Going forward, the researchers plan to expand their research beyond the tested students -- who were all aged 18 and 27 -- to cover professionals in the workplace. They already conducted related studies of employees of an unnamed government agency, although have yet to analyze the results.
How might these findings be applied? Hong's academic profile notes that the goal of the phishing research project is to develop better "phishing susceptibility profiles and anti-phishing tools."
"Many of the anti-phishing tools that are currently available are not based on research with human users, so we think we can do better in developing an effective tool that can be personalized to meet the needs of individual users," said Mayhorn. Such a training tool might require users to respond to a short survey taking 15 minutes or less that gauges their phishing awareness. Another option might be a system along the lines of Amazon.com's artificial intelligence predictive buying algorithms, only tailored to assess what types of risky behaviors people might exhibit as they handle their email.
Either approach would allow a training tool to build a better profile of individual users and target any risky behavior. "If one person is susceptible due to trust-based issues, but another is susceptible due to attacks that cater to their personality traits, it would be useful to have systems that can address specific needs -- not 'one size fits all' systems ... that attempt to address everything, which may not be necessary," said Mayhorn.
Some information security experts, however, have argued that in general, attempting to train users in security is a waste of time. But given the quantity and severity of phishing attacks -- now a favored tool of today's advanced persistent threat (APT) attackers -- as well as the inability of security tools to block all phishing attacks, might not related training be a necessity?
Mayhorn argued that training and technological defenses must supplement each other. "Unfortunately, technological approaches will not always be responsive to new threats," he said. "Cyber-criminals will continue to come up with new ways to attack and security measures will always be reactive rather than proactive. As long as there is a human in the loop, there is always going to be the potential for security breaches so we need to use both approaches -- training and security approaches -- to combat efforts to exploit computer systems."