Phishing and Organisational Learning

Kearney, Wayne D.; Kruger, Hendrik G.

doi:10.1007/978-3-642-39218-4_28

Cited by 6 publications

(5 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Lab Student [61], [204], [211]- [218] [153], [219]- [225], [226] a , [227] a [228]- [233], [234] a Employee [235] a Unrestricted [203], [236], [237] a [238], [239], [240] a , [241] a [242], [243], [244] a Real Student [245] [202], [246], [247] [201], [248]-[251] Employee [252] [253]- [255] [10], [256], [257] Unrestricted [217], [258]- [260] [213], [261]- [266] a Studies that only asked participants about their vulnerability (Q/A) instead of showing them the email/website [220], [221], [228], [246], [251], [259] [10], [201], [223], [231], [248], [255], [257] 3 [202],…”

Section: Selected User Study Literaturementioning

confidence: 99%

SoK: A Comprehensive Reexamination of Phishing Research From the Security Perspective

Das

Baki

Aassal

et al. 2020

IEEE Commun. Surv. Tutorials

101

View full text Add to dashboard Cite

Phishing and spear phishing are typical examples of masquerade attacks since trust is built up through impersonation for the attack to succeed. Given the prevalence of these attacks, considerable research has been conducted on these problems along multiple dimensions. We reexamine the existing research on phishing and spear phishing from the perspective of the unique needs of the security domain, which we call security challenges: real-time detection, active attacker, dataset quality and baserate fallacy. We explain these challenges and then survey the existing phishing/spear phishing solutions in their light. This viewpoint consolidates the literature and illuminates several opportunities for improving existing solutions. We organize the existing literature based on detection techniques for different attack vectors (e.g., URLs, websites, emails) along with studies on user awareness. For detection techniques we examine properties of the dataset, feature extraction, detection algorithms used, and performance evaluation metrics. This work can help guide the development of more effective defenses for phishing, spear phishing and email masquerade attacks of the future, as well as provide a framework for a thorough evaluation and comparison.

show abstract

Section: Selected User Study Literaturementioning

confidence: 99%

SoK: A Comprehensive Reexamination of Phishing Research From the Security Perspective

Das

Baki

Aassal

et al. 2020

IEEE Commun. Surv. Tutorials

101

View full text Add to dashboard Cite

show abstract

“…Vulnerabilities References ` Financial benefit/ desire for monetary gain (Aggarwal, Kumar, & Sudarsan, 2014;Bere et al, 2015;Sahu & Dubey, 2014;Vayansky & Kumar, 2018;Zhou, Zhang, Xiao, Wang, & Lin, W. 2014;Oliveira et al, 2017) Curiosity (Aggarwal, Kumar, & Sudarsan, 2014;Bere et al, 2015;Cho, Cam, & Oltramari, 2016;Fette, Sadeh, Tomasic, 2007;Wash & Cooper, 2018;O'Kane, Sezer, & Carlin, 2018) Carelessness (Aburrous et al, 2010;Bere et al, 2015;Chiew, Chang, & Tiong, 2015;Kearney & Kruger, 2013;Laszka, Lou, & Vorobeychik, 2016;Miyamoto, Hazeyama, & Kadobayashi, 2005;Nagalingam, Narayana Samy, Ahmad, Maarop, & Ibrahim, R. 2015;Parmar, 2012;Workman, 2008;Wright & Marett, 2010;Zhang, Ren, & Jiang, 2016;Zhou et al, 2014) Trust in the sender (Alseadoon, Othman, Foo, & Chan, 2013;Bere et al, 2015;Cho, Cam, & Oltramari, 2016;Harrison, Vishwanath, & Rao, 2016;Huang, Tan, & Liu, 2009;Ivaturi, & Janczewski, 2012;Komatsu, Takagi, & Takemura, 2013;Patel & Luo, 2007;Romanov, Semenov, Mazhelis, & Veijalainen, J. 2017;Vayansky & Kumar, 2018) Lack of awareness; ignorance (Bann, Singh, & Samsudin, 2015;Caputo et ...…”

