Which Phish will Bite? Two Studies of Individual Susceptibility to Phishing
by
Dennis Galletta
Ben L. Fryrear Faculty Fellow, Professor of Business Administration, Director of the Doctoral Program
University of Pittsburgh
Katz Graduate School of Business
Friday, October 4
10:30 – 12:00 pm | Speakman 200
Abstact:
Phishing, or the practice of sending deceptive electronic communications to acquire private information from victims, results in significant financial losses to individuals and businesses. I will cover two studies in the area of phishing. The first study attempts to identify and test situational and personality factors that might explain why certain individuals are susceptible to such attacks. We employed the Delphi method to identify seven personality factors that may influence this susceptibility (trust, distrust, curiosity, entertainment drive, boredom proneness, lack of focus, and risk propensity). Our regression model included these as well as variables examined in previous studies. We found that emails sent from a known source significantly increase user susceptibility to phishing, as does a user’s curiosity, risk propensity, general Internet usage, and Internet anxiety. In post hoc tests, we also find that trust and distrust can be significant predictors of susceptibility and that this significance is dependent on the characteristics of the message. However, the results are rather weak and do not explain more than 10% of the variance in individuals’ propensity to click on a link in a phishing message. The second study, in process, follows from the weak results of the first study, which approaches the antecedents to clicking on a phishing message in a different manner. We focus on heredity in this study and in our study of twins, preliminary analysis has found that heredity explains over 40% of the variance in the ability of people to discern real websites and emails from fake ones. Our first three phishing attempts largely failed, with a very low propensity of anyone to click (contrary to our first study). We have since expanded our sample, verifying email addresses right at the subject recruiting site, and are currently preparing to phish the subjects over two dozen further times. Discerning the role of heredity might help practitioners understand the need to follow up, rather than simply assuming that all users respond similarly (and immediately) to warnings and training provided to them.
Reference: Moody, G.D., Galletta, D.F. & Dunn, B.K. Eur J Inf Syst (2017) 26: 564. https://doi.org/10.1057/s41303-017-0058-x
Link to the first paper: Click here