/openAccess
rights_invalid_str_mv http://creativecommons.org/licenses/by-nc-nd/3.0/br/
eu_rights_str_mv openAccess
dc.format.none.fl_str_mv application/pdf
dc.publisher.none.fl_str_mv Universidade Federal de Pernambuco
UFPE
Brasil
Programa de Pos Graduacao em Ciencia da Computacao
publisher.none.fl_str_mv Universidade Federal de Pernambuco
UFPE
Brasil
Programa de Pos Graduacao em Ciencia da Computacao
dc.source.none.fl_str_mv reponame:Repositório Institucional da UFPE
instname:Universidade Federal de Pernambuco (UFPE)
instacron:UFPE
instname_str Universidade Federal de Pernambuco (UFPE)
instacron_str UFPE
institution UFPE
reponame_str Repositório Institucional da UFPE
collection Repositório Institucional da UFPE
repository.name.fl_str_mv Repositório Institucional da UFPE - Universidade Federal de Pernambuco (UFPE)
repository.mail.fl_str_mv attena@ufpe.br
_version_ 1856042002871746560

Registros relacionados