Abstract
Every electronic message poses some threat of being a phishing attack. If recipients underestimate that threat, they expose themselves, and those connected to them, to identity theft, ransom, malware, or worse. If recipients overestimate that threat, then they incur needless costs, perhaps reducing their willingness and ability to respond over time. In two experiments, we examined the appropriateness of individuals' confidence in their judgments of whether email messages were legitimate or phishing, using calibration and resolution as metacognition metrics. Both experiments found that participants had reasonable calibration but poor resolution, reflecting a weak correlation between their confidence and knowledge. These patterns differed for legitimate and phishing emails, with participants being better calibrated for legitimate emails, except when expressing complete confidence in their judgments, but consistently overconfident for phishing emails. The second experiment compared performance on the laboratory task with individuals' actual vulnerability, and found that participants with better resolution were less likely to have malicious files on their home computers. That comparison raised general questions about the design of anti-phishing training and of providing feedback essential to self-regulated learning.
Recommended Citation
C. I. Canfield et al., "Better Beware: Comparing Metacognition for Phishing and Legitimate Emails," Metacognition and Learning, vol. 14, no. 3, pp. 343 - 362, Springer New York LLC, Dec 2019.
The definitive version is available at https://doi.org/10.1007/s11409-019-09197-5
Department(s)
Engineering Management and Systems Engineering
Research Center/Lab(s)
Center for Research in Energy and Environment (CREE)
Second Research Center/Lab
Intelligent Systems Center
Keywords and Phrases
Calibration; Deception detection; Digital literacy; Phishing; Resolution
International Standard Serial Number (ISSN)
1556-1623; 1556-1631
Document Type
Article - Journal
Document Version
Final Version
File Type
text
Language(s)
English
Rights
© 2019 Springer New York LLC, All rights reserved.
Creative Commons Licensing
This work is licensed under a Creative Commons Attribution 4.0 License.
Publication Date
01 Dec 2019
Comments
The Security Behavior Observatory was partially funded by the NSA Science of Security Lablet at Carnegie Mellon University (contract #H9823014C0140); the National Science Foundation, Grant CNS-1012763 (Nudging Users Towards Privacy); and the Hewlett Foundation, through the Center for Long-Term Cybersecurity (CLTC) at the University of California, Berkeley. In addition, this work was supported by the Swedish Foundation for the Humanities and Social Sciences and Riksbankens Jubileumsfond.
This article was originally published electronically on the publisher’s internet portal (currently SpringerLink) on 20 July 2019 without open access: Correction.