Quantifying Phishing Susceptibility for Detection and Behavior Decisions

Objective: We use signal detection theory to measure vulnerability to phishing attacks, including variation in performance across task conditions.

Background: Phishing attacks are difficult to prevent with technology alone, as long as technology is operated by people. Those responsible for managing security risks must understand user decision making in order to create and evaluate potential solutions.

Method: Using a scenario-based online task, we performed two experiments comparing performance on two tasks: detection, deciding whether an e-mail is phishing, and behavior, deciding what to do with an e-mail. In Experiment 1, we manipulated the order of the tasks and notification of the phishing base rate. In Experiment 2, we varied which task participants performed.

Results: In both experiments, despite exhibiting cautious behavior, participants' limited detection ability left them vulnerable to phishing attacks. Greater sensitivity was positively correlated with confidence. Greater willingness to treat e-mails as legitimate was negatively correlated with perceived consequences from their actions and positively correlated with confidence. These patterns were robust across experimental conditions.

Conclusion: Phishing-related decisions are sensitive to individuals' detection ability, response bias, confidence, and perception of consequences. Performance differs when people evaluate messages or respond to them, but not when their task varies in other ways.

Application: Based on these results, potential interventions include providing users with feedback on their abilities and information about the consequences of phishing, perhaps targeting those with the worst performance. Signal detection methods offer system operators quantitative assessments of the impacts of interventions and their residual vulnerability.
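The sensitivity and response-bias measures the abstract refers to can be computed from an ordinary phishing-simulation log. The block below is an added example, not code from the paper; it assumes a log of (was_phishing, user_flagged_as_phishing) pairs, and the sample rows are constructed. It uses the standard equal-variance Gaussian model (d' = z(H) - z(F), c = -(z(H) + z(F))/2) with the log-linear correction for hit or false-alarm proportions of 0 or 1, and goes one step beyond the abstract by computing the false-alarm rate a purely bias-shifting intervention would have to accept to reach a target miss rate at the user's current d'.

```python
"""Signal detection metrics for a phishing-detection task.

Added example (not the paper's code). Input: one (was_phishing, flagged) pair
per message, e.g. from an internal phishing-simulation campaign. The equal-
variance Gaussian model is assumed: d' = z(H) - z(F), c = -(z(H) + z(F)) / 2,
where "yes" means the user flagged the message as phishing.
"""
from statistics import NormalDist

_N = NormalDist()  # standard normal: inv_cdf is the z-transform, cdf is Phi

# Constructed sample log: 10 phishing messages (8 flagged, 2 missed) and
# 30 legitimate messages (6 flagged, 24 correctly left alone).
SAMPLE = ([(True, True)] * 8 + [(True, False)] * 2
          + [(False, True)] * 6 + [(False, False)] * 24)


def corrected_rate(count, n):
    """Log-linear correction: keeps z() finite when count is 0 or n."""
    return (count + 0.5) / (n + 1)


def sdt_metrics(log):
    """Return outcome counts, corrected rates, sensitivity d' and criterion c."""
    hits = sum(1 for phish, flagged in log if phish and flagged)
    misses = sum(1 for phish, flagged in log if phish and not flagged)
    false_alarms = sum(1 for phish, flagged in log if not phish and flagged)
    correct_rejections = sum(1 for phish, flagged in log if not phish and not flagged)
    h = corrected_rate(hits, hits + misses)
    f = corrected_rate(false_alarms, false_alarms + correct_rejections)
    z_h, z_f = _N.inv_cdf(h), _N.inv_cdf(f)
    return {
        "hits": hits, "misses": misses,
        "false_alarms": false_alarms, "correct_rejections": correct_rejections,
        "hit_rate": h, "false_alarm_rate": f,
        "d_prime": z_h - z_f,           # detection ability, independent of bias
        "criterion": -(z_h + z_f) / 2,  # > 0: reluctant to flag (treats mail as
                                        # legitimate); < 0: flags readily
    }


def miss_rate_at(d_prime, criterion):
    """P(phishing message is not flagged) implied by d' and c."""
    return 1.0 - _N.cdf(d_prime / 2 - criterion)


def false_alarm_rate_at(d_prime, criterion):
    """P(legitimate message is flagged) implied by d' and c."""
    return _N.cdf(-d_prime / 2 - criterion)


def criterion_for_miss_rate(d_prime, target_miss):
    """Criterion a user with this d' would need to hold to reach target_miss."""
    return d_prime / 2 - _N.inv_cdf(1.0 - target_miss)


if __name__ == "__main__":
    m = sdt_metrics(SAMPLE)
    print(f"d' = {m['d_prime']:.2f}, c = {m['criterion']:.2f}, "
          f"miss rate = {miss_rate_at(m['d_prime'], m['criterion']):.1%}")
    # Cost of a bias-only intervention ("when in doubt, report it") at this d':
    c_strict = criterion_for_miss_rate(m["d_prime"], 0.05)
    print(f"5% misses at the same d' needs c = {c_strict:.2f}, which flags "
          f"{false_alarm_rate_at(m['d_prime'], c_strict):.0%} of legitimate mail")
```

Run against the constructed sample this gives d' of about 1.55 and a near-neutral criterion; holding that d' fixed, the criterion needed for a 5% miss rate would flag roughly half of all legitimate mail, which is why the abstract's conclusion matters for operators: caution alone does not remove residual vulnerability, and an intervention has to be judged by whether it moves d', not only c.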
