Short URL: https://csrc.nist.gov/phishing
Phishing continues to be an escalating cyber threat facing organizations of all types and sizes, including industry, academia, and government.
Our team performs research to understand phishing within an operational (real-world) context by examining user behaviors during phishing awareness training exercises. Our projects provide insights into users' rationale and role in early detection, and how these might be scaffolded with technological solutions. Recent efforts have focused on the NIST Phish Scale, a method for rating the human detection difficulty of phishing emails considering both the characteristics of the email and the user context of the email's recipient.
NIST Phish Scale User Guide - Shaneé Dawkins & Jody Jacobs. NIST Technical Note 2276 (2023).
How to Scale a Phish: An Investigation Into the Use of the NIST Phish Scale (Poster Abstract) - Shaneé Dawkins & Jody Jacobs. Poster session at Symposium on Usable Privacy and Security (SOUPS) (2023).
Scaling the Phish: Advancing the NIST Phish Scale - Fernando Barrientos, Jody Jacobs, & Shaneé Dawkins. Poster session at International Conference on Human-Computer Interaction (HCII) (2021).
Categorizing Human Phishing Difficulty: A Phish Scale - Michelle P. Steves, Kristen K. Greene, & Mary F. Theofanos. Journal of Cybersecurity (2020).
A Phish Scale: Rating Human Phishing Message Detection Difficulty - Michelle P. Steves, Kristen K. Greene, & Mary F. Theofanos. Proceedings of the Workshop on Usable Security (USEC) at the Network and Distributed Systems Security (NDSS) Symposium (2019).
The NIST Phish Scale: A method for rating human phishing detection difficulty - This presentation is intended for phishing awareness training program implementors. It provides a detailed review of Phish Scale components, a structured walk-through of how to apply the Phish Scale, and an overview of the Phish Scale User Guide.
The NIST Phish Scale: Considering user context in phishing awareness programs - This presentation focuses on the importance of considering user context in phishing awareness programs. It provides a high-level overview of the Phish Scale and its methods of application.
Phishing With a Net: The NIST Phish Scale and Cybersecurity Awareness - Shaneé Dawkins & Jody Jacobs. Presented at RSA Conference (April 25, 2023).
Introducing Phish Scale (2020)
Recognizing and Reporting Phishing - Cybersecurity Awareness Month (2023)
Cybersecurity Awareness Month: Fight the Phish (2021)
The Phish Scale: NIST-Developed Method Helps IT Staff See Why Users Click on Fraudulent Emails (2020)
Staff Spotlight: NIST Usable Cybersecurity Featuring Kristen Greene (2020)
Cybercrime Magazine Podcast: The Phish Scale. A new method for training employees (2020)
Not All Victims Are Created Equal: Investigating Differential Phishing Susceptibility - Matthew Canham, Shaneé Dawkins, & Jody Jacobs. HCI International 2024 Conference (HCII2024).
Peering into the Phish Bowl: An Analysis of Real-World Phishing Cues (Poster Abstract) - Lorenzo Neil, Shaneé Dawkins, Jody Jacobs, & Julia Sharp. Poster session at Symposium on Usable Privacy and Security (SOUPS) (2023).
No Phishing Beyond This Point - Kristen Greene, Michelle Steves, & Mary Theofanos. IEEE Computer (2018).
User Context: An Explanatory Variable in Phishing Susceptibility - Kristen K. Greene, Michelle P. Steves, Mary F. Theofanos, & Jennifer Kostick. Proceedings of the Workshop on Usable Security (USEC) at the Network and Distributed Systems Security (NDSS) Symposium (2018).
Exploratory Lens Model of Decision-Making in Potential Phishing Attack Scenario - Franklin Tamborello & Kristen Greene. NISTIR 8194 (2017).
Can You Spot a Phish? - This presentation is intended for general audiences. It gives an introduction to phishing cues and how to find them, and steps users can take to protect themselves from phishing attacks.
ISPAB presentation - User Context: An Explanatory Variable in Phishing Susceptibility - Kristen Greene, Michelle Steves, & Mary Theofanos (June 21, 2018).
You've Been Phished (2018)
Security and Privacy: authentication, behavior, cryptography, general security & privacy, privacy, security programs & operations, usability
Applications: cybersecurity education, cybersecurity workforce, Internet of Things, voting