Coping Responses in Phishing Detection: An Investigation of Antecedents and Consequences

This study investigates users' coping responses in the process of phishing email detection. Three common responses are identified based on the coping literature: task-focused coping, emotion-focused coping i.e., worry and self-criticism, and avoidance coping. The three responses are used to conceptualize a higher-order construct, coping adaptiveness, that resides on a continuum between maladaptive coping and adaptive coping manifested as increased task-focused coping and decreased emotion-focused coping and avoidance coping. Drawing on the extended parallel process model and behavioral decision-making literature, this paper examines the antecedents i.e., perceived phishing threat, perceived detection efficacy, and phishing anxiety and behavioral consequences i.e., detection effort and detection accuracy of coping adaptiveness. A survey experiment with 547 U.S. consumers was conducted. The results show that perceived detection efficacy increases coping adaptiveness. Partially mediated by phishing anxiety, perceived phishing threat decreases coping adaptiveness. Coping adaptiveness positively impacts the two objective measures in the study, detection effort and detection accuracy. The results also suggest that coping adaptiveness and detection effort have different effects on false positives compared to false negatives: detection effort fully mediates the effect of coping adaptiveness on false positive rate or detection accuracy related to legitimate emails, but has no impact on false negatives or detection accuracy related to phishing emails, unlike coping adaptiveness. A post hoc analysis on coping responses reveals two patterns of coping among subjects, throwing more light on coping in phishing detection. Theoretical and practical implications are discussed. The online appendix is available at https://doi.org/10.1287/isre.2016.0680 .

[1]  Izak Benbasat,et al.  Evaluating the Impact of DSS, Cognitive Effort, and Incentives on Strategy Selection , 1999, Inf. Syst. Res..

[2]  R. W. Rogers,et al.  A Protection Motivation Theory of Fear Appeals and Attitude Change1. , 1975, The Journal of psychology.

[3]  G. Matthews,et al.  Metacognition and maladaptive coping as components of test anxiety , 1999 .

[4]  Tyler H. Shaw,et al.  Individual differences in vigilance: Personality, ability and states of stress , 2010 .

[5]  Lorrie Faith Cranor,et al.  Behavioral response to phishing risk , 2007, eCrime '07.

[6]  Qing Hu,et al.  Future directions for behavioral information security research , 2013, Comput. Secur..

[7]  R. W. Rogers,et al.  Effects of components of protection-motivation theory on adaptive and maladaptive coping with a health threat. , 1987, Journal of personality and social psychology.

[8]  J. Frank Yates,et al.  Effects of procedural and outcome accountability on judgment quality , 1996 .

[9]  Michael W. Bridges,et al.  Distinguishing optimism from neuroticism (and trait anxiety, self-mastery, and self-esteem): a reevaluation of the Life Orientation Test. , 1994, Journal of personality and social psychology.

[10]  Jason Hong,et al.  The state of phishing attacks , 2012, Commun. ACM.

[11]  G. Matthews,et al.  Emotional Intelligence: Science and Myth , 2003 .

[12]  Timothy R. Levine,et al.  Deception Detection Accuracy is a Predictable Linear Function of Message Veracity Base-Rate: A Formal Test of Park and Levine's Probability Model , 2006 .

[13]  H. Arkes Costs and benefits of judgment errors: Implications for debiasing. , 1991 .

[14]  Ponnurangam Kumaraguru,et al.  Emerging phishing trends and effectiveness of the anti-phishing landing page , 2014, 2014 APWG Symposium on Electronic Crime Research (eCrime).

[15]  Rebecca A. Grier,et al.  Fundamental dimensions of subjective state in performance settings: task engagement, distress, and worry. , 2002, Emotion.

[16]  Merrill Warkentin,et al.  Fear Appeals and Information Security Behaviors: An Empirical Study , 2010, MIS Q..

[17]  M. Allen,et al.  A Meta-Analysis of Fear Appeals: Implications for Effective Public Health Campaigns , 2000, Health education & behavior : the official publication of the Society for Public Health Education.

[18]  Kai Lung Hui,et al.  Overcoming Online Information Privacy Concerns: An Information-Processing Theory Approach , 2007, J. Manag. Inf. Syst..

[19]  Wynne W. Chin,et al.  Handbook of Partial Least Squares , 2010 .

[20]  Rui Chen,et al.  Security services as coping mechanisms: an investigation into user intention to adopt an email authentication service , 2014, Inf. Syst. J..

