Article

Why Do Users Not Report Spear Phishing Emails?


Abstract

Cyber security training programs encourage users to report suspicious spear phishing emails, and most antiphishing software provides interfaces to assist in the reporting. Evidence, however, suggests that reporting is scarce. This research examined why this is the case. To this end, Social Cognitive Theory (SCT) was used to examine the influence of the triadic factors of perceived self-efficacy toward antiphishing behaviors, expected negative outcomes from reporting spear phishing emails, and cyber security self-monitoring, on individuals’ likelihood of reporting spear phishing emails. Based on recent research on phishing victims, the present study also incorporated cyber risk beliefs (CRBs) into the SCT framework. The model, tested using survey data (N = 386), revealed that the likelihood of reporting spear phishing emails is increased by perceived self-efficacy, expected negative outcomes, and cyber security self-monitoring. Furthermore, the CRBs directly influenced the three SCT factors and indirectly the individuals’ likelihood of reporting spear phishing emails. The findings add to our understanding of SCT and the science of cyber security.


... Phishing is a type of malware hidden behind hyperlinks or files that appear to come from legitimate sources (33). It is used to gain access to confidential information by persuading users to provide different kinds of personal data (34). ...
... It is used to gain access to confidential information by persuading users to provide different kinds of personal data (34). It is the most common attack method used by hackers today (33). ...
Article
Since the end of 2019, with the emergence of the global crisis caused by SARS-CoV-2, the share of global production and consumption of news and information on the subject has risen considerably, with this topic taking up most of the space in the mass media. Therefore, bearing in mind the importance of the information that is produced, broadcast and consumed in a country, which subsequently generates different kinds of reactions in a society, the general objective of this article was to carry out a reflective analysis of the situation during the first month of lockdown in Paraguay, in the context of the publication of information about the global pandemic caused by the SARS-CoV-2 virus. The specific objectives focused on the analysis of the circulation of fake news and misinterpretations and the neurosis generated as a result; the search for and analysis of news based on primary scientific sources; and the participation of national researchers and health professionals in the dissemination of information. To carry out the study, which follows a qualitative approach with a descriptive design, the main journalistic sources in the country (print, television and, above all, digital) were analyzed using the inductive method, taking into account those with the news programming of greatest influence and national reach according to the latest statistical data collected by the Ministerio de Tecnologías de la Información y Comunicación de Paraguay. The results obtained indicate that a large part of Paraguayan society fell for the dissemination of false information even before the virus entered the country, which generated a rapid reaction of neurosis in society, resulting in actions related to compulsive buying, xenophobia, risky health-care practices, etc.
For the second objective, it was determined that the main mass media had very scarce, if not non-existent, in-house production of news based on primary scientific sources, revealing writing based on the direct translation of foreign newspapers. As for the last objective, an increasing participation of researchers and specialists as the main points of reference when offering explanations about the virus and the pandemic through mass and digital media was found. Finally, a brief recommendation useful for future cases is made, based on foreign experiences.
... In phishing, there is mostly the negligence of employees who do not report any such incident in a timely manner. In a study by [11] they discussed social cognitive theory (SCT) and cyber risk beliefs in SCT. Their major contribution is to give a detailed study about the careless attitude of employees and to raise awareness for cybersecurity. ...
... Authors have designed an algorithm to guard and protect the browser if botnets exploit resources for crypto mining. To secure the web browser, a fingerprinting method was proposed by [10,11] in which there is a transaction on identity method imposed. Users with high likelihood and based on their extracted features, they have generated an identity. ...
Article
In today’s digitalized world, a lot of information is getting online, and the size of online data is getting huge day by day; thus, the field of data science emerged. Questions arise when there is such a massive amount of data. It also makes it vulnerable to people who have malicious intentions. The gateway for surfing the internet is the web browser. Whether people use it for fair means or foul, some data is precious and sensitive. In this research, a related study about web browser forensics specifies its importance in digital forensics. These studies mention the techniques and tools for web browser forensics, investigating the Android platform as different web browsers provide their web applications. Considering all these studies, the authors go in various directions to extract evidence from the browser. This research will utilize tools like dumpzilla (based on python script), Bulk extractor, and SQLite to extract the details of evidence like history URLs, Cookies, Add-ons, and web Sessions and saved passwords in the cloud storage of the browser. For this, a scenario in a virtual environment is created in which the victim browser could be exploited. Forensics tools run on two different platforms, Kali Linux and Parrot Security OS. Two other platforms are used to authenticate and verify shreds of evidence collected. There are limitations of tools. While running on different platforms, they missed capturing some shreds of evidence. After gathering the data from the victim machine, the web browser activities were predicted. There are limitations, and research offers future scope by improving the tools’ performance—this requires sound knowledge of python, access control, and system architecture.
... The extension of the third scenario is that the cybersecurity of the organization now benefits from the detected phishing attempt. For this, the organizational cybersecurity needs to get informed about the phishing attempt and in the following uses this knowledge "to inform others of an attack before it spreads" (Kwak et al. 2020). Since we assume that the phishing email is not blocked by the technical countermeasures (otherwise it would not even reach the user), the cybersecurity of the organization cannot be aware of that phishing attempt. ...
... When looking at the collection of usable security aspects in Figure 2.2, we can notice that some of those aspects might be more related to the topic of reporting unsolicited emails or cybersecurity incidents in general than others. In order to identify and analyze the most relevant aspects of usable security for reporting unsolicited emails, I first introduce some research which deals with the question why users avoid using security systems or why they do not report unsolicited emails: The findings of Kwak et al. (2020) indicate that "reporting is inhibited by internal factors such as self-efficacy and the users' fear of reporting emails that might not be [...] phishing emails". These findings indicate that the users who avoid reporting unsolicited emails might be afraid to do something wrong because they might be insufficiently informed. ...
