Article (PDF available)

Abstract and Figures

User education must focus on challenging and correcting the misconceptions that guide current user behavior. To date, user education on phishing has tried to persuade them to check URLs and a number of other indicators, with limited success. The authors evaluate a novel antiphishing tool in a realistic setting—participants had to buy tickets under time pressure and lost money if they bought from bad sites. Although none of the participants bought from sites the tool clearly identified as bad, 40 percent risked money with sites flagged as potentially risky, but offering bargains. When tempted by a good deal, participants didn't focus on the warnings; rather, they looked for signs they thought confirmed a site's trustworthiness.
... Public campaigns and organizational policies have been warning people about it for years. Yet, individuals still receive and fall for them [27,18,3,38]. With the steady growth of global digitization efforts, phishing appears to re- ...
... Previous works suggest that people disproportionately infer e-mail legitimacy from e-mail message content and less so from details in typical user-facing e-mail header information (e.g., subject, sender e-mail address, sender display name, timestamp) [24,57,40,60]. ...
... Many existing efforts to reduce phishing victimization rely on some form of training and are widely implemented in organizations and public campaigns already [5,25,46,47,6,45,52,20,58,27,30,30,29]. If the general public followed common cybersecurity advice, this study should have found higher average phishing detection proportions. ...
... New experiments are being conducted by the authors on new e-mail functionalities in this realm, e.g., showing explainable suspicion scores and changing text colors for suspicious e-mails. Such interventions could provide cost-effective alternatives to anti-phishing training programs that suffer from questionable long-term effectiveness [27,47] or phishing simulations that bear the risk of damaging employee relationships [59]. ...
Conference Paper
Phishing requires humans to fall for impersonated sources. Sender authenticity can often be inferred from e-mail header information commonly displayed by e-mail clients, such as sender and recipient details. People may be biased by convincing e-mail content and overlook these details, and subsequently fall for phishing. This study tests whether people are better at detecting phishing e-mails when they are only presented with user-facing e-mail headers, instead of full emails. Results from a representative sample show that most phishing e-mails were detected by less than 30% of the participants, regardless of which e-mail part was displayed. In fact, phishing detection was worst when only e-mail headers were provided. Thus, people still fall for phishing, because they do not recognize online impersonation tactics. No personal traits, e-mail characteristics, nor URL interactions reliably predicted phishing detection abilities. These findings highlight the need for novel approaches to help users with evaluating e-mail authenticity.
... misconceptions about password managers; Fagan et al. 2017), and uninformed behaviours (e.g. lack of knowledge about phishing; Kirlappos and Sasse 2012). Puhakainen (2006) reported that users fail to behave securely because they perceive high workload, have other more important tasks, and believe that cybersecurity policies slow them down. ...
... As a result, users tend to over-rely on website trust cues (e.g. logos, certificates), whereas security warnings are not perused with sufficient care (Kirlappos and Sasse 2012). Buck et al. (2018) found that time pressure induces negative emotions (e.g. ...
Article
Full-text available
Time pressure, a common phenomenon in everyday workplace environments, is an important driver for non-secure cybersecurity behaviour in organisations. Under time pressure, users are more likely to rely upon fast, affect-driven decision making, increasing their susceptibility to make mistakes and justify non-secure workarounds. This contributes to the role of human error in cybersecurity and counteracts cybersecurity measures (CSMs) designed to protect organisations from threats and vulnerabilities. In this study, we report results from an online survey (N = 207), investigating how users perceive the effectiveness of CSMs for facilitating secure behaviour under time pressure. Understanding how users perceive the effectiveness of CSMs is important to inform the design and implementation of such measures in practice. We find that perceived CSM effectiveness differs greatly across measures. Thereby, users' appreciation of incident severity and the general level of time pressure in their daily lives emerge as important antecedents. We discuss theoretical and practical implications for the design and implementation of CSMs.
... Researchers have suggested further experiential studies on information security awareness programs and education. Thus, awareness training and its effect on end-user performance (termed "risk score" herein) and adherence to protection strategies can prevent cyber-attacks (Ifinedo, 2012; Kirlappos & Sasse, 2012; Purkait, 2012; Wilding, 2016). Thus, awareness achieved via proper education can affect information security. ...
Thesis
Full-text available
Cybersecurity awareness training plays a vital role for organizations in guaranteeing resources' availability. Sufficient education regarding security awareness necessitates relating both the scope and importance of the training. This research determines the correlation between an employee's risk score and the effectiveness of AI-based security awareness training to contend with cyber intimidations, limit and lessen data violations, and include the Unified Theory of Acceptance and Use of Technology. Prior research has revealed that at-risk employees' behavior and implementation of information security awareness training make up successful interventions. This research fills a literature gap by determining the relationships between the employees' risk scores and AI-based security awareness training programs' effectiveness. This study used a quantitative research design. The researcher analyzed survey responses using Pearson's correlation and an independent t-test to determine if there were statistically significant relationships and differences between employees' risk scores and an AI-based security awareness training program's effectiveness. The calculations came from a sample size of 200 participants from two different organizations, and the formula for determining results was G*Power (n = 200). The Pearson product correlation of employees' risk scores and the effectiveness of the security awareness training program was statistically significant (r = .154, p < .05). The researcher also conducted an independent-samples t-test to compare the employees' risk scores by gender. There were no significant differences (t[198] = 1.850, p > 0.05) in scores. Male scores (M = 25.074, SD = 5.9022) are higher than female ones (M = 23.518, SD = 5.9522). The mean difference (1.5563, 95% CI: -0.1026 to 3.2152) was minimal.
