Professor Dr. Melanie Volkamer is the head of the research group “Security * Usability * Society” (SECUSO) at the Karlsruhe Institute of Technology. The Research Group has been part of the Institute for Applied Informatics and Formal Description Languages (AIFB) since 2018. Ms. Volkamer conducts research on various research questions in the context of security and privacy with her group.
The focus of their research is the individual. It explores methods for developing and evaluating user- friendly security and privacy-protecting measures as well as effective awareness, education and training measures.
How long have you been involved in security awareness? What fascinates you about it in particular?
The research group SECUSO (Security-Usability-Society) was established in 2011 by myself at the TU Darmstadt. The initial focus of the research was on the topic of usable security. However, we quickly realized that the usability of security tools is just as important as effective security awareness and that both approaches and measures must go hand in hand. What fascinates me about both research areas is that so many different disciplines are researching the issues.
How significant do you consider the threat posed to companies by phishing emails and other fraudulent messages?
The threat initially exists because the attackers usually send their phishing e-mails to all e-mail addresses available to them. If the e-mail addresses of employees can be accessed via websites and social media, for example, then the phishing e-mails will also reach the company in question. How great the risk of a successful cyber attack is cannot be answered in the same way for all companies in general.
The level of risk depends first of all on the technical protection provided by the e-mail servers; but also on the use of other protective measures (e.g., are the operating systems and the software used up to date and are backups made regularly).
Ultimately, the risk also depends on whether the company has established a functioning question and reporting system within the security context and whether the employees are made aware of the issue of security.
In addition to these general phishing mails, attacks may also be launched via so-called spear phishing attacks, in which the attackers target one specific company and put correspondingly more effort into preparation and execution. These phishing mails are often much more difficult to detect, especially for employees. The probability of becoming the target of such an attack is lower, but the attacker’s probability of success is higher due to the targeted approach.
What developments do you foresee in the area of phishing emails over the last few years?
Phishing mails are increasingly difficult to identify. Consequently, scanning for poor design and incorrect language is no longer sufficient. Both the sender’s email address and the URL behind the link need to be examined. In addition, we repeatedly see that attackers are reacting to current events, such as recently or currently in the context of the pandemic.
What developments do you expect in the area of phishing emails? Particularly in relation to the global pandemic and the work-related consequences (home office, etc.)?
Especially at the beginning of the pandemic, many people worked from private devices in their home offices. This means that there is a lack of technical protection and employees have to make a greater contribution to cyber defense. At the same time, in the home office it is not easy to ask colleagues in the same office for advice and the IT department may not be as accessible. This increases the risk of becoming a victim of a phishing attack.
How can companies make their employees most aware of phishing emails and other fraudulent messages?
From a technical point of view, it is important that protection is maximized (including measures on the e-mail server, updates of operating systems and software are installed, backups are created regularly) and that users are supported in the detection of phishing e-mails by technical measures (e.g. because it is indicated if the e-mail was sent from outside the company or via an extension such as TROEPDO).
In addition, a question and report process should be put in place so that every employee is aware of where to direct questions and the importance of reporting if they do fall for a phishing email.
Once this has been done, it is also clear what the assumptions are regarding the behavior of the employees. These assumptions need to be addressed in the awareness measures, starting with raising awareness of phishing attacks and the fact that adequate protection can only be achieved by working together, and continuing with imparting and training knowledge on how to recognize phishing attacks. We ourselves have also developed and evaluated appropriate measures as part of our research. The focus was on citizens. Accordingly, these measures still need to be adapted to the respective corporate context.
What kind of training is particularly effective?
Our methods were evaluated empirically in different contexts with different user groups. The effectiveness in distinguishing between phishing mails and legitimate mails has been proven in each case. Which of our measures is most effective depends on the context and the user group: We investigated this question in a vocational school. In this case, the interactive lecture performed better, as did the use of a serious game and reading material for self-study. In larger organizations, it is advisable to provide different offerings so that everyone can consume the content in their preferred way. This increases the effectiveness for each and every individual.