Thesis
As of 2021, phishing and other forms of unsolicited emails are still the main vector for cybersecurity attacks and threats. Since the problem cannot be solved through technical solutions, current research approaches to integrate the users as part of the solution for tackling this problem. In order to realize this approach, organizational cybersecurity needs to enable its users to report cybersecurity incidents by providing them with the necessary reporting tools. Those reporting tools, and especially their usable security aspect Supportive Information, are the subject of the quantitative studies that I conduct in my thesis. Therefore, I develop two variants of a reporting tool for unsolicited emails that differ in their amount of Supportive Information. I then examine how the amount of Supportive Information in the reporting tool influences the quality and the quantity of reports that are submitted by the 158 test users to whom I distribute the software. Within the first quantitative study, I focus on how the usability affects the report quality by sending in total three simulated phishing attempts to each test user and analyze whether the submitted reports are categorized correctly. The second quantitative study consists of a user survey that aims to determine how Supportive Information influences the users’ Intention to Use the reporting tool, which then allows conclusions about the report quantity. Although I am not able to prove an effect of Supportive Information on the report quantity, the results of my studies nevertheless support the hypothesized positive effect of Supportive Information on the report quality. My thesis thereby contributes to a better understanding of usable security and the research in this field. Furthermore, I can provide new insights for the practical implementation of reporting tools and cybersecurity systems in general.
... Today, the most widely implemented user-focused intervention is to train individuals to increase their security awareness [10][11][12][13]. Major training methods emphasize reporting; they encourage users to report suspicious e-mails to e-mail security providers [14]. This is because reporting makes early detection possible and allows e-mail security providers to inform other potential victims before the attack spreads. ...
... Prior research explained why users do not report phishing e-mails based on Social Cognitive Theory [14]. However, it does not provide an effective incentive mechanism. ...
Article
The human is considered as the important link in the phishing attack, and the e-mail security provider encourages users to report suspicious e-mails. However, evidence suggests that reporting is scarce. Therefore, we study how to motivate users to report phishing e-mails in this paper. To solve the problem, a tripartite evolutionary game model among e-mail security providers, e-mail users, and attackers is constructed. We obtain the desired evolutionary stable strategy through solving the replicator dynamics equations. Moreover, the evolution process to the desired evolutionary stable strategy is derived, which can guide the e-mail security provider to make a reasonable incentive mechanism. Lastly, we experiment with a large real-world e-mail network. The experiment results show that our model is effective and practical.
... Kind regards, Jack For these reasons BEC are particularly difficult to detect and a well conducted attack can lead to substantial financial losses [21]: "In 2018, the IC3 received 20,373 BEC/E-mail Account Compromise (EAC) complaints with adjusted losses of over $1.2 billion." Collecting BEC is very challenging as there is no public corpora, and, in addition to being rare, BEC are not often reported [30]. We developed a framework which combines methods to anonymize and augment our corpus made of BEC and short benign texts extracted from emails. ...
Preprint
Text data augmentation, i.e. the creation of synthetic textual data from an original text, is challenging as augmentation transformations should take into account language complexity while being relevant to the target Natural Language Processing (NLP) task (e.g. Machine Translation, Question Answering, Text Classification, etc.). Motivated by a business application of Business Email Compromise (BEC) detection, we propose a corpus and task agnostic text augmentation framework combining different methods, utilizing BERT language model, multi-step back-translation and heuristics. We show that our augmentation framework improves performances on several text classification tasks using publicly available models and corpora (SST2 and TREC) as well as on a BEC detection task. We also provide a comprehensive argumentation about the limitations of our augmentation framework.
... Self-Efficacy) as they learn how software developers make their decisions to minimise user data when developing software systems that preserve user privacy. Self-Efficacy has a correlation with the one's knowledge [1,13]. For example, when software developers are knowledgeable of how to minimise user data, they are more motivated and confident in taking relevant actions to develop privacy-preserving software systems. ...
Preprint
Software applications continue to challenge user privacy when users interact with them. Privacy practices (e.g. Data Minimisation (DM), Privacy by Design (PbD) or General Data Protection Regulation (GDPR)) and related "privacy engineering" methodologies exist and provide clear instructions for developers to implement privacy into software systems they develop that preserve user privacy. However, those practices and methodologies are not yet a common practice in the software development community. There has been no previous research focused on developing "educational" interventions such as serious games to enhance software developers' coding behaviour. Therefore, this research proposes a game design framework as an educational tool for software developers to improve (secure) coding behaviour, so they can develop privacy-preserving software applications that people can use. The elements of the proposed framework were incorporated into a gaming application scenario that enhances the software developers' coding behaviour through their motivation. The proposed work not only enables the development of privacy-preserving software systems but also helps the software development community to put privacy guidelines and engineering methodologies into practice.
... Spear phishing is a technique of sending spam emails containing malware concealed inside embedded links and attachments that seem to come from reputable sources (e.g., a trustworthy and well-known corporation) [37]. The most prevalent form of phishing attack used by hackers at present is spear phishing. ...
