Previous research has identified several populations that are susceptible to inauthentic emails (e.g., spam). However, these studies utilize retrospective, self-report measures to assess email users’ interactions with limited sets of inauthentic emails. In order to fill this gap in the literature, the present study assessed participants’ likelihood to rate a wide variety of emails as spam, authentic, and dangerous. The results highlighted several key findings: 1) there were no gender differences for the email ratings; there were only differences in experience with email, 2) those who do not regularly email and read other electronic documents were more likely to rate emails as spam, possibly indicating an increase in false positives, and 3) the relationship between age and rating an email as spam indicates that younger users may be more susceptible to spam. Overall, the present study identified demographic characteristics that should be considered when training users to detect inauthentic emails.
Most previous phishing interventions have employed discrete training approaches, such as brief instructions aimed at improving phishing detection. However, these discrete interventions have demonstrated limited success. The present studies focused on developing an alternative to discrete training by providing college-age adults with a persistent classification aid that guided them on what characteristics a phishing email might include. Experiment 1 determined if this classification aid improved email categorization performance relative to feedback and control. Experiment 2 continued the evaluation of the classification aid to determine whether performance improvements were due to increased systematic processing of emails. Experiment 3 explored whether the classification aid would be more effective when embedded directly into the email interface. The results suggested three major findings. (a) Persistent interventions can improve phishing email detection. (b) Performance improvements were largest when the classification aid was embedded into the task. (c) These benefits were likely driven by an improved systematic processing of the emails. This novel phishing classification aid serves as a promising persistent intervention that can be adaptable to specific email environments and individuals. Public Significance Statement: The present studies developed a persistent phishing intervention as an alternative to standard discrete methods. The results indicate that persistent interventions may be a promising strategy for improving phishing detection, particularly when embedded into the task, for both organizations and researchers.
Objective: The present studies examine how task factors (e.g., email load, phishing prevalence) influence email performance. Background: Phishing emails are a paramount cybersecurity threat for the modern email user. Research attempting to understand how users are susceptible to phishing attacks has been limited and has not fully explored how task factors (e.g., prevalence, email load) influence accurate detection. Method: In three experiments, participants classified emails as either legitimate or not legitimate and reported on a variety of other categorizations. The first two experiments examined how email load and phishing prevalence influence phishing detection independently. The third experiment examined the interaction of these two factors to determine whether they have compounding effects. All three experiments utilized individual difference variables to examine how cognitive, behavioral, and personality factors may influence classifications. Results: Experiment 1 suggests that high email load can make the task appear more challenging. Experiment 2 indicates that low phishing prevalence can decrease sensitivity for phishing emails. Experiment 3 demonstrates that high levels of email load can decrease classification accuracy under 50/50 prevalence rates. Notably, performance was poor across all experiments, with phishing detection near chance levels and low discriminability for emails. Participants demonstrated poor metacognition with overconfidence, low self-reported difficulty, and low perceived threat for the emails. Conclusion: Overall, the present studies suggest that high email load and low phishing prevalence can influence email classifications. Application: Organizations and researchers should consider the influences of both email load and phishing prevalence when implementing phishing interventions.