The findings herein help interpret the role of information security awareness training in the workplace, promoting behavioral changes that would impede data violations by including the users' vulnerability and the severity of intimidation, and the response to a threat in prognosticating behavior intentions.
... However, mobile device users are often not mandated by any organizational policies and can be victims of IT threats because they become prey. Anti-phishing applications were developed to thwart phishing and provide awareness to users about phishing attacks [29] but are not sufficient to thwart phishing attacks [66], [6] on mobile devices. ...
Preprint
Full-text available
The mobile device is one of the fastest growing technologies and is widely used in a diversifying sector. Mobile devices are used for everyday life, such as personal information exchange (chatting, email, shopping, and mobile banking), contributing to information security threats. Users' behavior can influence information security threats. More research is needed to understand users' threat avoidance behavior and motivation. Using Technology Threat Avoidance Theory (TTAT), this study assessed factors that influenced mobile device users' threat avoidance motivations and behaviors as they relate to phishing attacks. From the data collected from 137 mobile device users using a questionnaire, the findings indicate that (1) mobile device users' perceived susceptibility and severity of phishing attacks have a significant correlation with a user's perception of the threat; (2) mobile device users' motivation to avoid a threat is correlated with a user's behavior in avoiding the threat; and (3) a mobile device user's susceptibility to phishing attacks can be reduced by their perception of the threat. These findings reveal that a user's perception of threat increases if they perceive that the consequence of such a threat to their mobile device will be severe, thereby increasing a user's motivation and behavior to avoid phishing attack threats. This study is beneficial to mobile device users in personal and organizational settings.
Article
Full-text available
Phishing attacks are still seen as a significant threat to cyber security, and large parts of the industry rely on anti-phishing simulations to minimize the risk imposed by such attacks. This study conducted a large-scale anti-phishing training with more than 31000 participants and 144 different simulated phishing attacks to develop a data-driven model to classify how users would perceive a phishing simulation. Furthermore, we analyze the results of our large-scale anti-phishing training and give novel insights into users’ click behavior. Analyzing our anti-phishing training data, we find out that 66% of users do not fall victim to credential-based phishing attacks even after being exposed to twelve weeks of phishing simulations. To further enhance the phishing awareness-training effectiveness, we developed a novel manifold learning-powered machine learning model that can predict how many people would fall for a phishing simulation using the several structural and state-of-the-art NLP features extracted from the emails. In this way, we present a systematic approach for the training implementers to estimate the average "convincing power" of the emails prior to rolling out. Moreover, we revealed the top-most vital factors in the classification. In addition, our model presents significant benefits over traditional rule-based approaches in classifying the difficulty of phishing simulations. Our results clearly show that anti-phishing training should focus on the training of individual users rather than on large user groups. Additionally, we present a promising generic machine learning model for predicting phishing susceptibility.
Article
School systems may pay attention to the fact that individuals and companies using smart devices are increasingly at risk of becoming victims of cybercrime. The literature on how effective students in developed countries such as the Netherlands are taught about cyber security skills during their school career is scarce. Although curriculum materials are available, scaling up computer science education is behind. Therefore, this study explores to what extent Dutch students develop cyber secure behavior at elementary and high school. A questionnaire was used for self-assessment of cyber security behavior. After the questionnaire was completed, two group interviews were conducted to improve the interpretation of the questionnaire results. The study findings revealed that the Dutch school curriculum hardly pays attention to this topic and that students acquire their online behavior mainly through experience, instructions on the internet, through parents, and through siblings. In addition, many students developed more reckless behavior over time. We recommend that cyber security education should start at elementary school as soon as children begin to use online equipment. A subject that deserves special attention is recognizing phishing emails and phishing websites. The learners should be convinced that risky behavior on the internet may turn against them and against the organization to which they belong.
Article
Several previous studies have investigated user susceptibility to phishing attacks. A thorough meta-analysis or systematic review is required to gain a better understanding of these findings and to assess the strength of evidence for phishing susceptibility of a subpopulation, e.g., older users. We aim to determine whether an effect exists; another aim is to determine whether the effect is positive or negative and to obtain a single summary estimate of the effect. OBJECTIVES: We systematically review the results of previous user studies on phishing susceptibility and conduct a meta-analysis. METHOD: We searched four online databases for English studies on phishing. We included all user studies in phishing detection and prevention, whether they proposed new training techniques or analyzed users' vulnerability. FINDINGS: A careful analysis reveals some discrepancies between the findings. More than half of the studies that analyzed the effect of age reported no statistically significant relationship between age and users' performance. Some studies reported older people performed better while some reported the opposite. A similar finding holds for the gender difference. The meta-analysis shows: 1) a significant relationship between participants' age and their susceptibility 2) females are more susceptible than males 3) users training significantly improves their detection ability.
