Institute for Software Research
School of Computer Science, Carnegie Mellon University


PhishGuru: A System for Educating Users
about Semantic Attacks

Ponnurangam Kumaraguru

April 2009

Ph.D. Thesis
Computation, Organizations and Society


Keywords: Social engineering, semantic attack, phishing, learning science, human computer interaction, design and implementation, and real-world studies

Online security attacks are a growing concern among Internet users. Currently, the Internet community is facing three types of security attacks: physical, syntactic, and semantic. Semantic attacks take advantage of the way humans interact with computers or interpret messages. There are three major approaches to countering semantic attacks: silently eliminating the attacks, warning users about the attacks, and training users not to fall for the attacks. The existing methods for silently eliminating the attack and warning users about the attack are unlikely to perform flawlessly; furthermore, users are the weakest link in these attacks, it is essential that user training complement other methods. Most existing online training methodologies are less successful because: (1) organizations that create and host training materials expect users to proactively seek out such material themselves; (2) these organizations expect users to have some knowledge about semantic attacks; and (3) the training materials have not been designed with learning science principles in mind.

The goal of this thesis is to show that computer users trained with an embedded training system – one grounded in the principles of learning science – are able to make more accurate online trust decisions than users who read traditional security training materials, which are distributed via email or posted online. To achieve this goal, we focus on "phishing," a type of semantic attack. We have developed a system called "PhishGuru" based on embedded training methodology and learning science principles. Embedded training is a methodology in which training materials are integrated into the primary tasks users perform in their day-to-day lives. In contrast to existing training methodologies, the PhishGuru shows training materials to users through emails at the moment ("teachable moment") users actually fall for phishing attacks.

We evaluated the embedded training methodology through laboratory and field studies. Real-world experiments showed that people trained with PhishGuru retain knowledge even after 28 days. PhishGuru training does not decrease users' willingness to click on links in legitimate messages. PhishGuru is also being used in a real-world implementation of the Anti-Phishing Working Group Landing Page initiative. The design principles established in this thesis will help researchers develop systems that can train users in other risky online situations.

197 pages

Return to: SCS Technical Report Collection
School of Computer Science homepage

This page maintained by