1.
Köhler, D., Pünter, W., Meinel, C.: We have Phishing at Home: Quantitative Study on Email Phishing Susceptibility in Private Contexts. International Conference on Information Security. pp. 246–265. Springer (2024).
Phishing is among the most common attack vectors against organizations, institutions, and individuals. However, previous research on phishing susceptibility has usually primarily been performed in professional or academic contexts, thus rendering the target domain of private persons understudied. We explore this domain by conducting a large-scale study with participants in Germany, attempting to translate findings from previous research in academic or professional contexts to the private context. We sent over 14,000 phishing emails to approximately 4,700 recipients throughout four months. We observed increased susceptibility for younger and older persons and those with lower education degrees. Further, we identify that a previous reaction to phishing emails is the best indicator of future susceptibility. We highlight that various vectors identified in previous research translate to the private context.
2.
Köhler, D., Serth, S., Meinel, C.: Promoting Content Variety in MOOCs: Increasing Learning Outcomes with Podcasts. Frontiers in Education. 9, 1339142 (2024).
Online education has become an integral part of everyday life. As one form of online education, traditional Massive Open Online Courses mostly rely on video-based learning materials. To enhance accessibility and provide more variety of the learning content, we studied how podcasts can be integrated into online courses. Throughout three studies, we investigated the acceptance and impact of podcasts made available to learners on the online education platform openHPI. Throughout the studies we applied different methodologies, such as a Posttest-Only Control Group study, and a Static-Group Comparison. In the initial two studies, we identified that podcasts can serve as reasonable addition to MOOCs, enabling additional learning just as well as videos, and investigated the optimal podcast design for our learners. In one of our six-week courses on cybersecurity with more than 1,500 learners, alongside the third study, we identified that consuming an additional podcast can increase learning outcomes by up to 7.9%. In this manuscript, we discuss the applied methodologies and provide reasoning behind design decisions concerning, e.g., the podcast structure or presentation to be taken as inspiration for other educators.
3.
Köhler, D., Büßemeyer, M., Meinel, C.: POSTER: Cybersecurity Awareness Education: Just as Useful for Technical Users. Applied Cryptography and Network Security Workshops. Springer Nature, Abu Dhabi (2024).
4.
Köhler, D., Meinel, C.: The Right Tool for the Job: Overview, Comparison and Assessment of Methods for Cybersecurity Awareness Education and Verifications. Proceedings of the 10th International Conference on Information Systems Security and Privacy ICISSP - Volume 1 (2024).
Today, cybersecurity attacks are one of the significant threats companies face. Therefore, most companies employ various technical measures and systems, such as firewalls and anti-virus scanners, to enhance their resiliency against attacks. On the other hand, employees, as the weakest link in the chain, are one of the major entry points for cybercriminals. Hence, most companies implement cybersecurity awareness and education programs to sensitize their employees to threats in cyberspace. Obligatory quizzes often rate the success of those education measures and exams employees must take. Those, however, do not accurately depict actual employee behavior, they only test knowledge. Companies often lack efficient and accurate measures to validate the success of cybersecurity awareness measures. In this work, we review previous literature studying measures for education and assessment in the context of cybersecurity. We present a compact overview of 19 education and nine assessment measures, categorizing them for their context, applicability, and effort while summarizing advantages and disadvantages identified by previous research. This summary gives decision-makers and researchers a concise overview of previously studied and unstudied cybersecurity awareness education and assessment methods.
5.
Köhler, D., Pünter, W., Meinel, C.: How Users Investigate Phishing Emails that Lack Traditional Phishing Cues. In: Pöpper, C. and Batina, L. (eds.) Lecture Notes in Computer Science. Springer (2024).
Phishing is still one of the prevalent threats targeting private persons and organizations alike. Current teaching best practices often advocate cue-based investigation methods. In our large-scale mixed-methodology study, we evaluated the phishing performance of 4,729 participants across four phishing emails and surveyed them on their behavior and observed triggers. The sent phishing emails concerned entirely fictitious entities and therefore lacked any technical cues for phishing. We apply the human-in-the-loop model for interaction with phishing content to investigate participant behavior when their learned best practices for detection fail. The primary indicator of enhanced phishing resiliency in our study is awareness of missing context to the supposed entity. Such context is often successfully enhanced by performing web searches, which thereby significantly contribute to decreased phishing susceptibility.
6.
Köhler, D., Pünter, W., Meinel, C.: How Vulnerable is the Average Population? Advocating for Cybersecurity Awareness Education in People’s Private Lives (2023).
Cybersecurity attacks cover countries, institutions, companies, employees, and private persons. Companies can protect against known threat vectors through technical or organizational measures. Organizational measures, such as education of the employees, have shown to yield success in securing companies' perimeters. It is often assumed that knowledge and experiences from a person's professional life impact their private life. As such, (security) awareness should translate between a person's leisure and work life. We performed a phishing study across more than 4,700 participants in Germany. Our study did not observe significant positive correlations between previously participating in cybersecurity programs and phishing susceptibility. Quite contrary, we observed that participants of classroom-based training performed worse than the average population. A more significant effort is required to be put into the education of laypersons for online cybersecurity threats in their private life.
