Computing Profession

Security Education Can Really Work (but Only If It’s Done Right)

Carnegie Mellon Associate Professor Jason Hong

One of the privileges of being a professor at a research university is that you get to serve on the dissertation committees of some really amazing students. This past week, I sat on two different committees of students that did outstanding work. 

In this and the next post, I report on their work. Note that I obviously have a conflict of interest here, but the work of these students is worth reporting in a more public forum. Also, both of them are on the job market, looking for academic and industrial research positions.    (-;

Ponnurangam Kumaraguru (PK) discussed his work on educating people so that they do not fall for phishing scams, those fake "please update your account" emails that lead to identity theft. The analogy he used here is that educating people about security is like nailing jello to a wall, because of difficulties in motivating people, because security is a secondary task, and because of potential for increase in false positives.

One key insight behind PK’s work is that we (the good guys) can educate users by sending out simulated phishing attacks. If people fall for the simulated phishing, then it crates a "teachable moment" that makes people more aware that they are vulnerable, and  much better at learning how to protect themselves. The other key insight is that a simple compact format, in this case comic strips, can be used to teach people about security in a fun and effective manner.

PK demonstrated the effectiveness of this simple idea through a series of lab studies as well as field trials at large companies. The most compelling study was actually conducted with over 500 people at my university, Carnegie Mellon, showing that there is a dramatic decrease in people falling for our simulated phish over time, while not having an increase in just deleting any email with links. As a baseline, people who didn’t receive training did not have any real decrease in vulnerability to phish.

My biggest takeaway here for me is that, security education can really work, but only if it’s done right. Most security education consists of having people go to day-long security seminars, which are a bad use of time and money because they don’t really tell people what the risks are and how to protect themselves. PK’s results showed that people were really positive about this kind of training, with 80% of people saying they would recommend that CMU continue this kind of training.

My other takeaway from PK’s talk is that, apparently if you make jello right, you really can nail it to a wall!

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More