Olga A. Zielinska

Will the Phisher-Men Reel You In?: Assessing Individual Differences in a Phishing Detection Task

Some authors suggest that regardless of how good security technology is, it is the “people problem” that must be overcome for successful cybersecurity (West, Mayhorn, Hardee, & Mendel, 2009). While security threats to the average computer user might take a variety of forms such as viruses or worms delivered via nefarious websites or USB drives, identity theft tactics such as phishing are becoming increasingly problematic and common. Phishing is a technology-based, social engineering tactic where attackers attempt to appear as authorized sources to target individuals and obtain personal and/or sensitive information. The current research aims to explore how individuals differ in phishing susceptibility within the context of a real world email-related decision making task.

One Phish, Two Phish, How to Avoid the Internet Phish Analysis of Training Strategies to Detect Phishing Emails

Phishing is a social engineering tactic that targets internet users in an attempt to trick them into divulging personal information. When opening an email, users are faced with the decision of determining if an email is legitimate or an attempt at phishing. Although software has been developed to assist the user, studies have shown they are not foolproof, leaving the user vulnerable. Multiple training programs have been developed to educate users in their efforts to make informed decisions; however, training that conveys the real world consequences of phishing or training that increases a user’s fear level have not been developed. Conveying real world consequences of a situation and increasing a user’s fear level have been proven to enhance the effects of training in other fields. Ninety-six participants were recruited and randomly assigned to training programs with phishing consequences, training programs designed to increase fear, or a control group. Preliminary results indicate that training helped users identify phishing emails; however, little difference was seen among the three groups. Future analysis will include a factor analysis of personality and individual differences that influence training efficacy.

A Temporal Analysis of Persuasion Principles in Phishing Emails

Eight hundred eighty-seven phishing emails from Arizona State University, Brown University, and Cornell University were assessed by two reviewers for Cialdini’s six principles of persuasion: authority, social proof, liking/similarity, commitment/consistency, scarcity, and reciprocation. A correlational analysis of email characteristics by year revealed that the persuasion principles of commitment/consistency and scarcity have increased over time, while the principles of reciprocation and social proof have decreased over time. Authority and liking/similarity revealed mixed results with certain characteristics increasing and others decreasing. Results from this study can inform user training of phishing emails and help cybersecurity software to become more effective.

Exploring expert and novice mental models of phishing

Mental models are internal representations of a concept or system that develop with experience. By rating pairs of concepts on the strength of their relationship, networks can be created showing an in-depth analysis of how information is organized. We asked novice and expert computer users to rate 10 terms related to the prevention of phishing. Expert mental models were more complex with more links between concepts. Relatedness ratings provide quantifiable network displays of mental models of novices and experts that cannot be seen through interviews. This information could provide a basis for future research on how mental models could be used to determine phishing vulnerability and the effectiveness of phishing training.

Exploring Expert and Novice Mental Models of Phishing

Experience influences actions people take in protecting themselves against phishing. One way to measure experience is through mental models. Mental models are internal representations of a concept or system that develop with experience. By rating pairs of concepts on the strength of their relationship, networks can be created through Pathfinder, showing an in-depth analysis of how information is organized. Researchers had novice and expert computer users rate three sets of terms related to phishing. The terms were divided into three categories: prevention of phishing, trends and characteristics of phishing attacks, and the consequences of phishing. Results indicated that expert mental models were more complex with more links between concepts. Specifically, experts had sixteen, thirteen, and fifteen links in the networks describing the prevention, trends, and consequences of phishing, respectively; however, novices only had eleven, nine, and nine links in the networks describing prevention, trends, and consequences of phishing, respectively. These preliminary results provide quantifiable network displays of mental models of novices and experts that cannot be seen through interviews. This information could provide a basis for future research on how mental models could be used to determine phishing vulnerability and the effectiveness of phishing training.

A Perceptual Analysis of Standard Safety, Fluorescent, and Neon Colors

Twenty-six standard safety colors specified by the American National Standards Institute (ANSI), International Standards Organization (ISO), and the Federal Highway Association (FHWA) were compared to seven fluorescent and neon colors on perceived hazard and perceived importance. Results indicated that the fluorescent orange, ANSI red, fluorescent yellow, FHWA red, fluorescent yellow green, and ISO red were the highest rated colors on perceived hazard. ANSI red, FHWA red, ISO red, fluorescent orange, fluorescent yellow, and fluorescent yellow green were rated the highest on perceived importance. The implications of these findings and the potential use of fluorescent colors in product warnings are discussed.

Interaction of Personality and Persuasion Tactics in Email Phishing Attacks

Phishing is a social engineering tactic where a malicious actor impersonates a trustworthy third party with the intention of tricking the user into divulging sensitive information. Previous social engineering research has shown an interaction between personality and the persuasion principle used. This study was conducted to investigate whether this interaction is present in the realm of email phishing. To investigate this, we used a personality inventory and an email identification task (phishing or legitimate). The emails used in the identification task utilize four of Cialdini’s persuasion principles. Our data confirms previous findings that high extroversion is predictive of increased susceptibility to phishing attacks. In addition, we identify multiple interactions between personality and specific persuasion principles. We also report the overarching efficacy of various persuasion principles on phishing email identification accuracy.

