Abstract
Although phishing is the most common social engineering tactic employed by cyber criminals, not everyone is equally susceptible. An important finding emerging across several research studies on phishing is that a subset of employees is especially susceptible to social engineering tactics and is responsible for a disproportionate number of successful phishing attempts. Sometimes referred to as repeat clickers, these employees habitually fail simulated phishing tests and are suspected of being responsible for a significant number of real-world phishing-related data breaches. In contrast to repeat clickers, protective stewards are employees who never fail simulated phishing exercises and habitually report phishing simulations to their security departments. This study explored some of the potential causes of these persistent behaviors (both good and bad) by administering six semi-structured interviews (three with repeat clickers and three with protective stewards). Surprisingly, both groups were able to identify message cues for spotting potentially malicious emails. Repeat clickers reported a more internally oriented locus of control and higher confidence in their ability to identify phishing emails, but also described more rigid email-checking habits than did protective stewards. One unexpected finding was that the repeat clickers failed to recall an identifier that they had been explicitly told they would later need to recall, while the protective stewards recalled the identifier without error. Given the small sample and the exploratory nature of this study, additional research should seek to confirm whether these findings extend to larger populations.
Acknowledgements
The author wishes to thank Dr. Clay Posey, Michael Constantino, Dr. Shanee Dawkins, and Alexandra Figueroa for their assistance in collecting and analyzing the data for this study. The author also wishes to acknowledge the support of the National Institute of Standards and Technology (NIST) under Financial Assistance Award Number: 60NANB19D123. The views and conclusions contained in this document are those of the author and should not be interpreted as representing the official policies, either expressed or implied, of NIST or the U.S. Government.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Canham, M. (2023). Repeat Clicking: A Lack of Awareness is Not the Problem. In: Degen, H., Ntoa, S., Moallem, A. (eds) HCI International 2023 – Late Breaking Papers. HCII 2023. Lecture Notes in Computer Science, vol 14059. Springer, Cham. https://doi.org/10.1007/978-3-031-48057-7_20
DOI: https://doi.org/10.1007/978-3-031-48057-7_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-48056-0
Online ISBN: 978-3-031-48057-7
eBook Packages: Computer Science (R0)