Research Publications
A Security Officer Debate: Are simulated phishing attacks an effective approach to security awareness and training?
Wombat Security Technologies, April 2013.
The Habits of Highly Successful Security Awareness Programs: A Cross-Company Comparison
S. Manke, I. Winkler, Internet Security Advisors Group, October 2012.
The State of Phishing Attacks: Looking past the systems people use, they target the people using the systems.
J. Hong. Communications of the ACM, Vol. 55 No. 1, January 2012, Pages 74-81
Measuring password strength by simulating password-cracking algorithms.
Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Rich Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Julio Lopez. Guess again (and again and again): CyLab Technical Report cmu-cylab-11-008, August 21, 2011.
Of passwords and people: Measuring the effect of password-composition policies.
Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Serge Egelman. In CHI 2011: Conference on Human Factors in Computing Systems, May 2011.
Teaching Johnny Not to Fall for Phish
P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. ACM Transactions on Internet Technology, Vol. V, No. N, September 2009, Pages 1–31.
School of Phish: A Real-World Evaluation of Anti-Phishing Training.
P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M.A. Blair, and T. Pham. SOUPS 2009. [Originally published as CyLab Technical Report CMU-CyLab-09-002, 2009]
Anti-Phishing Landing Page: Turning a 404 into a Teachable Moment for End Users
P. Kumaraguru, L. Cranor, and L. Mather. CEAS 2009.
Lessons from a real world evaluation of anti-phishing training.
P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. In Proceedings of the third eCrime Researchers Summit (eCrime 2008), October 15-16, 2008, Atlanta, GA.
Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish
S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. In Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007.
CANTINA: A content-based approach to detecting phishing web sites
Y. Zhang, J. Hong, and L. Cranor. In Proceedings of the 16th International conference on World Wide Web, Banff, Alberta, Canada, May 8-12, 2007.
Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer
P. Kumaraguru, Y. Rhee, S. Sheng, S. Hasan, A. Acquisti, L. Cranor and J. Hong. In Proceedings of the 2nd Annual eCrime Researchers Summit, October 4-5, 2007, Pittsburgh, PA, p. 70-81.
Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System
P. Kumaraguru, Y. Rhee, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. In CHI 2007: Conference on Human Factors in Computing Systems, San Jose, California, 28 April – May 3, 2007, p. 905-914. [Originally published as CyLab Technical Report CMU-CyLab-06-017, 2006]
Learning to Detect Phishing Emails
I. Fette, N. Sadeh, and A. Tomasic. In Proceedings of the 16th International Conference on World Wide Web, Banff, Alberta, Canada, May 8-12, 2007.