An Anti-phishing Training System for Security Awareness and Education Considering Prevention of Information Leakage

Abstract

Phishing is one of the dangerous threats to organisations. A sender of a phishing e-mail pretends to be a trusted person or a system in order to steal valuable information including personal identity data and credentials. In order to deal with this problem, many organisations have implemented an anti-phishing training. However, the outsourcing of an anti-phishing training requires a high cost. Additionally, many anti-phishing training systems provided by vendors save sensitive data such as e-mail addresses and names of trainees to public servers for an anti-phishing training. This architecture has a problem that attacking these public servers increases for the risk of information leakage about trainees. Therefore, this paper proposes an anti-phishing training system which does not save sensitive data such as an e-mail address and a name of trainees to public servers, and it is implementable at a low cost. This proposed system saves sensitive data to a trainer's local computer instead of public servers. A sensitive data saved on a trainer's local computer and trainees' access log data on public servers are associated with a pseudonym generated via pseudonymisation technique. Thus, if attackers try to steal trainees' sensitive data via the Internet, it becomes difficult for attackers by deleting sensitive data on a trainer's local computer.