Chapter
IT is being increasingly used in most areas of life. With the IoT, this technology is set to be in a state of continuous evolution in urban and regional settings. The ongoing development of digitalization processes also increases the possibilities of abuse—both at the technical and interpersonal level. Better information security (IS) awareness (ISA) and knowledge about the dangers that accompany digitalization and the corresponding protective measures are important in private and work life. However, ISA is often overlooked. Training the relevant awareness and skills should also be included in urban and regional planning for citizens. This article thus provides a review of the scientific literature of leading academic journals in the area of IS and the transfer of scientific knowledge for practical purposes. The article presents Serious Games as a way to achieve a deeper understanding of how to promote sustainable ISA using creative methods. Furthermore, ideas of how to apply the Fun Theory and its practice to integrate awareness into modern urban and regional planning will be discussed.
Article
Full-text available
The halo effect is a systematic bias in attribute ratings resulting from raters' tendency to rely on global affect rather than carefully discriminating among conceptually distinct and potentially independent brand attributes. Traditionally, researchers have regarded the halo effect as a source of measurement error to be avoided. Discusses how halo measurement can serve as a useful indicator of brand equity. Uses consumer rating data in three categories of commonly purchased household products to demonstrate the approach.
Chapter
Full-text available
In this paper, we investigate how interpersonal cues of expertise affect trust in different media representations. Based on a review of previous research, richer representations could lead either to a positive media bias (P1) or increased sensitivity for cues of expertise (P2). In a laboratory study, we presented 160 participants with two advisors — one represented by text-only; the other represented by one of four alternate formats: video, audio, avatar, or photo+text. Unknown to the participants, one was an expert (i.e. trained) and the other was a non-expert (i.e. untrained). We observed participants’ advice seeking and advice uptake to infer their sensitivity to correct advice in a situation of financial risk. We found that most participants preferred seeking advice from the expert, but we also found a tendency for seeking audio and in particular video advice. Users’ self-reports indicate that they believed that video in particular would give them the most detailed insight into expertise. Data for advice uptake, however, showed that all media representation, including text-only, resulted in good sensitivity to correct advice.
Conference Paper
In this paper, we investigate how interpersonal cues of expertise affect trust in different media representations. Based on a review of previous research, richer representations could lead either to a positive media bias (P1) or increased sensitivity for cues of expertise (P2). In a laboratory study, we presented 160 participants with two advisors: one represented by text-only; the other represented by one of four alternate formats: video, audio, avatar, or photo+text. Unknown to the participants, one was an expert (i.e. trained) and the other was a non-expert (i.e. untrained). We observed participants' advice seeking and advice uptake to infer their sensitivity to correct advice in a situation of financial risk. We found that most participants preferred seeking advice from the expert, but we also found a tendency for seeking audio and in particular video advice. Users' self-reports indicate that they believed that video in particular would give them the most detailed insight into expertise. Data for advice uptake, however, showed that all media representations, including text-only, resulted in good sensitivity to correct advice.
Article
Effective countermeasures depend on first understanding how users naturally fall victim to fraudsters.
Article
The present paper reports the effects of N2 addition and preheating of reactants on a bluff-body stabilized coaxial LPG jet diffusion flame for two cases, namely, (I) preheated air and (II) preheated air and fuel. Experimental results confirm that N2 addition to the fuel stream leads to an enhancement in flame length, which may be attributed to the reduction in flame temperature. The soot free length fraction (SFLF) also increases, which might be caused by the decrease in fuel concentration and flame temperature. The flame length and also the SFLF are observed to be reduced with increasing temperature of reactants and lip thickness of the bluff body. The NOx emission levels for all burner configurations are found to be attenuated with nitrogen addition, which can be attributed to the reduction of the residence time of the gas mixture in the flame. The emission index of NOx (EINOx) also becomes enhanced with increasing lip thickness and reactant temperature due to an increased residence time and thermal effect, respectively.
Article
We evaluate website authentication measures that are designed to protect users from man-in-the-middle, "phishing", and other site forgery attacks. We asked 67 bank customers to conduct common online banking tasks. Each time they logged in, we presented increasingly alarming clues that their connection was insecure. First, we removed HTTPS indicators. Next, we removed the participant's site-authentication image, the customer-selected image that many websites now expect their users to verify before entering their passwords. Finally, we replaced the bank's password-entry page with a warning page. After each clue, we determined whether participants entered their passwords or withheld them. We also investigate how a study's design affects participant behavior: we asked some participants to play a role and others to use their own accounts and passwords. We also presented some participants with security-focused instructions. We confirm prior findings that users ignore HTTPS indicators: no participants withheld their passwords when these indicators were removed. We present the first empirical investigation of site-authentication images, and we find them to be ineffective: even when we removed them, 23 of the 25 (92%) participants who used their own accounts entered their passwords. We also contribute the first empirical evidence that role playing affects participants' security behavior: role-playing participants behaved significantly less securely than those using their own passwords.
Article
It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses. Thus we find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.