Bibliography
Last updated: 2026-05-27
Full reference list for the research project. Publications marked [PDF] have a full summary in the knowledge base.
A. Empirical RCTs: Effectiveness of Simulation and Training
[1] Rozema, A. T., & Davis, J. C. (2025). [PDF]
Anti-Phishing Training (Still) Does Not Work: A Large-Scale Reproduction of Phishing Training Inefficacy Grounded in the NIST Phish Scale.
arXiv:2506.19899
→ publications/with-pdf/rozema-antiphishing-training-inefficacy-2025/
RCT (N=12,511, fintech); no significant training effect (p=0.450); the NIST Phish Scale predicts difficulty. Key empirical baseline for H1 and for the project's starting point.
[2] Ho, G., Mirian, A., Luo, E., Tong, K. et al. (2025).
Understanding the Efficacy of Phishing Training in Practice.
IEEE S&P 2025. DOI: 10.1109/SP61157.2025.00076
→ publications/references/ho-phishing-training-healthcare-2025/
8-month RCT (10 campaigns, 19,500+ healthcare employees); embedded training yields minimal benefits; repetition increases failure rates. Gap: no manipulation of personalization as an independent variable.
[3] Hillman, D., Harel, Y., & Toch, E. (2023).
Evaluating Organizational Phishing Awareness Training on an Enterprise Scale.
Computers & Security (Elsevier). DOI: 10.1016/j.cose.2023.103364 [47 citations]
Enterprise-scale evaluation; personalized phrases statistically increase CTR, which directly supports H1.
[4] Lin, T., Capecci, D. E. et al. (2019).
Susceptibility to Spear-Phishing Emails.
ACM TOCHI. DOI: 10.1145/3336141 [162 citations]
21-day longitudinal simulation (N=158); age differences; follow-up design key for PSE-1.
[5] Williams, E., Hinds, J., & Joinson, A. (2018).
Exploring Susceptibility to Phishing in the Workplace.
International Journal of Human-Computer Studies. DOI: 10.1016/j.ijhcs.2018.06.004 [198 citations]
Simulation with 62,000 employees; authority/urgency cues; most cited workplace simulation study.
[6] Carella, A., Kotsoev, M., & Truta, T. M. (2017).
Impact of Security Awareness Training on Phishing Click-Through Rates.
IEEE Big Data 2017. DOI: 10.1109/bigdata.2017.8258485 [28 citations]
→ publications/references/carella-security-awareness-impact-2017/
Direct measurement of the change in CTR after training; historical baseline.
[7] Sutter, T., Bozkir, A. S., Gehring, B., & Berlich, P. (2022).
Avoiding the Hook: Influential Factors of Phishing Awareness Training on Click-Rates.
IEEE Access. DOI: 10.1109/access.2022.3207272 [31 citations]
Factors influencing click-rate reduction after training; data-driven difficulty modeling.
[8] Kiely, T., McCarthy, P., & Sammon, D. (2026).
Evaluating the Effectiveness of SETA Programmes on Positively Influencing Human Behaviour Towards Phishing Emails.
Journal of Decision Systems. DOI: 10.1080/12460125.2026.2668570
Most recent (2026) evaluation of SETA on behavioral outcomes.
B. Retention and Post-Simulation Feedback
[9] Yin, D., Mullarkey, M. T., de Vreede, G., & Limayem, M. (2025).
Learning by Phishing via Post-Simulation Feedback: From Embedded to Non-Embedded Training.
MIS Quarterly. DOI: 10.25300/misq/2025/19354
Three randomized experiments; embedded vs. non-embedded feedback; 3–6 month follow-up design for PSE-1.
[10] Cohen, O., Bitton, R., Shabtai, A., & Puzis, R. (2024).
ConGISATA: A Framework for Continuous Gamified Information Security Awareness Training and Assessment.
Springer LNCS. DOI: 10.1007/978-3-031-51479-1_22. arXiv:2604.14996
Continuous gamified ISA with improvement over repeated exposures; retention of the learning effect.