Article
Internet of things (IoT) is a technology that enables our daily life objects to connect on the Internet and to send and receive data for a meaningful purpose. In recent years, IoT has led to many revolutions in almost every sector of our society. Nevertheless, security threats to IoT devices and networks are relentlessly disruptive, because of the proliferation of Internet technologies. Phishing is one of the most prevalent threats to all Internet users, in which attackers aim to fraudulently extract sensitive information of a user or system, using fictitious emails, websites, etc. With the rapid increase in IoT devices, attackers are targeting IoT devices such as security cameras, smart cars, etc., and perpetrating phishing attacks to gain control over such vulnerable devices for malicious purposes. In recent decades, such scams have been spreading, and they have become increasingly advanced over time. By following this trend, in this paper, we propose a threat modelling approach to identify and mitigate the cyber-threats that can cause phishing attacks. We considered two significant IoT use cases, i.e., smart autonomous vehicular system and smart home. The proposed work is carried out by applying the STRIDE threat modelling approach to both use cases, to disclose all the potential threats that may cause a phishing attack. The proposed threat modelling approach can support the IoT researchers, engineers, and IoT cyber-security policymakers in securing and protecting the potential threats in IoT devices and systems in the early design stages, to ensure the secure deployment of IoT devices in critical infrastructures.
... However, the number of phishing reports is still considered too low [97] as people usually only report phishing when they doubt its safety and need an expert's opinion [10,57], know the spoofed sender, have a desire to protect other potential victims, or perceive the email to be particularly convincing and therefore dangerous [10]. Counter to this, research has found that users may not report due to a lack of awareness of legitimate reporting channels, concerns of mishandling, and perceived self-efficacy [56]. To promote phishing reporting, prior work has looked at using staff feedback after training simulation to modify policies to better align with staff needs [47]. ...
... Email based phishing attacks are one of the most common modes of email scams like advance-fee frauds. The phishing attacks may even come as spear phishing which is a more advanced form of phishing and is performed by sending emails to the victims that appear to come from trusted sources and are targeted towards specific individuals or positions in organizations [8]. Several software tools have been developed that help prevent phishing attacks to some extent, such as Google Safe Browsing, McAfee SiteAdvisor, Netcraft Anti-Phishing Toolbar, Spoof Guard etc. ...
Article
Chain and multi-recipient e-mails pose significant security and privacy threats such as phishing and the spread of Trojan horses. They also increase the chances of receiving spam e-mails. E-mails sent to multiple recipients at a time result in unwanted exposure of e-mail addresses to multiple recipients. The recipients of chain e-mails may include spammers or e-mail addresses of users whose e-mail account or device may have been compromised, thereby exposing all e-mail addresses to spammers. Forwarding or sending a multi-recipient e-mail in a chain further increases the exposure of e-mail addresses to spammers. This paper discusses chain e-mails, multi-recipient e-mails and the crucial security and privacy threats they pose to legitimate e-mail users. It also discusses various possible mechanisms to mitigate these threats and investigates their effectiveness. This study proposes a novel technique to counter these security risks by enhancing the default behaviour of the e-mail client, the SMTP server and the SMTP protocol. The proposed technique has been implemented in the Java programming language and showed promising results against unnecessary exposure of multiple e-mail addresses while sending an e-mail to multiple recipients.
... Several companies already provide tools to report phishing emails, to quickly detect new attacks using aggregate information across multiple customers [19], [24]. The same companies report that users are improving at reporting phishing attempts over time [2], [1], however, other work showed that users are reticent to report phishing to the IT because of the lack of transparency in the process [60] and lack of fast responses from the system [39]. Prior to our work, it was not known if employees as a crowdsourcing mechanism in a closed scenario, such as a corporation that manages reported phishing in-house, works effectively with acceptable operational workload. ...
Preprint
In this paper, we present findings from a large-scale and long-term phishing experiment that we conducted in collaboration with a partner company. Our experiment ran for 15 months during which time more than 14,000 study participants (employees of the company) received different simulated phishing emails in their normal working context. We also deployed a reporting button to the company's email client which allowed the participants to report suspicious emails they received. We measured click rates for phishing emails, dangerous actions such as submitting credentials, and reported suspicious emails. The results of our experiment provide three types of contributions. First, some of our findings support previous literature with improved ecological validity. One example of such results is good effectiveness of warnings on emails. Second, some of our results contradict prior literature and common industry practices. Surprisingly, we find that embedded training during simulated phishing exercises, as commonly deployed in the industry today, does not make employees more resilient to phishing, but instead it can have unexpected side effects that can make employees even more susceptible to phishing. And third, we report new findings. In particular, we are the first to demonstrate that using the employees as a collective phishing detection mechanism is practical in large organizations. Our results show that such crowd-sourcing allows fast detection of new phishing campaigns, the operational load for the organization is acceptable, and the employees remain active over long periods of time.
... The rapid advancement of internet technologies has changed the way people interact online while also posing new security risks. Newly growing global dangers attack the user's computer and have the potential to steal their identity and money [9]. ...
Article
Phishing is a form of identity theft which deceives Internet users into revealing their sensitive data, e.g., login information, credit/debit card details, and so on. Researchers have developed various anti-phishing methods in recent years. However, the problem still exists. Therefore, this paper presents a detailed analysis of phishing attack methods and defense techniques. This survey is presented in five folds. First, we discuss in detail the lifecycle of the phishing attack, its history, and the motivation behind this attack. Second, we present various distribution methods that are used to spread phishing attacks. Third, we provide a taxonomy of various phishing-attacking techniques in desktop and mobile environments. Fourth, we provide numerous phishing protection mechanisms and their comparisons. Finally, the article presents various performance challenges faced by developers while dealing with this crucial attack. This paper also provides the consequences of phishing attacks in emerging domains like mobile and online social networks. This paper will help different users in avoiding phishing attacks while using the Internet for their day-to-day activities, and will guide business administrators in designing new effective solutions for their enterprise against various types of phishing threats.
