Developing a User Profile to Predict Phishing Susceptibility and … · 2013. 3. 26. ·...
Science of Security Lablet
Understanding & Accounting Human Behavior
Developing a User Profile to Predict Phishing Susceptibility and Security Technology Acceptance
Kyung Wha Hong, Dr. Emerson Murphy-Hill, Computer Science Department
Christopher M. Kelly, Dr. Christopher B. Mayhorn, Psychology Department
What is Phishing?
How is Phishing doing?
Problem Area Previous approach Our approach
Technology
Research Questions
• What behavioral characteristics make some users more susceptible to phishing?
• Are “at-risk” users willing to use new security related tools?
Goal
• Develop a user profile that predicts when and where phishing attacks will be successful
• Build a user-friendly tool to help users distinguish phishing attempts
Initial Survey
Phishing ?
Initial Survey
• Goal
– Provide pilot data on perceptions of phishing and related characteristics
• Participants
– 155 people recruited from Amazon’s Mechanical Turk
Initial Survey
• Methods
– Computer Usage and Risk Profile Tool
– Perceptions of phishing
– Factors related to phishing
– Personal phishing experiences
Initial Survey: Results
• Almost everyone had experienced a phishing attempt (22% actually had a loss)
• Participants actively engage in efforts to protect themselves online
Initial Survey: Results
• Phishers often pose as members of organizations
• The consequences of phishing attacks go beyond financial loss (e.g., embarrassment, erosion of trust)
Study 2
• Specific Aim
– Identify behavioral, cognitive, and perceptual attributes that might make some users more susceptible to phishing than others
Study 2
• Participants
– 53 undergraduate students
• Material
– Self-reported measures
– Behavioral measures
Study 2
(1) Online Survey
– Previous experiences with phishing
– Online purchasing behavior
– General computing behavior
– Dispositional trust
– Impulsivity
– Personality
Study 2
(2) Lab Test
– Vision Test
– Working Memory Capacity Test
– Sustained Attention Test
– Evaluate Phishing Susceptibility via Email Task
– Vocabulary Test
– Spatial Ability Test
Study 2
• Email Task
– Ask the user to determine whether each provided email is legitimate or suspicious
– Let the user respond by marking each email as important, archive, or trash
Study 2: Results
• Individual Differences
– Less trusting individuals, introverts, and those less open to new experiences were more likely to trash legitimate emails
– Women were less likely to identify phishing emails
Study 2: Results
• Email Task Performance
– More than 92% were susceptible to phishing
– 52% had misclassified more than half of the phishing emails
Study 3: Plan
• Develop an anti-phishing training tool
– Adapting user profiles developed from Study 2
• Measure participant’s phishing susceptibility before and after the training
Study 3: Plan
Possible Collaboration
• Helping us find participants for Study 2
• Contacts
– Dr. Christopher B. Mayhorn <[email protected]>
– Dr. Emerson Murphy-Hill <[email protected]>
– Christopher M. Kelly <[email protected]>
– Kyung Wha Hong <[email protected]>