[21]  K. Witte Putting the fear back into fear appeals: The extended parallel process model , 1992 .

[22]  Concha Antón,et al.  Generalized Communicative Suspicion (GCS) Among Police Officers: Accounting for the Investigator Bias Effect1 , 2005 .

[23]  Amanda K. Emo,et al.  Emotional intelligence, personality, and task-induced stress. , 2006, Journal of experimental psychology. Applied.

[24]  Jörg Henseler,et al.  Handbook of Partial Least Squares: Concepts, Methods and Applications , 2010 .

[25]  Ritu Agarwal,et al.  Practicing Safe Computing: A Multimedia Empirical Examination of Home Computer User Security Behavioral Intentions , 2010, MIS Q..

[26]  J. G. Mohebzada,et al.  Phishing in a university community: Two large scale phishing experiments , 2012, 2012 International Conference on Innovations in Information Technology (IIT).

[27]  C. Fornell,et al.  Evaluating structural equation models with unobservable variables and measurement error. , 1981 .

[28]  Xin Luo,et al.  Investigating phishing victimization with the Heuristic-Systematic Model: A theoretical framework and an exploration , 2013, Comput. Secur..

[29]  Philip E. Tetlock,et al.  Emerging Perspectives on Judgment and Decision Research: Bridging Individual, Interpersonal, and Institutional Approaches to Judgment and Decision Making: The Impact of Accountability on Cognitive Bias , 2003 .

[30]  Yajiong Xue,et al.  Avoidance of Information Technology Threats: A Theoretical Perspective , 2009, MIS Q..

[31]  Jeffery D. Wilfong Computer anxiety and anger: the impact of computer use, computer experience, and self-efficacy beliefs , 2006, Comput. Hum. Behav..

[32]  T. Levine,et al.  A probability model of accuracy in deception detection experiments , 2001 .

[33]  Markus Jakobsson,et al.  Phishing IQ Tests Measure Fear, Not Ability , 2007, Financial Cryptography.

[34]  Detmar W. Straub,et al.  Specifying Formative Constructs in Information Systems Research , 2007, MIS Q..

[35]  Deborah Compeau,et al.  Computer Self-Efficacy: Development of a Measure and Initial Test , 1995, MIS Q..

[36]  Shari Lawrence Pfleeger,et al.  Going Spear Phishing: Exploring Embedded Training and Awareness , 2014, IEEE Security & Privacy.

[37]  S. Folkman,et al.  Stress, Appraisal, and Coping. New York, NY: Springer; , 1984 .

[38]  Rui Chen,et al.  An investigation of email processing from a risky decision making perspective , 2011, Decis. Support Syst..

[39]  Rui Chen,et al.  Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model , 2011, Decis. Support Syst..

[40]  Dennis F. Galletta,et al.  Which phish get caught? An exploratory study of individuals′ susceptibility to phishing , 2017, Eur. J. Inf. Syst..

[41]  Donald H. Saklofske,et al.  Adaptive and maladaptive coping. , 1996 .

[42]  Xinguang Sheng,et al.  A policy analysis of phishing countermeasures , 2009 .

[43]  J. Warm,et al.  Task Engagement, Attention, and Executive Control , 2010 .

[44]  Rui Chen,et al.  Visual e-mail authentication and identification services: An investigation of the effects on e-mail use , 2009, Decis. Support Syst..

[45]  Rui Chen,et al.  Research Article Phishing Susceptibility: An Investigation Into the Processing of a Targeted Spear Phishing Email , 2012, IEEE Transactions on Professional Communication.

[46]  Dahui Li,et al.  Fighting identity theft: The coping perspective , 2012, Decis. Support Syst..

[47]  Merrill Warkentin,et al.  An Enhanced Fear Appeal Rhetorical Framework: Leveraging Threats to the Human Asset Through Sanctioning Rhetoric , 2015, MIS Q..

[48]  Ponnurangam Kumaraguru,et al.  Who falls for phish?: a demographic analysis of phishing susceptibility and effectiveness of interventions , 2010, CHI.

[49]  M. Workman Wisecrackers: A theory-grounded investigation of phishing and pretext social engineering threats to information security , 2008 .

[50]  S. Furnell Phishing: can we spot the signs? , 2007 .

[51]  Gang Liu,et al.  Smartening the crowds: computational techniques for improving human verification to fight phishing scams , 2011, SOUPS.

