Warning of Phishing Attacks: Supporting Human Information Processing, Identifying Phishing Deception Indicators, and Reducing Vulnerability - July 2017

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s):  Christopher Mayhorn, Emerson Murphy-Hill
Researchers: Allaire Welk, Olga Zielinska

HARD PROBLEM(S) ADDRESSED

• Human Behavior - Ongoing efforts have focused on understanding how mental models vary between novice users, experts (such as IT professionals), and hackers should be useful in accomplishing the ultimate goal of the work: to build secure systems that reduce user vulnerability to phishing. Moreover, mapping out the mental models that underlie security-related decision making should also inform behavioral models of users, security-experts (i.e., system administrators), and adversaries seeking to exploit system functionality. 

PUBLICATIONS

• Lawson, P. & Mayhorn, C.B. (in press). Interaction of personality and persuasion tactics in email phishing attacks. Proceedings of the Human Factors and Ergonomics Society 61st Annual Meeting.  Santa Monica, CA: Human Factors and Ergonomics Society.

ACCOMPLISHMENT HIGHLIGHTS

• Results from the current experiment have been informative in quantifying how personality attributes of users interact with the attributes of phishing emails thereby making some people more susecptible to certain phishing emails than others. Previous work evaluated phishing email content and assessed what persuasion characteristics were used by cyber-criminals during phishing. The current work effectively mapped who (based on observed personality traits) was susceptible to particular phishing messages that utilized combinations of persusasion (as defined by Cialdini).