
Not All Victims Are Created Equal: Investigating Differential Phishing Susceptibility

Conference paper, in: Augmented Cognition (HCII 2024)

Abstract

Repeat clickers are individuals who repeatedly fall prey to phishing attempts, and they pose a disproportionately higher risk to the organizations they belong to. This study explored the potential influence of three factors on repeat clicking behavior. First, building on previous research, we examined the impact of individual characteristics such as personality traits (Big 5 and Locus of Control), expertise (security and phishing knowledge), and technology usage. Second, social engineering tactics were considered as a potential factor, based on the specifications of the NIST Phish Scale, a metric for rating an email's human phishing detection difficulty. Third, the impact of contextual factors, such as world events, was investigated. Data were collected from study participants via a survey on their individual differences, followed by campaigns in which they were emailed a total of eight messages (four phishing and four controls) over a four-week period. Repeat clickers were found to spend less time working online, check email more often, have a more internally oriented locus of control, and have a lower need for cognition than the comparison groups. The Phish Scale produced difficulty scores that closely corresponded to the observed click rates of the phishing emails, suggesting that it is an effective metric for evaluating human phishing detection difficulty in a university environment.


Notes

  1. 1C and ZC were chosen to reduce confusion between the number 0 and the capital O.

  2. A pre-print version of this manuscript is available which contains the full versions of all scales in the appendix.

  3. * Indicates p < .05, ** p < .01, and *** p < .001.


Acknowledgements

The authors wish to thank Dr. Ben D. Sawyer, Dr. Erica Castilho Grao, Dr. Clay Posey, Michael Constantino, and Delainey Strickland for their assistance in collecting and analyzing the data for this study.

This research was conducted with the support of the National Institute of Standards and Technology (NIST) under Financial Assistance Award Number: 60NANB19D123. The views and conclusions contained in this document are those of the author and should not be interpreted as representing the official policies, either expressed or implied, of NIST or the U.S. Government.

Corresponding author

Correspondence to Matthew Canham.


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Canham, M., Dawkins, S., Jacobs, J. (2024). Not All Victims Are Created Equal: Investigating Differential Phishing Susceptibility. In: Schmorrow, D.D., Fidopiastis, C.M. (eds) Augmented Cognition. HCII 2024. Lecture Notes in Computer Science, vol 14694. Springer, Cham. https://doi.org/10.1007/978-3-031-61569-6_1


  • DOI: https://doi.org/10.1007/978-3-031-61569-6_1


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-61568-9

  • Online ISBN: 978-3-031-61569-6

  • eBook Packages: Computer Science (R0)
