Tianhao Xu and Prashanth Rajivan
Distinguishing phishing emails from legitimate emails continues to be a difficult task for most individuals. This study aims to investigate the psycholinguistic factors associated…
Abstract
Purpose
Distinguishing phishing emails from legitimate emails continues to be a difficult task for most individuals. This study aims to investigate the psycholinguistic factors associated with deception in phishing email text and their effect on end-user ability to discriminate phishing emails from legitimate emails.
Design/methodology/approach
Email messages and end-user decisions collected from a laboratory phishing study were validated and analyzed using natural language processing methods (Linguistic Inquiry Word Count) and penalized regression models (LASSO and Elastic Net) to determine the linguistic dimensions that attackers may use in phishing emails to deceive end-users and measure the impact of such choices on end-user susceptibility to phishing.
Findings
We found that most participants, who played the role of a phisher in the study, chose to deceive their end-user targets by pretending to be a familiar individual and presenting time pressure or deadlines. Results show that use of words conveying certainty (e.g. always, never) and work-related features in the phishing messages predicted higher end-user vulnerability. On the contrary, use of words that convey achievement (e.g. earn, win) or reward (cash, money) in the phishing messages predicted lower end-user vulnerability because such features are usually observed in scam-like messages.
Practical implications
Insights from this research show that analyzing emails for psycholinguistic features associated with computer-mediated deception could be used to fine-tune and improve spam and phishing detection technologies. This research also informs the kinds of phishing attacks that must be prioritized in antiphishing training programs.
Originality/value
Applying natural language processing and statistical modeling methods to analyze results from a laboratory phishing experiment to understand deception from both attacker and end-user is novel. Furthermore, results from this work advance our understanding of the linguistic factors associated with deception in phishing email text and its impact on end-user susceptibility.
Details
Keywords
Prashanth Rajivan, Pablo Moriano, Timothy Kelley and L. Jean Camp
The purpose of this study is to identify factors that determine computer and security expertise in end users. They can be significant determinants of human behaviour and…
Abstract
Purpose
The purpose of this study is to identify factors that determine computer and security expertise in end users. They can be significant determinants of human behaviour and interactions in the security and privacy context. Standardized, externally valid instruments for measuring end-user security expertise are non-existent.
Design/methodology/approach
A questionnaire encompassing skills and knowledge-based questions was developed to identify critical factors that constitute expertise in end users. Exploratory factor analysis was applied on the results from 898 participants from a wide range of populations. Cluster analysis was applied to characterize the relationship between computer and security expertise. Ordered logistic regression models were applied to measure efficacy of the proposed security and computing factors in predicting user comprehension of security concepts: phishing and certificates.
Findings
There are levels to peoples’ computer and security expertise that could be reasonably measured and operationalized. Four factors that constitute computer security-related skills and knowledge are, namely, basic computer skills, advanced computer skills, security knowledge and advanced security skills, and these are identified as determinants of computer expertise.
Practical implications
Findings from this work can be used to guide the design of security interfaces such that it caters to people with different expertise levels and does not force users to exercise more cognitive processes than required.
Originality/value
This work identified four factors that constitute security expertise in end users. Findings from this work were integrated to propose a framework called Security SRK for guiding further research on security expertise. This work posits that security expertise instrument for end user should measure three cognitive dimensions: security skills, rules and knowledge.
Details
Keywords
Timothy Kelley and Bennett I. Bertenthal
Modern browsers are designed to inform users as to whether it is secure to login to a website, but most users are not aware of this information and even those who are sometimes…
Abstract
Purpose
Modern browsers are designed to inform users as to whether it is secure to login to a website, but most users are not aware of this information and even those who are sometimes ignore it. This study aims to assess users’ knowledge of security warnings communicated via browser indicators and the likelihood that their online decision-making adheres to this knowledge.
Design/methodology/approach
Participants from Amazon’s Mechanical Turk visited a series of secure and insecure websites and decided as quickly and as accurately as possible whether it was safe to login. An online survey was then used to assess their knowledge of information security.
Findings
Knowledge of information security was not necessarily a good predictor of decisions regarding whether to sign-in to a website. Moreover, these decisions were modulated by attention to security indicators, familiarity of the website and psychosocial stress induced by bonus payments determined by response times and accuracy.
Practical implications
Even individuals with security knowledge are unable to draw the necessary conclusions about digital risks when browsing the web. Users are being educated through daily use to ignore recommended security indicators.
Originality/value
This study represents a new way to entice participants into risky behavior by monetizing both speed and accuracy. This approach could be broadly useful as a way to study risky environments without placing participants at risk.