Phishing for the Truth: A Scenario-Based Experiment of Users’ Behavioural Response to Emails

  • Kathryn Parsons
  • Agata McCormac
  • Malcolm Pattinson
  • Marcus Butavicius
  • Cate Jerram
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 405)

Abstract

Using a role-play scenario experiment, 117 participants were asked to manage 50 emails. To test whether knowing that they are taking part in a phishing study affects participants' decisions, only half of the participants were told that the study was assessing the ability to identify phishing emails. Participants who were told that they were undertaking a phishing study were significantly better at correctly managing phishing emails and took longer to make their decisions. This was not caused by a bias towards judging an email as a phishing attack but by an increase in the ability to discriminate between phishing and real emails. Interestingly, participants who had formal training in information systems performed more poorly overall. Our results have implications for the interpretation of previous phishing studies, for the design of future studies and for training and education campaigns, since they suggest that when people are primed about phishing risks they adopt a more diligent approach to screening emails.
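The abstract's distinction between "better discrimination" and "a bias towards calling emails phishing" is the one a signal-detection analysis makes: sensitivity (d') measures how well phishing and real emails are told apart, while the criterion (c) measures how readily a participant flags an email regardless of what it is. The following is an added example, not code from the paper or its authors; it assumes the standard d'/c formulation from hit and false-alarm rates (the abstract does not name the measures it used), and the inbox split of 25 phishing plus 25 real emails and all decision counts are constructed for illustration, not the study's data.

```python
"""Discrimination (d') versus response bias (c) in phishing-detection results.

Added example, not from the paper. Two constructed "informed" groups both flag
more phishing emails than an "uninformed" baseline; only one of them actually
discriminates better, the other has just shifted its criterion toward flagging.
"""
from dataclasses import dataclass
from statistics import NormalDist

_Z = NormalDist().inv_cdf  # inverse of the standard normal CDF, z(p)


@dataclass(frozen=True)
class SDTResult:
    hit_rate: float   # phishing emails correctly flagged / all phishing emails
    fa_rate: float    # real emails wrongly flagged / all real emails
    d_prime: float    # sensitivity: z(H) - z(F); larger = better discrimination
    criterion: float  # bias: -(z(H) + z(F)) / 2; negative = liberal, i.e. flags readily


def _corrected_rate(count: int, n: int) -> float:
    """Proportion with the usual 1/(2N) correction so z() stays finite at 0 or 1."""
    if n <= 0:
        raise ValueError("need at least one trial")
    if count == 0:
        return 1.0 / (2 * n)
    if count == n:
        return 1.0 - 1.0 / (2 * n)
    return count / n


def sdt(hits: int, n_phish: int, false_alarms: int, n_real: int) -> SDTResult:
    """Hit rate, false-alarm rate, d' and c from raw decision counts."""
    h = _corrected_rate(hits, n_phish)
    f = _corrected_rate(false_alarms, n_real)
    zh, zf = _Z(h), _Z(f)
    return SDTResult(h, f, zh - zf, -(zh + zf) / 2)


def interpret(baseline: SDTResult, comparison: SDTResult, tol: float = 0.25) -> str:
    """Say whether a group differs from the baseline in discrimination, bias, both or neither."""
    dd = comparison.d_prime - baseline.d_prime
    dc = comparison.criterion - baseline.criterion
    parts = []
    if abs(dd) >= tol:
        parts.append("discrimination " + ("up" if dd > 0 else "down"))
    if abs(dc) >= tol:
        parts.append("bias shifted " + ("toward flagging" if dc < 0 else "away from flagging"))
    return ", ".join(parts) if parts else "no material change"


# Constructed inbox: 25 phishing + 25 real emails per group. The abstract gives
# 50 emails in total but not the split; this split is an assumption.
N_PHISH, N_REAL = 25, 25

uninformed = sdt(hits=15, n_phish=N_PHISH, false_alarms=10, n_real=N_REAL)
# Case A: more phish caught AND fewer real emails flagged -> genuine discrimination gain.
informed_discriminating = sdt(hits=20, n_phish=N_PHISH, false_alarms=5, n_real=N_REAL)
# Case B: more phish caught only because more of everything is flagged -> bias shift.
informed_biased = sdt(hits=20, n_phish=N_PHISH, false_alarms=15, n_real=N_REAL)

if __name__ == "__main__":
    for name, r in [("uninformed", uninformed),
                    ("informed, case A", informed_discriminating),
                    ("informed, case B", informed_biased)]:
        print(f"{name:18s} H={r.hit_rate:.2f} F={r.fa_rate:.2f} "
              f"d'={r.d_prime:.2f} c={r.criterion:+.2f}")
    print("case A vs uninformed:", interpret(uninformed, informed_discriminating))
    print("case B vs uninformed:", interpret(uninformed, informed_biased))
```

Note that raw hit rate alone cannot separate the two cases: both informed groups catch 20 of 25 phishing emails. Only the pairing of hit rate with false-alarm rate, which is what d' and c encode, shows that case B has not learned to tell the emails apart.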

Keywords

phishing; information security; security behaviours; email security; security training

Copyright information

© IFIP International Federation for Information Processing 2013

Authors and Affiliations

  • Kathryn Parsons (1)
  • Agata McCormac (1)
  • Malcolm Pattinson (2)
  • Marcus Butavicius (1)
  • Cate Jerram (2)
  1. Defence Science and Technology Organisation, Edinburgh, Australia
  2. Business School, The University of Adelaide, Adelaide, Australia
