Visible to the public Combatting phishing: A holistic human approach

TitleCombatting phishing: A holistic human approach
Publication TypeConference Paper
Year of Publication2014
AuthorsFrauenstein, E.D., Von Solms, R.
Conference NameInformation Security for South Africa (ISSA), 2014
Date PublishedAug
Keywordsagency theory, ails, awareness programme, COBIT, Computer crime, computer science education, cyber criminals, design science principles, educational factors, fake warnings, financial awards, holistic human approach, HOT elements, human factors, ISO, lax security behavior, Lead, organisational aspects, organizational aspects, phishing, phishing security controls, security, security education, security education training and awareness, security gaps, security training, security vulnerability, Social Engineering, spoofed-Web sites, technological controls, technology acceptance model, Training, trusted reputation, unsolicited e-mail
Abstract

Phishing continues to remain a lucrative market for cyber criminals, mostly because of the vulnerable human element. Through emails and spoofed-websites, phishers exploit almost any opportunity using major events, considerable financial awards, fake warnings and the trusted reputation of established organizations, as a basis to gain their victims' trust. For many years, humans have often been referred to as the `weakest link' towards protecting information. To gain their victims' trust, phishers continue to use sophisticated looking emails and spoofed websites to trick them, and rely on their victims' lack of knowledge, lax security behavior and organizations' inadequate security measures towards protecting itself and their clients. As such, phishing security controls and vulnerabilities can arguably be classified into three main elements namely human factors (H), organizational aspects (O) and technological controls (T). All three of these elements have the common feature of human involvement and as such, security gaps are inevitable. Each element also functions as both security control and security vulnerability. A holistic framework towards combatting phishing is required whereby the human feature in all three of these elements is enhanced by means of a security education, training and awareness programme. This paper discusses the educational factors required to form part of a holistic framework, addressing the HOT elements as well as the relationships between these elements towards combatting phishing. The development of this framework uses the principles of design science to ensure that it is developed with rigor. Furthermore, this paper reports on the verification of the framework.

DOI10.1109/ISSA.2014.6950508
Citation Key6950508