Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model

This research presents an integrated information processing model of phishing susceptibility grounded in prior research on information processing and interpersonal deception. We refine and validate the model using a sample of intended victims of an actual phishing attack. The data provide strong support for the model's theoretical structure and causative sequence. Overall, the model explains close to 50% of the variance in individual phishing susceptibility. The results indicate that most phishing emails are peripherally processed and that individuals make decisions based on simple cues embedded in the email. Interestingly, urgency cues in the email stimulated increased information processing, thereby short-circuiting the resources available for attending to other cues that could potentially help detect the deception. Additionally, the findings suggest that habitual patterns of media use combined with high levels of email load have a strong and significant influence on individuals' likelihood to be phished. Consistent with social cognitive theory, computer self-efficacy was found to significantly influence elaboration, but its influence was diminished by domain-specific knowledge.
