Every electronic message poses some threat of being a phishing attack. If recipients underestimate that threat, they expose themselves, and those connected to them, to identity theft, ransom, malware, or worse. If recipients overestimate that threat, then they incur needless costs, perhaps reducing their willingness and ability to respond over time. In two experiments, we examined the appropriateness of individuals' confidence in their judgments of whether email messages were legitimate or phishing, using calibration and resolution as metacognition metrics. Both experiments found that participants had reasonable calibration but poor resolution, reflecting a weak correlation between their confidence and knowledge. These patterns differed for legitimate and phishing emails, with participants being better calibrated for legitimate emails, except when expressing complete confidence in their judgments, but consistently overconfident for phishing emails. The second experiment compared performance on the laboratory task with individuals' actual vulnerability, and found that participants with better resolution were less likely to have malicious files on their home computers. That comparison raised general questions about the design of anti-phishing training and of providing feedback essential to self-regulated learning.
C. I. Canfield et al., "Better Beware: Comparing Metacognition for Phishing and Legitimate Emails," Metacognition and Learning, vol. 14, no. 3, pp. 343-362, Springer New York LLC, Dec 2019.
The definitive version is available at https://doi.org/10.1007/s11409-019-09197-5
Engineering Management and Systems Engineering
Keywords and Phrases
Calibration; Deception detection; Digital literacy; Phishing; Resolution
International Standard Serial Number (ISSN)
Article - Journal
© 2019 Springer New York LLC, All rights reserved.
Creative Commons Licensing
This work is licensed under a Creative Commons Attribution 4.0 License.