Proceedings of the 20th Annual SIG Conference on Information Technology Education | 2019

Human Risk Factors in Cybersecurity


Abstract


Phishing emails present a serious threat to any institution, costing individuals and companies millions of dollars every year in damages. This paper attempts to assess the human risks of a mid-sized state university by conducting an experiment in which users were phished multiple times and presented with different training types. The phishing emails contained links to a controlled server that prompted users to enter login credentials into a spoofed university login page and gathered relevant data. Our analysis shows that 44.3% of users clicked on at least one of the phishing emails, and 18.6% entered valid credentials. Additionally, we found that the majority of users (64.5%) responded to the phishing emails via mobile devices running iOS or Android, and we received 98% of responses within the first twelve hours of sending the emails. Finally, our data suggest that the most effective training method to prevent users from clicking subsequent phishing emails was to provide easy-to-read documents with visual cues when users were caught in the act.

DOI 10.1145/3349266.3351407
Language English
Journal Proceedings of the 20th Annual SIG Conference on Information Technology Education
