Greene, K.
, Steves, M.
, Theofanos, M.
and Kostick, J.
(2018),
User Context: An Explanatory Variable in Phishing Susceptibility, Proceedings of the Network and Distributed Systems Security (NDSS) Symposium, San Diego, CA, US, [online], https://doi.org/10.14722/usec.2018.23016, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=925206
(Accessed April 24, 2024)
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
User Context: An Explanatory Variable in Phishing Susceptibility
Published
Author(s)
, , ,
Abstract
Extensive research has been performed to examine the effectiveness of phishing defenses, but much of this research was performed in laboratory settings. In contrast, this work presents 4.5 years of workplace-situated, embedded phishing email training exercise data, focusing on the last three phishing exercises with participant feedback. The sample was an operating unit consisting of approximately 70 stratified staff members within a U.S. government research institution. A multiple methods assessment approach revealed that the individual's work context is the lens through which email cues are interpreted. Not only do clickers and non-clickers attend to different cues, they interpret the same cues differently depending on the alignment of the user's work context and the premise of the phishing email. Clickers were concerned over consequences arising from not clicking, such as failing to be responsive. In contrast, non-clickers were concerned with consequences from clicking, such as downloading malware. This finding firmly identifies the alignment of user context and the phishing attack premise as a significant explanatory factor in phishing susceptibility. We present additional findings that have actionable operational security implications. The long-term, embedded and ecologically valid conditions surrounding these phishing exercises provided the crucial elements necessary for these findings to surface and be confirmed.Proceedings Title
Proceedings of the Network and Distributed Systems Security (NDSS) Symposium
Conference Dates
February 18-21, 2018
Conference Location
San Diego, CA, US
Conference Title
Workshop on Usable Security (USEC) at the Network and Distributed Systems Security (NDSS) Symposium 2018
Pub Type
Conferences
Download Paper
Keywords
decision-making, embedded phishing awareness training, user-centered approach, survey instrument, long-term assessment, operational data, trial deployment, network security, security defenses
Citation
Created July 15, 2018, Updated April 12, 2022