Exploring susceptibility to phishing in the workplace

Abstract

Phishing emails provide a means to infiltrate the technical systems of organisations by encouraging employees to click on malicious links or attachments. Despite the use of awareness campaigns and phishing simulations, employees remain vulnerable to phishing emails. The present research uses a mixed methods approach to explore employee susceptibility to targeted phishing emails, known as spear phishing. In study one, nine spear phishing simulation emails sent to 62,000 employees over a six-week period were rated according to the presence of authority and urgency influence techniques. Results demonstrated that the presence of authority cues increased the likelihood that a user would click a suspicious link contained in an email. In study two, six focus groups were conducted in a second organisation to explore whether additional factors within the work environment impact employee susceptibility to spear phishing. We discuss these factors in relation to current theoretical approaches and provide implications for user communities.
