Understanding and Protecting Against Spear Phishing in Organisations (Advert Reference: RDF19/EE/CIS/NICHOLSON)
Phishing is a highly prevalent form of social engineering in which an attacker attempts to obtain sensitive information by sending fraudulent emails that purport to come from a trustworthy source. Over time, phishing attacks have become both socially and contextually smarter, with the result that phishing continues to be a growing problem for organisations and individuals. In the best-case scenario, phishing results only in lost productivity as users deliberate over the authenticity of an email; in the worst-case scenario, individuals and businesses can suffer serious security, financial and/or reputational loss through stolen credentials or leaked information.
Spear phishing, unlike general phishing, involves calculated intelligence collection and tailored baiting, which makes it considerably more challenging to detect and prevent. In fact, training aimed at educating users about spear phishing has proved rather ineffective. Promising approaches combine reporting, warning and awareness tools, although the feasibility of such interventions relies heavily on the organisation's culture and resources.
This PhD project will focus predominantly on understanding and mitigating spear phishing in organisations. While the majority of academic work concentrates on detecting malicious links and attachments and on preventing employees from clicking or downloading them, this project will concentrate on an emerging and effective phishing method: the collection of seemingly innocuous pieces of information from employees with a view to building a body of knowledge about the organisation and then launching a high-stakes attack.
This PhD project has two aims: (i) to identify the most prevalent and effective techniques used for spear phishing and intelligence gathering in organisations and (ii) to develop tools and processes for supporting organisations and users in protecting against these threats.
Prospective candidates should have programming experience and ideally an interest in understanding the human aspects of security.
The principal supervisor for this project is James Nicholson.
Eligibility and How to Apply: Please note the eligibility requirements:
• Academic excellence of the proposed student, i.e. a 2:1 (or equivalent GPA from non-UK universities; preference for first-class honours); or a Masters (preference for Merit or above); or APEL evidence of substantial practitioner achievement.
• Appropriate IELTS score, if required.
• Applicants cannot apply for this funding if currently engaged in Doctoral study at Northumbria or elsewhere.
For further details of how to apply, entry requirements and the application form, see
Please note: Applications that do not include a research proposal of approximately 1,000 words (not a copy of the advert), or that do not include the advert reference (e.g. RDF19/EE/CIS/NICHOLSON) will not be considered.
Deadline for applications: Friday 25 January 2019
Start Date: 1 October 2019
Northumbria University is an equal opportunities provider and in welcoming applications for studentships from all sectors of the community we strongly encourage applications from women and under-represented groups.
The studentship is available to Students Worldwide, and covers full fees and a full stipend, paid for three years at RCUK rates (for 2018/19, this is £14,777 pa).