Born from Research

Wombat Security Technologies is a company born from research. In 2008 our cofounders Norman Sadeh, Lorrie Cranor, and Jason Hong pioneered the concept of teaching users how to avoid unsafe links with their research papers and subsequent educational game Anti-Phishing Phil. To view our white papers or case studies, visit our White Papers page. The concept of interactive training that improves learning and retention is still active today.

Below is some of the related research from our founders that was the genesis for Wombat Security and today’s security awareness and training offering.

 

Research Papers

 

2016 Beyond the Phish

A Wombat Security Research Report, September 2016.

https://info.wombatsecurity.com/beyondthephish

 

2016 State of the Phish

A Wombat Security Research Report, January 2016.

http://info.wombatsecurity.com/state-of-the-phish

 

The Cost of Phishing & Value of Employee Training

A Ponemon Institute and Wombat Security Research Report, August 2015.

http://info.wombatsecurity.com/cost-of-phishing

 

The Last Mile in IT Security: Changing User Behaviors

An Aberdeen and Wombat Security Research Report, January 2015.

http://info.wombatsecurity.com/changing-end-users-behavior

 

Security Awareness Training: It’s Not Just for Compliance

David Monahan. An ENTERPRISE MANAGEMENT ASSOCIATES® (EMA) Research Report, April 2014.

http://info.wombatsecurity.com/hs-fs/hub/372792/file-1842832356-pdf/EMA_Wombat-SecurityAwarenessTraining_2014-RR_SUMMARY.pdf

 

DEF CON 21 Social Engineering Capture the Flag Contest Results

Social-Engineer.org, November 2013.

http://info.wombatsecurity.com/hs-fs/hub/372792/file-1840242268-pdf/DC21_SECTF_Final_Wombat.pdf

 

Qrishing: The Susceptibility of Smartphone Users to QR Code Phishing Attacks

Timothy Vidas, Emmanuel Owusu, Shuai Wang, Cheng Zeng, Lorrie Cranor. CMU CyLab, November 2012.

https://www.cylab.cmu.edu/files/pdfs/tech_reports/CMUCyLab12022.pdf

 

The State of Phishing Attacks: Looking Past the Systems People Use, They Target the People Using the Systems

J. Hong. Communications of the ACM, Vol. 55 No. 1, January 2012, Pages 74-81.

http://cacm.acm.org/magazines/2012/1/144811-the-state-of-phishing-attacks/fulltext

 

Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms

Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Rich Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Julio Lopez. CyLab Technical Report CMU-CyLab-11-008, August 21, 2011.

https://www.ece.cmu.edu/~lbauer/papers/2012/oakland2012-guessing.pdf

 

Of Passwords and People: Measuring the Effect of Password-Composition Policies

Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Serge Egelman. In CHI 2011: Conference on Human Factors in Computing Systems, May 2011.

http://www.ece.cmu.edu/~lbauer/papers/2011/chi2011-passwords.pdf

 

School of Phish: A Real-World Evaluation of Anti-Phishing Training

P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M.A. Blair, and T. Pham. SOUPS 2009. [Originally published as CyLab Technical Report CMU-CyLab-09-002, 2009].

http://cups.cs.cmu.edu/soups/2009/proceedings/a3-kumaraguru.pdf

 

Teaching Johnny Not to Fall for Phish

P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. ACM Transactions on Internet Technology, Vol. V, No. N, September 2009, Pages 1–31.

http://info.wombatsecurity.com/hs-fs/hub/372792/file-1842962461-pdf/acquisti-ACMTOIT.pdf

 

Anti-Phishing Landing Page: Turning a 404 Into a Teachable Moment for End Users

P. Kumaraguru, L. Cranor, and L. Mather. CEAS 2009.

http://ceas.cc/2009/papers/ceas2009-paper-37.pdf

 

Lessons From a Real-World Evaluation of Anti-Phishing Training

P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. In Proceedings of the third eCrime Researchers Summit (eCrime 2008), October 15-16, 2008, Atlanta, GA.

http://www.cs.cmu.edu/~ponguru/eCrime_APWG_08.pdf

 

Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer

P. Kumaraguru, Y. Rhee, S. Sheng, S. Hasan, A. Acquisti, L. Cranor and J. Hong. In Proceedings of the 2nd Annual eCrime Researchers Summit, October 4-5, 2007, Pittsburgh, PA, p. 70-81.

http://repository.cmu.edu/cgi/viewcontent.cgi?article=1045&context=isr

 

Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish

S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. In Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007.

http://repository.cmu.edu/cgi/viewcontent.cgi?article=1024&context=isr

 

CANTINA: A Content-Based Approach to Detecting Phishing Web Sites

Y. Zhang, J. Hong, and L. Cranor. In Proceedings of the 16th International Conference on World Wide Web, Banff, Alberta, Canada, May 8-12, 2007.

http://www2007.org/papers/paper557.pdf

 

Learning to Detect Phishing Emails

I. Fette, N. Sadeh, and A. Tomasic. In Proceedings of the 16th International Conference on World Wide Web, Banff, Alberta, Canada, May 8-12, 2007.

http://www.cs.cmu.edu/~tomasic/doc/2007/FetteSadehTomasicWWW2007.pdf

 

Protecting People From Phishing: The Design and Evaluation of an Embedded Training Email System

P. Kumaraguru, Y. Rhee, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. In CHI 2007: Conference on Human Factors in Computing Systems, San Jose, California, 28 April – May 3, 2007, p. 905-914. [Originally published as CyLab Technical Report CMU-CyLab-06-017, 2006].

http://repository.cmu.edu/cgi/viewcontent.cgi?article=1062&context=hcii