Quantifying Phishing Susceptibility for Detection and Behavior Decisions
Objective: We use signal detection theory to measure vulnerability to phishing attacks, including variation in performance across task conditions.
Background: Phishing attacks are difficult to prevent with technology alone, as long as technology is operated by people. Those responsible for managing security risks must understand user decision making in order to create and evaluate potential solutions.
Method: Using a scenario-based online task, we performed two experiments comparing performance on two tasks: detection, deciding whether an e-mail is phishing, and behavior, deciding what to do with an e-mail. In Experiment 1, we manipulated the order of the tasks and notification of the phishing base rate. In Experiment 2, we varied which task participants performed.
Results: In both experiments, despite exhibiting cautious behavior, participants' limited detection ability left them vulnerable to phishing attacks. Greater sensitivity was positively correlated with confidence. Greater willingness to treat e-mails as legitimate was negatively correlated with perceived consequences from their actions and positively correlated with confidence. These patterns were robust across experimental conditions.
Conclusion: Phishing-related decisions are sensitive to individuals' detection ability, response bias, confidence, and perception of consequences. Performance differs when people evaluate messages or respond to them but not when their task varies in other ways.
Application: Based on these results, potential interventions include providing users with feedback on their abilities and information about the consequences of phishing, perhaps targeting those with the worst performance. Signal detection methods offer system operators quantitative assessments of the impacts of interventions and their residual vulnerability.
C. I. Canfield et al., "Quantifying Phishing Susceptibility for Detection and Behavior Decisions," Human Factors, vol. 58, no. 8, pp. 1158-1172, SAGE Publications Inc., Dec 2016.
The definitive version is available at https://doi.org/10.1177/0018720816665025
Engineering Management and Systems Engineering
Keywords and Phrases
Cybersecurity; Metacognition; Perception-Action; Signal Detection Theory; Vigilance
International Standard Serial Number (ISSN)
Article - Journal
© 2016 Human Factors and Ergonomics Society, All rights reserved.