University of Maryland Global Campus
WRTG 393 Advanced Technical Writing 2023
Writing Assignment #5
Briefing Paper
Garima Pradhan
Executive Summary
Phishing is a threat to both individuals and organizations, and cybercriminals continue to develop new and more sophisticated techniques to trick people into revealing information. In recent years, social engineering has become more prevalent: attackers exploit people's trust in well-established brands and organizations to persuade them to hand over personal information.
One of the biggest challenges in combating phishing is the sheer scale and variety of attacks. Attackers constantly change their tactics and adopt new techniques to circumvent security controls and deceive users. They may use fake websites, emails, or phone calls to lure people into providing login credentials or other sensitive information. In some cases, attackers impersonate trusted people or organizations, such as colleagues, government agencies, or financial institutions, to make their scams appear legitimate.
Another challenge is that people are often busy and distracted, which makes them vulnerable to social engineering. For example, people are more likely to click a link in an email if they are in a hurry or if the email seems urgent or important. Additionally, many people are not aware of the risks associated with phishing and do not take precautions to protect themselves.
To mitigate the risk of falling victim to phishing, organizations need to raise awareness and provide effective training to their employees on how to identify and respond to such attacks. This can be achieved by providing resources and practical guidance on how to respond to phishing emails and other scams.
The Problem
Phishing training is essential to teach users how to avoid becoming victims of these scams. However, the current approach to phishing training often fails to take into account individual differences in people's learning styles, knowledge levels, and behavior patterns. This means that training may not be effective for all users, resulting in a false sense of security and a higher chance of falling victim to phishing attacks. The following figure shows how sharply the number of phishing sites grew from 2019 onward.
Image 5.1: The number of malware and phishing sites by year (source: Google Safe Browsing)
A major problem with current phishing training is that it tends to be static and inflexible, providing general information that may not be relevant to each user's specific needs and circumstances. For example, some users are more technologically savvy than others, and different job roles require handling sensitive information in different ways. To be effective, phishing training must take these differences into account and provide personalized information and guidance. Additionally, the study whose results are shown in Image 5.2 found that younger people are more susceptible to these schemes, contrary to what was previously believed.
Image 5.2: Probability of users falling for phishing schemes (source: ETH Zurich, Dept of Computer Science)
In addition, many training programs are delivered through passive methods, such as online modules or videos, that may not engage users or provide sufficient opportunities for practice and feedback. This is backed by the study covered by TechRepublic, which reported the following: "A new study at unprecedented scale revealed that embedded phishing training in simulations run by organizations doesn't work well" (TechRepublic, 2022). The study gave users different kinds of cues for judging whether an email was malicious. Training delivered through such passive methods can lead to poor retention and failure to apply the training in real-world situations. To address this problem, training programs must use interactive and engaging methods, such as simulations or games, that encourage active learning and provide immediate feedback.
Another problem with current phishing training is that it often focuses only on awareness, without providing practical guidance on how to recognize and respond to phishing attacks. This can lead to a false sense of security: users trust that they can detect phishing emails, yet still fall victim to more sophisticated attacks. Effective phishing training should not only raise awareness but also provide practical guidance on how to recognize and respond to phishing attacks, including reporting procedures and how to verify the legitimacy of requests for sensitive information, for instance by contacting the apparent sender through a channel the organization already trusts rather than through the contact details given in the message itself.
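The checks that a lesson on recognizing phishing email teaches people to do by hand (who the message is really from, where replies go, where a link actually leads, and whether the subject applies pressure) can be written down as code. The following is an added example, not part of the briefing paper or of any product it cites; the two messages, the organization domain example-corp.com, and the other domain names are constructed for illustration, and the domain logic is deliberately simple:

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example-corp.com"  # assumed: the organization's own mail domain
URGENCY_WORDS = ("urgent", "immediately", "locked", "expires", "verify")

# Constructed sample messages. The phishing one combines the usual lures:
# a display name carrying a forged address, a Reply-To on a third domain,
# a link whose visible text differs from its target, and an urgent subject.
PHISH_RAW = """\
From: "IT Service Desk <helpdesk@example-corp.com>" <alerts@mail-notify.biz>
Reply-To: helpdesk-reset@example-corp-support.net
To: employee@example-corp.com
Subject: URGENT: your password expires in 2 hours
Content-Type: text/html; charset="utf-8"

<p>Your account will be locked. Verify immediately:</p>
<a href="http://example-corp.com.login-verify.biz/reset">https://example-corp.com/reset</a>
"""

BENIGN_RAW = """\
From: "IT Service Desk" <helpdesk@example-corp.com>
To: employee@example-corp.com
Subject: Quarterly newsletter
Content-Type: text/html; charset="utf-8"

<p>This quarter's security newsletter is online:</p>
<a href="https://example-corp.com/news">https://example-corp.com/news</a>
"""


def registered_domain(host):
    """Last two labels of a host name. A crude stand-in for the public
    suffix list; good enough to show the idea, not for production use."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of(addr):
    return registered_domain(addr.rpartition("@")[2])


def analyze(raw):
    """Return a list of (code, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. An address embedded in the display name that does not match the
    #    real From address (the "forged name" trick).
    for embedded in re.findall(r"[\w.+-]+@[\w.-]+", display_name):
        if domain_of(embedded) != from_domain:
            findings.append(("display-name-address",
                             f"display name shows {embedded}, message is from {from_addr}"))

    # 2. The organization's name used by a sender outside the organization.
    if from_domain != ORG_DOMAIN and ORG_DOMAIN in display_name.lower():
        findings.append(("claims-org", f"claims to be {ORG_DOMAIN} but sent from {from_domain}"))

    # 3. Replies redirected to a domain other than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(("reply-to-mismatch", f"Reply-To {reply_addr} is not on {from_domain}"))

    # 4. Links: visible URL text vs. actual target, and targets that embed the
    #    organization's name as a subdomain of somebody else's domain.
    body = msg.get_payload()
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]*)</a>', body, re.I):
        href_host = (urlparse(href).hostname or "").lower()
        shown_host = (urlparse(text.strip()).hostname or "").lower()
        if shown_host and registered_domain(shown_host) != registered_domain(href_host):
            findings.append(("link-text-mismatch", f"text shows {shown_host}, link goes to {href_host}"))
        if href_host != ORG_DOMAIN and ORG_DOMAIN in href_host:
            findings.append(("lookalike-subdomain", f"{href_host} reuses {ORG_DOMAIN} as a subdomain"))

    # 5. Pressure language in the subject line.
    subject = msg.get("Subject", "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(("urgency", "subject uses: " + ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for code, detail in analyze(PHISH_RAW):
        print(f"[{code}] {detail}")
    print("benign findings:", analyze(BENIGN_RAW))
```

None of these heuristics is proof of phishing on its own (a mailing-list provider legitimately sets a foreign Reply-To, for example), which is exactly the point a training session should make: the indicators add up, and the user's job is to notice them and report the message rather than to make the final call alone.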
Finally, phishing training needs to be reinforced with ongoing coaching and feedback so that users remain vigilant and up to date with the latest threats and best practices. This can include regular training sessions, simulated phishing attacks, and real-time feedback on user behavior to identify areas for improvement.
In short, phishing training should be tailored to the individual needs and circumstances of each user, use interactive and engaging methods that encourage active learning, and provide practical guidance on how to recognize and respond to phishing attacks. It should also be reinforced through continuous training and feedback to ensure that users remain vigilant and up to date with the latest threats and best practices.
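Feedback on user behavior only becomes targeted training once simulation results are turned into a per-user assessment. The following added example (not from the briefing paper) reads a constructed simulation log and assigns each user a training tier; the user names, the event vocabulary, and the tier thresholds are assumptions made for illustration, not figures from any cited study:

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed simulation log (not real data): one row per event. A 'delivered'
# row marks a campaign reaching a user; the other rows are that user's
# reactions to it, with the time since delivery in seconds.
SIM_LOG = """\
user,campaign,event,seconds_after_delivery
alice,q1,delivered,0
alice,q1,reported,140
alice,q2,delivered,0
alice,q2,reported,90
bob,q1,delivered,0
bob,q1,clicked,35
bob,q1,submitted,60
bob,q2,delivered,0
bob,q2,clicked,20
carol,q1,delivered,0
carol,q2,delivered,0
carol,q2,clicked,300
carol,q2,reported,330
dave,q1,delivered,0
dave,q2,delivered,0
"""


def summarize(log_text):
    """Per-user counts of campaigns received, clicks, credential submissions,
    reports, and the list of seconds-to-report values."""
    stats = defaultdict(lambda: {"campaigns": 0, "clicked": 0, "submitted": 0,
                                 "reported": 0, "report_times": []})
    for row in csv.DictReader(io.StringIO(log_text)):
        s = stats[row["user"]]
        event = row["event"]
        if event == "delivered":
            s["campaigns"] += 1
        elif event in ("clicked", "submitted", "reported"):
            s[event] += 1
            if event == "reported":
                s["report_times"].append(int(row["seconds_after_delivery"]))
    return dict(stats)


def assign_tier(s):
    """Map one user's behaviour to a training tier. The thresholds are
    assumptions chosen for illustration."""
    if s["campaigns"] == 0:
        return "no-data"          # nothing to base a decision on yet
    click_rate = s["clicked"] / s["campaigns"]
    if s["submitted"] or click_rate > 0.5:
        return "remedial"         # entered credentials, or clicks most lures
    if click_rate > 0 or s["reported"] == 0:
        return "refresher"        # clicked once, or never reports anything
    return "maintain"             # reports without clicking: keep the cadence


def plan(log_text):
    """Return {user: (tier, click_rate, report_rate, median_seconds_to_report)}."""
    result = {}
    for user, s in summarize(log_text).items():
        n = s["campaigns"]
        times = s["report_times"]
        result[user] = (assign_tier(s),
                        round(s["clicked"] / n, 2) if n else None,
                        round(s["reported"] / n, 2) if n else None,
                        statistics.median(times) if times else None)
    return result


if __name__ == "__main__":
    for user, row in sorted(plan(SIM_LOG).items()):
        print(user, *row)
```

Note that a user who never clicks but also never reports (dave above) is not treated as safe: silence gives the security team no signal, and the time-to-report column is what shortens the window in which a real campaign goes unnoticed.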
A Potential Solution
An important aspect of effective phishing training is keeping the training materials up to date with the latest phishing trends and techniques. Phishing tactics are constantly evolving, and attackers are becoming more sophisticated in their methods. Training should therefore cover the latest phishing trends and techniques, and how to recognize and respond to them.
In addition, training must be accessible and available to all employees. This can be done through a variety of delivery methods, such as in-person training sessions, webinars, online tutorials, and mobile apps. Training should also be available in different formats, such as audio, video, and text, to accommodate different learning styles.
To make training more effective, it is also important to involve employees in the training process. Employees should be encouraged to ask questions and share their experiences with phishing attacks; this can help identify gaps in training and improve its effectiveness. Employees should also be encouraged to report any suspicious emails or incidents to their IT security team, and training should provide guidance on how to do so.
Finally, it is necessary to create a culture of security within the organization. Training should emphasize the importance of cybersecurity and encourage employees to take responsibility for their own security. Employees need to be aware of the potential consequences of falling for a phishing attack, and training needs to reinforce the message that everyone has a role to play in protecting the organization from cyber threats.
In conclusion, effective phishing training should be tailored to each user's needs, use interactive and engaging methods, provide practical guidance, improve through continuous training and feedback, and keep up with the latest phishing trends and techniques. By creating a culture of security and involving employees in the training process, organizations can reduce the risk of phishing attacks and protect their employees and sensitive data.
Summary
We discussed the problem with current phishing training programs and suggested a possible solution to improve their effectiveness. The problem with current training is that it takes a one-size-fits-all approach and fails to account for individual differences in users' learning styles, knowledge levels, and behavior patterns. Training programs are often delivered through passive methods and focus only on awareness, without providing practical guidance on how to recognize and respond to phishing attacks.
To be effective, phishing training must be tailored to individual needs and circumstances, use interactive and engaging methods, and provide practical guidance. The proposed solution involves assessing each user's current level of phishing awareness and offering targeted training that meets their specific needs. Interactive methods that encourage active learning and hands-on activities should be used, and practical guidance on how to identify and respond to phishing attacks should be provided. Finally, continuous training and feedback should be provided to ensure that users remain alert and informed of the latest threats and best practices. By implementing these best practices, organizations can reduce the risk of phishing attacks and protect their employees and sensitive data.
References
● Ackerman, R. (2022, April 26). 2021 was another big year for hackers and cyberthreats. RSAConference. Retrieved May 4, 2023, from https://www.rsaconference.com/library/blog/2021-was-another-big-year-for-hackers-and-cyberthreats
● Tessian. (2023, April 10). Phishing statistics 2020 - Latest report. Tessian Blog. Retrieved May 4, 2023, from https://www.tessian.com/blog/phishing-statistics-2020/
● WeLiveSecurity. (2021, March 18). FBI: Cybercrime losses tripled over the last 5 years. https://www.welivesecurity.com/2020/02/13/fbi-cybercrime-losses-tripled-last-5-years/
● Pernet, C., Staff, T. R., Crouse, M., Partida, D., Corrales, E., Ayuya, C., & Kaelin, M. W. (2022, January 13). New study reveals phishing simulations might not be effective in training users. TechRepublic. Retrieved May 4, 2023, from https://www.techrepublic.com/article/new-study-reveals-phishing-simulations-might-not-be-effective-in-training-users/
● Microsoft Security. (n.d.). What is phishing? Retrieved May 4, 2023, from https://www.microsoft.com/en-us/security/business/security-101/what-is-phishing
● Simister, A. (2022, November 24). 10 ways to prevent phishing attacks. Lepide Blog: A Guide to IT Security, Compliance and IT Operations. Retrieved May 4, 2023, from https://www.lepide.com/blog/10-ways-to-prevent-phishing-attacks/
● Hebert, A., Hernandez, A., Perkins, R., & Puig, A. (2022, October 25). How to recognize and avoid phishing scams. FTC Consumer Advice. Retrieved May 4, 2023, from https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams
● FBI. (2020, April 17). Spoofing and phishing. Retrieved May 4, 2023, from https://www.fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/common-scams-and-crimes/spoofing-and-phishing