Sage Journals: Discover world-class research

Abstract

Despite significant advancements in security technologies, phishing attacks continue to be rampant and successful because distinguishing phishing emails from real messages remains difficult to most end-users, mainly the targeted kind known as spear-phishing. There is a severe lack of human factor studies on spear-phishing attacks due to lack of methods and datasets. We have designed a novel multi-player synthetic task environment, called SpearSim, for conducting laboratory experiments on spear-phishing attacks. Using SpearSim, we have conducted an experiment to understand how information exploitation in spear-phishing attacks influences end-user decision-making. This paper describes the SpearSim system’s design and discusses the results from the experiment conducted with SpearSim. The experiment results show that people are more vulnerable to spear-phishing attacks when attackers can explore and exploit different kinds of personal information available to them about their targets. We discuss the implications of this research for the design of anti-phishing training solutions and privacy enhancing technologies.

Get full access to this article

View all access options for this article.

References

Alsharnouby

Alaca

Chiasson

(2015). Why phishing still works: User strategies for combating phishing attacks. International Journal of Human-Computer Studies, 82, 69–82.

Das

Baki

El Aassal

Verma

Dunbar

(2019). Sok: a comprehensive reexamination of phishing research from the security perspective. IEEE Communications Surveys & Tutorials, 22(1), 671–708.

Haran

Ritov

Mellers

B. A.

(2013). The role of actively open-minded thinking in information acquisition, accuracy, and calibration.

Cidon

Gavish

Schweighauser

Paxson

Savage

… Wagner

(2019). Detecting and characterizing lateral phishing at scale. In 28th USENIX security symposium (pp. 1273–1290). Santa Clara, CA.

Horton

W. S.

Rapp

D. N

. (2003). Out of sight, out of mind: Occlusion and the accessibility of information in narrative comprehension. Psychonomic Bulletin & Review, 10(i), 104–110.

Hovland

Janis

I. L.

Kelley

H. H.

(1953). Communication and persuasion: Psychological studiesof opinion change, new haven, ct: Yale university-press. Hovland Communication and Persuasion: Psychological Studies of Opinion Change1953.

Klimt

Yang

(2004). The enron corpus: A new dataset for email classification research. In European conference on machine learning (pp. 217–226).

Kumaraguru

Sheng

Acquisti

Cranor

L. F.

Hong

(2010). Teaching johnny not to fall for phish. ACM TOIT, 10(2), 7.

Martin

Dube

Coovert

M. D.

(2018). Signal detection theory (sdt) is effective for modeling user behavior toward phishing and spear-phishing attacks. Human factors, 60(8), 1179–1191.

10.

Parsons

McCormac

Pattinson

Butavicius

Jerram

(2015). The design of phishing studies: Challenges for researchers. Computers & Security, 52, 194–206.

11.

Rajivan

Gonzalez

(2018). Creative persuasion: A study on adversarial behaviors and strategies in phishing attacks. Frontiers in psychology, 9, 135.

12.

Singh

Aggarwal

Rajivan

Gonzalez

(2019). Training to detect phishing emails: Effects of the frequency of experienced phishing emails. In Proceedings ofthe human factors and ergonomics society annual meeting (Vol. 63, pp. 453–457).

13.

StrauB

(2017). Privacy analysis-privacy impact assessment. The Ethics of Technology: Methods and Approaches, 143–156.

14.

Zwaan

R. A.

(1999). Situation models: The mental leap into imagined worlds. Current directions in psychological science, 8(1), 15–18.

SpearSim : Design and Evaluation of Synthetic Task Environment for Studies on Spear Phishing Attacks

Abstract

Get full access to this article

References