Social engineering is an attack technique that takes full advantage of weaknesses in human nature and of the lack of security awareness. More and more cyber threats now tend to exploit social engineering to target end-users' confidential and sensitive data stored in different types of information systems. As a typical social engineering technique, phishing attacks and their variants have grown into the most serious cyber threats today. They have caused huge economic losses to consumers and enterprises, led to negative social consequences, and even threatened national security. Information security awareness education, an important part of an information security management solution, can mitigate the weaknesses in human nature and increase security awareness. This thesis therefore explores a new way to study it, focusing on the types of training material, the methods for collecting and delivering it, and personalized information services.

Firstly, the thesis introduces the principle and workflow of phishing attacks as well as their evolution in new settings such as social networking services and the mobile internet. It analyzes technical countermeasures (e.g. firewalls, antivirus software, and intrusion detection systems) and existing information security awareness education solutions, and concludes that they cannot fully prevent the different types of phishing attacks. Then, users' demands for information security awareness delivery methods are analyzed together with Maslow's hierarchy of needs. On this basis, we built a hierarchy model of security awareness that adapts to the evolution of user requirements. The model helps end-users become aware of the harmful consequences of their reactions to cyber threats through cyber security events, make effective decisions with the corresponding information security knowledge, and enhance their ability to actively protect personal and business confidential information assets with a higher level of security awareness.

We also designed an information security awareness education system based on the above model, named APIPS. The system has four function modules: acquiring and processing information from different sources, user personalization service, RSS service, and system management. We introduce APIPS in three aspects: collecting and producing training material, delivery channels, and providing personalized information services. Training material mainly comes in two document formats, XML and HTML, so we collect them in different ways: a vertical crawler for XML documents, and a focused crawler for HTML documents, which must be converted into XML documents after collection. The delivery channels include not only existing desktop RSS readers but also an Android-based mobile RSS reader that we developed. The mobile reader lets end-users subscribe to and obtain the latest information on phishing attacks anywhere, anytime. Personalized information services are implemented on the basis of FFCA theory.

We carried out an impact evaluation to assess the feasibility of the proposed method and the effectiveness of APIPS. The selected sample materials are closer to reality, and two control groups were set up to clearly demonstrate the effectiveness of the system. The experimental results show that participants in the APIPS group achieved distinctly higher correctness than the other participants, for two reasons. Firstly, APIPS can provide rich and comprehensive training material on phishing attacks in a timely manner, and lets end-users learn about these attacks and their prevention approaches anytime, anywhere via RSS. Secondly, APIPS can meet the needs of end-users at different levels of security awareness through its personalized information services. As a result, participants can quickly enhance their ability to protect themselves and to defend personal and business information assets from a wide variety of threats.
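As an added example, not code from the thesis or from APIPS itself, the following Python script shows an offline, minimal version of the material pipeline the abstract describes: it extracts the title and paragraph text from three constructed HTML training pages (standing in for pages a focused crawler would fetch), produces an RSS 2.0 XML feed from them, and filters the feed items by a user's awareness level. The three awareness levels, the keyword-to-level tagging, and the `example.invalid` URLs are assumptions made for the example; the thesis personalizes with FFCA theory, which this simple keyword filter stands in for but does not implement.

```python
"""Added example (not thesis or APIPS code): collect HTML training pages,
produce RSS 2.0 XML, and filter items by a reader's awareness level."""
from datetime import datetime, timezone
from html.parser import HTMLParser
from xml.etree import ElementTree as ET

# Constructed sample pages standing in for HTML material a focused crawler fetched.
SAMPLE_PAGES = {
    "https://example.invalid/phish/basics": """<html><head>
    <title>Recognising a phishing e-mail</title></head><body>
    <p>Check the sender address and hover over links before clicking.</p>
    </body></html>""",
    "https://example.invalid/phish/mobile": """<html><head>
    <title>Smishing on mobile devices</title></head><body>
    <p>SMS messages with shortened URLs are a common lure; verify via the official app.</p>
    </body></html>""",
    "https://example.invalid/phish/spear": """<html><head>
    <title>Spear phishing against executives</title></head><body>
    <p>Targeted messages reference real projects; confirm requests out of band.</p>
    </body></html>""",
}

# Assumed awareness levels: 1 = beginner, 2 = intermediate, 3 = advanced.
# A keyword maps an item to the minimum level a reader should have reached.
LEVEL_KEYWORDS = {"spear": 3, "smishing": 2, "mobile": 2}


class _PageExtractor(HTMLParser):
    """Pull the <title> and visible <p> text out of one HTML page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.paragraphs = []
        self._in_title = False
        self._in_p = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "p":
            self._in_p = True
            self.paragraphs.append("")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "p":
            self._in_p = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif self._in_p and self.paragraphs:
            self.paragraphs[-1] += data


def extract_item(url, html):
    """Turn one collected HTML page into a feed item (the 'produce XML after collecting' step)."""
    parser = _PageExtractor()
    parser.feed(html)
    return {
        "link": url,
        "title": " ".join(parser.title.split()),
        "description": " ".join(" ".join(parser.paragraphs).split()),
    }


def collect_all(pages=SAMPLE_PAGES):
    """Collect every page into a list of feed items, in page order."""
    return [extract_item(url, html) for url, html in pages.items()]


def item_level(item):
    """Highest level triggered by any keyword in the item; 1 if none match."""
    text = (item["title"] + " " + item["description"]).lower()
    return max([lvl for kw, lvl in LEVEL_KEYWORDS.items() if kw in text], default=1)


def build_feed(items, user_level):
    """Return RSS 2.0 XML holding only items at or below the user's awareness level."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = "Phishing awareness training"
    ET.SubElement(channel, "link").text = "https://example.invalid/phish/"
    ET.SubElement(channel, "description").text = "Training material filtered by awareness level"
    stamp = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S +0000")
    for item in items:
        if item_level(item) > user_level:
            continue  # too advanced for this reader; leave it out of their feed
        entry = ET.SubElement(channel, "item")
        for key in ("title", "link", "description"):
            ET.SubElement(entry, key).text = item[key]
        ET.SubElement(entry, "pubDate").text = stamp
    return ET.tostring(rss, encoding="unicode")


def feed_titles(xml_text):
    """Titles of the items in a feed, as a reader (desktop or mobile) would list them."""
    return [entry.findtext("title") for entry in ET.fromstring(xml_text).iter("item")]


if __name__ == "__main__":
    collected = collect_all()
    for level in (1, 2, 3):
        print(level, feed_titles(build_feed(collected, level)))
```

A beginner subscriber (level 1) receives only the basic item, while an advanced one (level 3) receives all three; in a real deployment the level would come from the user profile rather than a hard-coded keyword table.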