Article
When interacting with computers or digital artifacts, individuals tend to replicate interpersonal trust and distrust mechanisms to calibrate their trust. Such mechanisms involve cognitive processes that individuals rely on before making a decision to trust or distrust. With the worldwide increase in email traffic, both the academic literature and professionals warn of insider threats, that is, coming from inside an organization, in particular those created by legitimate users who have decided to trust a phishing email. This article offers a cognitive approach to the decision whether to trust a phishing email. After reviewing the literature on decision making concerning a cognitive perspective, interpretation, trust, distrust, online deception, and insider threats, we present a study conducted on 249 participants designed to ascertain how they interpreted phishing emails and decided whether or not to trust them. We noted that certain elements eliciting trust or distrust remained invariable regardless of the participant. We show examples of phishing emails designed to maximize (or minimize) the decision to trust (or distrust), and lastly consider the limitations and ethical questions raised by this research.
Chapter
The electronic mailing system has in recent years become a timely and convenient way for the exchange of multimedia messages across cyberspace and computer networks in the global sphere. This proliferation has resulted in most (if not all) inboxes receiving junk email messages on numerous occasions every day. Due to these surges in spam attacks, a number of approaches have been proposed to lessen the attacks across the globe significantly. The effect of previous detection techniques has been weakened due to the adaptive nature of unsolicited email spam. Hence, resolving the spam detection (SD) problem is a challenging task. A regular class of the Artificial Neural Network (ANN) called Multi-Layer Perceptron (MLP) was proposed in this study for email SD. The main idea of this research is to train a neural network by leveraging a new nature-inspired metaheuristic algorithm referred to as the Grasshopper Optimization Algorithm (GOA) to categorize emails as ham and spam. Its performance was evaluated on an often-used standard dataset. The results showed that the proposed MLP model trained by GOA achieves high accuracy of up to 94.25% compared to other optimization algorithms.
Article
Phishing emails provide a means to infiltrate the technical systems of organisations by encouraging employees to click on malicious links or attachments. Despite the use of awareness campaigns and phishing simulations, employees remain vulnerable to phishing emails. The present research uses a mixed methods approach to explore employee susceptibility to targeted phishing emails, known as spear phishing. In study one, nine spear phishing simulation emails sent to 62,000 employees over a six-week period were rated according to the presence of authority and urgency influence techniques. Results demonstrated that the presence of authority cues increased the likelihood that a user would click a suspicious link contained in an email. In study two, six focus groups were conducted in a second organisation to explore whether additional factors within the work environment impact employee susceptibility to spear phishing. We discuss these factors in relation to current theoretical approaches and provide implications for user communities.
Article
Recent research has begun to focus on the factors that cause people to respond to phishing attacks. In this study a real-world spear-phishing attack was performed on employees in organizational settings in order to examine how users’ personality, attitudinal and perceived efficacy factors affect their tendency to expose themselves to such an attack. Spear-phishing attacks are more sophisticated than regular phishing attacks as they use personal information about their intended victim and present a stronger challenge for detection by both the potential victims as well as email phishing filters. While previous research showed that certain phishing attacks can lure a higher response rate from people with a higher level of the personality trait of Neuroticism, other traits were not explored in this context. The present study included a field experiment which revealed a number of factors that increase the likelihood of users falling for a phishing attack: the factor that was found to be most correlated to the phishing response was users’ Conscientiousness personality trait. The study also found a gender-based difference in the response, with women more likely to respond to a spear-phishing message than men. In addition, this work detected a negative correlation between the participants’ subjective estimate of their own vulnerability to phishing attacks and the likelihood that they will be phished. Put together, the findings suggest that vulnerability to phishing is in part a function of users’ personality and that vulnerability is not due to lack of awareness of phishing risks. This implies that real-time response to phishing is hard to predict in advance by the users themselves, and that a targeted approach to defense may increase security effectiveness.
Article
Scams and other malicious attempts to influence people are continuing to proliferate across the globe, aided by the availability of technology that makes it increasingly easy to create communications that appear to come from legitimate sources. The rise in integrated technologies and the connected nature of social communications means that online scams represent a growing issue across society, with scammers successfully persuading people to click on malicious links, make fraudulent payments, or download malicious attachments. However, current understanding of what makes people particularly susceptible to scams in online contexts, and therefore how we can effectively reduce potential vulnerabilities, is relatively poor. So why are online scams so effective? And what makes people particularly susceptible to them? This paper presents a theoretical review of literature relating to individual differences and contextual factors that may impact susceptibility to such forms of malicious influence in online contexts. A holistic approach is then proposed that provides a theoretical foundation for research in this area, focusing on the interaction between the individual, their current context, and the influence message itself, when considering likely response behaviour.
Article
We examined the influence of three social engineering strategies on users' judgments of how safe it is to click on a link in an email. The three strategies examined were authority, scarcity and social proof, and the emails were either genuine, phishing or spear-phishing. Of the three strategies, the use of authority was the most effective strategy in convincing users that a link in an email was safe. When detecting phishing and spear-phishing emails, users performed the worst when the emails used the authority principle and performed best when social proof was present. Overall, users struggled to distinguish between genuine and spear-phishing emails. Finally, users who were less impulsive in making decisions generally were less likely to judge a link as safe in the fraudulent emails. Implications for education and training are discussed.
