1
Xu T, Singh K, Rajivan P. Personalized persuasion: Quantifying susceptibility to information exploitation in spear-phishing attacks. Applied Ergonomics 2023; 108:103908. [PMID: 36403509 DOI: 10.1016/j.apergo.2022.103908] [Citation(s) in RCA: 1] [Impact Index Per Article: 1.0] [Received: 02/09/2022] [Revised: 06/10/2022] [Accepted: 09/20/2022] [Indexed: 06/16/2023]
Abstract
Many cyberattacks begin with a malicious email message, known as spear phishing, targeted at unsuspecting victims. Although security technologies have improved significantly in recent years, spear phishing continues to be successful due to the bespoke nature of such attacks. Crafting such emails requires attackers to conduct careful research about their victims and collect personal information about them and their acquaintances. Despite the widespread nature of spear-phishing attacks, little is understood about the human factors behind them. This is particularly the case when considering the role of attack personalization on end-user vulnerability. To study spear-phishing attacks in the laboratory, we developed a simulation environment called SpearSim that simulates the tasks involved in the generation and reception of spear-phishing messages. Using SpearSim, we conducted a laboratory experiment with human subjects to study the effect of information availability and information exploitation on end-user vulnerability. The results of the experiment show that end-users in the high information-availability condition were 2.97 times more vulnerable to spear-phishing attacks than those in the low information-availability condition. We found that access to more personal information about targets can result in attacks involving contextually meaningful impersonation and narratives. We discuss the implications of this research for the design of anti-phishing training solutions.
Affiliation(s)
- Tianhao Xu
- University of Washington, Department of Industrial and System Engineering, United States
- Kuldeep Singh
- The University of Texas at El Paso, Department of Computer Science, United States
- Prashanth Rajivan
- University of Washington, Department of Industrial and System Engineering, United States.
2
Cognitive elements of learning and discriminability in anti-phishing training. Comput Secur 2023. [DOI: 10.1016/j.cose.2023.103105] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 01/19/2023]
3
Abstract
Cognitive security is the interception between cognitive science and artificial intelligence techniques used to protect institutions against cyberattacks. However, this field has not been addressed deeply in research. This study aims to define a Cognitive Cybersecurity Model by exploring fundamental concepts for applying cognitive sciences in cybersecurity. For achieving this, we developed exploratory research based on two steps: (1) a text mining process to identify main interest areas of research in the cybersecurity field and (2) a valuable review of the papers chosen in a systematic literature review that was carried out using PRISMA methodology. The model we propose tries to fill the gap in automatizing cognitive science without taking into account the users’ learning processes. Its definition is supported by the main findings of the literature review, as it leads to more in-depth future studies in this area.
4
Das S, Nippert-Eng C, Camp LJ. Evaluating user susceptibility to phishing attacks. Information and Computer Security 2022. [DOI: 10.1108/ics-12-2020-0204] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.5] [Indexed: 11/17/2022]
Abstract
Purpose
Phishing is a well-known cybersecurity attack that has rapidly increased in recent years. It poses risks to businesses, government agencies and all users due to sensitive data breaches and subsequent financial losses. To study the user side, this paper aims to conduct a literature review and user study.
Design/methodology/approach
To investigate phishing attacks, the authors provide a detailed overview of previous research on phishing techniques by conducting a systematic literature review of n = 367 peer-reviewed academic papers published in ACM Digital Library. Also, the authors report on an evaluation of a high school community. The authors engaged 57 high school students and faculty members (12 high school students, 45 staff members) as participants in research using signal detection theory (SDT).
Findings
Through the literature review which goes back to as early as 2004, the authors found that only 13.9% of papers focused on user studies. In the user study, through scenario-based analysis, participants were tasked with distinguishing phishing e-mails from authentic e-mails. The results revealed an overconfidence bias in self-detection from the participants, regardless of their technical background.
Originality/value
The authors conducted a literature review with a focus on user study which is a first in this field as far as the authors know. Additionally, the authors conducted a detailed user study with high school students and faculty using SDT which is also an understudied area and population.
5
Rizzoni F, Magalini S, Casaroli A, Mari P, Dixon M, Coventry L. Phishing simulation exercise in a large hospital: A case study. Digit Health 2022; 8:20552076221081716. [PMID: 35321019 PMCID: PMC8935590 DOI: 10.1177/20552076221081716] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.5] [Received: 10/01/2021] [Accepted: 01/30/2022] [Indexed: 11/21/2022]
Abstract
Background
Phishing is a major threat to the data and infrastructure of healthcare organizations and many cyberattacks utilize this socially engineered pathway. Phishing simulation is used to identify weaknesses and risks in the human defences of organizations. There are many factors influencing the difficulty of detecting a phishing email including fatigue and the nature of the deceptive message.
