Why do users trust the wrong messages? A behavioural model of phishing

Given the rise of phishing over the past 5 years, a recurring question is why users continue to fall for these scams. Various technical countermeasures have been proposed to try to counter phishing, and none has yet comprehensively succeeded in preventing users from becoming victims. This paper argues that an explicit model of user psychology is required to understand user behaviour in (a) processing phishing e-mails, (b) clicking on links to phishing websites, and (c) interacting with these websites. Many users engage in e-mail and web activity with an inappropriately high level of trust: users are constantly rewarded by their online interactions, even where there is a low level of formalised trust between the sending and receiving parties; e.g., if an e-mail claims to be sent from a bank, then it must be so, even if there has been no a priori exchange of credentials mediated by a trusted third party. Previously, mathematical models have been developed to predict trust establishment and maintenance based on reputation scores (e.g., Tran et al. [1, 2]). This paper considers two inter-related questions: (a) can we model the behaviour of users learning to trust, based on non-associative models of learning (habituation and sensitisation), and (b) can we then locate this behavioural activity in a broader psychological model with a view to identifying potential countermeasures which might circumvent learned behaviour?

[1] Nicolas Christin et al. Predicted and Observed User Behavior in the Weakest-link Security Game. UPSEC, 2008.

[2] Vijay Varadharajan et al. Trust and authorization in the grid: a recommendation model. ICPS '05: Proceedings of the International Conference on Pervasive Services, 2005.

[3] Paul A. Watters et al. Trustworthy e-mail using secure XML Web services. Seventh IEEE International Conference on E-Commerce Technology (CEC'05), 2005.

[4] I. R. Bell et al. Increased limbic system symptomatology and sensitizability of young adults with chemical and noise sensitivities. Environmental Research, 1995.

[5] Vijay Varadharajan et al. A Trust based Access Control Framework for P2P File-Sharing Systems. Proceedings of the 38th Annual Hawaii International Conference on System Sciences, 2005.

[6] D. C. Wood. Habituation in Stentor: produced by mechanoreceptor channel modification. The Journal of Neuroscience, 1988.

[7] Nicolas Christin et al. Secure or insure? A game-theoretic analysis of information security games. WWW, 2008.

[8] Fred D. Davis et al. User Acceptance of Computer Technology: A Comparison of Two Theoretical Models. 1989.

[9] H. V. Peeke et al. Stimulus specificity of habituated aggression in the stickleback (Gasterosteus aculeatus). Behavioral Biology, 1973.

[10] P. Watters et al. Social Processes as Dynamical Processes: Qualitative Dynamical Systems Theory in Social Psychology. Current Research in Social Psychology, 1996.

[11] J. Wooders et al. Reputation in Auctions: Theory, and Evidence from eBay. 2006.

[12] S. Link et al. A sequential theory of psychological discrimination. 1975.

[13] M. Davis et al. A primary acoustic startle circuit: lesion and stimulation studies. The Journal of Neuroscience, 1982.

[14] John E. R. Staddon et al. Multiple Time Scales in Simple Habituation. 1996.

[15] F. Craik et al. Levels of Processing: A Framework for Memory Research. 1975.

[16] Paul A. Watters et al. The Efficiency of Periodic Rekeying in Dynamic Group Key Management. Fourth European Conference on Universal Multiservice Networks (ECUMN'07), 2007.

[17] Alex Ng et al. Forensic Characteristics of Phishing - Petty Theft or Organized Crime? WEBIST, 2008.