SoK: Human-Centered Phishing Susceptibility

Abstract: Phishing is recognised as a serious threat to organisations and individuals. While there have been significant technical advances in blocking phishing attacks, people remain the last line of defence after phishing emails reach their email client. Most of the existing literature on this subject has focused on the technical aspects related to phishing. However, the factors that cause humans to be susceptible to phishing attacks are still not well-understood. To fill this gap, we reviewed the available literature… Show more

“…In other words, the predictive models we built are specific to the community whose data were used during training. Thus, the personality [153], psychology [154], culture, technical background [74], business place, and job type [74] can be listed as significant influential factors driving the audience's response. Apart from these, according to [155], experiential and dispositional factors play a key role in decision-making processes so phishing victimization does.…”

“…In a very recent study, Zhuo et al [154] described the two dimensions of the quality of evidence affecting the ecological validity of the experimental setup for awareness training simulation based anti-phishing studies: (1) experiment type and (2) sample size in terms of user groups. Instead of conducting an "email management" approach which is cost-effective but less accurate, we followed the way of rolling out real-world phishing simulations that are much more accurate despite being restricted by legal and ethical issues.…”

“…Ever-growing anti-phishing literature has sought answers for the underlying social-psychological and behavioral factors driving the behaviour of falling into phishing. Studies like [23], [74], [130], [140], [153], [154] aimed at finding or verifying influential factors triggering users to fall into phishing contents. For instance, a recent study [74] points out that the type of computer use is more decisive than the amount of usage.…”

“…Thus, cognitive properties of individuals should also be taken into the account since the perception of email phishing is highly subjective and dynamic. As pointed out by [154], most of the anti-phishing literature has put much effort into the technical aspects leaving the factors for phishing susceptibility not explored yet. In line with our opinions, [154] explained the largest research gap -user's situational factors -in phishing susceptibility by exampling some key factors such as "in the moment emotion", "stress", "mental fatigue", "distraction" each of which requires careful and realistic future studies.…”

“…As pointed out by [154], most of the anti-phishing literature has put much effort into the technical aspects leaving the factors for phishing susceptibility not explored yet. In line with our opinions, [154] explained the largest research gap -user's situational factors -in phishing susceptibility by exampling some key factors such as "in the moment emotion", "stress", "mental fatigue", "distraction" each of which requires careful and realistic future studies. Likewise, it is obvious that measuring these factors are currently not straightforward yet presence of any of these actors will likely contribute to our model.…”

Avoiding the Hook: Influential Factors of Phishing Awareness Training on Click-Rates and a Data-Driven Approach to Predict Email Difficulty Perception

“…In other words, the predictive models we built are specific to the community whose data were used during training. Thus, the personality [153], psychology [154], culture, technical background [74], business place, and job type [74] can be listed as significant influential factors driving the audience's response. Apart from these, according to [155], experiential and dispositional factors play a key role in decision-making processes so phishing victimization does.…”

“…In a very recent study, Zhuo et al [154] described the two dimensions of the quality of evidence affecting the ecological validity of the experimental setup for awareness training simulation based anti-phishing studies: (1) experiment type and (2) sample size in terms of user groups. Instead of conducting an "email management" approach which is cost-effective but less accurate, we followed the way of rolling out real-world phishing simulations that are much more accurate despite being restricted by legal and ethical issues.…”

“…Ever-growing anti-phishing literature has sought answers for the underlying social-psychological and behavioral factors driving the behaviour of falling into phishing. Studies like [23], [74], [130], [140], [153], [154] aimed at finding or verifying influential factors triggering users to fall into phishing contents. For instance, a recent study [74] points out that the type of computer use is more decisive than the amount of usage.…”

“…Thus, cognitive properties of individuals should also be taken into the account since the perception of email phishing is highly subjective and dynamic. As pointed out by [154], most of the anti-phishing literature has put much effort into the technical aspects leaving the factors for phishing susceptibility not explored yet. In line with our opinions, [154] explained the largest research gap -user's situational factors -in phishing susceptibility by exampling some key factors such as "in the moment emotion", "stress", "mental fatigue", "distraction" each of which requires careful and realistic future studies.…”

“…As pointed out by [154], most of the anti-phishing literature has put much effort into the technical aspects leaving the factors for phishing susceptibility not explored yet. In line with our opinions, [154] explained the largest research gap -user's situational factors -in phishing susceptibility by exampling some key factors such as "in the moment emotion", "stress", "mental fatigue", "distraction" each of which requires careful and realistic future studies. Likewise, it is obvious that measuring these factors are currently not straightforward yet presence of any of these actors will likely contribute to our model.…”

Avoiding the Hook: Influential Factors of Phishing Awareness Training on Click-Rates and a Data-Driven Approach to Predict Email Difficulty Perception