User Context: An Explanatory Variable in Phishing Susceptibility

Greene, Kristen; Steves, Michelle P.; Theofanos, Mary F.; Kostick, Jennifer

doi:10.14722/usec.2018.23016

Cited by 36 publications

(45 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There were more clickers on the IT help desk email than the other two emails. This result may suggest that university employees pay more attention to emails related to their work context, which is consistent with findings from Greene et al [5]. The financial email fooled the smallest proportion of users, which may suggest that people are more alert to the emails that come from an unfamiliar bank that they were not enrolled.…”

Section: Discussionsupporting

confidence: 88%

“…Jagatic et al [9] suggest that a sender address from the university domain lowers students' guard. Greene et al [5] argue that the alignment of user context and the phishing attack premise is a significant factor in phishing susceptibility. Vishwanath et al [14] found the level of attention to urgency cues or to email subject lines significantly affects clicking response to phishing emails; however, levels of attention to grammar or spelling were significantly less likely to affect users being phished.…”

Section: Phishing Email Content Previous Researchmentioning

confidence: 99%

“…Will the content of phishing emails (source of message, visual cues) impact the likelihood of responding to the exploit? Previous research suggests that certain characteristics of a phishing email may affect clicking behavior (e.g., [5]). We focus on the type or source (IT/tech support, package delivery, credit card warning) that presents different message content or context.…”

Section: Research Questionmentioning

confidence: 99%

“…A survey was sent after the experiment to analyze some additional demographic factors such as computer usage time and antiphishing training experience. Another recent example is a study by Greene et al [5], who launched three phishing exercises (Mar, Aug, Dec) targeting approximately 70 staff at the National Institute of Standards and Technology. The purpose was to study the reasons why email users were clicking or not clicking on phishing links and attachments.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Experimental Investigation of Demographic Factors Related to Phishing Susceptibility

Lee

Purl

et al. 2020

Proceedings of the Annual Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

This paper reports on a simulated phishing experiment targeting 6,938 faculty and staff at George Mason University. The study examined various possible predictors of phishing susceptibility. The focus of the present paper is on demographic factors (including age, gender and position/employment). Since previous studies of age and gender have yielded discrepant results, one purpose of the study was to disambiguate these findings. A second purpose was to compare different types of email phishing exploits. A third objective was to compare the effect of different types of feedback given to those who clicked on one or more of three simulated phishing exploits that were deployed over a three-week period. Our analysis of demographic factors, effects of phishing email content, and effects of repeated exposure to phishing exploits revealed significant age effects, marginally significant gender differences, and significant differences in email type. A multi-level model estimated effects of multiple variables simultaneously.

show abstract

Section: Discussionsupporting

confidence: 88%

Section: Phishing Email Content Previous Researchmentioning

confidence: 99%

Section: Research Questionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Experimental Investigation of Demographic Factors Related to Phishing Susceptibility

Lee

Purl

et al. 2020

Proceedings of the Annual Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

show abstract

“…Past work [14] has shown that click rates will vary based on the contextual relevance of the phish, with highly contextually relevant phish resulting in extreme spikes in click rates-despite years of phishing awareness training. Furthermore, attackers continue to refine and vary phishing attack premises.…”

Section: Introductionmentioning

confidence: 99%

A Phish Scale: Rating Human Phishing Message Detection Difficulty

Steves¹,

Greene²,

Theofanos³

2019

Proceedings 2019 Workshop on Usable Security

View full text Add to dashboard Cite

As organizations continue to invest in phishing awareness training programs, many Chief Information Security Officers (CISOs) are concerned when their training exercise click rates are high or variable, as they must justify training budgets to those who question the efficacy of training when click rates are not declining. We argue that click rates should be expected to vary based on the difficulty of the phishing email for a target audience. Past research has shown that when the premise of a phishing email aligns with a user's work context, it is much more challenging for users to detect a phish. Given this, we propose a Phish Scale, so CISOs and phishing training implementers can easily rate the difficulty of their phishing exercises and help explain associated click rates. We based our scale on past research in phishing cues and user context, and applied it to previously published data and new data from organization-wide phishing exercises targeting approximately 5 000 employees. The Phish Scale performed well with the current phishing dataset, but future work is needed to validate it with a larger variety of phishing emails. The Phish Scale shows great promise as a tool to help frame data sharing on phishing exercise click rates across sectors.

show abstract