Who falls for phish?: a demographic analysis of phishing susceptibility and effectiveness of interventions

In this paper we present the results of a roleplay survey instrument administered to 1001 online survey respondents to study both the relationship between demographics and phishing susceptibility and the effectiveness of several anti-phishing educational materials. Our results suggest that women are more susceptible than men to phishing and that participants between the ages of 18 and 25 are more susceptible to phishing than other age groups. We explain these demographic factors through a mediation analysis. Educational materials reduced users' tendency to enter information into phishing webpages by 40%; however, some of the educational materials we tested also slightly decreased participants' tendency to click on legitimate links.
