Warning of Phishing Attacks: Supporting Human Information Processing, Identifying Phishing Deception Indicators, and Reducing Vulnerability - October 2016
Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.
PI(s): Christopher Mayhorn, Emerson Murphy-Hill
Researchers: Allaire Welk, Olga Zielinska
HARD PROBLEM(S) ADDRESSED
- Human Behavior - Ongoing efforts have focused on understanding how mental models vary between novice users, experts (such as IT professionals), and hackers. This understanding should be useful in accomplishing the ultimate goal of the work: to build secure systems that reduce user vulnerability to phishing. Moreover, mapping out the mental models that underlie security-related decision making should also inform behavioral models of users, security experts (i.e., system administrators), and adversaries seeking to exploit system functionality.
PUBLICATIONS
- Pearson, C. J., Welk, A. K., Mayhorn, C. B. 2016. In Automation We Trust? Identifying Varying Levels of Trust in Human and Automated Information Sources. Human Factors and Ergonomics Society. :201-205.
- Zielinska, O. A., Welk, A. K., Murphy-Hill, E. & Mayhorn, C. B. (2016). A temporal analysis of persuasion principles in phishing emails. Proceedings of the Human Factors and Ergonomics Society 60th Annual Meeting. Santa Monica, CA: Human Factors and Ergonomics Society.
ACCOMPLISHMENT HIGHLIGHTS
- Data collection from 59 participants recruited from Amazon's mTurk website has been completed and data analysis is underway. This study explores the interaction between personality and susceptibility to different phishing attacks (that vary by persuasion principles) identified from our corpus of phishing stimuli used in previous efforts. Participants completed the 100+ items from the comprehensive personality inventory (NEO-FFI Adult Form S) and judged the credibility of 50 phishing emails (representing various attack methods) and 50 authentic emails.
- At the annual meeting of the Human Factors & Ergonomics Society in Washington DC from Sept. 19-23, Matthew Canham at the Federal Bureau of Investigation (FBI) saw the phishing presentation by Ms. Zielinska and is traveling to NCSU this week (Sept. 29) to discuss our current ongoing work as well as potential future collaborations.
- Warning of Phishing Attacks, Supporting Human Information Processing, Identifying Phishing Deception Indicators, and Reducing Vulnerability
- NSA Program Manager
- Human Behavior
- NCSU
- Warning of Phishing Attacks: Supporting Human Information Processing, Identifying Phishing Deception Indicators & Reducing Vuln.
- FY14-18
- Oct'16