Phishing continues to be an escalating cyber threat facing organizations of all types and sizes, including industry, academia, and government.
Our team performs research to understand phishing within an operational (real-world) context by examining user behaviors during phishing awareness training exercises. Our projects provide insights into users’ rationale and role in early detection, and how these might be scaffolded with technological solutions. Recent efforts have focused on the NIST Phish Scale, a method for rating the human detection difficulty of phishing emails that considers both the characteristics of the email and the user context of the email's recipient.
NIST Phish Scale User Guide - Shaneé Dawkins & Jody Jacobs. NIST Technical Note 2276 (2023).
How to Scale a Phish: An Investigation Into the Use of the NIST Phish Scale (Poster Abstract) - Shaneé Dawkins & Jody Jacobs. Poster session at Symposium on Usable Privacy and Security (SOUPS) (2023).
Scaling the Phish: Advancing the NIST Phish Scale - Fernando Barrientos, Jody Jacobs, & Shaneé Dawkins. Poster session at International Conference on Human-Computer Interaction (HCII) (2021).
Categorizing Human Phishing Difficulty: A Phish Scale - Michelle P. Steves, Kristen K. Greene, & Mary F. Theofanos. Journal of Cybersecurity (2020)
A Phish Scale: Rating Human Phishing Message Detection Difficulty - Michelle P. Steves, Kristen K. Greene, & Mary F. Theofanos. Proceedings of the Workshop on Usable Security (USEC) at the Network and Distributed Systems Security (NDSS) Symposium (2019)
Can You Spot a Phish? - Jody Jacobs. Presented at Department of the Air Force Blue Cyber Education Series for Small Business (September 26, 2023)
Phishing for User Context: Understanding the NIST Phish Scale (recorded presentation) - Shaneé Dawkins. Presented at FISSEA Summer Forum (August 23, 2023).
Phishing With a Net: The NIST Phish Scale and Cybersecurity Awareness (recorded presentation) - Shaneé Dawkins & Jody Jacobs. Presented at RSA Conference (April 25, 2023).
The NIST Phish Scale: Method for rating human phishing detection difficulty (tutorial) - Shaneé Dawkins & Jody Jacobs. Presented at Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG) (February 2021).
The New NIST Phish Scale, Revealing Why End Users Click - Shaneé Dawkins, Kristen Greene, & Jody Jacobs. Presented at SecureWorld Expo (2020)
Introducing Phish Scale (2020)
Recognizing and Reporting Phishing - Cybersecurity Awareness Month (2023)
Cybersecurity Awareness Month: Fight the Phish (2021)
The Phish Scale: NIST-Developed Method Helps IT Staff See Why Users Click on Fraudulent Emails (2020)
Staff Spotlight: NIST Usable Cybersecurity Featuring Kristen Greene (2020)
Cybercrime Magazine Podcast: The Phish Scale. A new method for training employees (2020)
Peering into the Phish Bowl: An Analysis of Real-World Phishing Cues (Poster Abstract) - Lorenzo Neil, Shaneé Dawkins, Jody Jacobs, & Julia Sharp. Poster session at Symposium on Usable Privacy and Security (SOUPS) (2023).
No Phishing Beyond This Point - Kristen Greene, Michelle Steves, & Mary Theofanos. IEEE Computer (2018)
User Context: An Explanatory Variable in Phishing Susceptibility - Kristen K. Greene, Michelle P. Steves, Mary F. Theofanos, & Jennifer Kostick. Proceedings of the Workshop on Usable Security (USEC) at the Network and Distributed Systems Security (NDSS) Symposium (2018)
Exploratory Lens Model of Decision-Making in Potential Phishing Attack Scenario - Franklin Tamborello & Kristen Greene. NISTIR 8194 (2017)
ISPAB presentation - User Context: An Explanatory Variable in Phishing Susceptibility - Kristen Greene, Michelle Steves, & Mary Theofanos. (June 21, 2018)
You've Been Phished (2018)