Search results (1 – 10 of 133)
Piers Bayl-Smith, Ronnie Taib, Kun Yu and Mark Wiggins
Abstract
Purpose
This study aims to examine the effect of perceived cybersecurity threat and efficacy on click-through and other responses to a phishing attack, framed in terms of persuasion and protection motivation in an organizational context.
Design/methodology/approach
In a simulated field trial conducted in a financial institution via PhishMe, employees were randomly sent one of five possible emails, each built on a particular persuasion strategy. Participants were then invited to complete an online survey to identify possible protective factors associated with clicking and reporting behavior (N = 2,918). The items of interest were perceived threat severity, threat susceptibility, response efficacy and personal efficacy.
Findings
The results indicate that response behaviors vary significantly across different persuasion strategies. Perceptions of threat susceptibility increased the likelihood of reporting behavior beyond clicking behavior. Threat susceptibility and organizational response efficacy were also associated with increased odds of not responding to the simulated phishing email attack.
Practical implications
This study again highlights human susceptibility to phishing attacks that use social engineering strategies. The results suggest that heightened awareness of phishing threats and a sense of personal responsibility for cybersecurity are key to ensuring secure business environments.
Originality/value
The authors extend the existing phishing literature by investigating not only click-through behavior, but also no-response and reporting behaviors. Furthermore, the authors observed the relative effectiveness of the persuasion strategies used in phishing emails in inducing unsafe email behavior.
Brynne Harrison, Elena Svetieva and Arun Vishwanath
Abstract
Purpose
The purpose of this paper is to explore user susceptibility to phishing by unpacking the mechanisms that may influence individual victimization. The focus is on the characteristics of the e-mail message, users’ knowledge and experience with phishing, and the manner in which these interact and influence how users cognitively process phishing e-mails.
Design/methodology/approach
A field experiment was conducted where 194 subjects were exposed to a real phishing attack. The experimenters manipulated the contents of the message and measures of user traits and user processing were obtained after the phishing attack.
Findings
Of the original list of targets, 47 percent divulged their private information to a bogus form page. Phishing susceptibility was predicted by a particular combination of both low attention to the e-mail elements and high elaboration of the phishing message. The presence of a threat or reward-based phishing message did not affect these processes, nor did it affect subsequent phishing susceptibility. Finally, individual factors such as knowledge and experience with e-mail increased resilience to the phishing attack.
Research limitations/implications
The findings are generalizable to students who are a particularly vulnerable target of phishing attacks.
Practical implications
The results presented in this study provide pragmatic recommendations for developing user-centered interventions to thwart phishing attacks. Lastly the authors suggest more effective educational efforts to protect individuals from such online fraud.
Originality/value
This study provides novel insight into why phishing is successful, the human factor in susceptibility to online deception, as well as the role of information processing in effective decision making in this context. Based on the findings, the authors dispel common misconceptions about phishing and discuss more effective educational efforts to protect individuals from such online fraud.
Molly Cooper, Yair Levy, Ling Wang and Laurie Dringus
Abstract
Purpose
This study introduces the concept of audiovisual alerts and warnings as a way to reduce phishing susceptibility on mobile devices.
Design/methodology/approach
This study has three phases. The first phase included 32 subject matter experts who provided feedback on a phishing alert and warning system. The second phase included development and a pilot study to validate a phishing alert and warning system prototype. The third phase included delivery of the Phishing Alert and Warning System (PAWS mobile app) to 205 participants. This study designed, developed and empirically tested the PAWS mobile app, which alerted and warned participants to the signs of phishing in emails on mobile devices.
Findings
The results of this study indicated audio alerts and visual warnings potentially lower phishing susceptibility in emails. Audiovisual warnings appeared to assist study participants in noticing phishing emails more easily and in less time than without audiovisual warnings.
Practical implications
This study's implications to mitigation of phishing emails are key, as it appears that alerts and warnings added to email applications may play a significant role in the reduction of phishing susceptibility.
Originality/value
This study extends the existing information security body of knowledge on phishing prevention and awareness by using audiovisual alerts and warnings to email recipients tested in real-life applications.
Malcolm Pattinson, Cate Jerram, Kathryn Parsons, Agata McCormac and Marcus Butavicius
Abstract
Purpose
The purpose of this paper is to investigate the behaviour response of computer users when either phishing e‐mails or genuine e‐mails arrive in their inbox. The paper describes how this research was conducted and presents and discusses the findings.
Design/methodology/approach
This study was a scenario‐based role‐play experiment that involved the development of a web‐based questionnaire that was only accessible by invited participants when they attended a one‐hour, facilitated session in a computer laboratory.
Findings
The findings indicate that overall, genuine e‐mails were managed better than phishing e‐mails. However, informed participants managed phishing e‐mails better than not‐informed participants. Other findings show how familiarity with computers, cognitive impulsivity and personality traits affect behavioural responses to both types of e‐mail.
Research limitations/implications
This study does not claim to evaluate actual susceptibility to phishing emails. The subjects were University students and therefore the conclusions are not necessarily representative of the general population of e‐mail users.
Practical implications
The outcomes of this research would assist management in their endeavours to improve computer user behaviour and, as a result, help to mitigate risks to their organisational information systems.
Originality/value
The literature review indicates that this paper addresses a genuine gap in the research.
Tianhao Xu and Prashanth Rajivan
Abstract
Purpose
Distinguishing phishing emails from legitimate emails continues to be a difficult task for most individuals. This study aims to investigate the psycholinguistic factors associated with deception in phishing email text and their effect on end-user ability to discriminate phishing emails from legitimate emails.
Design/methodology/approach
Email messages and end-user decisions collected from a laboratory phishing study were validated and analyzed using natural language processing methods (Linguistic Inquiry Word Count) and penalized regression models (LASSO and Elastic Net) to determine the linguistic dimensions that attackers may use in phishing emails to deceive end-users and measure the impact of such choices on end-user susceptibility to phishing.
Findings
We found that most participants who played the role of a phisher in the study chose to deceive their end-user targets by pretending to be a familiar individual and presenting time pressure or deadlines. Results show that the use of words conveying certainty (e.g. always, never) and work-related features in the phishing messages predicted higher end-user vulnerability. Conversely, the use of words that convey achievement (e.g. earn, win) or reward (cash, money) in the phishing messages predicted lower end-user vulnerability, because such features are usually observed in scam-like messages.
Practical implications
Insights from this research show that analyzing emails for psycholinguistic features associated with computer-mediated deception could be used to fine-tune and improve spam and phishing detection technologies. This research also informs the kinds of phishing attacks that must be prioritized in antiphishing training programs.
Originality/value
Applying natural language processing and statistical modeling methods to analyze results from a laboratory phishing experiment to understand deception from both attacker and end-user is novel. Furthermore, results from this work advance our understanding of the linguistic factors associated with deception in phishing email text and its impact on end-user susceptibility.
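The pipeline described above (category word counts per message, then a penalized model relating those counts to whether the target was deceived) can be reproduced in miniature. The block below is an added example, not the study's code, its LIWC dictionaries or its data: the five word categories are small constructed stand-ins for LIWC dimensions, the eight e-mails and their labels are constructed, and an L2-penalised logistic regression fitted by batch gradient descent stands in for the LASSO / Elastic Net fit. Labels follow the paper's pattern (1 = the target complied with a familiar-sender, work-framed, deadline-driven message; 0 = the target ignored a reward-framed one).

```python
"""Psycholinguistic category features + penalised logistic regression (added example)."""
import math
import re

# Assumption: tiny constructed LIWC-like dictionaries, not the real LIWC lexicon.
CATEGORIES = {
    "certainty": {"always", "never", "definitely", "absolutely", "certainly"},
    "work": {"accounting", "report", "invoice", "review", "manager", "budget",
             "spreadsheet", "meeting", "project", "timesheet", "payroll",
             "client", "contract", "document", "team"},
    "achievement": {"earn", "win", "winner", "achievement", "succeed"},
    "reward": {"cash", "money", "prize", "reward", "rewards", "bonus", "gift",
               "paid", "lottery"},
    "time_pressure": {"deadline", "today", "immediately", "now", "urgent",
                      "tomorrow", "instantly", "reminder"},
}
FEATURES = list(CATEGORIES)

# Constructed samples: (message text, 1 = target fell for it, 0 = target did not)
SAMPLES = [
    ("Hi, this is Dan from accounting. The report deadline is today, please review "
     "the attached invoice immediately. You always handle these, never late.", 1),
    ("Your manager needs the budget spreadsheet approved before the meeting this "
     "afternoon. Send it now, it is definitely urgent.", 1),
    ("Reminder: the project timesheet must be submitted by 5pm today. This is "
     "absolutely required for payroll.", 1),
    ("Per our team call, the client contract is due tomorrow, please sign the "
     "document today, we never miss these.", 1),
    ("Congratulations! You have been selected to win a cash prize. Claim your "
     "reward and earn money now.", 0),
    ("Earn a $500 bonus today, this exclusive offer gives you free money.", 0),
    ("You are a winner! Collect your gift card and bonus cash, a great achievement.", 0),
    ("Claim your lottery prize: win big, earn rewards, get paid instantly.", 0),
]


def tokenize(text):
    return re.findall(r"[a-z]+", text.lower())


def features(text):
    """Raw count of words per category (LIWC-style dictionary lookup)."""
    words = tokenize(text)
    return {cat: sum(w in vocab for w in words) for cat, vocab in CATEGORIES.items()}


def sigmoid(z):
    z = max(-500.0, min(500.0, z))  # guard math.exp against overflow
    return 1.0 / (1.0 + math.exp(-z))


def train(samples, l2=0.01, lr=0.1, steps=3000):
    """L2-penalised logistic regression by batch gradient descent.

    Returns ({feature: weight}, bias). The penalty shrinks weights toward zero,
    which is the role LASSO / Elastic Net play in the paper's analysis.
    """
    xs = [[features(t)[f] for f in FEATURES] for t, _ in samples]
    ys = [y for _, y in samples]
    n = len(samples)
    w = [0.0] * len(FEATURES)
    b = 0.0
    for _ in range(steps):
        gw = [0.0] * len(FEATURES)
        gb = 0.0
        for x, y in zip(xs, ys):
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            gb += err / n
            for i, xi in enumerate(x):
                gw[i] += err * xi / n
        w = [wi - lr * (gi + l2 * wi) for wi, gi in zip(w, gw)]
        b -= lr * gb
    return dict(zip(FEATURES, w)), b


def predict(model, text):
    """Probability that the target complies with this message."""
    w, b = model
    return sigmoid(b + sum(w[f] * c for f, c in features(text).items()))


def training_accuracy(model, samples):
    return sum((predict(model, t) >= 0.5) == bool(y) for t, y in samples) / len(samples)


if __name__ == "__main__":
    model = train(SAMPLES)
    for f, coef in model[0].items():
        print(f"{f:14s} {coef:+.2f}")  # sign shows which categories raise vulnerability
    print("training accuracy:", training_accuracy(model, SAMPLES))
```

With this constructed data the fitted weights come out positive for certainty and work words and negative for achievement and reward words, mirroring the paper's finding. The point for a detection engineer is the feature layer: the same category counts can be fed into an existing spam or phishing classifier as extra signals, and the coefficient signs tell you which message styles your awareness training should prioritise.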
Sanchari Das, Christena Nippert-Eng and L. Jean Camp
Abstract
Purpose
Phishing is a well-known cybersecurity attack that has rapidly increased in recent years. It poses risks to businesses, government agencies and all users due to sensitive data breaches and subsequent financial losses. To study the user side, this paper aims to conduct a literature review and user study.
Design/methodology/approach
To investigate phishing attacks, the authors provide a detailed overview of previous research on phishing techniques by conducting a systematic literature review of n = 367 peer-reviewed academic papers published in ACM Digital Library. Also, the authors report on an evaluation of a high school community. The authors engaged 57 high school students and faculty members (12 high school students, 45 staff members) as participants in research using signal detection theory (SDT).
Findings
Through the literature review which goes back to as early as 2004, the authors found that only 13.9% of papers focused on user studies. In the user study, through scenario-based analysis, participants were tasked with distinguishing phishing e-mails from authentic e-mails. The results revealed an overconfidence bias in self-detection from the participants, regardless of their technical background.
Originality/value
The authors conducted a literature review with a focus on user studies, which is a first in this field as far as the authors know. Additionally, the authors conducted a detailed user study with high school students and faculty using SDT, which is also an understudied area and population.
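Scoring a phishing-versus-authentic e-mail task with signal detection theory, as the study above does, separates how well a participant can tell the two apart (sensitivity, d') from how willing they are to call something phishing (criterion, c), and comparing self-rated confidence with actual accuracy exposes the overconfidence bias the authors report. The block below is an added example, not the paper's analysis code or data: it assumes each participant labels every e-mail as phishing or authentic and rates confidence from 0 to 1, treats a phishing e-mail as the signal (hit = phishing e-mail labelled phishing; false alarm = authentic e-mail labelled phishing), and uses constructed trial data.

```python
"""Signal detection theory scoring for a phishing vs authentic e-mail task (added example)."""
import math
from statistics import NormalDist

_z = NormalDist().inv_cdf  # probit transform: probability -> z-score

# Constructed trials: (email_id, truly_phishing, labelled_phishing, confidence 0..1)
TRIALS = [
    ("e01", True, True, 0.9),
    ("e02", True, True, 0.8),
    ("e03", True, False, 0.7),   # miss
    ("e04", True, True, 0.6),
    ("e05", True, False, 0.8),   # miss, yet rated confidently
    ("e06", False, False, 0.9),
    ("e07", False, True, 0.7),   # false alarm
    ("e08", False, False, 0.8),
    ("e09", False, False, 0.9),
    ("e10", False, True, 0.6),   # false alarm
]


def corrected_rate(count, n):
    """Log-linear correction (Hautus, 1995).

    A raw rate of exactly 0 or 1 (e.g. a participant who caught every phishing
    e-mail) makes the z-score infinite; adding half a trial to each cell keeps
    d' finite and comparable across participants.
    """
    return (count + 0.5) / (n + 1)


def sdt_scores(hits, n_signal, false_alarms, n_noise):
    h = corrected_rate(hits, n_signal)
    fa = corrected_rate(false_alarms, n_noise)
    return {
        "hit_rate": h,
        "false_alarm_rate": fa,
        # Sensitivity: distance between the phishing and authentic distributions.
        "d_prime": _z(h) - _z(fa),
        # Response bias: > 0 means reluctant to say "phishing", < 0 means trigger-happy.
        "criterion": -(_z(h) + _z(fa)) / 2,
    }


def score_participant(trials):
    """Tally one participant's trials into SDT scores plus a calibration gap."""
    hits = sum(1 for _, phish, said, _ in trials if phish and said)
    fas = sum(1 for _, phish, said, _ in trials if not phish and said)
    n_signal = sum(1 for _, phish, _, _ in trials if phish)
    n_noise = len(trials) - n_signal
    scores = sdt_scores(hits, n_signal, fas, n_noise)
    correct = sum(1 for _, phish, said, _ in trials if phish == said)
    scores["accuracy"] = correct / len(trials)
    scores["mean_confidence"] = sum(c for *_, c in trials) / len(trials)
    # Positive gap: the participant is more confident than they are accurate.
    scores["overconfidence"] = scores["mean_confidence"] - scores["accuracy"]
    return scores


if __name__ == "__main__":
    for key, value in score_participant(TRIALS).items():
        print(f"{key:18s} {value:.3f}")
    print("perfect scorer d':", round(sdt_scores(5, 5, 0, 5)["d_prime"], 3))
```

For the constructed participant the corrected hit and false-alarm rates are 3.5/6 and 2.5/6, giving d' of about 0.42 and a criterion of 0 (no bias either way), while mean confidence (0.77) exceeds accuracy (0.60) by 0.17: exactly the overconfident, low-sensitivity profile the study describes. When using this on real awareness-test data, report d' and c separately; a training programme that only shifts the criterion makes people flag more mail without improving their ability to discriminate.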
Mark I. Hwang and Susan Helser
Abstract
Purpose
Computer games that teach cybersecurity concepts have been developed to help both individuals and organizations shore up their defence against cybercrimes. Evidence of the effectiveness of these games has been rather weak, however. This paper aims to guide the design and testing of more effective cybersecurity educational games by developing a theoretical framework.
Design/methodology/approach
A review of the literature is conducted to explore the dependent variable of this research stream, learning outcomes, and its relationship with four independent variables: game characteristics, game context, learning theory and user characteristics.
Findings
The dependent variable can be measured by five learning outcomes: information, content, strategic knowledge, eagerness to learn/time spent and behavioral change. Game characteristics refer to features that contribute to a game’s usefulness, interactivity, playfulness or attractiveness. Game context pertains to factors that determine how a game is used, including the target audience, the skill involved and the story. Learning theory explains how learning takes place and can be classified as behaviorism, cognitivism, humanism, social learning or constructivism. User characteristics, including gender, age, computer experience, knowledge and perception, are attributes that can affect users’ susceptibility to cybercrimes and hence learning outcomes.
Originality/value
The framework facilitates taking stock of past research and guiding future research. The use of the framework is illustrated in a critique of two research streams. Multiple research directions are discussed for continued research into the design and testing of next-generation cybersecurity computer games.
Yi Yong Lee, Chin Lay Gan and Tze Wei Liew
Abstract
Purpose
The purpose of this paper is to understand the influence of exposure to motivated offenders who may alter the vulnerability levels to phishing victimization. This is particularly focused on explaining the influences of individuals’ online lifestyles and attitudes toward information sharing online on phishing susceptibility.
Design/methodology/approach
This conceptual paper explores the risk of phishing victimization using criminological theories. The authors draw on empirical evidence from the existing cybercrime literature and revisit routine activities theory (RAT) and lifestyle RAT (LRAT) to elucidate the risk of phishing victimization. This paper proposes that cyber-RAT, which was developed from RAT and LRAT, can explain phishing victimization. Grounded in intervention-based theory against phishing cybercrime, this study suggests that an attitude toward precautionary behavior (information sharing online) is essential to mitigate the phishing victimization risk.
Findings
This paper aims to provide a clear insight into the understanding of phishing victimization risk using theoretical and empirical evidence.
Originality/value
The theoretical perspective outlined provides an understanding of the impact of online routine activities on phishing attacks, which in turn will increase awareness of phishing threats. The important role of the precautionary countermeasure, that is, attitudes toward information sharing online, is highlighted as a way to mitigate the phishing victimization risk.
Abstract
Purpose
This paper aims to review the behavioral phishing literature to understand why anti-phishing recommendations are not very effective and to propose ways of making the recommendations more effective. The paper also examines how the concept of stages from health communication and psychology can be used to make recommendations against phishing more effective.
Design/methodology/approach
This literature review focused on the behavioral phishing literature that has relied on human subjects. Studies that lacked practical recommendations or human subjects were excluded.
Findings
The study finds that phishing research does not consider that victims reside in qualitatively different stages. Consequently, the recommendations often do not match the specific needs of different victims. This study proposes a prototype for developing stage theories of phishing victims and identifies three stages of phishing victims from an analysis of the previous phishing research.
Research limitations/implications
This study relied on published research on phishing victims. Future research can overcome this problem by interviewing phishing victims. Further, the authors’ recommendation that phishing researchers categorize phishing victims into stages and develop targeted messages is not based on direct empirical evidence. Nonetheless, evidence from cancer research and health psychology suggests that targeted messaging is efficacious and cost-effective. Thus, the impact of targeted messaging in phishing could be quite large.
Practical implications
The study recommends categorizing individuals into stages based on their security knowledge, online behaviors and other similar characteristics. A stage approach recognizes that individuals who at one time clicked on a phishing link because they lacked the requisite security knowledge may, after receiving security training, click on a link because they are overconfident.
Originality/value
The paper explains why proposing anti-phishing recommendations, based on a “one-size fits all” approach has not been very effective (e.g. because it simplifies why people engage in different behaviors). The proposals introduce a new approach to designing and deploying anti-phishing recommendations based on the concept of stages.
Kavya Sharma, Xinhui Zhan, Fiona Fui-Hoon Nah, Keng Siau and Maggie X. Cheng
Abstract
Purpose
Phishing attacks are the most common cyber threats targeted at users. Digital nudging in the form of framing and priming may reduce user susceptibility to phishing. This research focuses on two types of digital nudging, framing and priming, and examines the impact of framing and priming on users' behavior (i.e. action) in a cybersecurity setting. It draws on prospect theory, instance-based learning theory and dual-process theory to generate the research hypotheses.
Design/methodology/approach
A 3 × 2 experimental study was carried out to test the hypotheses. The experiment consisted of three levels for framing (i.e. no framing, negative framing and positive framing) and two levels for priming (i.e. with and without priming).
Findings
The findings suggest that priming users to information security risks reduces their risk-taking behavior, whereas positive and negative framing of information security messages regarding potential consequences of the available choices do not change users' behavior. The results also indicate that risk-averse cybersecurity behavior is associated with greater confidence with the action, greater perceived severity of cybersecurity risks, lower perceived susceptibility to cybersecurity risks resulting from the action and lower trust in the download link.
Originality/value
This research shows that digital nudging in the form of priming is an effective way to reduce users' exposure to cybersecurity risks.