Breaches of data security are serious matters for businesses around the world. A single data breach can result in significant expenses for the company experiencing a breach. For example, in 2013 the Ponemon Institute conducted a study which found that the average cost of a data breach incident to United States businesses was $5.4 million. When intangible costs such as loss of consumer trust and bad publicity are added, it is clear that businesses have a financial incentive to improve their data security.
Corporate data breaches commonly occur due to carelessness of corporate employees. Employees may fall for phishing emails or text messages, access websites hosting malware, or fall for other lures that lead them to disclose sensitive data or compromise computer systems. Similarly, individuals and households, or users of non-corporate systems such as university students, can be subject to data breaches. Even responsible users can unwittingly be lured by a phishing attack. IBM recently cited in their 2014 Security Services Cyber Security Intelligence Index that over 95 percent of all security incidents investigated recognize “human error” as a contributing factor.
Accordingly, businesses seek better ways of mitigating data breaches, and especially solutions that can help prevent data breaches.
This document describes methods and systems that address at least some of the issues described above, or additional issues.
In an embodiment, a cybersecurity training system includes a processor and one or more data storage device portions that store programming instructions, a library of brand items (i.e., candidate brands and/or branded content), and a library of training actions such as cybersecurity lures. Each lure includes a prompt that, if responded to by a user of an electronic device, will trigger the system to direct a cybersecurity training action to the user. The programming instructions are configured to cause the system to implement a policy manager system that generates a query to the library of cybersecurity training actions; retrieves a template for a cybersecurity training action from the library in response to the query; selects, from the library of brand items, a brand item that is available for use in the template; automatically modifies the template to include a brand or branded content that corresponds to the selected brand item; and causes a cybersecurity training action according to the modified template to be sent to a second electronic device.
The system may cause an electronic device to output an administrator interface that presents selectable options, such as training campaign actions, categories of training campaign actions, users, and/or historical training data for one or more users. When the system receives a selection from an administrator via the administrator interface, then in response the system queries the library of cybersecurity training interventions, retrieves at least one of the training interventions from the library of cybersecurity training interventions, and presents each retrieved lure to the administrator via the administrator interface. The system will also present, to the administrator via the administrator interface, at least one available brand item for each of the retrieved lures. When the system receives a selection of one of the available brand items, it will select a first one of the retrieved lures and automatically modify the retrieved training intervention to include branded content that corresponds to the selected brand item. The system will then cause the selected training intervention with the branded content to be sent to a trainee, that is, a user of an electronic device.
As used in this document, any word in singular form, along with the singular forms “a,” “an” and “the,” include the plural reference unless the context clearly dictates otherwise. Unless defined otherwise, all technical and scientific terms used in this document have the same meanings as commonly understood by one of ordinary skill in the art. All publications mentioned in this document are incorporated by reference. As used in this document, the term “comprising” means “including, but not limited to.” The word “plurality” is intended to mean “more than one.”
For the purposes of this document, the terms “electronic device” and “computing device” interchangeably refer to a device or system of one or more devices that includes at least one processor and non-transitory, computer-readable memory. The memory may contain programming instructions that, when executed by the processor, cause the device to perform one or more operations according to the programming instructions. Examples of computing devices include personal computers, gaming systems, televisions, wearable electronic devices (such as smart watches), implantable electronic devices, and portable electronic devices such as smartphones, personal digital assistants, cameras, tablet computers, laptop computers, global positioning service (GPS) navigation devices, media players and the like. Where appropriate for the context, the term “electronic device” also may refer to a software application configured to operate on an electronic device, or firmware that is installed in an electronic device. In some embodiments, specialized electronic devices other than general purpose computing devices may be used. Examples include a smartphone having a transceiver that may generate and receive messages via wireless communications capability; a computing device having a wireless network transceiver that can connect to and exchange communications with other devices via a wireless network access device; a GPS navigation device; a media player; a wearable electronic device such as a smart watch or smart eyewear having a processor, display and user interface; and the like.
When used in this document, unless specifically stated otherwise, the term “processor” as a component of one or more electronic devices can refer to a single processor or to multiple processors that together implement various steps of a process. Similarly, unless specifically stated otherwise, a “memory device,” “data storage device” or “database” can refer to a single device or database, or to multiple devices or databases or portions thereof across which programming instructions and/or data are distributed.
An “administrator” is a person or system who is authorized to initiate and/or modify lures and/or training interventions in a cybersecurity training campaign.
A “brand” means a trademark, service mark, product or service name, logo, corporate name, organization name (including government and non-profit organizations) or other identifier of a product (whether offered or proposed), service (whether offered or proposed), or organization (whether a corporation, non-profit entity or other organization that offers goods or services to others).
“Branded content” means textual content, multimedia content, addresses (e.g., URL, email address, alphanumeric telephone number) or any other type of content or identifier that refers to a brand, whether by directly including a brand name, referring to commonly recognized attributes of a brand (e.g., a URL or logo), or variations of the above that are intended to be reminiscent of the brand (e.g., microsoft.com or Microsoftware instead of microsoft.com or Microsoft) or a larger set of content to be sent or otherwise presented to a user, wherein the content includes a brand in a context and/or format such that the content appears as if it originated from the owner of the brand or from one who acted under authority of the owner of the brand. Branded content may be used in lures, training content, and/or other messages as described in more detail below.
A “brand item” means a brand or branded content.
A “lure” means an item that may be acted upon by a user of an electronic device, such that if the user uses the electronic device or another electronic device to perform a particular action in response to receiving the lure (such as using a touch screen, mouse or other user interface of the electronic device to click a hyperlink in a mock phishing email, to connect to a mock malicious WiFi access point, or more generally, to act upon information or a prompt conveyed with the help of the electronic device itself or with the help of some other electronic device), the electronic device, or data available through the electronic device or some other device or system, or other hardware with which the device interacts could be exposed to a cybersecurity threat. A lure may also be an item that simulates a cybersecurity threat to the device, or to data accessible through the device or some other device, system, or organization, where the cybersecurity threat, if it were real, would materialize if the user failed to perform an expected action on the electronic device in response to receiving the lure (such as a user failing to use an interface of the device to cause a telephone or messaging application available on the device to notify a system administrator about the lure within a specified period of time after receiving the lure).
Examples of lures include: (i) electronic messages (e.g., emails, SMS, MMS, instant messages, in-channel messages delivered by a service such as a social networking site, or messages delivered using some other messaging technology) containing a prompt intended to lure the user to click a mock malicious hyperlink, open a mock malicious attachment, call a mock malicious number, or disclose sensitive information; (ii) a post on a social media site to which the user subscribes, wherein the post contains a prompt such as those described above; (iii) a telephone call (optionally automatically placed with prompts that interact with the user through an automated menu or some automated dialogue functionality such as Interactive Voice Recognition technology, multi-modal interactive technology, voice over Internet protocol (VOIP) technology, automated speech recognition technology, or some other automated dialogue functionality) prompting the user to disclose sensitive information or perform a risky action; (iv) a memory device (such as a universal serial bus storage device) containing an executable file with mock malware that will activate if the memory device is inserted into the user's electronic device and/or the executable file is opened by the user; (v) a barcode (such as a quick-response QR Code® or other matrix code) that, when scanned by an electronic device having scanning and decoding capability, causes the device to be directed to a mock malicious website or service, or to initiate the download of mock malware (e.g., a mock malicious software app) on the user's electronic device; (vi) a short-range communication device, such as a near field communication (NFC) or radio frequency identification (RFID) tag, containing instructions that, when read by a mobile electronic device, cause the device to be directed to a mock malicious website or service, or to initiate the download of mock malware; (vii) a piece of mock malware that is downloadable from a file transfer site or other website or from a software application service; or (viii) the deployment of a wireless communication service such as a mock malicious Wi-Fi access point intended to lure the user to connect to it with his electronic device.
A “positive cybersecurity communication” means a message that includes content that notifies a user or an administrator that the user has exercised good cybersecurity practices.
A “training intervention” means a message or action designed to improve a user's cybersecurity awareness and result in the elimination of or reduction in the likelihood that the user engages in activities or behaviors that create a cybersecurity risk. Training interventions can come in many formats including, but not limited to, an interactive software training module, a training video, training game or other multimedia training content delivered through one or more output devices. Training interventions may also come in the form of assignments to be completed by a specified deadline. Training interventions can be initiated in multiple ways, including, but not limited to, user actions, administrator actions, and system defined actions.
A “training action” means a lure, a training intervention, a positive reinforcing message directed to a user, or some other action that contributes to the assessment of users and/or their training. Training actions, whether lures, training intervention, positive reinforcing messages or other types of training actions may come in the form of templates that can be customized. For instance, a “change your password” phishing email lure may come in the form of a template that can be customized with parameters such as the brand and logo of a particular organization.
This document describes a method and system for computer based cybersecurity training, optionally using lures. Prior methods of providing cybersecurity training are disclosed in U.S. Patent Application Pub. Nos. 2012/0258437 and 2013/0203023, as well as U.S. patent application Ser. Nos. 14/215,981 and 14/216,002, each filed by Sadeh-Koniecpol et al., and each of which is fully incorporated herein by reference. In the current method, the system includes or causes an electronic device to output an administrator interface that allows an administrator to manage a cybersecurity training campaign that uses branded messages.
The system includes one or more data stores that hold a library of lures 14, a library of training content 15 for use in training interventions, and libraries of information about various candidate brands 16 and content 18. The content may be branded messages, or message templates that can optionally be customized with brand items. Any or all of these data stores and libraries may be merged, maintained separately, maintained locally on the administrator's computing device, or maintained remotely and served to the administrator by a cloud-based service or a collection of one or more servers. Each of these data stores may include meta-data. For instance, lure meta-data may include the types of devices on which the lure can be delivered, the types of users for which the lure is appropriate, estimates of the effectiveness of the lure (e.g., likelihood that someone falls for it), etc. Meta-data about brands may include the particular formats in which brand items are available (e.g., logo, URL, name of the company, name of products), whether and when consent was obtained to use the brand material in the training system, including constraints on the context within which the brand material can be used (e.g. consent is only for use with customers of a particular brand, or subject to explicit user opt-in, or only with users 18 and older), when the consent expires, etc. Meta-data about training content may again include information about the format in which the training content is available (e.g., HTML, PDF, wmv), the types of devices on which it can be delivered, including possibly parameters such as minimum screen size or requirements for speakers, the language in which it is available, the time it takes to be delivered (e.g., a 1 minute pop-up message versus a 5-minute interactive training module), its effectiveness, etc. 
The meta-data for any content item, lure, training content item, or candidate brand may include information that can be used to constrain the type of content items, lures, training content or candidate brands with which it can be combined. For example, a particular lure may be related to a particular training content item, or to a particular message. For instance, a lure in the form of a phishing email template prompting users to click a link may be related to a training intervention template warning users to use a mouse, touch screen or other user interface of an electronic device to hover over the link (or otherwise highlight the link) and inspect its URL prior to clicking (i.e., actuating the link so that a browser accesses the URL contained in the link). Both templates may refer to a brand parameter, which has to assume the same value when the two templates are used together, so that when a brand is selected, the brand parameter in the lure template and the one in the training intervention template are instantiated with the same selected brand.
The system may include a policy manager 30 made up of one or more servers or other processors that serve as a hub for various elements of the system. The policy manager 30 will contain and implement programming instructions to interface with the administrator and one or more users 20, 22, 24 of various electronic devices. The policy manager may include or implement programming instructions that cause it to select users to whom lures will be sent or who otherwise are to be trained, lures to be used to train users, brands to be included in the lures, training interventions to be sent to users, and brands to be used in these training interventions. Each of these decisions can be fully automated, driven by manual decisions made by the system administrator, or a combination of the two. In a hybrid mode, the policy manager may recommend one or more possible decisions and the system administrator may choose from these options. The policy manager also may include or implement programming instructions that cause it to execute the training campaign, which includes delivering lures to users to be trained, monitoring user response or lack thereof, and delivering follow-up training interventions.
The system described in this document may enable an administrator to trigger, or may allow the system to sense, user activity to determine whether a user of an electronic device is susceptible to engage in behavior that exposes devices or data used or controlled by him or others, or by his organization, to a cybersecurity threat.
The system may then customize the lure or other training action to include branded content 205 that is associated with the selected brand item(s). In some embodiments this may be done by selecting a lure that is pre-populated with branded content. Alternatively, the system may retrieve or may have been given a branded content template and may customize it with the brand name or other content that is associated with selected brand item(s). Other examples of how an administrative user may select, or the system's policy manager may select and implement, branded content will be described below. Fully instantiated training actions such as training actions that have been customized to include selected branded content are eventually presented to one or more selected users 206, whether right away or at some later time, using any means discussed in this document such as email that includes the branded content, an SMS message with the branded content, implementation of a rogue wi-fi access point with the brand name, a mock malicious mobile app with the brand name, and the like.
If the training action was a lure, then based on the user's response (or lack of a response), the policy manager may select and deliver a training intervention to the user. For example, the policy manager may wait for the user to respond to the lure 207 by taking an action in response to the prompt (e.g., downloading a mock malicious mobile app, connecting to a mock malicious WiFi access point, falling for a mock phishing message). If the user does not fall for the lure within a threshold period of time (or some other meaningful set of constraints), then the system may send the administrator, the user, or both a positive cybersecurity communication 213, which is a message indicating that the user appears to have exercised safe cybersecurity practices by not responding to the lure. If the user does fall for the lure by taking the action that the prompt encouraged the user to take, the policy manager will receive a notification 209 of the user's action and will initiate a training intervention 211 for the user. A training intervention can take many different forms, such as an interactive software training module, a training video, training games or other multimedia training content delivered through one or more output devices available to communicate with the user. It may be delivered in one or more installments. Training interventions may be provided as soon as a particular event is sensed (e.g., a just-in-time training intervention) or may be provided for later delivery to a user, such as the assignment of a software training module or a training activity that has to be completed by a certain date. A training intervention may include multiple iterations such as taking an interactive training module until one reaches a certain level of proficiency. Various training interventions are described in the prior art patent applications filed by Sadeh-Koniecpol et al., listed above, and examples are also discussed below.
As noted above, in some embodiments, when a user takes the bait by responding to a lure's prompt 207, the policy manager will be notified of the action 209. This may happen in any number of ways. For example, the prompt in a mock phishing message may direct the user to actuate a hyperlink that, when actuated, causes a browser or other application of the user's electronic device to access a particular URL. A sensor used by the system that serves the content located at that URL may then inform the policy manager that the user fell for the lure and visited the URL. Alternatively, that information may be recorded in a separate system, which the policy manager may check on a regular or semi-regular basis to review and analyze the one or more lures a user has fallen for and decide what training interventions to select for that user, if any. In other words, the policy manager may directly receive information from one or more sensors that detect relevant activities of the user, or may access sensed information recorded in one or more systems. Activity sensors to determine what lures a user may or may not have fallen for may include systems that access social networking sites, blog or microblog feeds, or other public or semi-public communications by the user. They may include sensors hosted at different URLs to determine whether the user visited particular sites or clicked particular links (e.g., a mock malicious mobile app store URL). They may include hardware and/or software that senses whether a user connects to a particular network (e.g., a mock malicious WiFi network), email-based sensors to determine whether a user has responded to a particular email, computer vision sensors to detect whether a user has carried out a particular activity, file-based sensors to determine whether a user has opened a particular file (e.g., an email attachment or a file hosted on a memory device such as a USB drive), and speech recognition sensors to determine how the user responds to a mock malicious phone call (e.g., an automated phone call). Some of the sensing may take place directly on the user's electronic device, while other types of sensing may also involve other electronic devices. For example, a user's electronic device may include a processor and programming instructions that process, analyze and identify actions taken by the user that are indicative of whether the user has fallen for a particular lure. Other sensors may include hardware (e.g., antennas, processors) and software configured to discover available wi-fi networks or nearby short-range or near-field communication-enabled networks or devices and detect which network or device the user attempts to connect to. Someone versed in the art will appreciate that many other types of sensors can be used to determine whether a user falls for different types of lures.
Optionally, a “user action” that triggers recording, notification or intervention may be that the user failed to take an action within a threshold period of time (or within some other meaningful set of constraints such as while being at a given location). For example, instead of a “lure,” the system may send the user a legitimate prompt to change his or her password. If the user fails to change his or her password (or take some other legitimately required action) within the threshold period of time, then the policy manager may be notified or more generally the lack of action may be recorded for future possible analysis by the policy manager, potentially leading to the policy manager eventually selecting an appropriate training intervention for that user.
Just as the system may customize the lure to include branded content, the system also may use a brand item within a training intervention 211 or a positive reinforcing message 213. Methods for doing this will also be described below.
Optionally, when the system detects a response to a lure, it may determine whether the response originated from a known user. A known user is a user for which the system has an entry stored in a data set of known users. Examples of attributes associated with such entries include a username, email address, phone number, assigned electronic device identifier, or the like. If the response did not originate from a known user (e.g., in some embodiments, the system may only be allowed to record information about known users and deliver training interventions to these users), the system may not deliver a training intervention to the user, but instead may optionally deliver a different message, take a different action, or take no action at all.
Returning to
Although the embodiments of
After a training campaign action is selected, the system may present, to the administrator via the administrator interface, the available brand items 607. If the selection 601 was of a category of mock attacks (e.g., mock phishing emails, mock malicious WiFi access point, mock malicious mobile app), then when selecting and presenting the campaign actions the system may use only brands or branded items available for the selected category of mock attacks (e.g., only a subset of brands or branded items may have consent to be used in the context of a fake phishing email). In addition or alternatively, the system may access profile data for the user and use the profile data to identify, from a library of candidate brands, a brand with which the user is likely to interact (e.g., if three different brands are available for use in a mock phishing email, the system may for each user decide which of these three brands is the best match for the user based on user profile data). The system may determine this in any suitable way. For example, the system may analyze the profile data to determine whether the user has actually interacted with a given brand in the past, or the system may use demographic information (e.g., age of the user, gender) as well as other considerations (e.g., role of the user in the organization, hobbies or interests, country where the user lives, language spoken by the user, etc.) to determine whether the user has likely interacted with a brand or is likely to interact with or be interested in a brand. Interaction may be via a purchase of a good or service that is associated with a brand (e.g., being a subscriber of a particular telecom operator) or accessing a website associated with a brand (e.g., banking online at a particular site).
The system may then present the identified brand item to the administrator. The system may receive a selection of one of the available brand items 609 and modify one or more of the retrieved campaign actions to include branded content that corresponds to the selected brand item 611. Optionally, the administrator interface may restrict the administrator from modifying the branded content that will be included within the training action but may permit the administrator to modify other content of the training action. Optionally, the system may also enable an administrator to enter a new brand or brand item for which consent has not yet been secured, optionally triggering a process to obtain consent for use of the brand item from the brand owner, as described above and below.
Optionally, when customizing one of the retrieved training actions with a selected brand item, the system may access a library of content to be used in branded messages, where the content may be associated with a brand type and/or a type of training action. The system or the administrator, or a combination of the two, may then query and select, from the library, branded content having an associated brand type that corresponds to the selected brand and an associated campaign action type that corresponds to the selected action.
Optionally, when receiving a selection of one of the available brand items, the system may access a library of candidate brands, each of which may be associated with one or more brand categories (or more generally brand attributes). The system may select, from the library, one of the candidate brands using one or more of the following criteria: (1) a requirement that the selected brand correspond to a category that is also associated with the user; (2) a requirement that the selected brand have branded content that is compatible with a category of the campaign action; or (3) a requirement that all lures, training interventions, and/or other messages initiated by that particular administrator include content compatible with the selected brand.
The system will then cause the customized training action (such as a lure customized with any selected branded content) to be delivered to the user, whether via the user's electronic device 613 or with the help of any other electronic device available to present the lure to the user. If the training action was a lure and the system receives an indication that the user responded to the lure 615, it may automatically generate a training intervention that corresponds to the lure so that the training intervention. The training intervention also may be appropriately customized with any selected branded content, and the system may cause the training intervention to be presented to the user 617. In some embodiments of this process, the training intervention may already have been generated ahead of time and customized to include any selected branded content, prior to the launch of the training campaign, whereas in other embodiments this part of the process may take place after the system senses that the user has fallen for a lure and/or requires training. If the system does not receive an indicator that the user responded to the lure within a threshold period of time 615, the system may automatically generate a positive reinforcing message that may be customized to include any selected branded content, and it may cause the positive reinforcing message to be presented to the user 619. Other variations of the above embodiments are possible, including different ways of deciding whether to customize training actions such as training interventions and positive cybersecurity communications with selected brands and branded items, when to do so, and how.
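The following Python is an added example, not code from the patent or from any product it describes. It sketches the policy-manager logic described above: filtering a brand library by consent meta-data (covered mock-attack category, expiry, age and opt-in constraints), selecting a brand that matches the user's profile, instantiating a lure template and its related training intervention template with the same brand parameter, and deciding between a training intervention and a positive cybersecurity communication based on whether a response arrived within the threshold period. All brand names, users, templates and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Brand:
    """Candidate brand with the consent meta-data the text describes."""
    name: str
    categories: frozenset         # brand attributes, e.g. "banking", "telecom"
    consented_actions: frozenset  # mock-attack categories the owner consented to
    consent_expires: datetime     # when the owner's consent lapses
    min_age: int = 0              # optional consent constraint on the audience
    requires_opt_in: bool = False # optional consent constraint: explicit user opt-in


@dataclass(frozen=True)
class User:
    email: str
    age: int
    categories: frozenset         # brand categories derived from the user's profile
    opted_in: bool = False


# A lure template and its related training intervention template. Both carry the
# same {brand} parameter and must be instantiated with the same selected brand.
LURE_TEMPLATES = {
    "phishing_email": "[{brand}] Your {brand} account password expires soon. "
                      "Follow the link to renew it.",
}
INTERVENTION_TEMPLATES = {
    "phishing_email": "This was a simulated phishing email from your security team. "
                      "{brand} will never ask for your password by email. Hover over "
                      "a link and inspect its URL before clicking.",
}


def consent_valid(brand, category, now):
    """Consent covers this mock-attack category and has not expired."""
    return category in brand.consented_actions and now < brand.consent_expires


def user_allowed(brand, user):
    """Consent constraints on who may receive the brand: age floor and opt-in."""
    if user.age < brand.min_age:
        return False
    return user.opted_in or not brand.requires_opt_in


def available_brands(brands, user, category, now):
    """Brands the administrator may be shown for this category and this user."""
    return [b for b in brands
            if consent_valid(b, category, now) and user_allowed(b, user)]


def select_brand(brands, user, category, now):
    """Prefer a brand sharing a profile category with the user (criterion (1) in the
    text); fall back to any available brand. Returns None if nothing is usable."""
    avail = available_brands(brands, user, category, now)
    matching = [b for b in avail if b.categories & user.categories]
    pool = matching or avail
    return min(pool, key=lambda b: b.name) if pool else None


def build_training_action(brands, user, category, now):
    """Instantiate the lure and its intervention with one shared brand value."""
    if category not in LURE_TEMPLATES:
        return None
    brand = select_brand(brands, user, category, now)
    if brand is None:
        return None
    return {
        "brand": brand.name,
        "lure": LURE_TEMPLATES[category].format(brand=brand.name),
        "intervention": INTERVENTION_TEMPLATES[category].format(brand=brand.name),
    }


def classify_response(sent_at, responded_at, now, threshold):
    """'intervention' if the user acted on the prompt, 'positive' (positive
    cybersecurity communication) if the threshold passed without a response,
    otherwise 'pending'."""
    if responded_at is not None and responded_at >= sent_at:
        return "intervention"
    if now - sent_at >= threshold:
        return "positive"
    return "pending"


# Constructed sample data (hypothetical brands and users).
NOW = datetime(2024, 6, 1, 9, 0)
BRANDS = [
    Brand("ExampleBank", frozenset({"banking"}), frozenset({"phishing_email"}),
          NOW + timedelta(days=90), min_age=18),
    Brand("ExampleTelco", frozenset({"telecom"}),
          frozenset({"phishing_email", "rogue_wifi"}),
          NOW + timedelta(days=30), requires_opt_in=True),
    Brand("ExpiredBrand", frozenset({"banking"}), frozenset({"phishing_email"}),
          NOW - timedelta(days=1)),
]
ALICE = User("alice@example.test", 34, frozenset({"banking"}))
BOB = User("bob@example.test", 17, frozenset({"telecom"}), opted_in=True)

if __name__ == "__main__":
    print(build_training_action(BRANDS, ALICE, "phishing_email", NOW))
    print(classify_response(NOW, None, NOW + timedelta(days=3), timedelta(days=2)))
```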
Any or all of the steps listed above also may be used to generate a training message with branded content. For example, the system may develop a positive cybersecurity communication or a training intervention with branded content, and the process described above may be used for such development. This may allow the owner of the brand to customize the training message to remind and assure the user that the brand owner would not take actions to compromise security, such as with a message stating “we will never ask for your account number and password in an email.”
Prior to or during the steps described above, the system may automatically manage a library of brands and a library of branded content by sending requests for consent to brand owners 651. The owner may be a corporate or other entity that owns the brand, or it may be a person who is associated with such an entity and who has authority to grant the system permission to use the brand or branded content, or to specify brand items for which consent is granted subject to various optional restrictions already described above. If consent is received from the owner within the threshold period of time 653, then the system may include the brand or branded content in the library and create branded content containing a trademark and/or message content that has been approved by the owner 655. If consent is not received from the owner within a threshold period of time 653, then the system may remove or otherwise omit the brand or branded content from the library 657. The term “omitting” does not necessarily mean that an item is deleted from the library, but at a minimum it means that the omitted brand item is no longer available for use in training actions, either subject to some optional restrictions or in general. This can help ensure that branded content has been pre-approved, and that the brand owner has agreed to the particular use and provided any restrictions that may apply to the use.
A controller 720 interfaces with one or more optional memory devices 725 that serve as data storage facilities for the system bus 700. These memory devices 725 may include, for example, an external DVD drive or CD ROM drive, a hard drive, flash memory, a USB drive or another type of device that serves as a data storage facility. As indicated previously, these various drives and controllers are optional devices. Additionally, the memory devices 725 may be configured to include individual files for storing any software modules or instructions, auxiliary data, incident data, common files for storing groups of contingency tables and/or regression models, or one or more databases for storing the information discussed above.
Program instructions, software or interactive modules for performing any of the functional steps associated with the processes as described above may be stored in the ROM 710 and/or the RAM 715. Optionally, the program instructions may be stored on a tangible computer readable medium such as a compact disk, a digital disk, flash memory, a memory card, a USB drive, an optical disc storage medium, a distributed computer storage platform such as a cloud-based architecture, and/or other recording medium.
A display interface 730 may permit information from the bus 700 to be displayed on the display 735 in audio, visual, graphic or alphanumeric format. Communication with external devices may occur using various communication ports 740. A communication port 740 may be attached to a communications network, such as the Internet, a local area network or a cellular telephone data network.
The hardware may also include an interface 745 which allows for receipt of data from input devices such as a keyboard 750 or other input device 755 such as a remote control, a pointing device, a video input device and/or an audio input device.
While specific embodiments of the invention have been described in detail, it should be appreciated by those skilled in the art that various modifications, alterations and applications could be developed in light of the overall teachings of the disclosure. Accordingly, the particular arrangements, systems, devices, and methods disclosed are meant to be illustrative only and not limiting as to the scope of the invention.
This patent document claims priority to, and is a continuation of, U.S. patent application Ser. No. 14/619,520, filed Feb. 11, 2015, titled “Cybersecurity Training System with Automated Application of Branded Content,” which claims priority to provisional patent application No. 62/031,956, filed Aug. 1, 2014, entitled “Automated Cybersecurity Training System with Branded Training Messages.” The disclosures of the priority applications are fully incorporated into this document by reference.
Number | Name | Date | Kind |
---|---|---|---|
6324647 | Bowman-Amuah | Nov 2001 | B1 |
6634887 | Heffernan, III et al. | Oct 2003 | B1 |
6954858 | Welborn et al. | Oct 2005 | B1 |
7092861 | Shteyn | Aug 2006 | B1 |
7325252 | Bunker, V et al. | Jan 2008 | B2 |
7457823 | Shraim et al. | Nov 2008 | B2 |
7486666 | Meyer | Feb 2009 | B2 |
7761618 | Avraham et al. | Jul 2010 | B2 |
8046374 | Bromwich | Oct 2011 | B1 |
8063765 | Johnson et al. | Nov 2011 | B2 |
8146164 | Eshun et al. | Mar 2012 | B2 |
8205255 | Benea et al. | Jun 2012 | B2 |
8220047 | Soghoian et al. | Jul 2012 | B1 |
8255393 | Yu et al. | Aug 2012 | B1 |
8266320 | Bell et al. | Sep 2012 | B1 |
8321945 | Nakagawa | Nov 2012 | B2 |
8341691 | Bezilla et al. | Dec 2012 | B2 |
8402528 | McCorkendale et al. | Mar 2013 | B1 |
8423483 | Sadeh-Koniecpol et al. | Apr 2013 | B2 |
8457594 | Stevens et al. | Jun 2013 | B2 |
8464346 | Barai et al. | Jun 2013 | B2 |
8468244 | Redlich et al. | Jun 2013 | B2 |
8468279 | Khosravi et al. | Jun 2013 | B2 |
8478860 | Roberts et al. | Jul 2013 | B2 |
8495700 | Shahbazi | Jul 2013 | B2 |
8532970 | White et al. | Sep 2013 | B2 |
8533847 | Kedem | Sep 2013 | B2 |
8560709 | Shokhor et al. | Oct 2013 | B1 |
8560864 | Chang et al. | Oct 2013 | B2 |
8561134 | Bezilla et al. | Oct 2013 | B2 |
8608487 | Huie et al. | Dec 2013 | B2 |
8615807 | Higbee et al. | Dec 2013 | B1 |
8635703 | Belani | Jan 2014 | B1 |
8646028 | McKenzie et al. | Feb 2014 | B2 |
8656095 | Coulter | Feb 2014 | B2 |
8683588 | Esteban et al. | Mar 2014 | B2 |
8707180 | Butler et al. | Apr 2014 | B2 |
8719925 | Berg | May 2014 | B1 |
8719940 | Higbee et al. | May 2014 | B1 |
8751629 | White et al. | Jun 2014 | B2 |
8763126 | Wang et al. | Jun 2014 | B2 |
8769684 | Stolfo et al. | Jul 2014 | B2 |
8776170 | Bezilla et al. | Jul 2014 | B2 |
8782745 | Stevens et al. | Jul 2014 | B2 |
8793795 | Ravid | Jul 2014 | B1 |
8793799 | Fritzson et al. | Jul 2014 | B2 |
8819825 | Keromytis et al. | Aug 2014 | B2 |
8819858 | Mandava | Aug 2014 | B2 |
8910287 | Belani et al. | Dec 2014 | B1 |
8914846 | Bezilla et al. | Dec 2014 | B2 |
8918872 | Kumar et al. | Dec 2014 | B2 |
8931101 | Baluda et al. | Jan 2015 | B2 |
8943554 | Tran et al. | Jan 2015 | B2 |
8955109 | Satish | Feb 2015 | B1 |
8966637 | Belani | Feb 2015 | B2 |
8978151 | Chamberlain | Mar 2015 | B1 |
9009835 | Yoo | Apr 2015 | B2 |
9015789 | Thomas | Apr 2015 | B2 |
9027134 | Foster | May 2015 | B2 |
9031536 | Fitzgerald et al. | May 2015 | B2 |
9053326 | Higbee et al. | Jun 2015 | B2 |
9065826 | Colvin | Jun 2015 | B2 |
9069961 | Khosravi et al. | Jun 2015 | B2 |
9076132 | Golan et al. | Jul 2015 | B2 |
9118665 | Krahn et al. | Aug 2015 | B2 |
9118702 | MaCaulay | Aug 2015 | B2 |
9141792 | Baluda et al. | Sep 2015 | B2 |
9154523 | Bezilla et al. | Oct 2015 | B2 |
9215250 | Porten et al. | Dec 2015 | B2 |
9246936 | Belani | Jan 2016 | B1 |
9253207 | Higbee et al. | Feb 2016 | B2 |
9262629 | Belani et al. | Feb 2016 | B2 |
9280911 | Sadeh-Koniecpol et al. | Mar 2016 | B2 |
9325730 | Higbee et al. | Apr 2016 | B2 |
9330257 | Valencia et al. | May 2016 | B2 |
9356948 | Higbee et al. | May 2016 | B2 |
9367484 | Hogan et al. | Jun 2016 | B2 |
9373267 | Sadeh-Koniecpol et al. | Jun 2016 | B2 |
9392024 | Bezilla et al. | Jul 2016 | B2 |
9398029 | Sadeh-Koniecpol | Jul 2016 | B2 |
9398038 | Higbee et al. | Jul 2016 | B2 |
9426179 | Keene et al. | Aug 2016 | B2 |
9521160 | Ng | Dec 2016 | B2 |
9558677 | Sadeh-Koniecpol | Jan 2017 | B2 |
9667645 | Belani | May 2017 | B1 |
9674212 | Foster | Jun 2017 | B2 |
9674214 | Foster | Jun 2017 | B2 |
20020091940 | Welborn et al. | Jul 2002 | A1 |
20040107345 | Brandt et al. | Jun 2004 | A1 |
20040123153 | Wright et al. | Jun 2004 | A1 |
20050183143 | Anderholm et al. | Aug 2005 | A1 |
20060037076 | Roy | Feb 2006 | A1 |
20060075024 | Zircher et al. | Apr 2006 | A1 |
20060224742 | Shahbazi | Oct 2006 | A1 |
20060253906 | Rubin et al. | Nov 2006 | A1 |
20070112714 | Fairweather | May 2007 | A1 |
20070180525 | Bagnall | Aug 2007 | A1 |
20070226796 | Gilbert et al. | Sep 2007 | A1 |
20070245422 | Hwang et al. | Oct 2007 | A1 |
20070271613 | Joyce | Nov 2007 | A1 |
20080052359 | Golan et al. | Feb 2008 | A1 |
20080070495 | Stricklen et al. | Mar 2008 | A1 |
20080167920 | Schmidt et al. | Jul 2008 | A1 |
20080222734 | Redlich et al. | Sep 2008 | A1 |
20080254419 | Cohen | Oct 2008 | A1 |
20080288330 | Hildebrand et al. | Nov 2008 | A1 |
20090144308 | Huie et al. | Jun 2009 | A1 |
20090158430 | Borders | Jun 2009 | A1 |
20090319906 | White et al. | Dec 2009 | A1 |
20090320137 | White et al. | Dec 2009 | A1 |
20100010968 | Redlich et al. | Jan 2010 | A1 |
20100146615 | Locasto et al. | Jun 2010 | A1 |
20100235918 | Mizrahi et al. | Sep 2010 | A1 |
20110167011 | Paltenghe et al. | Jul 2011 | A1 |
20110238855 | Korsunsky et al. | Sep 2011 | A1 |
20120124671 | Fritzson et al. | May 2012 | A1 |
20130198846 | Chapman | Aug 2013 | A1 |
20130203023 | Sadeh-Koniecpol et al. | Aug 2013 | A1 |
20130232576 | Karnikis et al. | Sep 2013 | A1 |
20140115706 | Silva et al. | Apr 2014 | A1 |
20140157405 | Joll et al. | Jun 2014 | A1 |
20140165207 | Engel et al. | Jun 2014 | A1 |
20140199663 | Sadeh-Koniecpol et al. | Jul 2014 | A1 |
20140199664 | Sadeh-Koniecpol et al. | Jul 2014 | A1 |
20140201836 | Amsler | Jul 2014 | A1 |
20140230060 | Higbee et al. | Aug 2014 | A1 |
20140230061 | Higbee et al. | Aug 2014 | A1 |
20160164898 | Belani et al. | Jun 2016 | A1 |
Entry |
---|
Kumaraguru et al., “Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System”, 2007, In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. |
Kumaraguru et al., “Testing PhishGuru in the Real World”, In Proceedings of the 2008 Symposium on Usable Privacy and Security (SOUPS 2008). |
Kumaraguru, et al., “Lessons From a Real World Evaluation of Anti-Phishing Training”, 2008 Anti-Phishing Working Group e-Crime Researchers Summit. |
Sheng, et al., “Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish”, Symposium on Usable Privacy and Security (SOUPS) 2007, Jul. 18-20, 2007, Pittsburgh, PA, USA. |
Mitrovic, et al., “Evaluation of a Constraint-Based Tutor for a Database Language”, International Journal of Artificial Intelligence in Education (1999), 10, 238-256. |
Anderson et al., “A Development System for Model-Tracing Tutors”, Nov. 18, 2008, Department of Psychology, Paper 78, Carnegie Mellon University Research Showcase. |
Fette et al., “Learning to Detect Phishing Emails”, World Wide Web Conference Committee, May 8-12, 2007, Banff, Alberta, Canada. |
NIST, Risk Management Framework (RMF) Overview, [online], [Retrieved on Aug. 5, 2015], published Apr. 3, 2013, Retrieved from the internet, http://web.archive.org/web/20130304154402/http://csrc.nist.gov/groups/SMA/fisma/framwork.html, entire document, especially p. 1 and p. 2. |
International Search Report and Written Opinion from Application No. PCT/US2015/15860 dated Jun. 16, 2015. |
Jagatic et al., “Social Phishing”, ACM (Dec. 12, 2005). |
The web page http://threatsim.com/how-it-works, as published Jan. 15, 2012. |
“How PhishMe Works”, captured from web.archive.org based on page at www.phishme.com published Dec. 4, 2011. |
Scheeres, Thesis: “Establishing the Human Firewall: Reducing an Individual's Vulnerability to Social Engineering,” presented to Air Force Institute of Technology, Mar. 2008. |
Vishwanath et al., “Why Do People Get Phished? Testing Individual Differences in Phishing Vulnerability with an Integrated, Information Processing Model.” Mar. 3, 2011. |
Ferguson, “Fostering E-Mail Security Awareness: The West Point Carronade,” published in Educause Quarterly Nov. 1, 2005. |
Information about Related Patents and Patent Applications, see section 6 of the accompanying Information Disclosure Statement Letter, which concerns Related Patents and Patent Applications. |
Number | Date | Country |
---|---|---|
20160301716 A1 | Oct 2016 | US |
Number | Date | Country |
---|---|---|
62031956 | Aug 2014 | US |
Relation | Number | Date | Country |
---|---|---|---|
Parent | 14619520 | Feb 2015 | US |
Child | 15185228 | | US |