9 research outputs found

    Effects of email users' behaviour and demographics on respond to each step of a phishing attack

    Phishing is a process in which attackers send emails to Internet users and try to convince them to click on a link to steal their sensitive information or open an attachment to compromise their account, computer, organisation systems, etc. Users' behaviour, such as their risk-taking preference and decision-making style, can influence a phishing attempt's success. However, studies did not profoundly investigate the effects of the behaviours on each step of a phishing process (e.g., opening the email, clicking on the link, and submitting sensitive information on the phishing webpage). This study demonstrated the effects of risk-taking level and decision-making style, gender, age, and education level on the users' response to each selected step of a phishing attempt. In this real-world study, we measured the behaviours of 135 participants from academia using psychological scales and tests. We then tested their phishability level by sending them simulated phishing emails. The regression analysis results showed that the general risk-taking preference and gender of the users could predict their phishability in the second step, i.e., clicking on the phishing link (p<0.05). We could not find any significant relation between their decision-making style and other demographic factors with the users' phishability level in the second step of the phishing. We also could not find any relations between the measured behaviours, age, gender, and education level of the users and their phishability level in the first and second steps (i.e., opening the phishing email and submitting sensitive data to the phishing website). The results of this study can help us develop proper mitigation actions to minimise phishing success in different steps. Organisations can use this approach to identify risky users and focus on decreasing their phishability level, for instance by providing more training to them or changing the behaviour (if possible). The developed model can be used as a comprehensive framework to investigate other behaviours' effects in each step of phishing

    Phishing attacks root causes

    Phishing happens beyond technology : the effects of human behaviors and demographics on each step of a phishing process

    Prior studies have shown that the behaviours and attitudes of Internet users influence the likelihood of being victimised by phishing attacks. Many scammers design a step-by-step approach to phishing in order to gain the potential victim's trust and convince them to take the desired actions. It is important to understand which behaviours and attitudes can influence following the attacker in each step of a phishing scam. This will enable us to identify the root causes of phishing and to develop specific mitigation plans for each step of the phishing process and to increase prevention points. This study investigates to what extent people's risk-taking and decision-making styles influence the likelihood of phishing victimisation in three specific phishing steps. We asked participants to play a risk-taking game and to answer questions related to two psychological scales to measure their behaviours, and then conducted a simulated phishing campaign to assess their phishability throughout the three phishing steps selected. We find that the attitude to risk-taking and gender can predict users' phishability in the different steps selected. There are however other possible direct and indirect behavioural factors that could be investigated in future studies. The results of this study and the model developed can be used to build a comprehensive framework to prevent the success of phishing attempts, starting from their root causes

    A solution to minimise the success of phishing attempts using the effects of human behaviour and emotions on falling into a phishing scam

    Phishing is a social engineering scam that can cause data loss, reputational damages, identity theft, money loss, and many other damages to people and organisations. Multiple studies showed the effects of human behaviour, such as risk-taking and decision making, on Internet users' security behaviour. Researchers also investigated how email users' behaviour can influence the success of a phishing attempt. Moreover, the number of phishing attempts has increased rapidly since the beginning of the COVID-19 outbreak. Several studies demonstrated the effects of the COVID-19 pandemic on human behaviour, impacting phishing attempts' success. Organisations can use the results of these studies to find potential high-risk users by measuring the users' behaviour and emotions, which are associated with falling into a phishing scam. In this study, we have developed a solution and guideline using previous studies to identify risky users (i.e., those at risk of clicking on phishing links). The solution will then suggest or assign proper mitigation actions for those users. The system contains measurement (psychological scales), scoring (machine learning), and mitigation modules that can become more mature and accurate over time. Furthermore, specific situations, such as the pandemic, are also considered in the solution; that is, when a situation like the COVID-19 pandemic happens, the solution will consider the impacted human emotions in finding the high-risk users and might suggest other types of mitigations. We have used regression models for the machine learning module. The proposed solution will help organisations focus more on high-risk users and reduce cyber risks. This solution, however, should be used in combination with technical anti-phishing systems and cybersecurity awareness training campaigns to achieve better results

    A hybrid encryption solution to improve cloud computing security using symmetric and asymmetric cryptography algorithms

    No full text
    Ensuring the security of cloud computing is one of the most critical challenges facing the cloud services sector. Dealing with data in a cloud environment, which uses shared resources, and providing reliable and secure cloud services, requires a robust encryption solution with no or low negative impact on performance. Thus, this study proposes an effective cryptography solution to improve security in cloud computing with a very low impact on performance. A complex cryptography algorithm is not helpful in cloud computing as computing speed is essential in this environment. Therefore, this solution uses an improved Blowfish algorithm in combination with an elliptic-curve-based algorithm. Blowfish will encrypt the data, and the elliptic curve algorithm will encrypt its key, which will increase security and performance. Moreover, a digital signature technique is used to ensure data integrity. The solution is evaluated, and the results show improvements in throughput, execution time, and memory consumption parameters