The Oddball Effect and Inattentional Blindness: How Unexpected Events Influence Our Perceptions Of Time

Inattentional blindness is a phenomenon in which an unexpected event goes unnoticed (at a conscious level) during a demanding task. The oddball effect is a perceptual phenomenon whereby novel or unexpected stimuli result in longer perceived time durations. The two phenomenon – inattentional blindness and the oddball effect—seem to have no surface relationship, however they share an important commonality: both occur in the presence of unexpected events. The present research aims to connect the two bodies of work, and examine if and how the oddball effect manifests itself within an inattentional blindness paradigm. The results of this research have important implications including understanding the effect of unexpected events on conscious attention and how the conscious processing of the event influences time perception. Results may also inform the design of systems that support tasks that require keeping track of elapsed duration when unexpected events may occur.

Manipulating the Display of Probability Rates on Web Health Searches

The Internet offers many benefits to people seeking health information, such as the convenience of accessing information at any time, and the protection of viewing information anonymously; however, such information is unregulated and can be misinterpreted (Raine et al., 2000; Starcevic & Berle, 2013). Escalation, the observed increase in medical severity of search terms within a single search session, could occur. For example, escalation occurs when an initial search for “headache” leads to a later search for “brain tumor”. Researchers have recommended including incidence rates to reduce escalation; however, this phenomenon has yet to be tested empirically. The purpose of the current research is to investigate the effects of adding probability rates to Internet health search results. One-hundred-and-fifty undergraduates were randomly assigned to one of three presentation groups (control, pictorial, and numeric) where they evaluated four search results pages. Incidence rates were not displayed in the control whereas participants in the pictorial condition saw incidence rates displayed as bar graphs and those in the numeric condition saw incidence rates displayed as percentages. Escalation was evaluated using the severity and susceptibility measures from the Risk Behavior Diagnosis Scale. Severity was defined as the magnitude of harm expected from a threat or the significance or seriousness of a threat (Witte, Meyer, & Martell, 2001). The Risk Behavior Diagnosis Scale evaluated severity in three questions: (Symptom) is a serious threat; (Symptom) is harmful; and (Symptom) is a severe threat. Susceptibility is the likelihood that a specific person will experience a threat, the degree of vulnerability, or risk of experience a threat. In the current study, three questions were used to assess susceptibility: If I have (symptom), I am at risk for having (serious condition); It is likely that I have (serious condition) if I experience (symptom); (Symptom) is nothing to worry about. Four symptoms were evaluated and each symptom was paired with four conditions: two benign and two serious. Results indicated that participants believed symptoms were more severe after reviewing search result pages than before reviewing search result pages (p<.001); however, there were no display group differences in perceived severity. Participants also believed that they were the most susceptible to benign conditions when incidence rates were shown numerically, followed by pictorially, and the least susceptible when there were no incidence rates present. The numeric group was significantly higher than the control group (p=.002); however, there were no differences between the numeric and pictorial group, and between the control and pictorial group (p<.10). Similarly in the serious condition, the highest ratings were in the numeric group, followed by pictorial, and the lowest perceived susceptibility was in the control. Numeric was significantly higher than the control (p=.003) and pictorial (p=.028), but there was no difference between the pictorial group and the control (p<.10). Although susceptibility was higher when incidence rates were present for both benign and serious conditions, rates were higher for benign conditions than the serious conditions (p<.001) suggesting that people are not escalating. These results also fall in line with the statistical results shown on the search result’s page. Previous escalation studies suggested this phenomenon (Aiken et al., 2012; Starcevic & Berle, 2013; White & Horvitz, 2009), but it has not been tested up until this point. It would be beneficial to replicate the study with a more diverse population to obtain more generalizable results; however, the findings from this study could be helpful in understanding how patients comprehend healthcare information and could conceivably provide direction for how health care professionals distribute information to their patients.

Wash Away Your Troubles: Examining the Effect of Organization and Information Availability with a Car Wash Cashier Interface

An existing car wash user interface was evaluated and redesigned to improve novice and experienced-user performance by implementing human factors methods. Researchers conducted a heuristic evaluation, user needs, environmental, and task analyses to outline usability issues within the existing system, in addition to critical considerations regarding the redesign. Results revealed five areas of difficulty within the existing system: organization, visibility, visual distractions, system feedback, and error correction. Researchers generated design strategies to mitigate the aforementioned areas of difficulty, and incorporated them into prototype iterations. A/B usability testing was conducted with the prototype iterations to compare novice and experienced-user performance with horizontal and vertical navigation bars containing and excluding price information. Results indicated that overall the revised system was a success, with the horizontal no price iteration being most effective. However, there were several remaining areas of difficulty that require further modification and testing.