Design of Security Training System for Individual Users

Research paper by Il-kwon Lim, Young-Gil Park, Jae-Kwang Lee

Indexed on: 01 Jun '16
Published on: 01 Jun '16
Published in: Wireless Personal Communications


Phishing is a technique that uses a message appearing to come from a trustworthy person, or simple spam, to lure the recipient to a fake website, distribute malicious code and cause further security damage. According to security company Kaspersky Lab, 3,730,000 people were exposed to phishing attacks between 2012 and 2013. In addition, with the spread of smartphones, mobile malicious code increased eightfold in 2012 compared to 2011, so security threats are growing. Phishing is carried out either as e-mail phishing using social engineering or as SMSishing using the short message service (SMS). Countermeasures include antivirus software, phishing filtering systems, and security training or education. Yet social engineering attacks such as phishing e-mail or SMSishing exploit human psychology, so security software and systems have limits, and ordinary individual users are unlikely to understand how serious the threat is. This study therefore proposes a security training system that prepares individual users for e-mail phishing and SMSishing attacks. The proposed system consists of three main components, the trainee, the Center System, and the Monitoring and Reporting System, and it carries out virtual social engineering attacks by e-mail and SMS through the trainees' PCs or smartphones. When trainees are attacked, they learn how to respond and develop the ability to cope with e-mail phishing and SMSishing attacks. In a test using this system, the click rate on virtual phishing e-mail messages decreased from 47 to 33 %, and the click rate on threatening links decreased from 16 to 4 %, by which the usefulness of this study was examined.
These results indicate that the proposed security training system makes it possible to train individual users against the security threats in phishing e-mail and, as a result, to prepare them for phishing attacks.