DOI: 10.1145/3661167.3661232
research-article
Open access

Does trainer gender make a difference when delivering phishing training? A new experimental design to capture bias

Published: 18 June 2024

Abstract

Phishing is the most common attack vector for initial access. Current defenses such as spam filters and self-reporting phishing are unfortunately insufficient. Past research has found that gender may impact the perception of risk and that background may impact an individual’s susceptibility to phishing threats. However, no previous research has empirically measured the role of the trainer’s gender in identifying and assessing the risk of phishing. To address this gap, we designed a novel experimental setup focused on the trainer and surveyed 145 students at two universities. By adopting a controlled approach with AI-generated trainers, we measured (a) the effect of gender and background on the perception of the trainer and (b) the effect of gender and background on identifying and assessing phishing risks. We found that background has a significant impact on the identification and assessment of phishing risks and that no gender bias was present towards the trainer in either a technical or non-technical population.

Information

Published In

EASE '24: Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering
June 2024
728 pages
ISBN: 9798400717017
DOI: 10.1145/3661167
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

EASE 2024

Acceptance Rates

Overall Acceptance Rate 71 of 232 submissions, 31%

Article Metrics

  • Total Citations: 0
  • Total Downloads: 222
  • Downloads (Last 12 months): 222
  • Downloads (Last 6 weeks): 37
Reflects downloads up to 05 Mar 2025
