Warning of Phishing Attacks: Supporting Human Information Processing, Identifying Phishing Deception Indicators, and Reducing Vulnerability - January 2017

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s):  Christopher Mayhorn, Emerson Murphy-Hill
Researchers: Allaire Welk, Olga Zielinska

HARD PROBLEM(S) ADDRESSED

• Human Behavior - Ongoing efforts have focused on understanding how mental models vary between novice users, experts (such as IT professionals), and hackers should be useful in accomplishing the ultimate goal of the work: to build secure systems that reduce user vulnerability to phishing. Moreover, mapping out the mental models that underlie security-related decision making should also inform behavioral models of users, security-experts (i.e., system administrators), and adversaries seeking to exploit system functionality. 

PUBLICATIONS

• .

ACCOMPLISHMENT HIGHLIGHTS

• We have completed data collection on the study to investigate how personality factors interact with the contents of phishing emails. Previous work provided a detailed qualitative analysis of 887 phishing emails in terms of Cialdini's (2007) persuasion principles. During this reporting period, we collected preliminary data from 59 participants recruited through Amazon's M-Turk and followed up with a second wave of data collection from 102 undergraduate participants recruited at NCSU. Both waves of participants completed an extensive personality inventory and we examined what personality factors (across samples) contributed to susceptibility for phishing messages (as measured by an email identification task where participants had to identify emails as either legitimate or phishing) that relied on particular principles of persuasion. The most robust finding was that extroversion was associated with overall susceptibility to phishing emails. 

• Knowing the likelihood that a user will identify a legitimate email as a phishing attempt may be of interest to organizations, in that they can attempt to avoid persuasion principles that arouse suspicion, such as authority & scarcity.

• PI Mayhorn met with Lablet collaborators, Lucas Layman and David Maimon, to discuss potential work where the instruments developed in our Lablet work regarding phishing might be extended to ongoing NSF-funded research that investigates cybercrime victimization via smartphone responses from participants "in the wild." This poptential collaboration could be instrumental is showing that our lab-based work generalizes to the real world.

• PI Mayhorn and students Zielinska and new graduate student, Patrick Lawson, met with the NCSU OIT Department Head Mardecia Bell and other staff members to request data on current student, faculty, and staff anti-phishing training and phishing victimization at NCSU. Our hope is to collect data to contribute NCSU-specific phishing messages to the existing corpus of phishing email content.