The Role of Contextualization in Individuals’ Vulnerability to Phishing Attempts
Hackers who engage in phishing manipulate their victims into revealing confidential information by exploiting their motives, habits, and cognitive biases. Drawing on heuristic-systematic processing and the anchoring effect, this study examines how the contextualization of phishing messages, in the form of modifications to their framing and content, affects individuals’ susceptibility to phishing. This study also investigates if there is a discrepancy between the way individuals believe they will react to phishing attempts and their actual reactions. Using two fake phishing campaigns and an online survey, we find that individuals are more susceptible to phishing attempts when the phishing messages they receive are specific to their context, thereby appealing to their psychological vulnerabilities. There is also a significant gap between how individuals believe they will react and their actual reactions to phishing attempts.
Aleroud, A., & Zhou, L. (2017). Phishing environments, techniques, and countermeasures: A survey. Computers & Security, 68, 160-196.
Alsharnouby, M., Alaca, F., & Chiasson, S. (2015). Why phishing still works: User strategies for combating phishing attacks. International Journal of Human-Computer Studies, 82, 69-82.
Anderson, B. B., Vance, A., Kirwan, C. B., Jenkins, J. L., & Eargle, D. (2016). From warning to wallpaper: Why the brain habituates to security warnings and what can be done about it. Journal of Management Information Systems, 33(3), 713-743.
Arachchilage, N. A. G., & Love, S. (2013). A game design framework for avoiding phishing attacks. Computers in Human Behavior, 29(3), 706-714.
Arachchilage, N. A. G., & Love, S. (2014). Security awareness of computer users: A phishing threat avoidance perspective. Computers in Human Behavior, 38, 304-312.
Arachchilage, N. A. G., Love, S., & Beznosov, K. (2016). Phishing threat avoidance behaviour: An empirical investigation. Computers in Human Behavior, 60, 185-197.
Bailey, J. L., Mitchell, D., Robert, B., & Bradley, K. (2008). Analysis of student vulnerabilities to phishing. AMCIS 2008 Proceedings, 271.
Beycioglu, K. (2009). A cyberphilosophical issue in education: Unethical computer using behavior–The case of prospective teachers. Computers & Education, 53(2), 201-208.
Blythe, M., Petrie, H., & Clark, J. A. (2011). F for fake: four studies on how we fall for phish Symposium conducted at the meeting of the Proceedings of the SIGCHI Conference on Human Factors in Computing Systems https://dl.acm.org/doi/pdf/10.1145/1978942.1979459
CERTNZ. (2019). Quarter Three Report 2019. Retrieved 2019, https://www.cert.govt.nz/about/quarterly-report/quarter-three-report-2019/
Chaiken, S. (1982). The heuristic/systematic processing distinction in persuasion Symposium conducted at the meeting of the Symposium on Automatic Processing, Society for Experimental Social Psychology, Nashville, IN
Chaiken, S. (1987). The heuristic model of persuasion. Hillsdale, NJ: Lawrence Erlbaum. Symposium conducted at the meeting of the Social influence: the Ontario symposium. 5 (3-39).
Chen, S., & Chaiken, S. (1999). The heuristic-systematic model in its broader context. In S. Chaiken & Y. Trope (Eds.), Dual-process Theories in Social and Cognitive Psychology (pp. 73-96). New York (NY): Guilford.
Chen, X., Chen, L., & Wu, D. (2018). Factors that influence employees’ security policy compliance: an awareness-motivation-capability perspective. Journal of Computer Information Systems, 58(4), 312-324.
Chen, Y., Ramamurthy, K., & Wen, K.-W. (2015). Impacts of comprehensive information security programs on information security culture. Journal of Computer Information Systems, 55(3), 11-19.
Chou, H.-L., & Sun, J. C. Y. (2017). The moderating roles of gender and social norms on the relationship between protection motivation and risky online behavior among in-service teachers. Computers & Education, 112, 83-96.
Cohen, J. B., & Reed, A. (2006). A multiple pathway anchoring and adjustment (MPAA) model of attitude generation and recruitment. Journal of Consumer Research, 33(1), 1-15.
D'Arcy, J., Hovav, A., & Galletta, D. (2009). User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research, 20(1), 79-98.
