Which phish get caught? An exploratory study of individuals' susceptibility to phishing

Phishing, or the practice of sending deceptive electronic communications to acquire private information from victims, results in significant financial losses to individuals and businesses. The first goal of this study is to identify situational and personality factors that explain why certain individuals are susceptible to such attacks. The second goal is to test those factors empirically, along with previously identified factors, to explain the likelihood that an individual will fall victim to a phishing attack. We employed the Delphi method to identify seven personality factors that may influence this susceptibility (trust, distrust, curiosity, entertainment drive, boredom proneness, lack of focus, and risk propensity). Our regression model included these as well as variables examined in previous studies. We find that emails sent from a known source significantly increase user susceptibility to phishing, as do a user’s curiosity, risk propensity, general Internet usage, and Internet anxiety. In post hoc tests, we also find that trust and distrust can be significant predictors of susceptibility and that this significance is dependent on the characteristics of the message.
