Designing Ethical Phishing Experiments: A study of (ROT13) rOnl query features

  • Markus Jakobsson, School of Informatics, Indiana University, USA
  • Jacob Ratkiewicz, Dept. of Computer Science, Indiana University, USA

Track: Security, Privacy, and Ethics

Slot: 11:00-12:30, Friday 26th May

We study how to design experiments that measure the success rates of phishing attacks while being both ethical and accurate, two requirements that pull in opposite directions. An ethical experiment must not expose the participants to any risk, and it should be possible for the participants, or representatives thereof, to verify locally that this was the case. At the same time, an experiment is accurate only if it is possible to argue why its success rate is neither an upper nor a lower bound of that of a real attack; this may be difficult when the ethics considerations make the user's perception of the experiment differ from the user's perception of the attack. We introduce several experimental techniques that allow us to balance these two requirements, and demonstrate how to apply them using a context-aware phishing experiment on a popular online auction site which we call "rOnl". Our experiments exhibit a measured average yield of 11% per collection of unique users. This study was authorized by the Human Subjects Committee at Indiana University (Study #05-10306).