Method
A major Italian Hospital with over 6000 healthcare staff performed a phishing simulation as part of its annual training and risk assessment. Three campaigns were launched at approx. 4-month intervals, to compare staff reaction to a general phishing email and a customized one.
Results
The results show that customization of phishing emails makes them much more likely to be acted on. In the first campaign, 64% of staff did not open the general phish, significantly more than the 38% that did not open the custom phish. A significant difference was also found for the click rate, with significantly more staff clicking on the custom phish. However, the campaigns could not be run as intended, due to issues raised within the organization.
Conclusions
Phishing simulation is useful but not without its limitations. It requires contextual knowledge, skill and experience to ensure that it is effective. The exercise raised many issues within the Hospital. Successful, ethical phishing simulations require coordination across the organization, precise timing and lack of staff awareness. This can be complex to coordinate. Misleading messages containing false threats or promises can cause a backlash from staff and unions. The effectiveness of the message is dependent on the personalization of the message to current, local events. The lessons learned can be useful for other hospitals.
Affiliation(s)
- Fabio Rizzoni
- Data Protection Office, Fondazione Policlinico Gemelli, Italy
- Sabina Magalini
- Department of Surgery, Catholic University of the Sacred Heart, Italy
- Alessandra Casaroli
- Information Communication Technology Service, Fondazione Policlinico Gemelli, Italy
- Pasquale Mari
- Department of Surgery, Catholic University of the Sacred Heart, Italy
- Matt Dixon
- Department of Psychology, Northumbria University, UK
6
Gonzalez C. Learning and Dynamic Decision Making. Top Cogn Sci 2021; 14:14-30. [PMID: 34767300 DOI: 10.1111/tops.12581] [Citation(s) in RCA: 7] [Impact Index Per Article: 2.3] [Received: 07/16/2021] [Revised: 09/27/2021] [Accepted: 09/29/2021] [Indexed: 10/19/2022]
Abstract
Humans make decisions in dynamic environments (increasingly complex, highly uncertain, and changing situations) by searching for potential alternatives sequentially over time, to determine the best option at a precise moment. Surprisingly, the field of behavioral decision making has little to offer in terms of theoretical principles and practical guidelines on how people make decisions in dynamic situations. My research program aims to fill in this gap by developing theoretical understandings of decision processes as well as practical demonstrations of how these theoretical developments can improve human dynamic decision making. Throughout my research career, I have helped create, test, and improve a general theory of dynamic decision making, instance-based learning theory, IBLT. The methods I have used to contribute to IBLT are (1) laboratory experiments that rely on dynamic games in which humans make choices over time and space, individually and in teams, and from which we extrapolate robust phenomena and behavioral insights; and (2) computational, actionable cognitive models, which specify the decision-making process and the cognitive mechanisms involved into a computational algorithm. The combination of these methods spawned novel applications in areas such as cybersecurity, phishing, climate change, and human-machine interactions. In this paper, I will take you through my own intellectual exploratory experience of computational modeling of human decision processes, and how the integration of experimental work and cognitive modeling helped in discovering and uncovering the field of dynamic decision making.
Affiliation(s)
- Cleotilde Gonzalez
- Dynamic Decision Making Laboratory, Social and Decision Sciences Department, Carnegie Mellon University
7
Moustafa AA, Bello A, Maurushat A. The Role of User Behaviour in Improving Cyber Security Management. Front Psychol 2021; 12:561011. [PMID: 34220596 PMCID: PMC8253569 DOI: 10.3389/fpsyg.2021.561011] [Citation(s) in RCA: 4] [Impact Index Per Article: 1.3] [Received: 05/11/2020] [Accepted: 05/03/2021] [Indexed: 11/13/2022]
Abstract
Information security has for a long time been a field of study in computer science, software engineering, and information communications technology. The term 'information security' has recently been replaced with the more generic term cybersecurity. The goal of this paper is to show that, in addition to computer science studies, behavioural sciences focused on user behaviour can provide key techniques to help increase cyber security and mitigate the impact of attackers' social engineering and cognitive hacking methods (i.e., spreading false information). Accordingly, in this paper, we identify current research on psychological traits and individual differences among computer system users that explain vulnerabilities to cyber security attacks and crimes. Our review shows that computer system users possess different cognitive capabilities which determine their ability to counter information security threats. We identify gaps in the existing research and provide possible psychological methods to help computer system users comply with security policies and thus increase network and information security.
