Spamming Spoofing and Phishing E-Mail Security A S

This document summarizes a survey on email security among end users. It discusses common email security threats like spamming, phishing, and spoofing. The document provides background on these threats, including statistics on their increasing prevalence. For example, it notes that spam now comprises 80-85% of all email and that phishing attacks increased from 400 to over 1,750 per day in late 2008. The survey aimed to understand how end users' email behaviors can increase vulnerabilities to these threats.
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/268412871

Spamming, spoofing and phishing E-mail security: A survey among end-users

Article · August 2009

All content following this page was uploaded by P.L.T. Hoonakker on 26 February 2015.



Spamming, spoofing and phishing

E-mail security: A survey among end-users

Peter Hoonakker*, Pascale Carayon* & Nis Bornø#


* Center for Quality and Productivity Improvement, University of Wisconsin-Madison, USA
# IT University, Copenhagen, Denmark

Considering that many organizations today are extremely dependent on information technology, computer
and information security (CIS) has become a critical concern from a business viewpoint (Knapp, Marshall,
Rainer, & Morrow, 2006). Much research has been conducted on CIS in the past years. However, the
attention has been primarily focused on technical problems and solutions. Only recently, the role of human
factors in CIS has been recognized (Kraemer & Carayon, 2007). End-user behavior can increase the
vulnerability of computer and information systems. In this study, we present the results of a large study
among end-users and show how end-users’ e-mail behavior can affect computer vulnerability.

INTRODUCTION

There is very little reliable information about the costs and impact of security breaches to companies and end users. Most of the information is either anecdotal or stems from commercial surveys among companies and end users. For example, results of a recent study among 5000 consumers by Javelin Strategy & Research (Monahan, 2007) revealed that identity fraud (defined as access to personal account information that leads to fraud) affects nearly 5% of consumers, or nearly 10 million people in the USA per year, and on average costs more than $6,000 per victim. The total one-year cost of identity fraud in the United States was more than $55 billion in 2006 (Monahan, 2007). Contrary to belief, most data compromise still takes place through offline channels (91%) and not via the Internet (9%). Lost or stolen wallets, checkbooks or credit cards continue to be the primary source of personal information theft when the victim can identify the source of data compromise (30%). Nevertheless, computer viruses, spyware or hackers account for more than 5% of all identity fraud cases; phishing for 3%; and online transactions for 0.3% (BBBOnline, 2007; Monahan, 2007).

BACKGROUNDS

Evidently, using electronic mail, or e-mail, has many advantages. E-mail is usually a faster alternative to other forms of communication (i.e. letters, phone calls, meetings, etc.) and users can decide when to use and respond to e-mails. The popularity of e-mail is shown by its use: extrapolations by the Radicati Group estimate the number of e-mails sent per day in 2008 to be around 210 billion (Tschabitscher, 2008). Other sources confirm these estimates and show that users are sending more than 180 billion e-mails per day. 180 billion messages per day means that more than 2 million e-mails are sent every second. About 70% of them may be spam and/or contain viruses. The genuine e-mails are sent by around 1.3 billion e-mail users. Results of the Pew Internet & American Life Project Study (Fallows, 2005; Rainie & Fallows, 2004) show that 60% of employees receive 10 or fewer e-mail messages on an average day; 23% receive more than 20 and only 6% more than 50. However, there are also disadvantages of using e-mail, such as receiving Spam e-mail (also known as "unsolicited commercial e-mail"), phishing and spoofing scams.

Spamming is the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages. Spam in e-mail started to become a problem when the Internet was opened up to the general public in the mid-1990s. It grew exponentially over the following years, and today comprises some 80 to 85% of all the e-mail in the world, by conservative estimate (Kanich, et al., 2008). Results of studies by Fallows (Fallows, 2005; Rainie & Fallows, 2004) on the effects of the CAN SPAM Act (a law aimed at controlling non-solicited commercial and pornographic e-mails) in the USA on January 1, 2004, show that the CAN SPAM Act did have some positive effects. Users who say they have ever received porn spam have decreased from 71% in 2004 to 63% in 2005. However, results of the study by Rainie & Fallows also show that 52% of internet users consider spam a big problem; 22% of e-mail users say that spam has reduced their overall use of e-mail; 53% of e-mail users say spam has made them less trusting of e-mail; and 67% of e-mail users say spam has made being online unpleasant or annoying (Rainie & Fallows, 2004).

Apart from being annoying, Spam messages can also contain malware. Malware (malicious software) are programs designed to harm or compromise a computer. Malware includes a wide array of computer code that can wreak havoc to computers, computer networks and even the Internet itself. When end-users open an e-mail attachment they can inadvertently download the malicious computer code on their computer, and it can spread to the computer network or the Internet. Some common forms of malware include:

• Computer viruses - programs that disable the victim's computer, either by corrupting necessary files or hogging the computer's resources
• Worms - programs that spread from one machine to another, rapidly infecting hundreds of computers in a short time
• Trojan horses - programs that claim to do one thing, but actually either damage the computer or open a back door to your system
• Backdoors - methods of circumventing the normal operating-system procedures, allowing a hacker to access information on another computer
• Rootkits - a collection of programs that permits administrator-level control of a computer; not necessarily malware on its own, but hackers use rootkits to control computers and evade detection
• Key loggers - programs that record keystrokes made by a user, allowing hackers to discover passwords and login codes.

Apart from the indiscriminately sent unsolicited bulk messages (Spam) there are more sophisticated ways of getting the users’ information or access to their computer and network. Phishing, or a phishing scam, means that someone or a website tries to get personal information from the end-user, for example by accidentally signing into a website or filling out a form placed on a web site. It is an example of a social engineering technique used to fool users. Gartner Inc. (2006) conducted a study among 5,000 online adults in 2006 on phishing attacks. According to the results of the survey, approximately 109 million U.S. adults have received phishing e-mail attacks in 2006, up from 57 million U.S. adults in 2004. The average loss per victim has grown from $257 to $1,244 per victim in 2006. The average amount of money consumers recovered from phishing attacks in 2005 was 80%, but in 2006, recovery amounts dropped to 54%. Recently, security vendor Cyveillance reported a significant increase in phishing attacks during the last months of 2008. Cyveillance reported that the average number of phishing attacks in the first quarter of 2008 was around 400 per day. In September and October that number rose to over 1,750 with record peaks as high as 13,209 phishing attacks in a single day. Techniques, targeted at special populations, such as spear phishing or context aware phishing, are targeted scams, where the attacker uses knowledge learned about an individual victim in order to fool more victims (Jakobsson & Stamm, 2006). For example, a user’s browser history can be used to determine what websites a user has visited (for example to access his or her bank account) and subsequently an e-mail can be sent to that user, appearing to come from that particular bank, containing the bank’s logo, etc., asking the user for sensitive information.

Spoofing, creating hoax websites that closely mimic real sites in order to extract personal information from web visitors, is an increasingly popular form of online scam (Dinev, 2006; Federal Bureau of Investigation (FBI), 2003; Felten, Balfanz, Dean, & Wallach, 1997). In 2000, Ye et al. (Ye, Yuan, & Smith, 2000) estimated that 30 hoax attack sites were detected each day. According to the Anti-Phishing Work Group (Anti-Phishing Work Group (APWG), 2008), that number has increased to nearly 1000 sites a day in the first quarter of 2008.

Network administrators and end-users can protect computer systems in different ways from spamming, spoofing and phishing attacks. Some of the soft- and hardware protections are described below:

• Anti-virus software is used to detect and if possible to remove malware. Typically, anti-virus software works by maintaining a list of virus signatures which are used for comparison with the content of scanned files. Modern anti-virus software uses a real time scanner to protect a system at all times and is also able to detect possible threats by analyzing for suspicious program behavior. This method can detect some unknown threats.
• Intrusion detection systems (IDS) are soft or hardware solutions used to detect all sorts of attacks, such as intruders and malicious software. This is typically done by monitoring systems and networks with sensors and agents. For example, agents can monitor modifications to system files or analyze network traffic and look for certain patterns previously known as generated by malicious traffic. IDS can detect known and some unknown threats.
• Intrusion prevention systems (IPS) can be considered an extension of the IDS technology. The purpose of an IDS is to detect intruders and make a notification. An IPS takes a step more and tries to prevent an intruder or attack by taking a prevention action instead of only making a notification. Actions are taken in real time and examples of actions are dropping packets from offending systems and blocking ports or IP addresses.

Despite the technological efforts described above to counteract malware, computer and information systems remain vulnerable because the systems need to interact with human beings, who have their own needs and preferences. It is the human-computer interaction that often creates the biggest vulnerabilities. To quote Mitnick and Simon (2002): “A company may have purchased the best security technologies that money can buy, trained their people so well that they lock up all their secrets before going home at night, and hired building guards from the best security firm in the business. The company is still totally vulnerable... the human factor is truly security’s weakest link”. Especially the use of e-mail and working from remote locations make computer systems vulnerable, partly because it is not under control of the organization.

With regard to e-mail, end-users can protect the system by being careful and not opening unknown or suspicious e-mail. However, sometimes that is difficult. The latest viruses can “spoof” the sending e-mail address so that it looks like it is coming from someone other than the computer that infected it. If an e-mail is not from someone the end-user knows, it is usually best to simply delete it without looking at it. If the e-mail appears to be from someone they know, end-users should read the message carefully before opening any attached files. Estimates show that more than a million computer users use Web-based e-mail programs or webmail (Yahoo, Microsoft, AOL, Google, etc.) (Brownlow, 2008). One of the advantages of webmail is that you can access your e-mail, everywhere, anytime. However, webmail creates a security issue for the organization because sensitive data can easily be transferred outside of the organization’s control and stored on third party servers, meaning that the organization will lose track of the data. Often end-users do not use their own computer, but computers in hotels, airports etc., to access their webmail, which can involve risks. Some services keep caches of Web pages accessed on the local system, including those accessed over a secure link. These caches may allow other users of shared computers to view the e-mail messages other users viewed over a Web-based link (Chapple, 2005). Webmail programs often have less strict security settings than “corporate” mail. Passwords used for webmail can often be simple, and are not updated on a regular basis. Further, allowing employees to use webmail also means that corporate content filters are bypassed. If organizations are subject to requirements of the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA) or other regulatory requirements that limit the types of communications their employees have with the outside world, they need to consider the legal impact of the decision to grant access to external Web-based e-mail services. All of the content controls that they place on their "official" e-mail servers may be rendered moot by an employee's ability to access web-mail. Estimates show that around 30 percent of employees are using private e-mail accounts in the office, even though the company’s Internet policy prohibits it (Stone, 2007). Webmail is also vulnerable to malicious actions. Examples are session hijacking (Noiumkar & Chomsiri, 2008), password cracking, cross-site scripting, worms, viruses, and all sorts of scams. Often attached files will never be deleted but remain in the user’s e-mail archive even after employment has been terminated.

Working from remote locations, including using the home computer for work, can also make computer and information systems more vulnerable (Landau, 2005). Many organizations depend on mobility of their employees to work from remote locations such as their home or when on the road (Morgan, 2004). Opening the organization’s network to employees working from remote locations means greater flexibility as well as an increased amount of security risks (Orme, 2004) and identity and access management is a must for organizations of all types and sizes (Witty, Allan, Enck, & Wagner, 2003). When working from a remote location, the exchange of data typically is done through e-mail, USB devices or a direct connection to the corporate network, for example through a Virtual Private Network (VPN) connection (Venkateswaran, 2001). Especially using the home computer to access the organization’s network can increase security risks (Ellison, 2002). The computer at home obviously is not as well protected as the office computer, and is not under the control of the organization. Often other members of the family use the home computer as well, for playing games, downloading files, etc. This creates the possibility of transferring infected files or unauthorized connections into the organization’s network (Dyer, Perez, Sailer, & Van Doorn, 2001). When employees use external storage devices such as USB keys, these can easily be forgotten or misplaced (Gorge, 2005).
Some solutions, mostly technical, exist to eliminate and lower the risks of remote access. Examples are to require all communication with the organization’s network to run through encrypted connections, and limiting access to the data and applications that can be accessed remotely. However, this can cause the user to access restricted data by other means. Providing webmail access to the organization’s e-mail account limits the need to use an external webmail service and eliminates a potential security risk, but the user can still have local copies and caches of sensitive files and it is very difficult if not impossible to control user behavior at home (Newman, 2007). Providing secure equipment, such as laptops, which only are intended for work related tasks and restrict the user from, for example, installing applications, is another possibility. Little is known about end-users’ e-mail behavior and how it can increase vulnerability of computer and information systems. Therefore, in this study we examine end-users’ e-mail behavior and how this behavior can affect computer security vulnerability.

METHODS

Focus Groups

Because relatively little is known about Computer and Information Security (CIS) behavior of end-users, we first conducted focus groups with network administrators and CIS experts (Hoonakker, Carayon, Deb, El Desoki, & Veeramani, 2008). Two rounds of focus group interviews were conducted with the two different groups (CIS experts and network administrators). During the first focus group, participants were asked to describe non-malicious CIS deviations, and elaborate on contributing factors and possible consequences. During the second round of focus groups, we gave feedback on the results of the first focus group and tried to reach a consensus on the most important deviations from the security rules. The focus groups were conducted over the phone, consisted of 5-7 participants and lasted one-and-a-half hours each. The focus groups were audio taped and the tapes were transcribed in anonymized text files. The text files were analyzed using qualitative data analysis software.

Questionnaire Survey

Based on the results of the focus groups, we developed a survey questionnaire to measure end-users’ deviations from the rules and possible contributing factors to these deviations. Analysis of the focus group data showed 10 major areas that are related to CIS deviations: 1) Accessing the computer system and password use; 2) Security settings of the computer; 3) System maintenance and downloading software; 4) Electronic mail; 5) Help with computer problems; 6) Remote access and working from home; 7) Sharing the computer and social networking; 8) CIS training; 9) CIS policy; and 10) beliefs and attitudes towards CIS. In this paper we focus on the results with regard to Electronic mail.

Sample

A representative sample of employees of a large organization was asked to fill out a web-based survey. The organization handles very sensitive private information and has experienced computer security problems in the past. All employees at the organization are requested to participate in a Computer and Information Security training. In total, 836 employees filled out the questionnaire survey (response rate 52%). More than two-thirds of respondents are female (70%). Average age is 50 years. On average, respondents have 18.5 years of computer experience. Three percent of respondents categorize themselves as novice users (just started using computers); 68% as average users (use word processors, spreadsheets, e-mail, surf the Web, etc.); 23% as advanced users (can install software, set up configurations, etc.); and 6% as expert users (can set up operating systems; know some computer programming languages, etc.). Respondents had varying educational backgrounds: high school or GED (9%); some college (14%); 2-year college (13%); 4-year college (37%); Master’s degree (MA, MS: 21%); professional degree (MD, JD: 3%); and doctoral degree (PhD: 3%). On average, respondents have worked more than 14 years for the organization. Ninety-five percent of the respondents are normal end-users; 3% super-users (they do have some administrator rights to change the computer settings); and 2% network administrators.

RESULTS

E-mail behavior

We use the questions in the questionnaire about e-mail behavior and questions about vulnerability, i.e. self-reported occurrences of viruses, spyware, phishing scams and identity theft. In the questionnaire, 5 questions were asked about e-mail behavior. Table 1 summarizes the results.

Table 1: E-mail behavior

| Question | Yes | No | DK | NA |
|---|---|---|---|---|
| Do you sometimes open e-mails if you do not know who the sender is? | 45% | 55% | 0% | 0% |
| Do you sometimes open e-mail attachments if you do not know who the sender is? | 9% | 91% | 0% | 0% |
| Do you use web-based e-mail software such as Yahoo mail, Hotmail, Gmail, etc. at work? | 39% | 59% | 1% | 1% |
| Do you use web-based calendar software such as Google calendar at work? | 7% | 92% | 1% | 0% |
| If you use web-based e-mail or calendar software, do you pay attention to the security settings of the web-based software? | 20% | 22% | 5% | 54% |

Results show that more than half of the respondents open e-mails and nearly 10% open e-mail attachments if they do not know who the sender is. Forty percent of respondents use web-based e-mail software and 7% use web-based calendar software, while only a small percentage of the respondents who use web- and calendar based software pay attention to the security settings of the web-based software.

Vulnerability

In the questionnaire, 4 questions were asked about vulnerability to viruses, spyware and adware, phishing scams and identity theft. The results are summarized in Table 2.

Table 2: Self-reported viruses, spy- and adware, phishing scams and identity theft

| Question | Yes | No | DK | NA |
|---|---|---|---|---|
| Have you ever had a virus on your computer? | 34% | 42% | 24% | 0.1% |
| Spyware and adware are software programs that quietly sit on your computer and can deliver pop-ups or other advertisements to you. Based on this description, do you think you have any spyware or adware on your computer right now? | 16% | 57% | 26% | 0.5% |
| A phishing scam means that someone or a website tries to get personal information from you, for example by accidentally signing into a website or filling out a form placed on web site. Have you, or do you believe you have, ever fallen victim to a phishing scam? | 6% | 81% | 13% | 0.1% |
| Do you think your identity or financial information was stolen online? | 2% | 86% | 11% | 0.9% |

Results show that more than a third of respondents (34%) ever had a virus on their computer, nearly a sixth have spyware or adware on their computer (16%), 6% have, or believe they have, fallen victim to a phishing scam, and 2% think that their identity or financial information was stolen.

E-mail behavior and vulnerability

Table 3 summarizes the relation between e-mail behavior of end users and vulnerability (viruses, spyware, phishing scam, and identity theft).

Table 3: E-mail behavior (yes/no) and vulnerability for viruses, spyware, etc. in percentages

| E-mail behavior | Virus (V): Yes | Virus (V): No | Spyware (S): Yes | Spyware (S): No | Phishing (P): Yes | Phishing (P): No | Identity theft (I): Yes | Identity theft (I): No |
|---|---|---|---|---|---|---|---|---|
| Open e-mails? | 50% | 40% | 26% | 19% | 9% | 6% | 2.6% | 1.7% |
| Open e-mail attachments? | 58% | 43% | 35% | 21% | 20% | 6% | 6.9% | 1.7% |
| Use web-mail software? | 46% | 43% | 26% | 20% | 10% | 6% | 2.9% | 1.6% |
| Use web-based calendar? | 55% | 43% | 30% | 22% | 15% | 7% | 2.7% | 2.1% |
| Pay attention to security settings? | 44% | 39% | 24% | 23% | 9% | 13% | 2.2% | 3.9% |

Percentages in bold are statistically significantly different.

Results of analysis at group level show that respondents who open e-mail, and in particular respondents who open e-mail attachments if they do not know who the sender is, are more vulnerable. They report significantly more viruses and spyware on their computer, and have more often been the victim of a phishing scam and identity theft. Results show that respondents who use web-based software are more vulnerable to phishing scams. However, when analyzing the data at group level, we did not take individual differences such as gender, age, education, years of computer experience, and computer skills into account. Table 4 summarizes the results of logistic regression analysis, with these factors taken into account.

Table 4: Results of logistic regression of personal characteristics and e-mail behavior on increased vulnerability for computer and information security risks, statistically significant odds ratios

| Predictor | Statistically significant odds ratios (table columns: V S P I) |
|---|---|
| Gender (1=Male, 2=Female) | 2.88 |
| Age (1=<25 years, 2=25-34, 3=45-54, 4=≥55 years) | |
| Years of computer experience (0-46 years) | |
| Computer skills (1=Novice user, 2=Average user, 3=Advanced user, 4=Expert user) | |
| Education (1=less than high school, 2=High school/GED, 3=Some college, 4=2 year college degree, 5=4-year college degree, 6=Masters degree, 7=Professional degree, 8=PhD) | |
| Open e-mails (Yes/No) | |
| Open e-mail attachments (Yes/No) | 3.02 8.96 8.10 |
| Use web-based e-mail software? (Yes/No) | |
| Use web-based calendar software? (Yes/No) | |
| Pay attention to the security settings of the web-based software? (Yes/No) | |

Results of logistic regression analysis show that opening an e-mail without knowing who the sender is, significantly increases the vulnerability to malware and hacking. Respondents who open an e-mail if they do not know who the sender is, have a 3 times higher odds to have spyware and adware on their computer; nearly 9 times higher odds to be victim of a phishing scam; and more than 8 times higher odds to have their identity stolen online.

CONCLUSION

Until recently, Computer and Information Security (CIS) was predominantly technology-oriented. Only recently, the role of human factors in CIS has been recognized. Despite all technological hard- and software to make computer and information systems less vulnerable, the interaction of the user with his or her specific needs and the computer system, makes the system vulnerable. End-users often do not realize that their actions, or lack of actions, can endanger computer and information systems. Therefore, end-users should be made more aware of the potential risks of their behavior, for example through training. End-users can greatly reduce the risks by:

- Installing, using and regularly updating anti-virus programs;
- Using the SPAM filters of their e-mail program;
- Not opening e-mails and in particular attachments to e-mails if they do not recognize the sender, and even if they recognize the sender, think twice before opening the attachment;
- When they are not 100% sure that the e-mail attachment is from a trusted source, they should save it to their hard disk, scan the file using anti-virus software, and only then open the file. As an extra precaution they can disconnect their computer from the network;
- Use their organization’s e-mail account instead of web e-mail to access their e-mail, even when working from remote locations through a secure (e.g. VPN) connection
- If the actions above are too complicated, they should ask the network or system administrator, or the help desk to help them perform these actions

With regard to so called cloud computing (using web-based programs, such as web-based e-mail and calendars), end-users can reduce the risk by:

- Not use web-mail, and use their corporate e-mail accounts instead, and preferably connect to their organization’s network through a secure connection
- If they have to use web-mail, make sure that they adjusted the security settings of the web-based programs. For example, end-users do not always realize that if they do not change the security settings of their Google mail, all information will be open for everyone.

To summarize, end-users should be more aware that their e-mail behavior can increase CIS vulnerability and expose their computer and computer network to all kinds of security risks. That does involve sometimes dealing with very user-unfriendly and awkward technology, but it also means using common sense. As pointed out by Reznor (2007):

• No, you have not won the Irish Lotto, the Yahoo Lottery, or any other big cash prize.
• No, there is no actual Nigerian King or Prince trying to send you $10 million.
• No, your bank account details do not need to be reconfirmed immediately.
• No, you do not have an unclaimed inheritance.
• No, you never actually sent that "Returned Mail".
• No, you have not won an iPod Nano.
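
The advice above to open mail only from recognized senders depends on the From line being truthful, which the paper notes malware can spoof. The following added example (not from the paper) shows header consistency checks a mail client or gateway could run before a message is treated as coming from a known sender; the sample messages, domain names and warning labels are constructed, and it assumes the Authentication-Results header was written by the recipient's own mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ADDRESS_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
AUTH_VERDICT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def domain_of(address):
    """Return the lower-cased domain of an address, or '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def related(a, b):
    """Equal domains, or one a subdomain of the other. This is a rough
    alignment test; a production check compares organizational domains."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def sender_warnings(raw_message):
    """Return warning labels (hypothetical names) for a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    if not from_domain:
        return ["from-missing-or-unparseable"]
    warnings = []

    # 1. The display name shows an address at a different domain than the
    #    real From address, so the reader sees a sender that is not the sender.
    shown = ADDRESS_IN_TEXT.search(display_name)
    if shown and not related(shown.group(1).lower(), from_domain):
        warnings.append("display-name-address-mismatch")

    # 2. Envelope sender (Return-Path) and 3. Reply-To point elsewhere.
    #    Mailing lists and bulk senders also do this, so it is a signal only.
    for header, label in (("Return-Path", "return-path-domain-mismatch"),
                          ("Reply-To", "reply-to-domain-mismatch")):
        other = domain_of(parseaddr(msg.get(header, ""))[1])
        if other and not related(other, from_domain):
            warnings.append(label)

    # 4. Verdicts recorded by the receiving server (assumed trustworthy here).
    for value in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_VERDICT.findall(value):
            if result.lower() in ("fail", "softfail"):
                warnings.append(f"{method.lower()}-{result.lower()}")
    return warnings


# Constructed sample messages (all domains use the reserved .example TLD).
SPOOFED = """\
Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=examplebank.example
From: "Example Bank" <security@examplebank.example>
Reply-To: help@account-verify.example
Subject: Please reconfirm your account details

Body omitted.
"""

LOOKALIKE = """\
Return-Path: <notice@mail-update.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail-update.example; dkim=pass header.d=mail-update.example; dmarc=pass header.from=mail-update.example
From: "billing@examplebank.example" <notice@mail-update.example>
Subject: Invoice attached

Body omitted.
"""

GENUINE = """\
Return-Path: <bounces@mail.corp.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail.corp.example; dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example
From: Alice Example <alice@corp.example>
Subject: Meeting notes

Body omitted.
"""

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("LOOKALIKE", LOOKALIKE),
                      ("GENUINE", GENUINE)):
        print(name, sender_warnings(raw))
```

The LOOKALIKE message passes every authentication check yet still shows the reader an address it was not sent from, which is why the display name is checked separately from the authentication verdicts.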

Acknowledgements

This research was made possible with a grant from the National Science Foundation (NSF # EIA-0120092, Pascale Carayon, PI). We would like to thank our respondents and the organization they belong to, for participating in the survey.

References

Anti-Phishing Work Group (APWG) (2008). Phishing Activity Trends Report, Q1/2008, 2008, from http://www.antiphishing.org/
BBBOnline (2007). New Research Shows Identity Fraud Growth Is Contained and Consumers Have More Control Than They Think. Retrieved February 6 2007, from http://www.bbbonline.org/IDtheft/safetyQuiz.asp
Brownlow, M. (2008). Email and webmail statistics. Retrieved Dec 11, 2008, from http://www.email-marketing-reports.com/metrics/email-statistics.htm
Chapple, M. (2005). Top five risks of Web-based e-mail. SearchSecurity.com. Retrieved Dec 11, 2008, from http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1087968_tax305608,00.html
Dinev, T. (2006). Why spoofing is serious Internet fraud. Commun. ACM, 49(10), 77-82.
Dyer, J. G., Perez, R., Sailer, R., & Van Doorn, L. (2001, November). Personal Firewalls and Intrusion Detection Systems. Paper presented at the 2nd Australian Information Warfare and Security Conference (IWAR), Perth, Australia.
Ellison, C. (2002). Home network security. Intel Technology Journal, 6(4), 37-48.
Fallows, D. (2005). CAN-SPAM a year later. Washington D.C.: Pew/Internet.
Federal Bureau of Investigation (FBI) (2003). FBI Says Web "Spoofing" Scams are a Growing Problem. Retrieved Dec 1, 2008, from http://www.fbi.gov/pressrel/pressrel03/spoofing072103.htm
Felten, E., Balfanz, D., Dean, D., & Wallach, D. (1997, Oct 7-10). Web spoofing: An Internet con game. Paper presented at the 20th National Information Systems Security Conference, Baltimore, MD.
Gartner (2006). Number of Phishing E-Mails Sent to U.S. Adults Nearly Doubles in Just Two Years. Retrieved Dec 8, 2008, from http://www.gartner.com/it/page.jsp?id=498245
Hoonakker, P. L. T., Carayon, P., Deb, J., El Desoki, R., & Veeramani, R. (2008). The use of focus groups to examine human factors in computer and information security. In L. I. Sznelwar, F. L. Mascia & U. B. Montedo (Eds.), Human Factors in Organizational Design and Management - IX (pp. 377-382). Santa Monica, CA: IEA Press.
Jakobsson, M., & Stamm, S. (2006). Invasive Browser Sniffing and Countermeasures. Paper presented at the World Wide Web Conference 2006, Edinburgh, Scotland.
Kanich, Kreibich, C., Levchenko, K., Enright, B., Voelker, G. M., Paxson, V., et al. (2008). Spamalytics: an empirical analysis of spam marketing conversion. Paper presented at the Proceedings of the 15th ACM conference on Computer and communications security.
Knapp, K. J., Marshall, T. E., Rainer, R. K., & Morrow, D. W. (2006). The top information security issues facing organizations: What can government do to help? Information Security and Risk Management, 34(4), 51-58.
Kraemer, S., & Carayon, P. (2007). Human errors and violations in computer and information security: The viewpoint of network administrators and security specialists. Applied Ergonomics, 38(2), 143-154.
Landau, S. (2005). Security, wiretapping, and the internet. IEEE Security & Privacy, 3(6), 26-33.
Mitnick, K. D., & Simon, W. L. (2002). The Art of Deception: Controlling the Human Element of Security. New York, NY: John Wiley & Sons.
Monahan, M. T. (2007). 2007 Identity Fraud Survey Report: Identity Fraud Is Dropping, Continued Vigilance Necessary. Pleasanton, CA: Javelin Strategy & Research.
Newman, K. (2007). Home invasion: Securing home access to business networks. Network Security, December 2007(12), 8-10.
Noiumkar, P., & Chomsiri, T. (2008). Top 10 free web-mail security test using session hijacking. Paper presented at the 2008 Third International Conference on Convergence and Hybrid Information Technology, Washington, DC.
Orme, B. (2004). Work anywhere, any time, securely. Infosecurity Today, 1(1), 44-45.
Rainie, L., & Fallows, D. (2004). The impact of CAN-SPAM legislation. Washington D.C.: Pew/Internet.
Reznor, T. (2007). The 25 Most Common Mistakes In Email Security. Digg. Retrieved April 3, 2009, from http://digg.com/d168a2
Stone, B. (2007, January 11). Firms Fret as Office E-Mail Jumps Security Walls. The New York Times, from http://www.nytimes.com/2007/01/11/technology/11email.html?ei=5090&en=b5c526a9fea2200f&ex=1326171600&partner=rssuserland&emc=rss&pagewanted=all
Tschabitscher, H. (2008). How many Email users are there? About.com. Retrieved Dec 2, 2008, from http://email.about.com/od/emailtrivia/f/how_many_email.htm
Venkateswaran, R. (2001). Virtual private networks. Potentials, IEEE, 20(1), 11-15.
Witty, R., Allan, A., Enck, J., & Wagner, R. (2003). Identity and access management defined (No. SPA-21-3430). Stamford, CT: Gartner Research.
Ye, Z., Yuan, Y., & Smith, S. (2000). Web Spoofing Revisited: SSL and Beyond (No. Technical Report TR2002-417). Hanover, NH: Department of Computer Science, Dartmouth College.
