A comparison of features in a crowdsourced phishing warning system

Initial research on using crowdsourcing as a collaborative method for helping individuals identify phishing messages has shown promising results. However, the vast majority of crowdsourcing research has focussed on crowdsourced system components broadly and understanding individuals' motivation in contributing to crowdsourced systems. Little research has examined the features of crowdsourced systems that influence whether individuals utilise this information, particularly in the context of warnings for phishing emails. Thus, the present study examined four features related to warnings derived from a mock crowdsourced anti‐phishing warning system that 438 participants were provided to aid in their evaluation of a series of email messages: the number of times an email message was reported as being potentially suspicious, the source of the reports, the accuracy rate of the warnings (based on reports) and the disclosure of the accuracy rate. The results showed that crowdsourcing features work together to encourage warning acceptance and reduce anxiety. Accuracy rate demonstrated the most prominent effects on outcomes related to judgement accuracy, adherence to warning recommendations and anxiety with system use. The results are discussed regarding implications for organisations considering the design and implementation of crowdsourced phishing warning systems that facilitate accurate recommendations.