    Root causes of falling victim to phishing : the effects of human behavior, emotions and demographics

    No full text
    Phishing is a social engineering scam that can result in data loss, reputational damage, identity theft, the loss of money, and many other damages to people and organisations. A phishing scam usually starts with an email trying to gain the potential victim's trust and convince them to take the attacker's desired actions, such as clicking on a link or opening an attachment. In the next step, the user might enter their sensitive information on a phishing website, or open an infected attachment that can compromise their account, computer, or even an organisation's network and systems. Prior studies have investigated the impacts of user traits on the success of phishing attacks and how they can increase or decrease susceptibility to phishing emails. However, little is known about the effect of users' behaviour in the different steps in a phishing attack, nor in different situations such as a pandemic, as exemplified by the COVID-19 outbreak in early 2020. Researchers and solution vendors have developed many technical anti-phishing solutions which can prevent phishing emails and websites. Nonetheless, users remain the weakest link and attackers know how to fool them by manipulating their behaviour. They always design new phishing campaigns and there are always users who fall into the scammers' traps. Knowing the behaviours and emotions of users that influence the success of phishing attacks will help us tackle this problem from its root causes. This study investigates which behaviour on the part of the users might affect the success of phishing and provides a framework that can be used to figure out the impact of more root causes. Based on the insights obtained, it also suggests a guideline to minimise phishing success by addressing human factors which might influence users' responses to phishing emails. This suggested guideline is flexible and can be enhanced by adding more predictors (i.e., behaviour and emotions) and learning from users' responses to phishing in the real world over time. However, there are some limitations which future studies can address to gain more accurate results and develop a comprehensive solution using the proposed guideline. This is a paper-based PhD dissertation consisting of six chapters. The dissertation starts with an introduction and continues with four papers (chapters 2-5). The first paper has been published in a post-conference proceeding of an international conference, the second has been published in an international peer-reviewed journal, the third paper is, at the time of writing, under revision with an international peer-reviewed journal, and the last paper is published in ACM proceeding

    Guideline for the Production of Digital Rights Management (DRM)

    No full text
    Multiple news sources over the years have reported on the problematic effects of Digital Rights Management, yet there are no reforms for DRM development, simply removal. The issues are well-known to the public, frequently repeated even when addressed: impact on the software and the devices that run them. Yet few, if any, have discussed it in recent years, especially with the intent of eliminating the shown issues. This study reviews Digital Rights Management as a general topic, including the various forms it can take, the current laws that affect DRM, and the current public reception and responses. This study describes the different types of DRM in general terms and then lists both positive and negative examples.

    A phishing mitigation solution using human behaviour and emotions that influence the success of phishing attacks

    No full text
    Phishing is a social engineering scam that can cause financial and reputational damages to people and organisations. Studies have demonstrated the effects of human behaviour and emotions on people's security behaviour, such as falling into a phishing scam. Moreover, several studies show the effects of the COVID-19 outbreak on human emotions, impacting phishing attempts' success. In this study, we have developed a solution using previous studies' results to identify vulnerable users (i.e., those at risk of clicking on phishing links) in organisations. The solution assigns proper mitigation actions to those high-risk users. The system contains behaviour measurement, risk score, and mitigation modules that can mature and develop accuracy over time. Furthermore, situations similar to a pandemic are considered in the solution. The proposed solution will help organisations focus more on protecting high-risk users and reducing successful phishing attacks. This solution should be used in combination with technical anti-phishing and cybersecurity awareness training campaigns to achieve better results

    COVID-19 and phishing : effects of human emotions, behavior, and demographics on the success of phishing attempts during the pandemic

    No full text
    Phishing is an online scam where criminals trick users with various strategies, with the goal of obtaining sensitive information or compromising accounts, systems, and/or other personal or organisational Information Technology resources. Multiple studies have shown that human factors influence the success of phishing attempts. However, these studies were conducted before the COVID-19 pandemic, which is significant because security reports show that the numbers of phishing attacks have been rapidly increasing since the start of COVID-19. This study investigates the extent to which users' fear, anxiety and stress levels regarding COVID-19 impact falling for common and COVID-19 themed phishing scams during the outbreak period. Prior studies have depicted the effects of human behaviour on phishing attacks before the pandemic, such as risk-taking preferences and users' demographic factors, hence this study also focuses on the effects of those factors on the likelihood of phishing victimisation. More concretely, we present the results of a scenario-based roleplay experiment to study the relationship between fear, anxiety, stress, risk-taking, and demographic factors and the success of phishing attacks during the pandemic. The findings indicate that fear of COVID-19 influences the success of COVID-19 specific themed phishing scams, while anxiety, stress, and risk-taking influence the success of both the COVID-19 themed and common phishing scams. Our findings also suggest that the users' education level impacts common phishing attacks during the pandemic