4 research outputs found

    Achieving a consensual definition of phishing based on a systematic review of the literature

    Background: Phishing is a widely known phenomenon, but currently lacks a commonly accepted definition. As a result, many studies about phishing use their own definition. The lack of a common definition prevents knowledge accumulation and makes analysing studies or aggregating data about phishing a difficult task.

    Method: To develop a definition, we used existing definitions as input and combined them using crime science theories as the theoretical framework. A systematic review of the literature up to August 2013 was conducted, resulting in 2458 publications mentioning the word phishing. All journal articles, together with both highly cited and recent conference papers were selected, giving a total of 536 peer-reviewed publications (22%) to be manually reviewed. This resulted in 113 distinct definitions to be analysed.

    Results: An analysis identified key concepts that were found in most definitions and formed the building blocks for a consensual definition. We propose a new definition that is based upon current ones, which defines phishing in a comprehensive way and - in our opinion - addresses all important elements of phishing: 'phishing is a scalable act of deception whereby impersonation is used to obtain information from a target'.

    Conclusions: A consensual definition allows future research to be aligned and it facilitates the interpretation and comparison of existing research. The findings suggest that the routine activity approach can be applied to the digital world. Finally, the 'scalability' concept of our definition provides a new theoretical notion to digital crime that is independent of the employed channel.

    Evaluating Privacy - Determining User Privacy Expectations on the Web

    Individuals don’t often have privacy expectations. When asked to consider them, privacy realities were frequently perceived not to meet these expectations. Some websites exploit the trust of individuals by selling, sharing, or analysing their data. Without intervention, individuals do not often understand privacy implications, nor do anything to address them. This study has identified that many users do not have privacy expectations. An extension developed for this study improved privacy awareness, privacy behaviour, and created privacy expectations in participants. The extension also demonstrated that privacy-focused behavioural changes occur when individuals consider the implications of privacy policies, and are exposed to the ways in which their data is being used.