It's the deceiver and the receiver: Individual differences in phishing susceptibility and false positives with item profiling

Phishing email is one of the biggest risks to online information security due to its ability to exploit human trust and naivety. Prior research has examined whether some people are more susceptible to phishing than others and what characteristics may predict this susceptibility. Given that there are...

Full description

Saved in:
Bibliographic Details
Published in:PloS one 2018-10, Vol.13 (10), p.e0205089-e0205089
Main Authors: Kleitman, Sabina, Law, Marvin K H, Kay, Judy
Format: Article
Language:English
Subjects:
Accuracy
Biology and Life Sciences
Cognitive ability
Computer and Information Sciences
Computer security
Confidence
Cybercrime
Cybersecurity
Electronic mail
Email
Familiarity
Females
Fraud
Higher education
Human performance
Identity theft
Information systems
Intelligence
Internet crime
Learning
Malware
Metacognition
Methods
Perception
Personality
Phishing
Psychology
Regression analysis
Regression models
Robustness (mathematics)
Safety and security measures
Security
Social aspects
Social Sciences
Students
Studies
Variables
Variance
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Phishing email is one of the biggest risks to online information security due to its ability to exploit human trust and naivety. Prior research has examined whether some people are more susceptible to phishing than others and what characteristics may predict this susceptibility. Given that there are no standardised measures or methodologies to detect phishing susceptibility, results have conflicted. To address this issue, the current study created a 40-item phishing detection task to measure both cognitive and behavioural indicators of phishing susceptibility and false positives (misjudged genuine email). The task is based on current real-life email stimuli (i.e., phishing and genuine) relevant to the student and general population. Extending previous literature we also designed a methodology for assessing phishing susceptibility by allowing participants to indicate perception of maliciousness of each email type and the actions they would take (keep it, trash it or seek further information). This enabled us to: (1) examine the relationships that psychological variables share with phishing susceptibility and false positives-both captured as consistent tendencies; (2) determine the relationships between perceptions of maliciousness with behavioural outcomes and psychological variables; and (3) determine the relationships between these tendencies and email characteristics. In our study, 150 undergraduate psychology students participated in exchange for partial course credit (98 Females; Mean age = 19.70, SD = 2.27). Participants also completed a comprehensive battery of psychometric tests assessing intelligence, pre- and on-task confidence, Big 6 personality, and familiarity/competence in computing and phishing. Results revealed that people showed distinct and robust tendencies for phishing susceptibility and false positives. A series of regression analyses looking at the accuracy of both phishing and false positives detection revealed that human-centred variables accounted for a good degree of variance in phishing susceptibility (about 54%), with perceptions of maliciousness, intelligence, knowledge of phishing, and on-task confidence contributing significantly, directly and/or indirectly via perception of maliciousness. A regression model looking at discriminating false positives has also shown that human-centred variables accounted for a reasonable degree of variance (41%), with perceptions of maliciousness, intelligence and on-task confidence contributing
ISSN:1932-6203
1932-6203
DOI:10.1371/journal.pone.0205089