Abstract
As email traffic grows around the world, recipients often face questions such as: to click or not to click? Should I trust or should I distrust? When interacting with computers or digital artefacts, individuals try to replicate interpersonal trust and distrust mechanisms in order to calibrate their trust. Such mechanisms rely on the ways individuals interpret and understand information.
Technical information systems security solutions may reduce external and technical threats; yet the academic literature as well as industry professionals warn of the risks associated with insider threats, those coming from inside the organization and induced by legitimate users.
This article focuses on phishing emails as an unintentional insider threat. After a literature review on interpretation and knowledge management, insider threats and security, and trust and distrust, we present the methodology and experimental protocol used to conduct a study with 250 participants and to understand how they interpret phishing emails and decide to trust or distrust them. In this article, we discuss the preliminary results of this study and outline future work and directions.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Arduin, PE. (2020). To Click or Not to Click? Deciding to Trust or Distrust Phishing Emails. In: Moreno-Jiménez, J., Linden, I., Dargam, F., Jayawickrama, U. (eds) Decision Support Systems X: Cognitive Decision Support Systems and Technologies. ICDSST 2020. Lecture Notes in Business Information Processing, vol 384. Springer, Cham. https://doi.org/10.1007/978-3-030-46224-6_6
DOI: https://doi.org/10.1007/978-3-030-46224-6_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-46223-9
Online ISBN: 978-3-030-46224-6
eBook Packages: Computer Science (R0)