Quantifying Susceptibility to Spear Phishing in a High School Environment Using Signal Detection Theory

Spear phishing is a deceptive attack that uses social engineering to obtain confidential information through targeted victimization. It is distinguished from generic phishing by its use of social cues and personalized information to target specific victims. Previous work on resilience to spear phishing has focused on convenience samples, with a disproportionate focus on students. Here, in contrast, we report on an evaluation of a high school community. We engaged 57 high school students and faculty members (12 high school students, 45 staff members) as participants in research using signal detection theory (SDT). Through scenario-based analysis, participants were tasked with distinguishing phishing emails from authentic emails. The results revealed an overconfidence bias in participants' self-assessed detection ability, regardless of their technical background. These findings are critical for evaluating the decision-making of underrepresented populations and for protecting people from potential spear phishing attacks by examining human susceptibility.
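The SDT analysis the abstract describes, worked through on constructed data as an added example (not the paper's own data or code): each participant's phishing-versus-authentic judgments yield hit and false-alarm rates, from which sensitivity d' and criterion c are computed with the standard SDT formulas, and the gap between a participant's self-rated accuracy and their measured accuracy quantifies the overconfidence bias. The email set, the participant responses and the self-ratings below are all assumed, and the log-linear correction for extreme rates is a standard SDT practice, not something the abstract specifies.

```python
from statistics import NormalDist

# Constructed scenario set (not the paper's instrument): email id -> True if phishing.
EMAILS = {"e1": True, "e2": True, "e3": True, "e4": True,
          "e5": False, "e6": False, "e7": False, "e8": False}

# Constructed participant data: a judgment is True when the email was flagged as phishing;
# self_rated is the participant's own estimate of their accuracy (0..1).
PARTICIPANTS = {
    "student_01": {"self_rated": 0.95, "judgments": {
        "e1": True, "e2": True, "e3": False, "e4": True,
        "e5": False, "e6": True, "e7": False, "e8": False}},
    "staff_01": {"self_rated": 0.80, "judgments": {e: False for e in EMAILS}},
    "staff_02": {"self_rated": 0.90, "judgments": dict(EMAILS)},
}

_Z = NormalDist().inv_cdf  # z-transform of a proportion

def sdt_metrics(judgments, emails=EMAILS):
    """Counts, sensitivity d' and criterion c for one participant's judgments.
    Rates use the log-linear correction (+0.5 per count, +1 per total) so a perfect
    or zero hit/false-alarm rate does not give an infinite z-score."""
    hits = sum(1 for e, phish in emails.items() if phish and judgments[e])
    fas = sum(1 for e, phish in emails.items() if not phish and judgments[e])
    n_phish = sum(emails.values())
    n_legit = len(emails) - n_phish
    hit_rate = (hits + 0.5) / (n_phish + 1)
    fa_rate = (fas + 0.5) / (n_legit + 1)
    d_prime = _Z(hit_rate) - _Z(fa_rate)             # separation of phish from authentic
    criterion = -0.5 * (_Z(hit_rate) + _Z(fa_rate))  # > 0: reluctant to flag as phishing
    accuracy = (hits + n_legit - fas) / len(emails)
    return {"hits": hits, "misses": n_phish - hits, "false_alarms": fas,
            "correct_rejections": n_legit - fas, "d_prime": d_prime,
            "criterion": criterion, "accuracy": accuracy}

def overconfidence(self_rated, metrics):
    """Positive when a participant believes they were more accurate than they were."""
    return self_rated - metrics["accuracy"]

def evaluate(participants=PARTICIPANTS, emails=EMAILS):
    """SDT metrics plus the overconfidence gap for every participant."""
    report = {}
    for name, data in participants.items():
        m = sdt_metrics(data["judgments"], emails)
        m["overconfidence"] = overconfidence(data["self_rated"], m)
        report[name] = m
    return report
```

With this data, staff_01 flags nothing and so has d' of 0 with a strongly conservative criterion, while student_01 separates the two classes moderately (d' about 1.05) yet overestimates their accuracy by 20 points.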