Article
Over the last few decades there has been a substantial increase in the research and applications of meta-cognition and mindfulness. The concepts of meta-cognition and mindfulness seem different and their research literatures evolved independently of each other. However, meta-cognition and mindfulness share many commonalities and are conceptually related in many ways. Evidently, there has been relatively little research addressing this relationship. The research traditions of meta-cognition and mindfulness may strengthen and benefit each other. Specific aspects, such as the development of 'meta-awareness', can be integrated with each other in a complementary as well as supplementary manner in applied settings such as psychotherapy. This paper describes the nature of meta-cognition and mindfulness and reviews their conceptual relationships. Finally, theoretical and applied implications of this relationship are discussed.
Article
Full-text available
Social-psychological research on phishing has implicated ineffective cognitive processing as the key reason for individual victimization. Interventions have consequently focused on training individuals to better detect deceptive emails. Evidence, however, points to individuals sinking into patterns of email usage that within a short period of time result in an attenuation of the training effects. Thus, individual email habits appear to be another predictor of their phishing susceptibility. To comprehensively account for all these influences, the research built a model that accounts for the cognitive, preconscious, and automatic processes that potentially lead to phishing-based deception. The resultant Suspicion, Cognition, and Automaticity Model (SCAM) was tested using two experimental studies in which participants were subjected to different types of email-based phishing attacks.
Conference Paper
Full-text available
As the number of Internet users has grown, so have the security threats that they face online. Security warnings are one key strategy for trying to warn users about those threats; but recently, it has been questioned whether they are effective. We conducted a study in which 120 participants brought their own laptops to a usability test of a new academic article summary tool. They encountered a PDF download warning for one of the papers. All participants noticed the warning, but 98 (81.7%) downloaded the PDF file that triggered it. There was no significant difference between responses to a brief generic warning, and a longer specific one. The participants who heeded the warning were overwhelmingly female, and either had previous experience with viruses or lower levels of computing skills. Our analysis of the reasons for ignoring warnings shows that participants have become desensitised by frequent exposure and false alarms, and think they can recognise security risks. At the same time, their answers revealed some misunderstandings about security threats: for instance, they rely on anti-virus software to protect them from a wide range of threats, and do not believe that PDF files can infect their machine with viruses. We conclude that security warnings in their current forms are largely ineffective, and will remain so, unless the number of false positives can be reduced.
Article
Full-text available
Bandura's Social Cognitive Theory (SCT) recognizes physical, social and self-evaluative outcome expectations. Particularly the latter have a central place in motivation. Furthermore, SCT recognizes self-evaluation inhibiting processes. The proposed relationships among these cognitive factors and their relation to behavior are summarized in the Self-Evaluation Motivation model and explored in the present study. Smokers (N = 1546) were recruited via newspaper advertisements to take part in a study on smoking cessation. They filled in a questionnaire assessing specific cognitive variables described in SCT. Follow-up assessments of quitting behavior were conducted after three and after fourteen months. Multivariate regression analyses indicated, first, that the influence of physical and social outcome expectations and of dissonance reducing cognitions and attentional change processes on intention and behavior, was mediated by self-evaluation. Second, perceived long-term health outcomes were not related to self-evaluation when smokers used few attentional change processes. Third, the influence of dissonance reducing cognitions and attentional change processes on self-evaluation was partly mediated by their influence on physical and social outcome expectations. Suggestions for interventions to increase motivation to quit smoking are given.
Article
Full-text available
Recent reports of problematic forms of Internet usage bring new currency to the problem of "media addictions" that have long been the subject of both popular and scholarly writings. The research in this article reconsidered such behavior as deficient self-regulation within the framework of A. Bandura's (1991) theory of self-regulation. In this framework, behavior patterns that have been called media addictions lie at one extreme of a continuum of unregulated media behavior that extends from normally impulsive media consumption patterns to extremely problematic behavior that might properly be termed pathological. These unregulated media behaviors are the product of deficient self-regulatory processes through which media consumers monitor, judge, and adjust their own behavior, processes that may be found in all media consumers. The impact of deficient self-regulation on media behavior was examined in a sample of 465 college students. A measure of deficient self-regulation drawn from the diagnostic criteria used in past studies of pathological Internet usage was significantly and positively correlated to Internet use across the entire range of consumption, including among normal users who showed relatively few of the "symptoms." A path analysis demonstrated that depression and media habits formed to alleviate depressed moods undermined self-regulation and led to increased Internet usage.
Conference Paper
Full-text available
As technology such as the Internet, computers and mobile devices becomes ubiquitous throughout society, the need to ensure our information remains secure is imperative. Unfortunately, it has long been understood that good security cannot be achieved through technical means alone, and a solid understanding of the issues and how to protect yourself is required from users. Whilst many initiatives, programs and strategies have been proposed to improve the level of information security awareness, most have been directed at organizations, with a few national programs focused upon home users. Given that people's use of technology is primarily focused upon those two areas, the workplace and home, this paper seeks to understand the knowledge and practice relationship between these environments. Through the survey that was developed, it was identified that the majority of the learning about information security occurred in the workplace, where clear motivations, such as legislation and regulation, existed. It was also found that users were more than willing to engage with such awareness raising initiatives. From a comparison of practice between work and home environments, it was found that the knowledge and practice obtained at the workplace was transferred to the home environment. Given this positive transferability of knowledge and the willingness to learn about how to remain secure, an opportunity exists to move away from specific organizational awareness programs and towards awareness raising strategies that, whilst deployed in the organization, will develop an all-round individual security culture for users independent of the environment within which they are operating.
