How Contextualisation Affects the Vulnerability of Individuals to Phishing Attempts

Hackers who engage in phishing manipulate their victims into revealing confidential information by exploiting their motives, habits and cognitive biases. Drawing on heuristic-systematic processing and anchoring effects, this study examines how the contextualisation of phishing messages, by modifying their framing and content, affects individual susceptibility to phishing. This study also investigates whether there is a discrepancy between how individuals believe they will react to phishing attempts and their actual reactions. Using two fake phishing campaigns and an online survey, we find that individuals are more susceptible to phishing attempts when the phishing messages they receive are specific to their context, thereby appealing to their psychological vulnerabilities. There is also a significant gap between how individuals believe they will react and their actual reactions to phishing attempts. Finally, we find that these results vary by gender.
