developing a user profile to predict phishing susceptibility and … · 2013. 3. 26. ·...

Post on 19-Aug-2020

Science of Security Lablet

Understanding & Accounting Human Behavior

Developing a User Profile to Predict Phishing Susceptibility and Security Technology Acceptance

Kyung Wha Hong, Dr. Emerson Murphy-Hill (Computer Science Department)

Christopher M. Kelly, Dr. Christopher B. Mayhorn (Psychology Department)

What is Phishing?

How is Phishing doing?

Problem Area Previous approach Our approach

Technology

Research Questions

• What behavioral characteristics make some users more susceptible to phishing?

• Are “at-risk” users willing to use new security related tools?

Goal

• Develop a user profile that predicts when and where phishing attacks will be successful

• Build a user-friendly tool to help users distinguish phishing attempts

Initial Survey

Phishing ?

Initial Survey

• Goal
  – Provide pilot data on perceptions of phishing and related characteristics

• Participants
  – 155 people recruited from Amazon’s Mechanical Turk

Initial Survey

• Methods
  – Computer Usage and Risk Profile Tool
  – Perceptions of phishing
  – Factors related to phishing
  – Personal phishing experiences

Initial Survey: Results

• Almost everyone had experienced a phishing attempt (22% actually had a loss)

• Participants actively engage in efforts to protect themselves online

Initial Survey: Results

• Phishers often pose as members of organizations

• The consequences of phishing attacks go beyond financial loss (e.g., embarrassment, erosion of trust)

Study 2

• Specific Aim
  – Identify behavioral, cognitive, and perceptual attributes that might make some users more susceptible to phishing than others

Study 2

• Participants
  – 53 undergraduate students

• Material
  – Self-reported measures
  – Behavioral measures

Study 2

(1) Online Survey
  – Previous experiences with phishing
  – Online purchasing behavior
  – General computing behavior
  – Dispositional trust
  – Impulsivity
  – Personality

Study 2

(2) Lab Test
  – Vision Test
  – Working Memory Capacity Test
  – Sustained Attention Test
  – Evaluate Phishing Susceptibility via Email Task
  – Vocabulary Test
  – Spatial Ability Test

Study 2

• Email Task
  – Ask the user to determine whether the provided email is legitimate or suspicious
  – Let the user respond by marking each email as important, archive, or trash

Study 2: Results

• Individual Differences
  – Less trusting individuals, introverts, and those less open to new experiences were more likely to trash legitimate emails
  – Women were less likely to identify phishing emails

Study 2: Results

• Email Task Performance
  – More than 92% were susceptible to phishing
  – 52% had misclassified more than half of the phishing emails

Study 3: Plan

• Develop an anti-phishing training tool
  – Adapting user profiles developed from Study 2

• Measure participants’ phishing susceptibility before and after the training

Study 3: Plan

Possible Collaboration

• Helping us find participants for Study 2

• Contacts
  – Dr. Christopher B. Mayhorn <cbmayhor@ncsu.edu>
  – Dr. Emerson Murphy-Hill <emerson@csc.ncsu.edu>
  – Christopher M. Kelly <chris_kelley@ncsu.edu>
  – Kyung Wha Hong <khong@ncsu.edu>
