Evaluating user susceptibility to phishing attacks

Sanchari Das (Department of Computer Science, University of Denver, Denver, Colorado, USA and Department of Informatics, Indiana University Bloomington, Bloomington, Indiana, USA)
Christena Nippert-Eng (Department of Informatics, Indiana University Bloomington, Bloomington, Indiana, USA)
L. Jean Camp (School of Computing and Informatics, Indiana University Bloomington, Bloomington, Indiana, USA)

Information and Computer Security

ISSN: 2056-4961

Article publication date: 5 January 2022

Issue publication date: 31 January 2022

Abstract

Purpose

Phishing is a well-known cybersecurity attack that has rapidly increased in recent years. It poses risks to businesses, government agencies and all users due to sensitive data breaches and subsequent financial losses. To study the user side, this paper aims to conduct a literature review and user study.

Design/methodology/approach

To investigate phishing attacks, the authors provide a detailed overview of previous research on phishing techniques by conducting a systematic literature review of n = 367 peer-reviewed academic papers published in the ACM Digital Library. The authors also report on an evaluation of a high school community. They engaged 57 high school students and faculty members (12 high school students, 45 staff members) as participants in research using signal detection theory (SDT).

Findings

Through the literature review, which goes back as early as 2004, the authors found that only 13.9% of papers focused on user studies. In the user study, through scenario-based analysis, participants were tasked with distinguishing phishing e-mails from authentic e-mails. The results revealed an overconfidence bias in self-detection from the participants, regardless of their technical background.

Originality/value

The authors conducted a literature review with a focus on user studies, which is a first in this field as far as the authors know. Additionally, the authors conducted a detailed user study with high school students and faculty using SDT, which is also an understudied area and population.

Acknowledgements

The authors would like to thank Ploy Unchit, Zachary Tingle and Andrew Kim for the initial analysis of the work as published earlier (Das et al., 2019b; Unchit et al., 2020). The authors would also like to thank the participants of the high school for their valuable contribution and Stephanie Davis for their help with the data collection process. The authors would also like to acknowledge Kevin Gingerich from Eli Lilly for their expert advice on phishing and Faiza Tazi from the Security and Privacy Research in New-Age Technology (SPRINT) lab of the University of Denver for proofreading this paper. This research was supported in part by the National Science Foundation under CNS 1565375, Cisco Research Support and the Comcast Innovation Fund. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s). They do not necessarily reflect the views of the US Government, NSF, Cisco, Comcast, Indiana University, Security and Privacy Research in New-Age Technology or the University of Denver.

Citation

Das, S., Nippert-Eng, C. and Camp, L.J. (2022), "Evaluating user susceptibility to phishing attacks", Information and Computer Security, Vol. 30 No. 1, pp. 1-18. https://doi.org/10.1108/ICS-12-2020-0204

Publisher: Emerald Publishing Limited

Copyright © 2021, Emerald Publishing Limited