Section: Constructsmentioning

confidence: 99%

Evaluating user vulnerabilities vs phisher skills in spear phishing

Nicho¹,

Fakhry²,

Egbue³

2018

IJCSIS

View full text Add to dashboard Cite

Spear phishing emails pose great danger to employees of organizations due to the inherent weakness of the employees in identifying the threat from spear phishing cues, as well as the spear phisher's skill in crafting contextually convincing emails. This raises the main question of which construct (user vulnerabilities or phisher skills) has a greater influence on the vulnerable user. Researchers have provided enough evidence of user vulnerabilities, namely the desire for monetary gain, curiosity of the computer user, carelessness on the part of the user, the trust placed in the purported sender by the user, and a lack of awareness on the part of the computer user. However, there is a lack of research on the magnitude of each of these factors in influencing an unsuspecting user to fall for a phishing or spear phishing attack which we explored in this paper. While user vulnerabilities pose major risk, the effect of the spear phisher's ability in skillfully crafting convincing emails (using fear appeals, urgency of action, and email contextualization) to trap even skillful IT security personnel is an area that needs to be explored. Therefore, we explored the relationships between the two major constructs namely 'user vulnerabilities' and 'email contextualization', through the theory of planned behavior with the objective to find out the major factors that lead to computer users biting the phishers' bait. In this theoretical version of the paper, we provided the resulting two constructs that needed to be tested.

show abstract

“…In an effort to demonstrate (not to prove) the possible presence of homeostatic principles in information security behaviour, the ensuing paragraphs of this section refer to case studies that were conducted earlier and that have already been reported in the literature (Kearney and Kruger, 2013, 2014). The case studies entail practical information security exercises that were conducted at a very large utility company with over 3,500 information technology users.…”

Section: The Theory Of Risk Homeostasismentioning

confidence: 99%

“…The results were unexpected and contradictory to the high levels of security awareness; of the 280 users who responded over a short period of time, 231 (83 per cent) revealed the required personal details. Complete details of the phishing exercise were reported in Kearney and Kruger (2013). This test was later on followed up with a similar phishing test, and results showed that there was no improvement in terms of the number of people who gave away their personal details; in fact, the numbers increased from the first to the second test.…”

Section: The Theory Of Risk Homeostasismentioning

confidence: 99%

“…Despite all the comprehensive and well-researched theories, models and factors that influence information security behaviour, it may take only one simple phishing test to prove that there are still significant and perhaps serious challenges in the security behaviour arena – an example of such a phishing test can be found in Kearney and Kruger (2013). With this brief mention of the more prominent theories and influential factors in mind, the ensuing paper theorises on risk homeostasis as a relevant factor (or possible theory) in information security and subsequently discusses one or two other relevant options that may be associated with information security and the theories surrounding it.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Theorising on risk homeostasis in the context of information security behaviour

Kearney

Kruger

2016

Info and Computer Security

Self Cite

View full text Add to dashboard Cite

Purpose The purpose of this paper is to discuss and theorise on the appropriateness and potential impact of risk homeostasis in the context of information security. Design/methodology/approach The discussion is mainly based on a literature survey backed up by illustrative empirical examples. Findings Risk homeostasis in the context of information security is an under-explored topic. The principles, assumptions and methodology of a risk homeostasis framework offer new insights and knowledge to explain and predict contradictory human behaviour in information security. Practical implications The paper shows that explanations for contradictory human behaviour (e.g. the privacy paradox) would gain from considering risk homeostasis as an information security risk management model. The ideas discussed open up the prospect to theorise on risk homeostasis as a framework in information security and should form a basis for further research and practical implementations. On a more practical level, it offers decision makers useful information and new insights that could be advantageous in a strategic security planning process. Originality/value This is the first systematic comprehensive review of risk homeostasis in the context of information security behaviour and readers of the paper will find new theories, guidelines and insights on risk homeostasis.

show abstract

Phishing and Organisational Learning

Cited by 6 publications

References 18 publications

SoK: A Comprehensive Reexamination of Phishing Research From the Security Perspective

SoK: A Comprehensive Reexamination of Phishing Research From the Security Perspective

Evaluating user vulnerabilities vs phisher skills in spear phishing

Theorising on risk homeostasis in the context of information security behaviour

Contact Info

Product

Resources

About