
Why Johnny can't rely on anti-phishing educational interventions to protect himself against contemporary phishing attacks?

Phishing is a way of stealing people's sensitive information, such as usernames, passwords and banking details, by disguising as a legitimate entity (e.g. an email or website). Anti-phishing education is considered vital in strengthening the "human", the weakest link in information security. Previous research in anti-phishing education focuses on improving educational interventions to better engage the end user. However, one can argue that existing anti-phishing educational interventions have limited success because of the outdated teaching content they incorporate. Furthermore, teaching outdated anti-phishing techniques might not help combat contemporary phishing attacks. Therefore, this research investigates the phishing URL obfuscation techniques used in anti-phishing education against the contemporary phishing attacks reported on PhishTank.com. Our results showed that URL obfuscation with an IP address has become insignificant, and revealed two emerging URL obfuscation techniques, used by attackers lately, that have not been incorporated into existing anti-phishing educational interventions.

Informing, simulating experience, or both: A field experiment on phishing risks

Cybersecurity cannot be ensured with technical solutions alone. Hackers often use fraudulent emails that simply ask people for their password in order to break into organizations. This technique, called phishing, is a major threat to many organizations. A typical prevention measure is to inform employees, but is there a better way to reduce phishing risks? Experience and feedback have often been claimed to be effective in helping people make better decisions. In a large field experiment involving more than 10,000 employees of a Dutch ministry, we tested the effect of information provision, simulated experience, and their combination on the risk of falling for a phishing attack. Both approaches substantially reduced the proportion of employees giving away their password. Combining both interventions did not have a larger impact.

Misperceptions of Uncertainty and Their Applications to Prevention

This thesis studies how people misperceive risk and uncertainty, and how this cognitive bias affects individuals' preventive actions. Chapter 1 shows, in a lab experiment, that how rare events are presented affects how large people perceive those events to be: people perceive rare events as larger than they actually are when those events are presented to them separately rather than all together. Chapter 2 shows theoretically that the same phenomenon, probability weighting, makes people both over-insure and prevent little. Chapter 3, with an application to cybersecurity, analyses in a field experiment an intervention aimed at increasing prevention at the organizational level. I test whether communicating information more effectively, or letting employees experience a simulated phishing attack, helps to reduce falling for phishing attacks. Chapter 4 deals with the issue that people's judgements of risk might differ across contexts. In a lab experiment, it shows that a sexual context has an impact on ambiguity attitudes.

Predictors of Email Response: Determinants of the Intention of not Following Security Recommendations

Organizations and government leaders are concerned about cyber incidents. For some time, researchers have studied what motivates people to act in ways that put the confidentiality, integrity, and availability of information in organizations at risk. Still, several areas remain unexplored, including the role of employees' evaluation of organizational systems and the role of value orientation at work as precursors of secure and insecure actions in relation to information technologies (information security [IS] action). The objective of this research project was to examine how the evaluations of formal and informal security norms are associated with the intention to follow them, and to explore the role of work values, security systems, employee monitoring, and demographics in this association. It is essential to understand the determinants of IS action in the workplace so that interventions aimed at organizational behavioral change can focus on a few determinants of IS action. In the execution of the project, several scenarios were formulated. In each scenario, a character whose actions enact a particular value orientation at work fails to follow security recommendations. Several items were formulated to capture the variables of interest. After ensuring that the materials had good psychometric properties, a sample of 661 U.S. workers was collected and the data submitted to several analyses. The results revealed that a negative evaluation of the importance of security recommendations, and a negative evaluation of others relative to following security recommendations, were positively associated with the intention of not following those security recommendations. The evaluation of the completeness of security recommendations was negatively associated with the intention of not following them. The perception of others following security recommendations was not associated with the intention of not following them. It was also found that work values, security systems, monitoring, and demographics play a role in the association found. This research project does not establish causality but provides evidence of the investigated association. The survey research did not investigate actual actions; however, several precautions were taken to ensure that the results provide preliminary evidence of the precursors of IS action at work.