The Center for Education and Research in Information Assurance and Security (CERIAS)


A Human Factors perspective on better phishing defenses

Research Areas: Human Centric Security

Principal Investigator: Jamie Davis

Social engineering attacks delivered via email, commonly known as phishing, represent a persistent cybersecurity threat and lead to significant organizational incidents and data breaches. Although many organizations train employees on phishing, often because compliance requirements mandate it, the real-world effectiveness of this training remains debated. Past work has demonstrated the ineffectiveness of training, but reproducing those results across different organizations and training approaches, with a standardized threat assessment, will help establish how generalizable this phenomenon is.

This project has several goals:

1. Measure the effectiveness of state-of-the-art phishing training in real-world settings

2. Explore opportunities for email defense system optimization through improved and faster feedback loops

3. Trial new phishing attacks in real-world settings

Personnel

Students: Andrew Rozema, PhD student (he is also a professor)

Representative Publications

  • Anti-Phishing Training (Still) Does Not Work: A Reproduction of Phishing Training Inefficacy Grounded in the NIST Phish Scale

    Rozema & Davis, arXiv'25