Article
Full-text available
The effects of fear appeals on persuasion were investigated in a factorial experiment that was designed to test a combined model of protection motivation theory and self-efficacy theory. As predicted, the probability of a threat's occurrence and the effectiveness of a coping response both had positive main effects on intentions to adopt a recommended preventive health behavior. More importantly, the findings provided support for self-efficacy expectancy as a fourth component of protection motivation theory: Self-efficacy had a direct influence on intentions and interacted with two other variables of protection motivation theory. The interaction effect was interpreted in terms of two new decision-making strategies that people use when confronted with a fear appeal: a precaution strategy and a hyperdefensiveness strategy. In addition, the results replicated previous findings on the relationship between self-efficacy expectancy and outcome expectancy. A model incorporating protection motivation theory and self-efficacy theory is presented as a possible general model of attitude change.
Conference Paper
Full-text available
In this paper we present the results of a roleplay survey instrument administered to 1001 online survey respondents to study both the relationship between demographics and phishing susceptibility and the effectiveness of several anti-phishing educational materials. Our results suggest that women are more susceptible than men to phishing and participants between the ages of 18 and 25 are more susceptible to phishing than other age groups. We explain these demographic factors through a mediation analysis. Educational materials reduced users' tendency to enter information into phishing webpages by 40%; however, some of the educational materials we tested also slightly decreased participants' tendency to click on legitimate links.
Article
This study investigates users’ coping responses in the process of phishing email detection. Three common responses are identified based on the coping literature: task-focused coping, emotion-focused coping (i.e., worry and self-criticism), and avoidance coping. The three responses are used to conceptualize a higher-order construct, coping adaptiveness, that resides on a continuum between maladaptive coping and adaptive coping (manifested as increased task-focused coping and decreased emotion-focused coping and avoidance coping). Drawing on the extended parallel process model and behavioral decision-making literature, this paper examines the antecedents (i.e., perceived phishing threat, perceived detection efficacy, and phishing anxiety) and behavioral consequences (i.e., detection effort and detection accuracy) of coping adaptiveness. A survey experiment with 547 U.S. consumers was conducted. The results show that perceived detection efficacy increases coping adaptiveness. Partially mediated by phishing anxiety, perceived phishing threat decreases coping adaptiveness. Coping adaptiveness positively impacts the two objective measures in the study, detection effort and detection accuracy. The results also suggest that coping adaptiveness and detection effort have different effects on false positives compared to false negatives: detection effort fully mediates the effect of coping adaptiveness on false positive rate (or detection accuracy related to legitimate emails), but has no impact on false negatives (or detection accuracy related to phishing emails), unlike coping adaptiveness. A post hoc analysis on coping responses reveals two patterns of coping among subjects, throwing more light on coping in phishing detection. Theoretical and practical implications are discussed. The online appendix is available at https://doi.org/10.1287/isre.2016.0680.
Article
Internet users experience a variety of online security threats that require them to enact safety precautions. Protection Motivation Theory (PMT) provides a theoretical framework for understanding Internet users' security protection that has informed past research. Ongoing research on online safety recommends new motivational factors that are integrated here in a PMT framework for the first time. Using PMT, a cross-sectional survey (N = 988) of Amazon Mechanical Turk (MTurk) users was conducted to examine how classical and new PMT factors predicted security intentions. Coping appraisal variables were the strongest predictors of online safety intentions, especially habit strength, response efficacy, and personal responsibility. Threat severity was also a significant predictor. Incorporating additional factors (i.e., prior experiences, subjective norms, habit strength, perceived security support, and personal responsibility) into the conventional PMT model increased the model's explanatory power by 15%. Findings are discussed in relation to advancing PMT within the context of online security for home computer users.
Article
To increase women's representation in technology careers, it's important to spark and nurture their interest and confidence during middle and high school. A pilot study compares gender differences in cybersecurity self-efficacy and interest among teens at a five-day cybersecurity camp. Although males initially scored higher on the Cybersecurity Engagement and Self-Efficacy Scale, the females caught up by week's end.
Article
While research has linked social media phishing susceptibility to individual Facebook habits, the underlying process by which habits lead to victimization and the extent to which it explains e-mail-based phishing remains unclear. The study compared the antecedents and consequences of e-mail habits and cognitive processing on the outcome of a simulated phishing attack. E-mail habits were rooted in stable personality dimensions of conscientiousness and emotional stability, while cognitive processing was premised on contextual information adequacy considerations. Interestingly, habits and processing jointly influenced the outcome of the attack: Systematic processing attenuated phishing susceptibility by a small factor; the cumulative effects of heuristic processing and e-mail habits, however, caused a fourfold increase in likely victimization, overwhelming any advantage from detailed processing.
Article
Research problem: Phishing is an email-based scam where a perpetrator camouflages emails to appear as a legitimate request for personal and sensitive information. Research question: How do individuals process a phishing email, and determine whether to respond to it? Specifically, this study examines how users' attention to “visual triggers” and “phishing deception indicators” influence their decision-making processes and consequently their decisions. Literature review: This paper draws upon the theory of deception and the literature on mediated cognition and learning, including the critical role of attention and elaboration in deception detection. From this literature, we developed a research model to suggest that overall cognitive effort expended in email processing decreases with attention to visual triggers and phishing deception indicators. The likelihood to respond to phishing emails increases with attention to visceral cues, but decreases with attention to phishing deception indicators and cognitive effort. Knowledge of email-based scams increases attention to phishing deception indicators, and directly decreases response likelihood. It also moderates the impact of attention to visceral triggers and that of phishing deception indicators on likelihood to respond. Methodology: Using a real phishing email as a stimulus, a survey of 321 members of a public university community in the Northeast US, who were intended victims of a spear phishing attack that took place, was conducted. The survey used validated measures developed in prior literature for the most part and tested results using partial least-squares regression. Results and discussion: Our research model and hypotheses were supported by the data, except that we did not find that cognitive effort significantly affects response likelihood. The implication of the study is that attention to visceral triggers, attention to phishing deception indicators, and phishing knowledge play critical roles in phishing detection. The limitations of the study were that the data were drawn from students, and that the study explored one phishing attack, relied on some single-item measures and a cognitive effort measure, and used a one-round survey. Future research would examine the impact of a varying degree of urgency and a varying level of phishing deception indicators, and actual victims of phishing attacks.
