Designing ethical phishing experiments

While fraud has been part of human society for as long as we know, the automated type of fraud that is known as phishing is a relatively recent phenomenon. It is becoming clear to society that phishing is a problem of quite catastrophic dimensions. Phishing is a multifaceted techno-social problem for which there is no known single silver bullet. As a result of these insights, an increasing number of researchers and practitioners are attempting to quantify risks and degrees of vulnerabilities in order to understand where to focus protective measures. When academic researchers plan phishing studies, they are faced with the reality that such studies must not only be conducted in an ethical manner, but they also must be reviewed and approved by their Institutional Review Board (IRB). This article provides an overview of the review process used by IRBs, an outline of the section of the federal regulations, 45 CFR 46, 116(d)(14), that provide the circumstances where aspects of the informed consent process can be waived. Moreover, it contains a discussion of the controversial ethical issues inherent in phishing studies that request a waiver of aspects of the informed consent requirement. Finally, this paper outlines the process of designing and analyzing phishing experiments in an ethical manner, and in accordance with the principles and regulations guiding IRBs