[11] Bada, M., Sasse, A. M., & Nurse, J. R. C. (2019). [PDF]
Cyber Security Awareness Campaigns: Why Do They Fail to Change Behaviour?
arXiv:1901.02672
→ publications/with-pdf/bada-security-awareness-fail-2019/
Psychological explanation of why campaigns fail: attitude change, fear appeals, behavior change models.
C. Research Ethics and the IRB Framework
[12] Bernstein, M. S., Levi, M., Magnus, D., Rajala, B., Satz, D., & Waeiss, C. (2021). [PDF]
ESR: Ethics and Society Review of Artificial Intelligence Research.
arXiv:2106.11521
→ publications/with-pdf/bernstein-esr-ethics-ai-research-2021/
IRB vs. ESR for AI research; cybersecurity research goes beyond the traditional scope of the IRB; directly applicable to PSE-3.
[13] Sedenberg, E., & Hoffmann, A. L. (2016).
Recovering the History of Informed Consent for Data Science and Internet Industry Research Ethics.
arXiv:1609.03266
Evolution of informed consent in data-intensive research; foundational for justifying delayed disclosure.
[14] Barchard, K. A., & Williams, J. E. (2008).
Practical Advice for Conducting Ethical Online Experiments and Questionnaires.
Behavior Research Methods. DOI: 10.3758/brm.40.4.1111 [109 citations]
Deception, debriefing, and the right to withdraw in online research; foundational for ethical simulation design.
[15] Lin, Z. (2024). [PDF]
Beyond Principlism: Practical Strategies for Ethical AI Use in Research Practices.
AI & Society (Springer). DOI: 10.1007/s43681-024-00585-5. arXiv:2401.15284
→ publications/with-pdf/lin-beyond-principlism-ethical-ai-2024/
User-centered ethics bridging abstract principles and practice; Triple-Too problem; applicable to designing the review process for security research.
[16] Llamas, J. M., Vranckaert, K., Preuveneers, D., & Joosen, W. (2025).
Balancing Security and Privacy under the GDPR and AI Act.
Open Research Europe. DOI: 10.12688/openreseurope.19347.1
GDPR and AI Act compliance when monitoring users; maps to the regulatory aspect of simulation campaigns (#PSE-3).
D. Human Factors / Psychological Susceptibility
[17] Zhuo, S., Biddle, R., Koh, Y. S., Lottridge, D., & Russello, G. (2022). [PDF]
SoK: Human-Centered Phishing Susceptibility.
arXiv:2202.07905
→ publications/with-pdf/zhuo-sok-phishing-susceptibility-2022/
SoK paper; three-stage Phishing Susceptibility Model (PSM); taxonomy of susceptibility variables. Foundational human-factors framing.
[18] Sarno, D. M., Harris, M. W., & Black, J. (2023).
Which Phish Is Captured in the Net? Understanding Phishing Susceptibility and Individual Differences.
Applied Cognitive Psychology. DOI: 10.1002/acp.4075 [29 citations]
Individual differences (impulsivity, Big-5, age) as predictors of susceptibility.
[19] Kavvadias, A., & Kotsilieris, T. (2025).
Understanding the Role of Demographic and Psychological Factors in Users’ Susceptibility to Phishing Emails: A Review.
Applied Sciences (MDPI). DOI: 10.3390/app15042236
Review of 27 studies: age, personality, behavioral tendencies. Most recent review.
[20] Butavicius, M., Parsons, K., Pattinson, M., & McCormac, A. (2016).
Breaching the Human Firewall: Social Engineering in Phishing and Spear-Phishing Emails.
arXiv:1606.00887
→ publications/references/butavicius-social-engineering-phishing-2016/
Authority, scarcity, and social proof affect click-rate; spear-phishing is the hardest. Background theory.
E. Simulation Platform and Architecture
[21] Alsaqer, A., Almajed, H., Alarfaj, K. A., & Frikha, M. (2025).
