Educating employees on how to recognize phishing emails, those authentic-looking messages that encourage users to open a malicious hyperlink or an attachment that appears harmless, usually ends up being an almost impossible task.
At the end of the day, someone always opens the attachment, and when that happens all bets are off.
The estimated financial cost from information loss, identity theft, service disruptions and additional security costs related to phishing exceeds $1 trillion. Phishing, one of the most effective attack tools facing businesses today, accounts for more than one-third of the nearly 800 percent increase in cybercrimes since 2007, according to the Government Accountability Office.
That is the bad news. The good news is that a University at Buffalo (UB) cyber security expert may have found the training model that others have been unable to unlock.
Arun Vishwanath, an associate professor in the Department of Communication at UB, whose research specializes in how to stop online deception, has developed what he describes as a groundbreaking, comprehensive model that for the first time accounts for the multiple influences that contribute to the success of these attacks.
Vishwanath's model explains why people fall for these schemes and could finally tilt phishing's dynamic from successful deception to effective detection.
His study tests a theory-based model that identifies the specific vulnerabilities that arise in a given user.
“When I talk to cyber security experts in companies or even in the U.S. government — and I’ve presented this to many of them — I’m told that the model provides a ready framework to understand why their employees fall prey to such attacks,” Vishwanath said.
The model encourages a new approach to training based on individual, predictive profiles of computer users, rather than relying on the current blanket approach of giving everyone the same training. Previous research has shown that blanket training is of limited effectiveness, because people are often victimized within hours of finishing it, Vishwanath said.
“Using this model, organizations can come up with a dynamic security policy, one that takes into account employee cyber behaviors and allows access to systems, software and devices based on these behaviors,” he said. “It can also be used to develop a risk-index that assesses the overall risk threshold of individuals and groups.”
Vishwanath’s study, which is part of a larger research program to understand the people problems of cyber security, tested the model by actually simulating different types of phishing attacks on real-world subjects.
“Calling people into a lab doesn’t work for this kind of research because there is a heightened sense of awareness,” he said. “Subjects in labs look at a screen and are asked if they believe they’re looking at a phishing email. In reality, most people don’t focus on emails and appear to be far less suspicious and far more susceptible than when they are in a lab.
“Methodologically, the premise I work with is that we have to play the role of the ‘bad guys’ in order to study how and why people are victimized.”
The Suspicion, Cognition and Automaticity Model (SCAM) explains what contributes to the origin of suspicion by accounting for a user's email habits and two ways of processing information: heuristics, or rules of thumb that lead to snap judgments about a message's content; and deeper, systematic processing of an email's content.
“A fourth measure, cyber-risk beliefs, taps into the individual’s perception about risks associated with online behaviors,” he said.
Vishwanath's model accounts for these layers and the relationships among them, with each measure providing a brush stroke in an overall portrait of the different reasons people fall victim to such attacks.
“These things matter,” he said. “Once we understand why certain people fall for attacks we can target them with the appropriate training and education.”
Current training teaches people how to recognize a phish, which addresses only one of the reasons why people fall for phishing. No wonder training has had limited overall effectiveness in stopping cyber breaches.
Vishwanath's point is that most anti-phishing measures try to stop attacks on the assumption that their designers already know why people fall prey to such attacks, rather than actually figuring out why the attacks are working.
With phishing losses mounting at alarming rates and the level of phishing sophistication evolving in step, Vishwanath said adopting the model is critical.
Millions of phishing attacks occur daily, many following recurring patterns, such as the emails that arrive during tax season. These, too, have grown in rate and intensity. For instance, the number of malware-laden IRS phishing emails this month has already gone up by 400 percent.
The malware in these emails opens back doors into computer networks that give hackers access to people's personal information. Some intrusions install keyloggers that record what the person types or the sites they visit. And a new class of "ransomware" encrypts every file on a hard drive or server, holding the data hostage until users pay an untraceable ransom in bitcoin.
“If the Internet were the real world it would be the most dangerous city on earth,” he said.