Experimental Investigation of Demographic Factors Related to Phishing Susceptibility

Li, Wanru; Lee, James; Purl, Justin; Greitzer, Frank L.; Yousefi, Bahram Hooshyar; Laskey, Kathryn Blackmond

doi:10.24251/hicss.2020.274

Cited by 33 publications

(32 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To our knowledge, this research represents the first time that all forms of employee responses to phishing attacks-both negative and positive-have been explored simultaneously from a repeat perspective. While a handful of research studies have explored repeat clicking in a limited number of campaigns (Caputo et al, 2013;Li et al, 2020;Workman, 2008), we have not been successful at locating previous research that has explored the opposite, repeat reporting (i.e., protective stewardship) in relation to phishing emails. We will mention, however, that Caputo et al ( 2013) suggested a potential cause of repeat clicking behavior: email usage habits.…”

Section: Scientific Implicationsmentioning

confidence: 92%

“…Despite the need to better understand these repeat offenders (Proofpoint, 2020), research on the matter is surprisingly limited. For example, the few studies that have examined repeat victimization have considered situations with fewer than five trials only (Caputo et al, 2013;Li et al, 2020) or have not reported differences between repeat and nonrepeat victims (Workman, 2008). A study of 1,359 employees from a Washington, DC, organization was sent three simulated phishing emails over a 90-day period.…”

Section: Employee Behaviormentioning

confidence: 99%

“…A study of 1,359 employees from a Washington, DC, organization was sent three simulated phishing emails over a 90-day period. The researchers found that approximately 11% of the participants clicked the embedded hyperlink in all three emails, while approximately 22% did not click the link in a single simulated phishing email (Caputo et al, 2013;Li et al, 2020). Another study of nearly 7,000 employees at a major university looked at responses to simulated phishing emails across three campaigns over 3 weeks.…”

Section: Employee Behaviormentioning

confidence: 99%

“…Another study of nearly 7,000 employees at a major university looked at responses to simulated phishing emails across three campaigns over 3 weeks. These researchers found that employees who clicked an embedded hyperlink in the previous week's campaign were more likely to click the link on the next week's campaign (Caputo et al, 2013;Li et al, 2020). This effect could be due to individual differences in phishing-detection overconfidence from previous campaigns (R. Chen et al, 2020).…”

Section: Employee Behaviormentioning

confidence: 99%

See 3 more Smart Citations

Phishing for Long Tails: Examining Organizational Repeat Clickers and Protective Stewards

et al. 2021

View full text Add to dashboard Cite

Organizational cybersecurity efforts depend largely on the employees who reside within organizational walls. These individuals are central to the effectiveness of organizational actions to protect sensitive assets, and research has shown that they can be detrimental (e.g., sabotage and computer abuse) as well as beneficial (e.g., protective motivated behaviors) to their organizations. One major context where employees affect their organizations is phishing via email systems, which is a common attack vector used by external actors to penetrate organizational networks, steal employee credentials, and create other forms of harm. In analyzing the behavior of more than 6,000 employees at a large university in the Southeast United States during 20 mock phishing campaigns over a 19-month period, this research effort makes several contributions. First, employees’ negative behaviors like clicking links and then entering data are evaluated alongside the positive behaviors of reporting the suspected phishing attempts to the proper organizational representatives. The analysis displays evidence of both repeat clicker and repeat reporter phenomena and their frequency and Pareto distributions across the study time frame. Second, we find that employees can be categorized according to one of the four unique clusters with respect to their behavioral responses to phishing attacks—“Gaffes,” “Beacons,” “Spectators,” and “Gushers.” While each of the clusters exhibits some level of phishing failures and reports, significant variation exists among the employee classifications. Our findings are helpful in driving a new and more holistic stream of research in the realm of all forms of employee responses to phishing attacks, and we provide avenues for such future research.

show abstract

Section: Scientific Implicationsmentioning

confidence: 92%

Section: Employee Behaviormentioning

confidence: 99%

Section: Employee Behaviormentioning

confidence: 99%

Section: Employee Behaviormentioning

confidence: 99%

See 2 more Smart Citations

Phishing for Long Tails: Examining Organizational Repeat Clickers and Protective Stewards

et al. 2021

View full text Add to dashboard Cite

show abstract

“…Several studies have found that susceptibility is highest for users aged 18-25 and decreases with age (Jagatic et al, 2007, Kumaraguru et al, 2009Parsons et al, 2019). However, other studies have failed to show a difference in phishing susceptibility by age (Gavett et al, 2017;Mohebzada et al, 2012;Moody et al, 2017;Zielinska et al, 2014), have shown gender, education, and Internet experience to be mediating factors (Lin et al, 2019;Sheng et al, 2010), or suggest that older adults may in fact be more susceptible than younger adults (Li et al, 2020;Lin et al, 2019;Whitty, 2019).…”

Section: Demographicsmentioning

confidence: 99%

Characteristics that Predict Phishing Susceptibility: A Review

Tornblad¹,

Jones²,

Namin

et al. 2021

Proceedings of the Human Factors and Ergonomics Society Annual

View full text Add to dashboard Cite

Phishing attack countermeasures have previously relied on technical solutions or user training. As phishing attacks continue to impact users resulting in adverse consequences, mitigation efforts may be strengthened through an understanding of how user characteristics predict phishing susceptibility. Several studies have identified factors of interest that may contribute to susceptibility. Others have begun to build predictive models to better understand the relationships among factors in addition to their prediction power, although these studies have only used a handful of predictors. As a step toward creating a holistic model to predict phishing susceptibility, it was first necessary to catalog all known predictors that have been identified in the literature. We identified 32 predictors related to personality traits, demographics, educational background, cybersecurity experience and beliefs, platform experience, email behaviors, and work commitment style.

show abstract