Affiliation(s)
- Ahmed A Moustafa
- School of Psychology, Western Sydney University, Sydney, NSW, Australia; The Marcs Institute for Brain, Behaviour and Development, Western Sydney University, Sydney, NSW, Australia; Department of Human Anatomy and Physiology, Faculty of Health Sciences, University of Johannesburg, Johannesburg, South Africa
- Abubakar Bello
- School of Social Sciences, Western Sydney University, Sydney, NSW, Australia
- Alana Maurushat
- School of Social Sciences, Western Sydney University, Sydney, NSW, Australia
8
The Phishing Email Suspicion Test (PEST) a lab-based task for evaluating the cognitive mechanisms of phishing detection. Behav Res Methods 2020; 53:1342-1352. [PMID: 33078362 DOI: 10.3758/s13428-020-01495-0] [Citation(s) in RCA: 8] [Impact Index Per Article: 2.0] [Accepted: 09/30/2020] [Indexed: 11/08/2022]
Abstract
Phishing emails constitute a major problem, linked to fraud and exploitation as well as subsequent negative health outcomes including depression and suicide. Because of their sheer volume, and because phishing emails are designed to deceive, purely technological solutions can only go so far, leaving human judgment as the last line of defense. However, because it is difficult to phish people in the lab, little is known about the cognitive and neural mechanisms underlying phishing susceptibility. There is therefore a critical need to develop an ecologically valid lab-based measure of phishing susceptibility that will allow evaluation of the cognitive mechanisms involved in phishing detection. Here we present such a measure based on a task, the Phishing Email Suspicion Test (PEST), and a cognitive model to quantify behavior. In PEST, participants rate a series of phishing and non-phishing emails according to their level of suspicion. By comparing suspicion scores for each email to its real-world efficacy, we find initial support for the ecological validity of PEST - phishing emails that were more effective in the real world were more effective at deceiving people in the lab. In the proposed computational model, we quantify behavior in terms of participants' overall level of suspicion of emails, their ability to distinguish phishing from non-phishing emails, and the extent to which emails from the recent past bias their current decision. Together, our task and model provide a framework for studying the cognitive neuroscience of phishing detection.
9
Montañez R, Golob E, Xu S. Human Cognition Through the Lens of Social Engineering Cyberattacks. Front Psychol 2020; 11:1755. [PMID: 33101096 PMCID: PMC7554349 DOI: 10.3389/fpsyg.2020.01755] [Citation(s) in RCA: 14] [Impact Index Per Article: 3.5] [Received: 01/19/2020] [Accepted: 06/25/2020] [Indexed: 11/13/2022]
Abstract
Social engineering cyberattacks are a major threat because they often prelude sophisticated and devastating cyberattacks. Social engineering cyberattacks are a kind of psychological attack that exploits weaknesses in human cognitive functions. Adequate defense against social engineering cyberattacks requires a deeper understanding of what aspects of human cognition are exploited by these cyberattacks, why humans are susceptible to these cyberattacks, and how we can minimize or at least mitigate their damage. These questions have received some amount of attention, but the state-of-the-art understanding is superficial and scattered in the literature. In this paper, we review human cognition through the lens of social engineering cyberattacks. Then, we propose an extended framework of human cognitive functions to accommodate social engineering cyberattacks. We cast existing studies on various aspects of social engineering cyberattacks into the extended framework, while drawing a number of insights that represent the current understanding and shed light on future research directions. The extended framework might inspire future research endeavor toward a new sub-field that can be called Cybersecurity Cognitive Psychology, which tailors or adapts principles of Cognitive Psychology to the cybersecurity domain while embracing new notions and concepts that are unique to the cybersecurity domain.
Affiliation(s)
- Rosana Montañez
- Department of Computer Science, University of Texas at San Antonio, San Antonio, TX, United States
- Edward Golob
- Department of Psychology, University of Texas at San Antonio, San Antonio, TX, United States
- Shouhuai Xu
- Department of Computer Science, University of Texas at San Antonio, San Antonio, TX, United States
10
Jampen D, Gür G, Sutter T, Tellenbach B. Don’t click: towards an effective anti-phishing training. A comparative literature review. Human-centric Computing and Information Sciences 2020. [DOI: 10.1186/s13673-020-00237-7] [Citation(s) in RCA: 17] [Impact Index Per Article: 4.3] [Indexed: 01/26/2023]
Abstract
Email is of critical importance as a communication channel for both business and personal matters. Unfortunately, it is also often exploited for phishing attacks. To defend against such threats, many organizations have begun to provide anti-phishing training programs to their employees. A central question in the development of such programs is how they can be designed sustainably and effectively to minimize the vulnerability of employees to phishing attacks. In this paper, we survey and categorize works that consider different elements of such programs via a clearly laid-out methodology, and identify key findings in the technical literature. Overall, we find that researchers agree on the answers to many relevant questions regarding the utility and effectiveness of anti-phishing training. However, we identified influencing factors, such as the impact of age on the success of anti-phishing training programs, for which mixed findings are available. Finally, based on our comprehensive analysis, we describe how a well-founded anti-phishing training program should be designed and parameterized with a set of proposed research directions.
