A Phishing Mitigation Solution Using Human Behaviour and Emotions That Influence the Success of Phishing Attacks

Phishing is a social engineering scam that can cause financial and reputational damage to people and organisations. Studies have demonstrated the effects of human behaviour and emotions on people's security behaviour, such as falling for a phishing scam. Moreover, several studies show that the COVID-19 outbreak affected human emotions in ways that influenced the success of phishing attempts. In this study, we have developed a solution that uses the results of those previous studies to identify vulnerable users (i.e., those at risk of clicking on phishing links) in organisations. The solution assigns appropriate mitigation actions to those high-risk users. The system consists of behaviour measurement, risk scoring, and mitigation modules that can mature and improve in accuracy over time. Furthermore, situations similar to a pandemic are accounted for in the solution. The proposed solution will help organisations focus on protecting high-risk users and reducing the number of successful phishing attacks. It should be used in combination with technical anti-phishing controls and cybersecurity awareness training campaigns to achieve better results.