Dennis, A. R., & Minas, R. K. (2018). Security on autopilot: Why current security theories hijack our thinking and lead us astray. ACM SIGMIS DATABASE for Advances in Information Systems, 49(SI), 15-38.
Dinev, T., & Hu, Q. (2007). The centrality of awareness in the formation of user behavioral intention toward protective information technologies. Journal of the Association for Information Systems, 8(7), 386-408.
Downs, J. S., Holbrook, M. B., & Cranor, L. F. (2006). Decision strategies and susceptibility to phishing Symposium conducted at the meeting of the Proceedings of the second symposium on Usable privacy and security. https://dl.acm.org/doi/pdf/10.1145/1143120.1143131
Eagly, A. H., & Chaiken, S. (1993). The psychology of attitudes: Harcourt brace Jovanovich college publishers.
Epley, N., & Gilovich, T. (2006). The anchoring-and-adjustment heuristic: Why the adjustments are insufficient. Psychological science, 17(4), 311-318.
Eroglu, C., & Croxton, K. L. (2010). Biases in judgmental adjustments of statistical forecasts: The role of individual differences. International Journal of Forecasting, 26(1), 116-133.
Esch, F. R., Schmitt, B. H., Redler, J., & Langner, T. (2009). The brand anchoring effect: A judgment bias resulting from brand awareness and temporary accessibility. Psychology & Marketing, 26(4), 383-395.
Flores, W. R., Holm, H., Nohlberg, M., & Ekstedt, M. (2015). Investigating personal determinants of phishing and the effect of national culture. Information & Computer Security, 23(2), 178-199.
Furnham, A., & Boo, H. C. (2011). A literature review of the anchoring effect. Socio-Economics, 40(1), 35-42.
Goel, S., Williams, K., & Dincelli, E. (2017). Got phished? Internet security and human vulnerability. Journal of the Association for Information Systems, 18(1), 22-44.
Haeussinger, F., & Kranz, J. (2017). Antecedents of employees’ information security awareness –review, synthesis, and directions for future research. Proceedings of the 25th European Conference on Information Systems, Guimarães, Portugal.
Hajli, N., & Lin, X. (2016). Exploring the security of information sharing on social networking sites: The role of perceived control of information. Journal of Business Ethics, 133(1), 111-123.
Halevi, T., Lewis, J., & Memon, N. (2013). Phishing, personality traits and Facebook. arXiv preprint arXiv:1301.7643.
Halevi, T., Memon, N., & Nov, O. (2015). Spear-Phishing in the Wild: A Real-World Study of Personality, Phishing Self-Efficacy and Vulnerability to Spear-Phishing Attacks. Available at SSRN: https://ssrn.com/abstract=2544742
Hanus, B., & Wu, Y. A. (2016). Impact of users’ security awareness on desktop security behavior: A protection motivation theory perspective. Information Systems Management, 33(1), 2-16.
Hassandoust, F., & Techatassanasoontorn, A. A. (2020). Understanding users' information security awareness and intentions: A full nomology of protection motivation theory. In Cyber Influence and Cognitive Threats (pp. 129-143): Elsevier.
Hilligoss, B., & Rieh, S. Y. (2008). Developing a unifying framework of credibility assessment: Construct, heuristics, and interaction in context. Information Processing & Management, 44(4), 1467-1484.
Hovav, A., & D’Arcy, J. (2012). Applying an extended model of deterrence across cultures: An investigation of information systems misuse in the US and South Korea. Information & Management, 49(2), 99-110.
Irwin, L. (2020). The 5 most common types of phishing attack. Retrieved from https://www.itgovernance.eu/blog/en/the-5-most-common-types-of-phishing-attack
Iuga, C., Nurse, J. R., & Erola, A. (2016). Baiting the hook: factors impacting susceptibility to phishing attacks. Human-centric Computing and Information Sciences, 6(1), 1-20.
Jacowitz, K. E., & Kahneman, D. (1995). Measures of anchoring in estimation tasks. Personality and Social Psychology Bulletin, 21(11), 1161-1166.
Jagatic, T. N., Johnson, N. A., Jakobsson, M., & Menczer, F. (2007). Social phishing. Communications of the ACM, 50(10), 94-100.