11
Jalali MS, Bruckes M, Westmattelmann D, Schewe G. Why Employees (Still) Click on Phishing Links: Investigation in Hospitals. J Med Internet Res 2020; 22:e16775. [PMID: 32012071 PMCID: PMC7005690 DOI: 10.2196/16775] [Citation(s) in RCA: 31] [Impact Index Per Article: 7.8] [Received: 10/23/2019] [Revised: 12/11/2019] [Accepted: 12/16/2019] [Indexed: 12/25/2022]
Abstract
Background
Hospitals have been one of the major targets for phishing attacks. Despite efforts to improve information security compliance, hospitals still significantly suffer from such attacks, impacting the quality of care and the safety of patients.
Objective
This study aimed to investigate why hospital employees decide to click on phishing emails by analyzing actual clicking data.
Methods
We first gauged the factors that influence clicking behavior using the theory of planned behavior (TPB) and integrating trust theories. We then conducted a survey in hospitals and used structural equation modeling to investigate the components of compliance intention. We matched employees’ survey results with their actual clicking data from phishing campaigns.
Results
Our analysis (N=397) reveals that TPB factors (attitude, subjective norms, and perceived behavioral control), as well as collective felt trust and trust in information security technology, are positively related to compliance intention. However, compliance intention is not significantly related to compliance behavior. Only the level of employees’ workload is positively associated with the likelihood of employees clicking on a phishing link.
Conclusions
This is one of the few studies in information security and decision making that observed compliance behavior by analyzing clicking data rather than using self-reported data. We show that, in the context of phishing emails, intention and compliance might not be as strongly linked as previously assumed; hence, hospitals must remain vigilant with vulnerabilities that cannot be easily managed. Importantly, given the significant association between workload and noncompliance behavior (ie, clicking on phishing links), hospitals should better manage employees’ workload to increase information security. Our findings can help health care organizations augment employees’ compliance with their cybersecurity policies and reduce the likelihood of clicking on phishing links.
Affiliation(s)
- Mohammad S Jalali
- Massachusetts General Hospital Institute for Technology Assessment, Harvard Medical School, Boston, MA, United States; Massachusetts Institute of Technology Sloan School of Management, Cambridge, MA, United States
- Maike Bruckes
- Center for Management, University of Muenster, Muenster, Germany
- Gerhard Schewe
- Center for Management, University of Muenster, Muenster, Germany
12
Singh K, Aggarwal P, Rajivan P, Gonzalez C. Training to Detect Phishing Emails: Effects of the Frequency of Experienced Phishing Emails. Proc Hum Factors Ergon Soc Annu Meet 2019. [DOI: 10.1177/1071181319631355] [Citation(s) in RCA: 13] [Impact Index Per Article: 2.6] [Indexed: 11/15/2022]
Abstract
We studied people’s success on the detection of phishing emails after they were trained under one of three phishing frequency conditions, where the proportion of phishing emails during training varied as: low frequency (25% phishing emails), medium frequency (50% phishing emails) and high frequency (75% phishing emails). Individual base susceptibility to phishing emails was measured in a pre-training phase in which 20% of the emails were phishing; this performance was then compared to a post-training phase in which participants aimed at detecting new rare phishing emails (20% were phishing emails). The hit rates, false alarm rates, sensitivities and response criterion were analyzed. Results revealed that participants receiving a higher frequency of phishing emails had a higher hit rate but also a higher false alarm rate at detecting phishing emails at post-training compared to participants encountering lower frequency levels during training. These results have implications for designing new training protocols for improving detection of phishing emails.
Affiliation(s)
- Kuldeep Singh
- Dynamic Decision Making Laboratory, Carnegie Mellon University, Pittsburgh, USA
- Palvi Aggarwal
- Dynamic Decision Making Laboratory, Carnegie Mellon University, Pittsburgh, USA
- Prashanth Rajivan
- Department of Industrial and Systems Engineering, University of Washington, Seattle, WA
- Cleotilde Gonzalez
- Dynamic Decision Making Laboratory, Carnegie Mellon University, Pittsburgh, USA
13
Curtis SR, Rajivan P, Jones DN, Gonzalez C. Phishing attempts among the dark triad: Patterns of attack and vulnerability. Computers in Human Behavior 2018. [DOI: 10.1016/j.chb.2018.05.037] [Citation(s) in RCA: 28] [Impact Index Per Article: 4.7] [Indexed: 11/16/2022]