Click Me If You Can!

When Do Users Follow a Call to Action in an Online Message?
  • Thomas Pfeiffer
  • Heike Theuerling
  • Michaela Kauer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8030)


Being able to predict how internet users react when confronted with a potentially dangerous call for action in an online message (such as an e-mail) is important for several reasons. On the one hand, users have to be protected from fraudulent e-mails such as phishing. On the other hand, over-cautious users would be difficult to communicate with on the internet, so senders of legitimate messages have to know how to convince recipients of the authenticity of their messages. Extensive research already exists from both of these perspectives, but each study only explores certain aspects of the complex system of factors influencing users’ reactions. In this paper the results of our efforts to integrate the various existing findings into one comprehensive model are presented, along with the results of a preliminary evaluation of some of the model’s predictions using quantitative as well as qualitative measures and eye-tracking.


Keywords: decision model, e-mail, phishing, social engineering, e-commerce, trust, risk





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Thomas Pfeiffer (1)
  • Heike Theuerling (2)
  • Michaela Kauer (2)
  1. Center for Advanced Security Research Darmstadt, Germany
  2. Institute of Ergonomics, Technische Universität Darmstadt, Germany
