A safe and productive society increasingly depends on a safe and trustworthy cyberspace. However, extensive research has repeatedly shown that the human factor is often the weakest part in cyberspace, and that users of information systems are often exposed to great risks when they respond to credible-looking emails. Thus, spear phishing attacks - which attempt to get personal or confidential information from users through well-targeted deceptive emails - represent a particularly severe security threat. Addressing this threat, in this project we use a combination of surveys and experiments to examine the psychological, educational and cultural factors that contribute to the users' vulnerability and response to spear phishing attacks, and their ability to detect deception. An important aspect of the project is an in vivo, multi-site setting: studies are conducted in university and commercial enterprise setting, as well as across different cultures - in all cases using realistic spear phishing email attacks. Using a three-dimensional experimental design, in this cross-disciplinary research project we (i) identify the underlying factors for the success of different spear phishing attack strategies; (ii) develop novel types of cyber-defenses that are tailored to users' idiosyncratic characteristics; (iii) validate the usefulness of personality-targeted defense in a comparative, multi-organizational, real-world settings; and (iv) develop a new, collaborative avenue for cross-disciplinary research of social scientists and computer scientists.
EAGER: Exploring Spear-Phishing: A Socio-Technical Experimental Framework