7.
Köhler, D., Pünter, W., Meinel, C.: The “How” Matters: Evaluating different Video Types for Cybersecurity MOOCs. In: Viberg, O., Jivet, I., Muñoz-Merino, P., Perifanou, M., and Papathoma, T. (eds.) Responsive and Sustainable Educational Futures. pp. 149–163. Springer Nature Switzerland (2023).
Teachers and educators are usually required to transfer knowledge to groups of learners simultaneously. However, not all students necessarily learn in the same way. In cybersecurity education, severe differences between understanding and applying knowledge are observed. In our study, we performed Randomized Controlled Trials with more than 1,500 participants to compare different educational videos: a presentation with slides, an interview, and a short animation. We evaluate learning success for the three dimensions of cybersecurity: Perception, Protection, and Behavior and observe that traditional presentations with slides perform best for achieving fundamental understanding (Perception), tested in recall exercises. Animation videos achieve the best learning success in transfer tasks, such as for assessing protective measures. While statistically insignificant, we observe a slight tendency of animation video learners to apply the learned behavior best, while learners of the interview videos performed worst.
8.
Köhler, D., Serth, S., Meinel, C.: On Air: Benefits of weekly Podcasts accompanying Online Courses. Proceedings of the Tenth ACM Conference on Learning @ Scale. (2023).
Podcasts are a widely-used medium for communication and learning. One advantage of them is the possibility to pursue other activities while listening. Contrasting, Massive Open Online Courses (MOOCs) employ video-based teaching methods. Current research, however, challenges the interactivity and variation of teaching content in established MOOCs. This manuscript presents an experiment conducted with a podcast series deployed alongside a MOOC on cybersecurity. In our Static-Group Comparison, we identified a significant increase in learning success in weekly graded exercises (6.3%) and the course's final examination (6.4%) for learners exposing themselves to the podcast. Our first study results are promising in favor of multimedia learning. Hence, we present ideas for additional analysis and briefly outline which aspects of the results should be discussed in more depth.
9.
Koehler, D., Serth, S., Steinbeck, H., Meinel, C.: Integrating Podcasts into MOOCs: Comparing Effects of Audio- and Video-Based Education for Secondary Content. In: Hilliger, I., Muñoz-Merino, P.J., Laet, T.D., Ortega-Arranz, A., and Farrell, T. (eds.) Educating for a New Future: Making Sense of Technology-Enhanced Learning Adoption (EC-TEL 2022). pp. 131–144. Springer, Toulouse, France (2022).
Multimedia learning methods can enrich any online learning scenario. However, traditional Massive Open Online Courses (MOOCs) often put the learner into classroom-like situations without considerably varying presentation formats. By conducting a study and analysis of multimedia elements such as interviews and podcasts, we lay a foundation for future research in the field of multimedia learning. This research studies video-based and audio-based education methods for secondary learning content. We explore both the conscious and subconscious effects of the different formats. In our quantitative assessment of more than 900 learners, we did not observe any significant differences in quiz performance between learners of the two groups. Although our recurring learners are used to video-based learning methods, the audio-based teaching methods were accepted and rated “easy to follow” by more than 80% of our learners. However, we observe that the learners enjoy traditional podcasts with a single presenter the least. Our work adds to the field of multimedia online teaching and shows that enriching courses with audio-based education methods proves beneficial for asynchronous learning offers.
10.
Koehler, D., Serth, S., Meinel, C.: Consuming Security: Evaluating Podcasts to Promote Online Learning Integrated with Everyday Life. Proceedings of the World Engineering Education Forum. IEEE (2021).
Traditional (online) teaching approaches put the student into a video-based, classroom-like situation. When asked to reproduce the content, the student can consciously remember what he learned and answer accordingly. Contrasting, knowledge of IT-security aspects requires sensitization for the topic throughout the daily life of a learner. We learned from interactions with former learners that they sometimes found themselves in situations where they, despite knowing better, still behaved in an undesired way. We thereby conclude that the classroom-based presentation of knowledge in Massive Open Online Courses (MOOCs) is not sufficient for the field of IT-Security Education. Therefore, this work presents an approach to a study to assess and analyze different audio-based methods of conveying knowledge, which can integrate into a learner's everyday life. In the spirit of Open Research, we therefore publish our research questions and chosen methods in order to discuss these within the community. Following, we will study the perception of the proposed education methods by learners and suggest possible improvements for subsequent research.
11.
Koehler, D., Klieme, E., Kreuseler, M., Cheng, F., Meinel, C.: Assessment of Remote Biometric Authentication Systems: Another Take on the Quest to Replace Passwords. Proceedings of 2021 IEEE 5th International Conference on Cryptography, Security and Privacy (CSP 2021). IEEE (2021).