Warning of Phishing Attacks: Supporting Human Information Processing, Identifying Phishing Deception Indicators, and Reducing Vulnerability - July 2015
Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.
PI(s): Christopher Mayhorn, Emerson Murphy-Hill
Researchers: Allaire Welk, Olga Zielinska
HARD PROBLEM(S) ADDRESSED
- Human Behavior - Ongoing efforts have focused on understanding how mental models vary between novice users, experts (such as IT professionals), and hackers; this understanding should be useful in accomplishing the ultimate goal of the work: to build secure systems that reduce user vulnerability to phishing. Moreover, mapping out the mental models that underlie security-related decision making should also inform behavioral models of users, security experts (i.e., system administrators), and adversaries seeking to exploit system functionality.
PUBLICATIONS
- Mayhorn, C.B., Murphy-Hill, E., *Zielinska, O. A., & *Welk, A. K. (in press). "The social engineering behind phishing." The Next Wave.
- Mayhorn, C. B., *Welk, A. K., *Zielinska, O. A., & Murphy-Hill, E. (2015). "Assessing individual differences in a phishing detection task." Proceedings of the 19th World Congress of the International Ergonomics Association. Melbourne, Australia.
- *Welk, A. K., & Mayhorn, C. B. (2015). "All signals go: Investigating how individual differences affect performance on a medical diagnosis task designed to parallel a signal analyst task." Proceedings of HotSoS: Symposium and Bootcamp on the Science of Security. Urbana-Champaign, IL.
- *Zielinska, O. A., *Welk, A. K., Murphy-Hill, E., & Mayhorn, C. B. (2015). "Exploring expert and novice mental models of phishing." Proceedings of the Human Factors and Ergonomics Society 59th Annual Meeting. Santa Monica, CA: Human Factors and Ergonomics Society.
ACCOMPLISHMENT HIGHLIGHTS
- We bolstered participation in the mental models study such that the final results included data from 20 novices and 15 experts. Consistent with our preliminary results, observed expert mental models were more complex with more links between concepts. Specifically, experts had sixteen, thirteen, and fifteen links in the networks describing the prevention, trends, and consequences of phishing, respectively; however, novices only had eleven, nine, and nine links in the networks describing prevention, trends, and consequences of phishing, respectively. These results provide quantifiable network displays of mental models of novices and experts that cannot be seen through interviews or other more qualitative investigation techniques. This information could provide a basis for future research on how mental models could be used to determine phishing vulnerability and the effectiveness of phishing training.
- In collaboration with the NCSU IT group, we have begun a qualitative study to investigate the content of past phishing emails that were compiled and housed in databases published by Cornell and Brown University. Using classical persuasion literature by Cialdini and other authors, we have developed a preliminary coding scheme to allow for the systematic classification of attributes such as source and other factors that will inform our social engineering framework. Initial training of coders and preliminary coding is already underway.
- Recently (on June 19, 2015), we were informed of a successful, large-scale phishing attack that compromised the personal information and login credentials of a large number of NCSU personnel within the College of Education. We are currently collaborating with the COE IT group to understand the characteristics of the attack (it appeared to come from the Dean of the College). Our goal is to pursue this fortuitous research opportunity and develop a small qualitative study to investigate how many people were targeted and how many "fell" for the phony request.
- Warning of Phishing Attacks, Supporting Human Information Processing, Identifying Phishing Deception Indicators, and Reducing Vulnerability
- Approved by NSA
- Human Behavior
- NCSU
- Warning of Phishing Attacks: Supporting Human Information Processing, Identifying Phishing Deception Indicators & Reducing Vuln.
- FY14-18
- July'15