Abstract
Phishing is a confidence trick with damaging impacts on both individuals and society as a whole. In this paper, we examine the possible role of thinking styles, as assessed by the Cognitive Reflection Test (CRT), and other factors in predicting personal susceptibility to phishes. We report the results of two large-scale national studies conducted on cross-sectional populations in Norway. Using binary logistic regression, we analyzed how CRT scores, willingness to share data and demographic variables relate to susceptibility to complying with phishes. Our main finding was that both an intuitive thinking style, as operationalized by the CRT scores, and willingness to share personal data significantly predict the probability of falling for phishing. As these results are based on two large-scale studies of national populations, they can be expected to have greater validity than earlier studies. The finding that CRT scores and other personal characteristics can predict the likelihood of falling for phishing suggests methods of pre-emptive testing of individuals as part of private and organizational strategies for encouraging improved resistance to phishing and other forms of personal data theft.
Acknowledgements
This research was supported by Research Council Norway under the grant 270969, the research programme IKTpluss.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Tjostheim, I., Waterworth, J.A. (2020). Predicting Personal Susceptibility to Phishing. In: Rocha, Á., Ferrás, C., Montenegro Marin, C., Medina García, V. (eds) Information Technology and Systems. ICITS 2020. Advances in Intelligent Systems and Computing, vol 1137. Springer, Cham. https://doi.org/10.1007/978-3-030-40690-5_54
DOI: https://doi.org/10.1007/978-3-030-40690-5_54
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-40689-9
Online ISBN: 978-3-030-40690-5
eBook Packages: Intelligent Technologies and Robotics (R0)