KEEPING UP WITH THE JONESES:
ASSESSING PHISHING SUSCEPTIBILITY IN AN EMAIL TASK
Kyung Wha Hong1, Christopher M. Kelley2, Rucha Tempa2,
Emerson Murphy-Hill1 & Christopher B. Mayhorn2
1Department of Computer Science, 2Department of Psychology,
North Carolina State University, Raleigh, NC
Most prior research on preventing phishing attacks focuses on technology to identify and
prevent the delivery of phishing emails. The current study supports an ongoing effort to
develop a user-profile that predicts when phishing attacks will be successful. We sought
to identify the behavioral, cognitive and perceptual attributes that make some individuals
more vulnerable to phishing attack than others. Fifty-three participants responded to a
number of self-report measures (e.g., dispositional trust) and completed the ‘Bob Jones’
email task that was designed to empirically evaluate phishing susceptibility. Over 92% of
participants were to some extent vulnerable to phishing attacks. Additionally, individual
differences in gender, trust, and personality were associated with phishing vulnerability.
Application and implications for future research are discussed.
INTRODUCTION
Cybersecurity involves a complex interaction
between users and technology. While security
threats might take a variety of forms such as viruses
or worms delivered via nefarious websites or USB
drives, theft using social engineering tactics such as
phishing is becoming increasingly common and
costly. Loss of time and increased stress levels are
the immediate personal costs (Hardee, West, &
Mayhorn, 2006). Long term personal costs are
likely as well, such as decreased trust and usage of
the internet for banking, shopping, and other
conveniences (Dhamija & Tygar, 2005; Kelley,
Hong, Mayhorn, & Murphy-Hill, 2012). In terms of
economic losses, a recent survey (Gartner, 2007)
indicates phishing attacks caused a loss of 3.2
billion dollars based on a sample of 4500 adults
with an average of $866 lost per phishing
occurrence. Moreover, phishing targeted at
administrators can compromise entire systems and
user communities (Schwartz, 2011).
The goal of this research is to develop a user-
profile that predicts when and where phishing
attacks will be successful. Such a user-profile could
be useful to help identify behavioral, cognitive, and
perceptual differences that make some users more
susceptible to phishing than others. For instance,
individual differences in trust and cognitive and
attentional capacity have been identified separately
as contributing to phishing susceptibility. However,
no one has constructed a unified user-profile that
combines individual differences to proactively
identify individual users who are prone to being
successfully phished.
METHOD
Participants
Fifty-three undergraduate students were
recruited to complete an experiment (Table 1).
Participants were tested individually in sessions that
lasted approximately two hours and given extra credit
as compensation.
Materials
The experiment was completed in two stages
such that participants completed an online survey
and then a laboratory session.
Self-report measures. Participants completed a
survey that measured demographic characteristics
such as age, gender, and primary language as well
as previous experiences with phishing, online
purchasing behavior, and general computing
behavior (based on Eveland, Shah, & Kwak, 2003;
Yoshioka, Washizaki, & Maruyama, 2008).
Participants also responded to measures of
dispositional trust (Merritt & Ilgen, 2008),
impulsivity (Neyste & Mayhorn, 2009), and
personality (Gosling, Rentfrow, & Swann, 2003).
Table 1
Participant Characteristics

                              M       SD     Range     Frequencies
Age                           20.20   2.33   18 - 27
Gender
  Male                                                 60%
  Female                                               40%
Race
  Caucasian/Non-hispanic                               80%
Language
  English Primary                                      96%
Major
  Computer Science                                     34%
  Psychology                                           66%
Behavioral measures. To empirically assess
phishing susceptibility, participants completed an
email task where they were asked to access a
Google Mail account for a character named “Bob
Jones” and categorize 14 email messages (Table 2).
Table 2
Email Messages Divided by Category

Email Category     n
Phishing           7
Spam               1
Malware            1
Legitimate         5
Total             14
Figure 1 shows one of the phishing emails we used
as stimuli in this experiment. This email appears to
come from careerbuilder.com, a legitimate website
representing a real company, and it even carries the
company's logo. It also seems to offer the user useful
information. However, the links included in the
email lead to a website that is not related to
careerbuilder's official website. Disguising the
sender or source of an email so that it looks like a
legitimate company is a typical tactic used to create
phishing emails.
Figure 1
Example Phishing Email
Participants were given the following instructions:
When you are going through each email, do
as you normally do. For example, if you
normally read each email carefully do as
you usually do. Or if you usually skim
through each message quickly that’s also
fine, too. After going through an email you
have to make a decision about the email. If
you think email is legitimate and you’d like
to respond (e.g., reply, click on a link,
download a file) to the email, then mark
‘Important’. If you think email is legitimate
but doesn’t need any response and would
like to just archive, leave it as it is. If you
think email is not legitimate, suspicious, or
spam, then ‘Delete’.
Procedure
After providing informed consent and
completion of the self-report measures delivered
online, participants visited the laboratory where a
battery of cognitive tests and the Bob Jones email
task were administered. The cognitive tests included
a measure of working memory capacity (WMC)
(Unsworth, Heitz, Schrock, & Engle, 2005),
crystallized intelligence (Shipley, 1986), spatial
ability (Peters et al., 1995; Vandenberg & Kuse,
1978), and sustained attention (Temple et al., 2000).
Upon completion of the cognitive tests, instructions
for the Bob Jones email task were delivered.
Finally, participants were debriefed and dismissed.
RESULTS
Responses to self-report measures were
captured via an online survey tool, Qualtrics, and
the results of the cognitive tests and the Bob Jones
email task were entered into SPSS for analysis.
Survey Results
Prior phishing experience. Many respondents
indicated that they had previous phishing
experience via email. For instance, 25% reported
glancing at the contents of a phishing email whereas
36% admitted to completely reading a phishing
message. Thirty percent were compelled to ask
someone else whether they thought the email was
authentic whereas 11% reported contacting an
authority (e.g., bank). The most severe phishing
consequences seemed to be relatively rare with 15%
clicking on a link, 8% installing a virus/malware,
and 6% entering personal information. Of those
who entered personal information, name (6%) and
password (6%) comprised the information provided
to phishers. Most frequent consequences of worst
experience included “noticed unusual activity in an
online account” (15%) and “reduced online
activity” (15%). Based on this previous experience,
89% agreed that they were “confident that they can
tell the difference between a legitimate email and
one sent by a scammer.”
Behavioral Results
Bob Jones email task performance. To
ascertain phishing susceptibility, a score that ranged
from 0 (perfect ability) to 100 (no ability) was
calculated for participant’s ability to identify
phishing emails. The data suggested more than 92%
of participants were susceptible to phishing with
only 4 participants (7.5% of the sample)
successfully identifying all of the phishing emails
and approximately 52% misclassifying more than
half of the phishing emails. Since phishing also
impacts the ability of people to identify legitimate
emails, the number of authentic emails that were
incorrectly deleted was assessed. Fifty-four percent
deleted at least one authentic email.
Individual differences correlated with
accuracy. Analysis of the ability to correctly identify
phishing emails revealed that gender, trust, and
personality were correlated with phishing vulnerability. For example,
women were less likely than men to correctly
identify phishing emails, t(51) = -2.15, p < .036.
Dispositional trust, extraversion and openness to
new experience were correlated with deleting
legitimate emails. Specifically, less trusting
individuals, r(52) = -.30, p < .034, introverts, r(53)
= -.29, p < .054, and those less open to new
experiences, r(53) = -.435, p < .002, were more
likely to delete legitimate emails.
Severity of email misclassification. In
addition, because misclassifying some emails could
have more severe consequences than others, five
classes of email severity were created, ranging
from 1 to 5:
Class 1: legitimate email (no danger);
Class 2: spam email or email sent to numerous recipients (no danger, but less useful);
Class 3: phishing email redirecting to an unexpected site (no danger);
Class 4: phishing email with a danger of losing less critical information;
Class 5: phishing email with a danger of losing money or critical information.
Thus, when an email was
misclassified, a severity score was assigned based on
the participant's response (i.e., their classification)
and the consequence of misclassifying that
particular email (Table 3). For example, if a
participant responded with ‘important’ for a
phishing email in email severity class 4, the severity
score for this response was assigned a score of 4.
However, if this participant responded with ‘delete’
for a phishing email in email severity class 5, the
severity score for this response was assigned a score
of 0. A total severity score due to misclassification
was calculated as the sum of severity scores for
each email response and ranged from 0 (no
consequence) to 23 (severe consequence).
Table 3
The Severity Score based on Email Severity Class and
Participants’ responses
Results revealed an average severity score of
14.24. What’s more, only 2% of participants
correctly classified all emails indicating
approximately 98% would have experienced
adverse consequences resulting from email
misclassification.
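The three task measures reported above (the 0 to 100 phishing-susceptibility score, the count of deleted legitimate emails, and the summed severity score) can be reproduced for a simulated inbox. The following is an added example, not the authors' code or data: the inbox, subject names and participants are constructed to match the Table 2 category counts, and every cell of the scoring matrix beyond the two cases the text states (Table 3 is not reproduced on this page) is an assumption noted in the code.

```python
"""Scoring for a 'Bob Jones' style email-classification task (editor's
illustration, not the authors' code or data). The paper gives only two
severity rules: 'Important' on a class-4 phishing email scores 4 and
'Delete' on a class-5 phishing email scores 0. Table 3 is not on the
page, so the remaining cells used here are ASSUMPTIONS: keeping any
non-legitimate email (Important or archived) scores its class, deleting
a legitimate email scores its class (1), correct handling scores 0."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Email:
    subject: str
    category: str        # 'phishing', 'spam', 'malware' or 'legitimate'
    severity_class: int  # 1 (no danger) .. 5 (money or critical information)


# Constructed inbox matching Table 2 counts; subjects are placeholders.
INBOX = [
    Email("job-alert-careerbuilder", "phishing", 3),
    Email("account-verify-bank", "phishing", 5),
    Email("password-reset-webmail", "phishing", 4),
    Email("package-tracking-update", "phishing", 3),
    Email("tax-refund-notice", "phishing", 5),
    Email("social-network-login", "phishing", 4),
    Email("paypal-limited-access", "phishing", 5),
    Email("discount-newsletter", "spam", 2),
    Email("invoice-attachment-exe", "malware", 5),
    Email("professor-office-hours", "legitimate", 1),
    Email("library-book-due", "legitimate", 1),
    Email("friend-weekend-plans", "legitimate", 1),
    Email("registrar-schedule", "legitimate", 1),
    Email("club-meeting-reminder", "legitimate", 1),
]

RESPONSES = ("important", "archive", "delete")  # the task's three choices


def is_correct(email, response):
    """Legitimate mail may be kept (Important or archived); all else must be deleted."""
    if response not in RESPONSES:
        raise ValueError(f"unknown response {response!r}")
    if email.category == "legitimate":
        return response != "delete"
    return response == "delete"


def severity_score(email, response):
    """0 when handled correctly, otherwise the email's severity class (assumed rule)."""
    return 0 if is_correct(email, response) else email.severity_class


def phishing_susceptibility(emails, responses):
    """0 (every phishing email deleted) .. 100 (none deleted), as in the paper."""
    phish = [e for e in emails if e.category == "phishing"]
    missed = sum(1 for e in phish if not is_correct(e, responses[e.subject]))
    return round(100.0 * missed / len(phish), 1)


def legitimate_deleted(emails, responses):
    """Number of authentic emails the participant wrongly deleted."""
    return sum(1 for e in emails
               if e.category == "legitimate" and responses[e.subject] == "delete")


def total_severity(emails, responses):
    """Sum of per-email severity scores for one participant."""
    return sum(severity_score(e, responses[e.subject]) for e in emails)


def cohort_summary(emails, participants):
    """Rates of the kind the paper reports, as fractions of the cohort size."""
    n = len(participants)
    scores = [phishing_susceptibility(emails, r) for r in participants.values()]
    return {
        "caught_all_phishing": sum(1 for s in scores if s == 0.0) / n,
        "missed_over_half": sum(1 for s in scores if s > 50.0) / n,
        "deleted_a_legitimate": sum(1 for r in participants.values()
                                    if legitimate_deleted(emails, r) > 0) / n,
        "mean_severity": round(sum(total_severity(emails, r)
                                   for r in participants.values()) / n, 2),
    }


def _respond(overrides):
    """Start from an ideal participant (bad mail deleted, good mail archived), then override."""
    base = {e.subject: "archive" if e.category == "legitimate" else "delete" for e in INBOX}
    unknown = set(overrides) - set(base)
    assert not unknown, f"unknown subjects: {unknown}"
    return {**base, **overrides}


# Three constructed participants: A is ideal; B and C keep some bad mail and delete good mail.
PARTICIPANTS = {
    "A": _respond({}),
    "B": _respond({"password-reset-webmail": "important", "tax-refund-notice": "important",
                   "package-tracking-update": "archive", "invoice-attachment-exe": "important",
                   "library-book-due": "delete"}),
    "C": _respond({"account-verify-bank": "important", "password-reset-webmail": "important",
                   "paypal-limited-access": "important", "job-alert-careerbuilder": "archive",
                   "social-network-login": "archive", "discount-newsletter": "archive",
                   "friend-weekend-plans": "delete", "club-meeting-reminder": "delete"}),
}
```

Because Table 3 is missing from the page, the maximum severity total here does not reproduce the paper's 23; only the per-measure mechanics are illustrated.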
DISCUSSION
While the topic of phishing and social
engineering is not new, the current focus on the
human side of the HCI equation promises to expand
our knowledge in this area. The preliminary results
of the current study illustrate a number of findings.
First, results suggest a disconnect between
participants’ self-reported data and the empirical
data collected from the Bob Jones email task.
Specifically, approximately 92% of participants
misclassified phishing emails even though 89%
indicated they were confident of their ability to
identify phishing emails. These results suggest a
majority of participants were not only susceptible to
phishing attacks, but overconfident in their ability to
protect themselves from such attacks. Second, only
2% of the participants suffered no adverse
consequences due to misclassification of emails
during the task. Third, individual differences such
as gender, dispositional trust, and personality appear
to be associated with the ability to correctly
categorize emails as either legitimate or phishing.
Limitations
While these results are interesting, they should
be interpreted with caution given several potential
methodological and analytical limitations. For
instance, reliance on self-report of prior behavior
may be subject to memory biases. Likewise, the
behavioral measure (Bob Jones email task) could be
described as artificial because participants were
asked to role play; however, this methodology has
been validated with prior research (Sheng et al.,
2010). Moreover, analysis of the consequences of
participants’ email misclassification severity was
based on a preliminary coding scheme developed by
an individual rater. Current efforts are underway to
provide inter-rater reliability for this measure and
additional measures used in the Bob Jones email
task. The sample recruited for the current study
consisted of college students. However, efforts are
currently underway to recruit a more diverse set of
participants (i.e., a non-student sample of working
professionals). Recently, we collected data from
volunteers employed at a government agency.
Future analyses will compare the students and non-
students to determine whether there are similarities
that are common to the two groups and more
importantly, how they vary in terms of phishing
susceptibility.
Future Research and Application
These results contribute to an ongoing effort to
develop a user profile that identifies those most at
risk of being phished. One implication might be the
ability to recommend a tailored anti-phishing
training tool to a user who is determined to be
vulnerable to phishing attack. Moreover, our efforts
to investigate individual differences in phishing
susceptibility are exemplified in a recent paper that
describes how people from different cultures
conceptualize phishing (Tembe, Hong, Murphy-
Hill, Mayhorn, & Kelley, 2013).
Further research will focus on refining this
profiling procedure and using it to inform the design
of a usable and effective tool to help users combat
phishing attacks. Our plan is to develop a training
tool that includes training contents reflecting the
results from this study in addition to conventional
training tools’ contents (e.g., disguised email
source, poor grammar, urgency cues, etc.).
Moreover, we will analyze how our anti-phishing
tool contributes to protecting users from the severe
consequences of phishing attacks compared to other
tools that are currently on the market.
ACKNOWLEDGEMENTS
This research was supported by a National
Security Agency Grant to the fourth and fifth
authors.
REFERENCES
Dhamija, R., & Tygar, J. D. (2005). The battle against
phishing: Dynamic security skins. Paper presented at the
ACM International Conference Proceeding Series.
Eveland, W. P., Shah, D. V., & Kwak, N. (2003). Assessing
causality in the cognitive mediation model: A panel study
of motivations, information processing, and learning
during campaign 2000. Communication Research, 30(4),
359-386. doi: 10.1177/0093650203253369
Gartner. (2007). Gartner survey shows phishing attacks
escalated in 2007; more than $3 billion lost to these
attacks. Retrieved from
http://www.gartner.com/newsroom/id/565125
Gosling, S. D., Rentfrow, P. J., & Swann, W. B. (2003). A
very brief measure of the big-five personality domains.
Journal of Research in Personality, 37(6), 504-528.
Hardee, J. B., West, R., & Mayhorn, C. B. (2006). To
download or not to download: An examination of
computer security decision making. interactions, 13(3),
32-37.
Kelley, C. M., Hong, K. W., Mayhorn, C. B., & Murphy-Hill,
E. (2012). Something smells phishy: Exploring
definitions, consequences, and reactions to phishing.
Proceedings of the Human Factors and Ergonomics
Society Annual Meeting, 56(1), 2108-2112. doi:
10.1177/1071181312561447
Merritt, S. M., & Ilgen, D. R. (2008). Not all trust is created
equal: Dispositional and history-based trust in human-
automation interactions. Human Factors: The Journal of
the Human Factors and Ergonomics Society, 50(2), 194-
210.
Neyste, P. G., & Mayhorn, C. B. (2009). Perceptions of
cybersecurity: An exploratory analysis. Proceedings of
the 17th World Congress of the International Ergonomics
Association. Beijing, China.
Peters, M., Laeng, B., Latham, K., Jackson, M., Zaiyouna, R.,
& Richardson, C. (1995). A redrawn Vandenberg and Kuse
Mental Rotations Test: Different versions and factors that
affect performance. Brain and Cognition, 28(1), 39-58.
Schwartz, M. J. (2011). Spear phishing attacks on the rise,
InformationWeek. Retrieved from
http://www.informationweek.com/security/attacks/spear-phishing-attacks-on-the-rise/230500025
Sheng, S., Holbrook, M., Kumaraguru, P., Cranor, L. F., &
Downs, J. (2010). Who falls for phish?: A demographic
analysis of phishing susceptibility and effectiveness of
interventions. Proceedings of the 28th International
Conference on Human Factors in Computing Systems.
Atlanta, Georgia, USA.
Shipley, W. C. (1986). Shipley institute of living scale. Los
Angeles, CA: Western Psychological Services.
Tembe, R., Hong, K. W., Murphy-Hill, E., Mayhorn, C. B., &
Kelley, C. M. (2013). American and Indian
Conceptualizations of Phishing. Proceedings of the 3rd
Workshop on Socio-Technical Aspects in Security and
Trust.
Temple, J. G., Warm, J. S., Dember, W. N., Jones, K. S.,
LaGrange, C. M., & Matthews, G. (2000). The effects of
signal salience and caffeine on performance, workload,
and stress in an abbreviated vigilance task. Human
Factors: The Journal of the Human Factors and
Ergonomics Society, 42(2), 183-194. doi:
10.1518/001872000779656480
Unsworth, N., Heitz, R. P., Schrock, J. C., & Engle, R. W.
(2005). An automated version of the operation span task.
Behavior Research Methods, 37(3), 498-505.
Vandenberg, S. G., & Kuse, A. R. (1978). Mental rotations, a
group test of three-dimensional spatial visualization.
Perceptual and Motor Skills, 47(2), 599-604. doi:
10.2466/pms.1978.47.2.599
Yoshioka, N., Washizaki, H., & Maruyama, K. (2008). A
survey on security patterns. Progress in Informatics, 5(5),
35-47.
... Concerning the relationship between gender and phishing susceptibility, while some studies have shown a relationship between them (Sheng et al., 2010;Hong et al., 2013;Abroshan et al., 2021), others indicate that this relationship is non-existent (Canfield et al., 2016;Sarno et al., 2017;Gopavaram et al., 2017). ...
... Specifically, authors such as Sheng and colleagues (2010), Hong and colleagues, (2013), and Abroshan and colleagues (2021) observed that women were more susceptible to phishing than men, failing more in identifying phishing emails (Sheng et al., 2010;Hong et al., 2013). One possible explanation is that women have less motivation or fewer opportunities to learn about phishing attacks (Sheng et al., 2010). ...
... Interestingly, former cyber-victimization experiences and previous phishing victimization did not predictor phishing susceptibility in this study. This finding contrast with the study by Hong et al. (2013) where they argued that previous cyber-victimization experience did not decrease phishing susceptibility. Furthermore, it is contrary to studies that mention that individuals with previous cyber-victimization experiences tend to adopt more cautious behaviors and, therefore, are less susceptible to phishing Chen et al., 2020;Hassandoust et al., 2020). ...
Article
Full-text available
Phishing is a cybercrime in active growth that victimizes a large number of individuals and organizations. To explore which individual and contextual factors predict phishing susceptibility, an online survey was developed, and participants were invited to participate through institutional email from the University of Porto and social networks. The total sample was constituted of 449 individuals. Results showed that subjects that perceive to have phishing detection self-efficacy and those that have greater use of services in Internet routine activities were more susceptible to phishing. Technology competencies and other individual variables do not predict phishing susceptibility in our sample. Furthermore, the majority of factors (individual and contextual) tested do not predict phishing susceptibility. So, more studies are needed to understand which factors influence this susceptibility, and regarding that how individuals can protect themselves. Finally, potential applications of this research include replication in other countries/contexts, and/or the application of the survey together with other innovative tools.
... Hong et al. explored the behavioural, cognitive, and perceptual attributes that make individuals more vulnerable to phishing. Of 53 respondents, over 92% were somewhat defenceless towards phishing [22]. In this experiment, it was revealed that females were less likely to uncover phishing e-mails. ...
Article
Full-text available
According to the European Union Agency for Cybersecurity’s (ENISA) Threat Landscape (ETL) report 2020, phishing is the most commonly used type of cyberattack. Phishing is the technique of delivering false communications that appear to be from a real and respectable source, typically via e-mail or text message. The attacker aims to steal money, obtain access to sensitive data, and login information, or install malware on the victim’s device. Data from the same report shows that during the COVID-19 pandemic, phishing attacks increased by 667% in one month. Simultaneously, warnings about expected waves of phishing e-mails at Masaryk University in Czechia were encountered more often. However, at the time this article was written, there was de facto no anti-phishing research dealing with the problem of phishing attacks on Czech universities. The present article focuses on unintentional human error on the side of students of Masaryk University. The main aim of this article is to uncover the profile of the user who is most prone to victimisation of phishing in the university setting. These results were achieved by performing two real-life phishing simulations. Data suggests that female students are more prone to crash for targeted e-mails. At the same time, all students are more susceptible to spear-phishing attacks than to the generic ones. Findings are explained by analysing the empirical results of the two real-life phishing attacks conducted.
... Dispositional trust was also controlled since past studies have revealed that it could affect how users process information with malicious intent (Hong et al., 2013). It was measured with three items adopted from Wright and Marett (2010) such as "I usually trust people until they give me a reason not to trust them" and "I generally give people the benefit of the doubt when I first meet them" to control for their pre-existing tendency of trusting others (M = 5.09, SD = 1.13, α = .71). ...
Article
Do people process information differently on mobile phones compared to computers? We investigate this question by conducting two online field experiments. We randomly assigned participants to use their mobile phones or personal computers (PCs) to process different kinds of information. Study 1 ( N = 116) discovered that participants using mobile phones process emails more efficiently (i.e., spend less time) than those using PCs. Study 2 ( N = 241) extended this to online deceptive content and found that individuals using mobile phones, especially habitual users, are more efficient, but engage in less information processing, are less attentive and less vigilant about misinformation, compared to those using PCs. However, the latter are more likely to succumb to phishing emails by clicking on malicious links. We discuss theoretical implications for information processing across media devices and practical implications for combating misinformation and cybersecurity attacks.
... Younger persons are more susceptible [51,31,35] Older persons are more susceptible [57,36,57,37,35] Gender Female are more susceptible [51,27,37,24,23,22] Males are more susceptible [36,47] Education Higher level of education makes less susceptible [41,60] Cybersecurity education makes more susceptible [41] Technicality Technical users are less susceptible [24,47,31,46,21,35] From the category of (socio-) demographic factors, Jampen et al. summarized multiple studies for the aspects of Age, Gender, Education, and Technicality. The previous research shows inconsistent findings about the impact on users' susceptibility for many factors (c.f. ...
Preprint
Full-text available
Phishing is among the most common attack vectors against organizations, institutions, and individuals. However, previous research on phishing susceptibility is almost always performed in professional or academic contexts, thus rendering the target domain of private persons understudied. We explore this gap in research by conducting a large-scale study with participants in Germany, attempting to translate findings from previous research in academic or professional contexts to the private context. Throughout four months, we sent over 14,000 phishing emails to approximately 4,700 recipients. We observed increased volatility for younger and older persons, as well as those with lower education degrees. Further, we identify that the best indicator for future susceptibility is a reaction to previous phishing emails. We hence conclude that various vectors identified in previous research translate to the private context.
Chapter
Phishing is among the most common attack vectors against organizations, institutions, and individuals. However, previous research on phishing susceptibility has almost always been performed in profes- sional or academic contexts, thus rendering the target domain of private persons understudied. We explore this gap in research by conducting a large-scale study with participants in Germany, attempting to translate findings from previous research in academic or professional contexts to the private context. We sent over 14,000 phishing emails to approxi- mately 4,700 recipients throughout four months. We observed increased volatility for younger and older persons and those with lower education degrees. Further, we identify that the best indicator for future susceptibil- ity is a previous reaction to phishing emails. We conclude by highlighting that various vectors identified in previous research can be translated to the private context.
Article
Internet-based social engineering (SE) attacks are a major cyber threat. These attacks often serve as the first step in a sophisticated sequence of attacks that target, among other things, victims’ credentials and can cause financial losses. The problem has received mounting attention in recent years, with many publications proposing defenses against SE attacks. Despite this, the situation has not improved. In this article, we aim to understand and explain this phenomenon by investigating the root cause of the problem. To this end, we examine Internet-based SE attacks and defenses through a unique lens based on psychological factors (PFs) and psychological techniques (PTs). We find that there is a key discrepancy between attacks and defenses: SE attacks have deliberately exploited 46 PFs and 16 PTs in total, but existing defenses have only leveraged 16 PFs and seven PTs in total. This discrepancy may explain why existing defenses have achieved limited success and prompt us to propose a systematic roadmap for future research.
Article
Full-text available
The interdisciplinarity of the Social Engineering (SE) domain creates crucial challenges for the development and advancement of empirical SE research, making it particularly difficult to identify the space of open research questions that can be addressed empirically. This space encompasses questions on attack conditions, employed experimental methods, and interactions with underlying cognitive aspects. As a consequence, much potential in the breadth of existing empirical SE research and in its mapping to the actual cognitive processes it aims to measure is left untapped. In this work, we carry out a systematic review of 169 articles investigating overall 735 hypotheses in the field of empirical SE research, focusing on experimental characteristics and core cognitive features from both attacker and target perspectives. Our study reveals that experiments only partially reproduce real attacks and that the exploitable SE attack surface appears much larger than the coverage provided by the current body of research. Factors such as targets’ context and cognitive processes are often ignored or not explicitly considered in experimental designs. Similarly, the effects of different pretexts and varied targetization levels are overall marginally investigated. Our findings on current SE research dynamics provide insights into methodological shortcomings and help identify supplementary techniques that can open promising future research directions.
Chapter
Phishing is a cybercrime in active growth that could cause several damages for its victims, such as identity theft. Specifically, in the last years, cybercrime has been of particular concern due to several attacks developed against society in general. In this sense, understanding this phenomenon and the factors that may explain the susceptibility to this is essential. But it is also essential to know which of the traditional methods are used to study phishing susceptibility and the innovative ones. This chapter presents a complete study in this field, providing a theoretical and practical approach, by using a perspective that is simple and accessible to everyone. In the end, individuals, in general, will know more about the subject, and, academically, this provides important insights to better-developed studies in the phishing susceptibility field.
Article
Full-text available
One hundred fifty-five participants completed a survey on Amazon’s Mechanical Turk that assessed characteristics of phishing attacks and requested participants to describe their previous experiences and the related consequences. Results indicated almost all participants had been targets of a phishing with 22% reporting these attempts were successful. Participants reported actively engaging in efforts to protect themselves online by noticing the “padlock icon” and seeking additional information to verify the legitimacy of e-retailers. Moreover, participants indicated that phishers most frequently pose as members of organizations and that phishing typically occurs via email yet they are aware that other media might also make them susceptible to phishing scams. The reported consequences of phishing attacks go beyond financial loss, with many participants describing social ramifications such as embarrassment and reduced trust. Implications for research in risk communication and design roles by human factors/ergonomics (HF/E) professionals are discussed.
Conference Paper
Full-text available
Using Amazon's Mechanical Turk, fifty American and sixty-one Indian participants completed a survey that assessed characteristics of phishing attacks, asked participants to describe their previous phishing experiences, and report phishing consequences. The results indicated that almost all participants had been targets, yet Indian participants were twice as likely to be successfully phished as American participants. Part of the reason appears to be that American participants reported more frequent efforts to protect themselves online such as by looking for the padlock icon in their browser. Statistical analyses indicated that American participants agreed more with items for characteristics of phishing, consequences of phishing and the types of media where phishing occurs, suggesting more cautiousness and awareness of phishing.
Article
Full-text available
Security has become an important topic for many software systems. Security patterns are reusable solutions to security problems. Although many security patterns and techniques for using them have been proposed, it is still difficult to adapt security patterns to each phase of software development This paper provides a survey of approaches to security patterns. As a result of classifying these approaches, a direction for the integration and future research topics is illustrated.
Article
This two-wave national panel study was designed to test the causal claims of the “cognitive mediation model.” The data indicate strong support for the following causal relationships predicted by the model: (a) surveillance motivations influence information processing, (b) information processing influences knowledge, and (c) motivations influence knowledge only indirectly through information processing. However, additional analyses demonstrated that these variables are not related in a simple unidirectional causal pattern. Instead, panel analyses found that most of these relationships are mutually causal. Future research should consider the reciprocal nature of relationships between information processing and knowledge, particularly as it relates to the study of the knowledge gap hypothesis.
Conference Paper
In this paper we present the results of a roleplay survey instrument administered to 1001 online survey respondents to study both the relationship between demographics and phishing susceptibility and the effectiveness of several anti-phishing educational materials. Our results suggest that women are more susceptible than men to phishing and participants between the ages of 18 and 25 are more susceptible to phishing than other age groups. We explain these demographic factors through a mediation analysis. Educational materials reduced users' tendency to enter information into phishing webpages by 40%; however, some of the educational materials we tested also slightly decreased participants' tendency to click on legitimate links.
Article
The concept of making security decisions fundamental to designing the security features used by users is described. A series of decision-making scenarios were designed to systematically vary by decision domain, risk, and gain-to-loss ratio in an effort to determine how computer users might respond to potential security decisions. Fifty-six students enrolled at a public university volunteered to participate in a study that used a 2×2×3 repeated measures factorial design. The study used performance on a scenario-based decision task to draw conclusions about how risk and gain-to-loss ratio might affect decision-making within the domains of computing and non-computing security decisions. Combining the evaluation approach with potential alterations of security warnings should allow designers to improve security systems.
Article
A new paper-and-pencil test of spatial visualization was constructed from the figures used in the Chronometric study of Shepard and Metzler (1971). In large samples, the new test displayed substantial internal consistency (Kuder-Richardson 20 = .88), a test-retest reliability (.83), and consistent sex differences over the entire range of ages investigated. Correlations with other measures indicated strong association with tests of spatial visualization and virtually no association with tests of verbal ability.
Article
When time is limited, researchers may be faced with the choice of using an extremely brief measure of the Big-Five personality dimensions or using no measure at all. To meet the need for a very brief measure, 5 and 10-item inventories were developed and evaluated. Although somewhat inferior to standard multi-item instruments, the instruments reached adequate levels in terms of: (a) convergence with widely used Big-Five measures in self, observer, and peer reports, (b) test–retest reliability, (c) patterns of predicted external correlates, and (d) convergence between self and observer ratings. On the basis of these tests, a 10-item measure of the Big-Five dimensions is offered for situations where very short measures are needed, personality is not the primary topic of interest, or researchers can tolerate the somewhat diminished psychometric properties associated with very brief measures.
Conference Paper
Phishing is a model problem for illustrating usability concerns of privacy and security because both system designers and attackers battle using user interfaces to guide (or misguide) users. We propose a new scheme, Dynamic Security Skins, that allows a remote web server to prove its identity in a way that is easy for a human user to verify and hard for an attacker to spoof. We describe the design of an extension to the Mozilla Firefox browser that implements this scheme. We present two novel interaction techniques to prevent spoofing. First, our browser extension provides a trusted window in the browser dedicated to username and password entry. We use a photographic image to create a trusted path between the user and this window to prevent spoofing of the window and of the text entry fields. Second, our scheme allows the remote server to generate a unique abstract image for each user and each transaction. This image creates a "skin" that automatically customizes the browser window or the user interface elements in the content of a remote web page. Our extension allows the user's browser to independently compute the image that it expects to receive from the server. To authenticate content from the server, the user can visually verify that the images match. We contrast our work with existing anti-phishing proposals. In contrast to other proposals, our scheme places a very low burden on the user in terms of effort, memory and time. To authenticate himself, the user has to recognize only one image and remember one low entropy password, no matter how many servers he wishes to interact with. To authenticate content from an authenticated server, the user only needs to perform one visual matching operation to compare two images. Furthermore, it places a high burden of effort on an attacker to spoof customized security indicators.