Article
To explore the effectiveness of embedded training, researchers conducted a large-scale experiment that tracked workers' reactions to a series of carefully crafted spear phishing emails and a variety of immediate training and awareness activities. Based on behavioral science findings, the experiment included four different training conditions, each of which used a different type of message framing. The results from three trials showed that framing had no significant effect on the likelihood that a participant would click a subsequent spear phishing email and that many participants either clicked all links or none regardless of whether they received training. The study was unable to determine whether the embedded training materials created framing changes on susceptibility to spear phishing attacks because employees failed to read the training materials.
Article
A key issue in community research is the set of motivations stimulating individuals to participate and contribute voluntarily to communities. This article examines the motivations of employees, who are traditionally not involved in the innovation process, to (not) participate in organizational innovation communities. Building on an in-depth single case study, we aim to answer the following research questions: (1) What motivates participants of organizational innovation communities to participate? and (2) What motivates nonparticipants of organizational innovation communities to not participate? We find and categorize multiple factors that motivate non-research and development employees to participate and to not participate. Moreover, we find an overlap as well as differences in the set of motivations of participants and nonparticipants. With nonparticipants normally being a large but barely explicitly recognized group, we argue that the found deviations contribute to the understanding of motivations in the context of organizational innovation communities and allow for direct design implications for innovation managers.
Article
Professor Steven Furnell looks at reckless users online, as they make friends with complete strangers, even putting themselves at risk.
Article
This article examines health promotion and disease prevention from the perspective of social cognitive theory. The areas of overlap with some of the most widely applied psychosocial models of health are identified. The models of health promotion and disease prevention have undergone several generational changes. We have shifted from trying to scare people into health, to rewarding them into health, to equipping them with self-regulatory skills to manage their health habits, to shoring up their habit changes with dependable social supports. These transformations have evolved a multifaceted approach that addresses the reciprocal interplay between self-regulatory and environmental determinants of health behavior. Social cognitive theory addresses the sociostructural determinants of health as well as the personal determinants. A comprehensive approach to health promotion requires changing the practices of social systems that have widespread detrimental effects on health rather than solely changing the habits of individuals. Further progress in this field requires building new structures for health promotion, new systems for risk reduction and greater emphasis on health policy initiatives. People's beliefs in their collective efficacy to accomplish social change, therefore, play a key role in the policy and public health approach to health promotion and disease prevention.
Article
Tested the hypothesis that self-evaluative and self-efficacy mechanisms mediate the effects of goal systems on performance motivation. These self-reactive influences are activated through cognitive comparison requiring both personal standards and knowledge of performance. 45 male and 45 female undergraduates performed a strenuous activity with either goals and performance feedback, goals alone, feedback alone, or without either factor. The condition combining performance information and a standard had a strong motivational impact, whereas neither goals alone nor feedback alone effected changes in motivation. When both comparative factors were present, the evaluative and efficacy self-reactive influences predicted the magnitude of motivation enhancement. The higher the self-dissatisfaction with substandard performance and the stronger the perceived self-efficacy for goal attainment, the greater was the subsequent intensification of effort. When one comparative factor was lacking, the self-reactive influences were differentially related to performance motivation, depending on the nature of the partial information and on the type of subjective comparative structure imposed on the activity. (25 ref) (PsycINFO Database Record (c) 2012 APA, all rights reserved)
Article
Summarizes what developmentalists have come to believe about human cognitive development after over a century of study. Topics briefly considered include the child as constructive thinker; invention of new research methods; the diagnosis problem; recent changes in estimates of children's competence; the question of general stages vs domain-specific developments; the effects of expertise; natural domains and constraints; cognitive development as theory development; synchronisms, sequences, and qualitative changes; mechanisms of development; sociocultural influences; individual differences; practical applications; and suggestions about what develops. This article concludes with some guesses about future directions for the field. (PsycINFO Database Record (c) 2012 APA, all rights reserved)
Article
This article examines the adequacy of the “rules of thumb” conventional cutoff criteria and several new alternatives for various fit indexes used to evaluate model fit in practice. Using a 2‐index presentation strategy, which includes using the maximum likelihood (ML)‐based standardized root mean squared residual (SRMR) and supplementing it with either Tucker‐Lewis Index (TLI), Bollen's (1989) Fit Index (BL89), Relative Noncentrality Index (RNI), Comparative Fit Index (CFI), Gamma Hat, McDonald's Centrality Index (Mc), or root mean squared error of approximation (RMSEA), various combinations of cutoff values from selected ranges of cutoff criteria for the ML‐based SRMR and a given supplemental fit index were used to calculate rejection rates for various types of true‐population and misspecified models; that is, models with misspecified factor covariance(s) and models with misspecified factor loading(s). The results suggest that, for the ML method, a cutoff value close to .95 for TLI, BL89, CFI, RNI, and Gamma Hat; a cutoff value close to .90 for Mc; a cutoff value close to .08 for SRMR; and a cutoff value close to .06 for RMSEA are needed before we can conclude that there is a relatively good fit between the hypothesized model and the observed data. Furthermore, the 2‐index presentation strategy is required to reject reasonable proportions of various types of true‐population and misspecified models. Finally, using the proposed cutoff criteria, the ML‐based TLI, Mc, and RMSEA tend to overreject true‐population models at small sample size and thus are less preferable when sample size is small.