Phishing Simulation as a Proactive Defense: A Customizable Platform for Training and Behavioral Analysis.
IJACSA. DOI: 10.14569/ijacsa.2025.01606104
Role-based platform with real-time behavioral tracking; architecture comparable to the proposed LLM-based system.
F. Citation and Cross-Reference Index
| ID | Authors | Year | Citations | Related ideas |
|---|---|---|---|---|
| [1] | Rozema & Davis | 2025 | n/a | PSE-1 (baseline RCT) |
| [2] | Ho et al. | 2025 | n/a | PSE-1 (gap: no personalization) |
| [3] | Hillman et al. | 2023 | ~47 | PSE-1 (personalization → CTR) |
| [4] | Lin et al. | 2019 | ~162 | PSE-1 (longitudinal design) |
| [5] | Williams et al. | 2018 | ~198 | PSE-5 (campaign scale) |
| [6] | Carella et al. | 2017 | ~28 | PSE-1 (historical baseline) |
| [7] | Sutter et al. | 2022 | ~31 | PSE-4 (difficulty modeling) |
| [8] | Kiely et al. | 2026 | n/a | PSE-1 (SETA outcomes) |
| [9] | Yin et al. | 2025 | n/a | PSE-1 (feedback design) |
| [10] | Cohen et al. | 2024 | n/a | PSE-1 (retention design) |
| [11] | Bada et al. | 2019 | n/a | PSE-1 (why training fails) |
| [12] | Bernstein et al. | 2021 | n/a | PSE-3 (IRB vs. ESR) |
| [13] | Sedenberg & Hoffmann | 2016 | n/a | PSE-3 (delayed disclosure) |
| [14] | Barchard & Williams | 2008 | ~109 | PSE-3 (ethical design) |
| [15] | Lin Z. | 2024 | n/a | PSE-3 (AI ethics practical) |
| [16] | Llamas et al. | 2025 | ~10 | PSE-3 (GDPR/AI Act) |
| [17] | Zhuo et al. | 2022 | n/a | PSE-2 (PSM, susceptibility vars) |
| [18] | Sarno et al. | 2023 | ~29 | PSE-5 (individual differences) |
| [19] | Kavvadias & Kotsilieris | 2025 | ~10 | PSE-5 (demographic moderators) |
| [20] | Butavicius et al. | 2016 | n/a | PSE-1 (social engineering cues) |
| [21] | Alsaqer et al. | 2025 | n/a | PSE-1 (simulation platform) |
G. Citation Format (IEEE)
[1] A. T. Rozema and J. C. Davis, "Anti-Phishing Training (Still) Does Not Work,"
arXiv:2506.19899, 2025.
[2] G. Ho et al., "Understanding the Efficacy of Phishing Training in Practice,"
in Proc. IEEE S&P, 2025. DOI: 10.1109/SP61157.2025.00076
[3] D. Hillman, Y. Harel, and E. Toch, "Evaluating Organizational Phishing Awareness Training
on an Enterprise Scale," Computers & Security, 2023. DOI: 10.1016/j.cose.2023.103364
[4] T. Lin et al., "Susceptibility to Spear-Phishing Emails,"
ACM Trans. Comput.-Hum. Interact., 2019. DOI: 10.1145/3336141
[5] E. Williams, J. Hinds, and A. Joinson, "Exploring susceptibility to phishing in the workplace,"
Int. J. Hum.-Comput. Stud., 2018. DOI: 10.1016/j.ijhcs.2018.06.004
[12] M. S. Bernstein et al., "ESR: Ethics and Society Review of Artificial Intelligence Research,"
arXiv:2106.11521, 2021.
[15] Z. Lin, "Beyond Principlism: Practical Strategies for Ethical AI Use in Research Practices,"
AI & Society, 2024. DOI: 10.1007/s43681-024-00585-5
[17] S. Zhuo et al., "SoK: Human-Centered Phishing Susceptibility," arXiv:2202.07905, 2022.