Jakobsson, M., & Ratkiewicz, J. (2006). Designing ethical phishing experiments: a study of (ROT13) rOnl query features Symposium conducted at the meeting of the Proceedings of the 15th international conference on World Wide Web. https://dl.acm.org/doi/pdf/10.1145/1135777.1135853
Jansen, J., & Van Schaik, P. (2018). Persuading end users to act cautiously online: A fear appeals study on phishing. Information & Computer Security, 26(3), 264-276.
Johnston, A. C., & Warkentin, M. (2010). Fear appeals and information security behaviors: an empirical study. MIS Quarterly, 34(3), 549-566.
Kahneman, D. (2011). Thinking, fast and slow: Macmillan.
Kim, D., & Kim, J. H. (2013). Understanding persuasive elements in phishing e-mails. Online Information Review.
Kumaraguru, P., Rhee, Y., Sheng, S., Hasan, S., Acquisti, A., Cranor, L. F., & Hong, J. (2007). Getting users to pay attention to anti-phishing education: evaluation of retention and transfer Symposium conducted at the meeting of the Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit https://dl.acm.org/doi/pdf/10.1145/1299015.1299022
Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L. F., & Hong, J. (2010). Teaching Johnny not to fall for phish. ACM Transactions on Internet Technology, 10(2), 1-31.
Lim, J. S., Ahmad, A., Chang, S., & Maynard, S. B. (2010). Embedding Information Security Culture Emerging Concerns and Challenges Symposium conducted at the meeting of the Pacific Asia Conference on Information Systems https://aisel.aisnet.org/cgi/viewcontent.cgi?article=1041&context=pacis2010
Loewenstein, G., O'Donoghue, T., & Bhatia, S. (2015). Modeling the interplay between affect and deliberation. Decision, 2(2), 55-81.
Luo, X. R., Zhang, W., Burd, S., & Seazzu, A. (2013). Investigating phishing victimization with the Heuristic–Systematic Model: A theoretical framework and an exploration. Computers & Security, 38, 28-38.
McElwee, S., Murphy, G., & Shelton, P. (2018). Influencing Outcomes and Behaviors in Simulated Phishing ExercisesIEEE. Symposium conducted at the meeting of the SoutheastCon 2018. https://ieeexplore.ieee.org/document/8479109
McHugh, M. L. (2013). The chi-square test of independence. Biochemia Medica, 23(2), 143-149.
Mitnick, K. D., & Simon, W. L. (2003). The art of deception: Controlling the human element of security: John Wiley & Sons.
Moody, G. D., Galletta, D. F., & Dunn, B. K. (2017). Which phish get caught? An exploratory study of individuals′ susceptibility to phishing. European Journal of Information Systems, 26(6), 564-584.
Musuva, P. M., Getao, K. W., & Chepken, C. K. (2019). A new approach to modelling the effects of cognitive processing and threat detection on phishing susceptibility. Computers in Human Behavior, 94, 154-175.
Nouh, M., Nurse, J. R., Webb, H., & Goldsmith, M. (2019). Cybercrime investigators are users too! Understanding the socio-technical challenges faced by law enforcement. arXiv preprint arXiv:1902.06961.
Parsons, K., McCormac, A., Pattinson, M., Butavicius, M., & Jerram, C. (2015). The design of phishing studies: Challenges for researchers. Computers & Security, 52, 194-206.
Pattinson, M., Butavicius, M., Parsons, K., McCormac, A., & Calic, D. (2015). Factors that influence information security behavior: An Australian web-based study. International Conference on Human Aspects of Information Security, Privacy, and Trust. (pp. 231-241). Springer, Cham.
Petty, R. E., & Cacioppo, J. T. (1984). The effects of involvement on responses to argument quantity and quality: Central and peripheral routes to persuasion. Journal of Personality and Social Psychology, 46(1), 69.
Pienta, D., Thatcher, J. B., & Johnston, A. (2020). Protecting a whale in a sea of phish. Journal of Information Technology, 0268396220918594.
Resnik, D. B., & Finn, P. R. (2018). Ethics and phishing experiments. Science and Engineering Ethics, 24(4), 1241-1252.