[52]  John A. Clark,et al.  Mobile Users' Strategies for Managing Phishing Attacks , 2014 .

[53]  William C. McDowell,et al.  Am I Really at Risk? Determinants of Online Users' Intentions to Use Strong Passwords , 2009 .

[54]  D. Mackinnon,et al.  A Simulation Study of Mediated Effect Measures. , 1995, Multivariate behavioral research.

[55]  Alex R. Piquero,et al.  How Much is the Public Willing to Pay to be Protected from Identity Theft? , 2011 .

[56]  Marti A. Hearst,et al.  Why phishing works , 2006, CHI.

[57]  Lorrie Faith Cranor,et al.  Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish , 2007, SOUPS '07.

[58]  Lorrie Faith Cranor,et al.  Decision strategies and susceptibility to phishing , 2006, SOUPS '06.

[59]  John W. Payne,et al.  Contingent decision behavior. , 1982 .

[60]  Lorrie Faith Cranor,et al.  Phishguru: a system for educating users about semantic attacks , 2009 .

[61]  A. Bandura Self-efficacy mechanism in human agency , 2024, Psihologìâ ì suspìlʹstvo.

[62]  Markus Jakobsson,et al.  Phishing and Countermeasures , 2006 .

[63]  John W. Payne,et al.  Effort and Accuracy in Choice , 1985 .

[64]  Lorrie Faith Cranor,et al.  Lessons from a real world evaluation of anti-phishing training , 2008, 2008 eCrime Researchers Summit.

[65]  Lorrie Faith Cranor,et al.  A Framework for Reasoning About the Human in the Loop , 2008, UPSEC.

[66]  Dennis F. Galletta,et al.  What Do Systems Users Have to Fear? Using Fear Appeals to Engender Threats and Fear that Motivate Protective Security Behaviors , 2015, MIS Q..

[67]  N. Endler,et al.  Multidimensional assessment of coping: a critical evaluation. , 1990, Journal of personality and social psychology.

[68]  Izak Benbasat,et al.  Inducing compensatory information processing through decision aids that facilitate effort reduction: an experimental assessment , 2000 .

[69]  Kathryn Parsons,et al.  Information Management & Computer Security Why do some people manage phishing e-mails better than others ? , 2016 .

[70]  Markus Jakobsson,et al.  Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft , 2006 .

[71]  Markus Jakobsson,et al.  Social phishing , 2007, CACM.

[72]  Lucy Popova,et al.  The Extended Parallel Process Model , 2012, Health education & behavior : the official publication of the Society for Public Health Education.

[73]  Yajiong Xue,et al.  Understanding Security Behaviors in Personal Computer Usage: A Threat Avoidance Perspective , 2010, J. Assoc. Inf. Syst..

[74]  Ronald C. Dodge,et al.  Phishing for user security awareness , 2007, Comput. Secur..

[75]  Celette Sugg Skinner,et al.  A Breast Cancer Fear Scale: Psychometric Development , 2004, Journal of health psychology.

[76]  Eric J. Johnson,et al.  A componential analysis of cognitive effort in choice , 1990 .

[77]  Anne Beaudry,et al.  The Other Side of Acceptance: Studying the Direct and Indirect Effects of Emotions on Information Technology Use , 2010, MIS Q..

[78]  Ryan T. Wright,et al.  The Influence of Experiential and Dispositional Factors in Phishing: An Empirical Investigation of the Deceived , 2010, J. Manag. Inf. Syst..

[79]  A. Kruglanski,et al.  On Leaping to Conclusions When Feeling Tired: Mental Fatigue Effects on Impressional Primacy , 1996 .

[80]  Il-Yeol Song,et al.  Investigating Information Structure of Phishing Emails Based on Persuasive Communication Perspective , 2007, J. Digit. Forensics Secur. Law.

[81]  Kyle J. Susa,et al.  Can intuition improve deception detection performance , 2009 .

[82]  Lorrie Faith Cranor,et al.  Teaching Johnny not to fall for phish , 2010, TOIT.

[83]  Gilbert A. Churchill A Paradigm for Developing Better Measures of Marketing Constructs , 1979 .

[84]  Ellen Garbarino,et al.  Cognitive Effort, Affect, and Choice , 1997 .

[85]  Gerald Matthews,et al.  Task-Induced Stress and Individual Differences in Coping , 1998 .

[86]  R. W. Rogers,et al.  A meta-analysis of research on protection motivation theory. , 2000 .