Article
Even in busy online communities, usually only a small fraction of members post messages. Why do so many people prefer not to contribute publicly? From an online survey that generated 1,188 responses from posters and lurkers from 375 MSN bulletin board communities, 219 lurkers spoke out about their reasons for not posting. While lurkers did not participate publicly, they did seek answers to questions. However, lurkers’ satisfaction with their community experience was lower than those who post. Data from 19 checkbox items and over 490 open-ended responses were analyzed. From this analysis, the main reasons why lurkers lurk were concerned with: not needing to post; needing to find out more about the group before participating; thinking that they were being helpful by not posting; not being able to make the software work (i.e., poor usability); and not liking the group dynamics or the community was a poor fit for them. Two key conclusions were drawn from this analysis. First, there are many reasons why people lurk in online discussion communities. Second, and most important, most lurkers are not selfish free-riders. From these findings, it is clear that there are many ways to improve online community experiences for both posters and lurkers. Some solutions require improved software and better tools, but moderation and better interaction support will produce dramatic improvements.
Article
The ultimate success of information security depends on appropriate information security practice behaviors by the end users. Based on social cognitive theory, this study models and tests relationships among self-efficacy in information security, security practice behavior and motivation to strengthen security efforts. This study also explores antecedents to individuals' self-efficacy beliefs in information security. Results provide support for the many hypothesized relationships. This study provides an initial step toward understanding of the applicability of social cognitive theory in a new domain of information security. The results suggest that simply listing what not to do and the penalties associated with wrongdoing in the users' information security policy alone will have a limited impact on effective implementation of security measures. The findings may help information security professionals design security awareness programs that more effectively increase self-efficacy in information security.
Article
End-users are now recognized as being at increased risk in online scenarios, with a range of threats that seek to specifically target them and exploit their systems. Novice users are particularly likely to face difficulties in this context, as their unfamiliarity with the technology can limit their ability to recognize the threats and understand the required protection. This paper presents the results from a qualitative study, arising from detailed interviews conducted with 20 novice users in order to assess their views and experiences with Internet security. The findings reveal a general awareness of the existence of threats, but less familiarity with the appropriate safeguards beyond a very basic level. Although users generally recognize that they have a responsibility for their own protection, they often appear unconcerned about the potential impacts of the problems. In other cases, they felt unable to address their concerns as a result of their lack of technical knowledge or obstacles posed by security tools.
Article
This paper reports the results of a qualitative study of motivation and barriers to employee participation in virtual knowledge-sharing communities of practice at Caterpillar Inc., a Fortune 100, multinational corporation. The study indicates that, when employees view knowledge as a public good belonging to the whole organization, knowledge flows easily. However, even when individuals give the highest priority to the interests of the organization and of their community, they tend to shy away from contributing knowledge for a variety of reasons. Specifically, employees hesitate to contribute out of fear of criticism, or of misleading the community members (not being sure that their contributions are important, or completely accurate, or relevant to a specific discussion). To remove the identified barriers, there is a need for developing various types of trust, ranging from the knowledge-based to the institution-based trust. Future research directions and implications for KM practitioners are formulated.
Article
The present article examines the nature and function of human agency within the conceptual model of triadic reciprocal causation. In analyzing the operation of human agency in this interactional causal structure, social cognitive theory accords a central role to cognitive, vicarious, self-reflective, and self-regulatory processes. The issues addressed concern the psychological mechanisms through which personal agency is exercised, the hierarchical structure of self-regulatory systems, eschewal of the dichotomous construal of self as agent and self as object, and the properties of a nondualistic but nonreductional conception of human agency. The relation of agent causality to the fundamental issues of freedom and determinism is also analyzed.
Article
Engaging in a behaviour that has negative physical consequences is considered to be a threat to the self because it makes the self appear inadequate and non-adaptive. This self-threat is experienced as self-evaluative emotions. The self-threat can be removed by refraining from the unhealthy behaviour. The experience of self-threat influences behaviour because it contributes to expectations about the occurrence of self-evaluative emotions in the case of behaviour change. The results of Study 1, conducted among 503 smokers, showed that self-evaluative emotions were the central predictor of quitting activity during a 7-month period, among measures related to the negative consequences of smoking. The results of Study 2, conducted among 409 smokers, showed that expectations about the self-evaluative emotions that follow quitting smoking predicted quitting activity during a 9-month period and that these expectations partly mediated the relation between self-evaluative emotions and quitting. The results of Study 3, conducted among 255 smokers, showed that information on the negative outcomes of smoking led to quitting activity only when there was room to change self-evaluative outcome expectations. In addition, increases in these expectations predicted quitting activity during a 6-month period. The results suggest that negative self-evaluative emotions are a central motive to change unhealthy behaviour and that self-evaluative outcome expectations govern the behaviour change. The results can be understood within Steele's (1999) Self-affirmation theory.
97% of people globally unable to correctly identify phishing emails
  • Intel Security
“Spear-phishing” roiled the presidential campaign: here’s how to protect yourself. The Conversation
  • A Vishwanath
How to report phishing
  • Pishing
  • N D Org
The cost of phishing & value of employee Training
  • Ponemon Institute
The critical role of cyber risk beliefs (CRB) in determining why people fall victim to spear phishing. The International Communication Association's Annual Conference
  • A Vishwanath
  • Y S Kwak
  • B Harrison
What’s the difference between phishing and spear phishing
  • Vade Secure
Spear phishing: The tip of the spear used by cyber terrorists
  • Vishwanath