[Paper summary] Phishing in Organizations: Findings from a Large-Scale and Long-Term Study
This 15-month, large-scale study at a Swiss company tested the phishing susceptibility of 14,773 employees using realistic simulated phishing emails in their real working environment. It finds that embedded training is ineffective and may even increase vulnerability, whereas employee-reported phishing detection is highly effective, fast and sustainable, giving organizations a novel, low-operational-cost defensive strategy.
In this paper, we present findings from a large-scale and long-term phishing experiment that we conducted in collaboration with a partner company. Our experiment ran for 15 months during which time more than 14,000 study participants (employees of the company) received different simulated phishing emails in their normal working context. We also deployed a reporting button to the company's email client which allowed the participants to report suspicious emails they received. We measured click rates for phishing emails, dangerous actions such as submitting credentials, and reported suspicious emails. The results of our experiment provide three types of contributions. First, some of our findings support previous literature with improved ecological validity. One example of such results is good effectiveness of warnings on emails. Second, some of our results contradict prior literature and common industry practices. Surprisingly, we find that embedded training during simulated phishing exercises, as commonly deployed in the industry today, does not make employees more resilient to phishing, but instead it can have unexpected side effects that can make employees even more susceptible to phishing. And third, we report new findings. In particular, we are the first to demonstrate that using the employees as a collective phishing detection mechanism is practical in large organizations. Our results show that such crowd-sourcing allows fast detection of new phishing campaigns, the operational load for the organization is acceptable, and the employees remain active over long periods of time.
Motivation and goals
- Understand which employee demographics and job roles in a large organization are most vulnerable to phishing.
- Analyze how an organization's overall phishing vulnerability evolves over time under repeated exposure to phishing.
- Evaluate the effectiveness of common phishing defenses such as embedded training and email warnings.
- Examine whether employees can serve as an effective and sustainable phishing detection mechanism.
- Provide large-scale empirical evidence with strong ecological validity that reveals the human factors in organizational phishing defense and challenges common industry practice.
Proposed method
- Run a large-scale phishing experiment over 15 months, sending simulated phishing emails to 14,773 employees in their real working environment.
- Deploy a reporting button in the company's email client to enable real-time, user-driven detection of suspicious emails.
- Measure key behavioral metrics: click rate, credential submission rate, macro execution rate and reporting frequency.
- Evaluate reported emails with a hybrid processing pipeline that combines automated analysis with manual triage.
- Collect and analyze employees' demographic information, job type, click patterns and how their reporting behavior changes over time.
- Assess the impact of warnings and embedded training by comparing click and report rates across conditions.
Experimental results
Research questions
- RQ1: Which employees are most susceptible to phishing, and how do demographic factors (age, gender, job type) correlate with susceptibility?
- RQ2: How does an organization's overall phishing vulnerability evolve over time as it is repeatedly exposed to simulated attacks?
- RQ3: In a real organizational setting, do embedded phishing training and email warnings effectively reduce employees' susceptibility to phishing?
- RQ4: In a large organization, can employees act as an effective, fast and sustainable phishing detection mechanism?
Main findings
- Embedded phishing training, as widely deployed in industry, does not improve employees' resilience and may instead increase their susceptibility to phishing.
- Email warnings effectively reduce phishing click rates, supporting prior findings with stronger ecological validity.
- A substantial number of employees (termed "repeat clickers") keep falling for phishing over long periods, indicating persistent vulnerability.
- Crowd-sourced phishing detection through employee reports can detect a new phishing campaign within minutes of its launch.
- Because automated analysis is combined with manual triage, the operational overhead of processing reported emails stays low even with thousands of reports.
- Employee reporting rates remained high and stable throughout the 15-month period, indicating sustained long-term engagement and practical feasibility.
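The two detection findings above (minutes-to-detection and low triage load) rest on grouping employee reports by campaign before any human looks at them. The following is an added illustration of such a pipeline, not code from the paper or the partner company; the report records, campaign launch times, sender domains and URLs are constructed, and the campaign key (sender domain, subject with RE:/FW: prefixes stripped, URL host) is a hypothetical clustering rule.

```python
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample reports: (report time, reporter, sender, subject, url).
# The first three are the same campaign seen by different employees.
REPORTS = [
    ("2021-03-01T09:04:00", "u017", "it-support@corp-helpdesk.example",
     "Password expires today", "http://corp-helpdesk.example/reset?u=17"),
    ("2021-03-01T09:06:30", "u203", "it-support@corp-helpdesk.example",
     "RE: Password expires today", "http://corp-helpdesk.example/reset?u=203"),
    ("2021-03-01T09:11:00", "u555", "IT-Support@corp-helpdesk.example",
     "Password Expires Today", "http://corp-helpdesk.example/reset?u=555"),
    ("2021-03-01T14:20:00", "u031", "payroll@hr-portal.example",
     "Your March payslip", "https://hr-portal.example/doc/31"),
    ("2021-03-02T08:00:00", "u017", "newsletter@vendor.example",
     "Weekly update", "https://vendor.example/news"),
]
# Constructed: when each simulated campaign was launched (known to the security team).
LAUNCHES = {
    ("corp-helpdesk.example", "password expires today", "corp-helpdesk.example"): "2021-03-01T09:00:00",
    ("hr-portal.example", "your march payslip", "hr-portal.example"): "2021-03-01T14:00:00",
}

def campaign_key(sender, subject, url):
    """Normalise the fields that barely vary within one campaign (hypothetical rule):
    case, reply/forward prefixes and per-user URL parameters are discarded."""
    domain = sender.split("@")[-1].lower()
    subj = re.sub(r"^(?:(?:re|fw|fwd)\s*:\s*)+", "", subject.strip(), flags=re.I).lower()
    return (domain, subj, (urlparse(url).hostname or "").lower())

def triage(reports):
    """Automated step: cluster reports into campaigns.
    Returns {key: {"first": datetime of earliest report, "count": int, "reporters": set}}."""
    campaigns = {}
    for ts, reporter, sender, subject, url in reports:
        t = datetime.fromisoformat(ts)
        c = campaigns.setdefault(campaign_key(sender, subject, url),
                                 {"first": t, "count": 0, "reporters": set()})
        c["first"] = min(c["first"], t)
        c["count"] += 1
        c["reporters"].add(reporter)
    return campaigns

def detection_delay_minutes(campaigns, launches):
    """Minutes from campaign launch to the first employee report, for known campaigns."""
    return {k: (c["first"] - datetime.fromisoformat(launches[k])).total_seconds() / 60
            for k, c in campaigns.items() if k in launches}

def manual_queue_size(campaigns):
    """Manual step: one exemplar per campaign is reviewed, not every report."""
    return len(campaigns)
```

On the constructed data, five reports collapse into three campaigns, the helpdesk campaign is detected 4 minutes after launch by its first reporter, and a human reviews three items rather than five.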
This summary was generated by AI and reviewed by a human editor.