Salah El-Din, R (2012) To Deceive or not to Deceive! Ethical Questions in Phishing Research. In HCI Research in Sensitive Contexts: Ethical Considerations Workshop at HCI, Birmingham, UK. http://eprints.leedsbeckett.ac.uk/4834/
Sheng, S., Holbrook, M., Kumaraguru, P., Cranor, L. F., & Downs, J. (2010). Who falls for phish? A demographic analysis of phishing susceptibility and effectiveness of interventions Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. https://dl.acm.org/doi/pdf/10.1145/1753326.1753383
Simon, H. A. (1965). Administrative Behavior. A Study of Decision-making Processes in Administrative Organization: Macmillan.
Siponen, M. T. (2000). A conceptual foundation for organizational information security awareness. Information Management & Computer Security, 8(1), 31-41.
Soghoian, C. (2008, October). Legal risks for phishing researchers. In 2008 eCrime Researchers Summit (pp. 1-11). IEEE. https://ieeexplore.ieee.org/document/4696971
Stanciu, V., & Tinca, A. (2016). Students' awareness on information security between own perception and reality–an empirical study. Accounting and Management Information Systems, 15(1), 112-130.
Straub, D., Boudreau, M. C., & Gefen, D. (2004). Validation guidelines for IS positivist research. Communications of the Association for Information systems, 13(1), 380-427.
Turner, C. G., & Monk‐Turner, E. (2007). Gender differences in occupational status in the South Korean labor market: 1988‐1998. International Journal of Social Economics.
Tversky, A., & Kahneman, D. (1974). Judgment under uncertainty: Heuristics and biases. Science, 185(4157), 1124-1131.
Vishwanath, A., Harrison, B., & Ng, Y. J. (2018). Suspicion, cognition, and automaticity model of phishing susceptibility. Communication Research, 45(8), 1146-1166.
Wang, J., Li, Y., & Rao, H. R. (2016). Overconfidence in phishing email detection. Journal of the Association for Information Systems, 17(11), 759-783.
Wang, J., Li, Y., & Rao, H. R. (2017). Coping responses in phishing detection: an investigation of antecedents and consequences. Information Systems Research, 28(2), 378-396.
Wegener, D. T., Petty, R. E., Detweiler-Bedell, B. T., & Jarvis, W. B. G. (2001). Implications of attitude change theories for numerical anchoring: Anchor plausibility and the limits of anchor effectiveness. Journal of Experimental Social Psychology, 37(1), 62-69.
Whetten, D. A. (2009). An examination of the interface between context and theory applied to the study of Chinese organizations. Management and Organization Review, 5(1), 29-56.
White, G., Ekin, T., & Visinescu, L. (2017). Analysis of protective behavior and security incidents for home computers. Journal of Computer Information Systems, 57(4), 353-363.
White, G. L. (2015). Education and prevention relationships on security incidents for home computers. Journal of Computer Information Systems, 55(3), 29-37.
Wilson, T. D., Houston, C. E., Etling, K. M., & Brekke, N. (1996). A new look at anchoring effects: basic anchoring and its antecedents. Journal of Experimental Psychology: General, 125(4), 387.
Wirth, W., Böcking, T., Karnowski, V., & Von Pape, T. (2007). Heuristic and systematic use of search engines. Journal of Computer-Mediated Communication, 12(3), 778-800.
Wright, R. T., Jensen, M. L., Thatcher, J. B., Dinger, M., & Marett, K. (2014). Research note—influence techniques in phishing attacks: an examination of vulnerability and resistance. Information Systems Research, 25(2), 385-400.
Wu, J. Y. (2014). Gender differences in online reading engagement, metacognitive strategies, navigation skills and reading literacy. Journal of Computer Assisted Learning, 30(3), 252-271.
Wu, M., Miller, R. C., & Garfinkel, S. L. (2006). Do security toolbars actually prevent phishing attacks? Proceedings of the SIGCHI conference on Human Factors in computing systems. https://dl.acm.org/doi/pdf/10.1145/1124772.1124863
AJIS publishes open-access articles distributed under the terms of a Creative Commons Non-Commercial and Attribution License which permits non-commercial use, distribution, and reproduction in any medium, provided the original author and AJIS are credited. All other rights including granting permissions beyond those in the above license remain the property of the author(s).