Abstract
Cyber security training emphasises checking the sender’s email address to identify phishing emails. Dual process theories of cognition suggest that with practice such tactics can transition from effortful, analytic processes to involuntary heuristics and become ‘automatic’. We tested the automaticity of this email habit by developing a scale for cyber security experience and then deploying an interference task where participants (n = 61) had to make a decision about text colour and ignore senders’ addresses from either legitimate or phishing emails. A surprising result emerged: the more cyber security training participants had, the less interference they exhibited in the colour selection task and the more they were able to ignore the content of the senders’ addresses. This suggests that evaluating senders’ addresses does not fulfill the criterion for ‘automatic’ processes when practiced and that more experienced people seem to be able to ignore this important cue when extraneous task goals are present.
Copyright information
© 2023 IFIP International Federation for Information Processing
About this paper
Cite this paper
Conway, D., Butavicius, M., Yu, K., Chen, F. (2023). Are People with Cyber Security Training Worse at Checking Phishing Email Addresses? Testing the Automaticity of Verifying the Sender’s Address. In: Furnell, S., Clarke, N. (eds) Human Aspects of Information Security and Assurance. HAISA 2023. IFIP Advances in Information and Communication Technology, vol 674. Springer, Cham. https://doi.org/10.1007/978-3-031-38530-8_25
DOI: https://doi.org/10.1007/978-3-031-38530-8_25
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-38529-2
Online ISBN: 978-3-031-38530-8
eBook Packages: Computer Science, Computer Science (R0)