Beruflich Dokumente
Kultur Dokumente
Participants were shown an image of the lock icon found within 2.3.5 Negative consequences
the chrome area of the browser and asked if they had seen “this Participants were asked to rate a series of possible outcomes from
lock image” before: computer malice. To avoid ceiling effects, the first question asked
about extremely negative outcomes, and the remaining questions
asked about a range of negative consequences. Respondents used
Respondents were asked four questions about what this lock a 7-point scale to indicate how bad it would be if:
image meant about a web site: • all of your money and belongings were stolen and you had no
• that you need a key or a password to enter the site insurance or way to get any of it back
• that a website is trustworthy • someone stole your credit card number or made bad charges on
• that any information you enter will be sent securely your credit card
• that any information being displayed will be sent securely • someone got your bank account number and PIN
• someone stole your social security number or your identity 3.2.2 Convergent and divergent validity
• your computer automatically sent bad software to everyone in We assessed respondents’ reported link clicks and other behaviors
your online address book that would land them at the web site in emails (such as typing in
• someone you didn’t know could see everything that you typed the URL of the link) with related themes, controlling for their
on your computer overall propensity to visit sites. We assessed overall visiting
• your computer started to crash several times a day propensity by their response to the initial email, which was a
simple email about changing a meeting that contained a link to the
3. RESULTS company website in the signature line.
Those who visited either of the two sites from valid links (for the
3.1 Past Web Behavior NASA site and the eBay site) were significantly more likely to
Most participants (85%) were PC users, and most of the rest visit the other, r=.33, p<.01. Similarly, those who visited either of
(12%) were Mac users. Almost all (98%) respondents had made a the two pages in financial emails (the eBay and PayPal sites) were
purchase on the web at some point in the past. Most had also more likely to visit the other, r=.36, p<.001. These results show
engaged to some degree with altering the protections on their convergent validity in the role play task. Importantly, however,
computer, such as installing anti-virus software (93%) or the two sites without shared attributes (the NASA and PayPal
adjusting their security preferences (79%), although the latter sites) were not significantly correlated in frequency of visits,
could be making the security settings tighter or more lax. r=.15. This shows divergent validity, suggesting that this measure
A minority had experienced some negative consequences of the does not merely capture a willingness to visit links in emails, but
type threatened by phishing, although not necessarily as a result of rather a differentiation between different kinds of emails. A
phishing. They reported having had a credit card stolen (21%), similar pattern, with slightly stronger correlations, was found
having had information stolen or compromised (14%), and a small when limiting the behavior to clicking on links.
number reported having had their social security number stolen or The clicks and website visits for the spear phishing email showed
had someone try to steal their identity (3%). no clear pattern in relation to the other emails, suggesting that this
behavior is not very reliable. This indicates that the spear phishing
3.2 Validity of Role Play email may be problematic in this test. However, the sensible
One strength of the methodology used in this study is the pattern of partial correlations among the other three emails
embedded role play, which goes beyond mere self-report provides convergent and divergent validity to their use in the role
measures of behavior. Although not identical to real behavior in play. Thus, we will use the behavior of clicking on the link in the
the wild, this tool is valuable to the extent that is provides a close phishing (PayPal) email, visiting that site by any means, and
approximation of real world patterns of behavior. entering information on the phishing web site as proxies for
susceptibility to phishing attacks.
3.2.1 Face validity
In response to the open-ended question about whether Pat’s 3.3 Predictors of Behavior in Role Play
emails were similar to the respondent’s own and whether the In this section we explore what factors are predictive of
respondent treated the role play any differently from his or her susceptibility to phishing, as measured by the behavior of clicking
own email, over 95% of participants gave a meaningful response. on the link in the phishing email in the role play, and of warranted
A minority of respondents (25%) gave simple responses email responses, as measured by the behavior of clicking on the
indicating that this experience was similar. The remainder gave links in the two legitimate emails. Overall rates at which
explanations, many indicating the similarity, e.g., “I have received respondents fell for the phishing scams do not represent
some emails like Pat’s and I responded in the way I always do.” meaningful data about behavior, as they are driven by the content
Others described superficial differences between the role play of the stimuli used rather than a representative sample of phishing
emails and their own email, e.g., “this is how I would have emails from the wild. Thus, only comparisons are reported, to
responded, except I get a lot more spam.” Others indicated indicate the degree to which different predictors were related to
differences between their own experience and the role play, with behavior.
explanations of how they interpreted things that may have been
different from their own experience, e.g., 3.3.1 Knowledge
I would generally respond the same way as Pat would. I Those who correctly answered the knowledge question about the
personally don’t have an eBay or PayPal account but know definition of phishing were significantly less likely to fall for
many people that do, and generally believe that it’s a large phishing emails, either by clicking on the phishing link (χ2=10.90,
site, so it’s safe and reliable. p<.001), visiting the site (χ2=4.62, p<.05), or entering information
on the website (χ2=9.79, p<.01), as shown in Figure 1.
Although we cannot be certain that people respond identically to
these role play emails as they would to real emails with However, knowledge about other computer risks and concepts
consequences for their own information, it does appear that people was unrelated to clicking on the phishing link, whether about
took this task seriously and made a reasonable effort to respond as cookies (χ2=0.3), spyware (χ2=0.4), or viruses (χ2=0.3). This
they would normally respond. Thus, patterns of responses to these pattern of results suggests that those who recognized the term
emails should be roughly indicative of respondents’ relative “phishing” were also familiar enough with the concept to better
sophistication protect themselves against the risk, but that general knowledge
about other computer risks was not associated with better
protection.
3.3.2 Use of situational cues
There were various cues present that people could use to evaluate
the emails in the role play, most notably the linked URL as shown
in the status bar. We don’t know how many people used that
information, since we couldn’t easily ask them about it without
alerting them to its relevance. However, because we asked them
about these URLS at a later point in the survey, we can explore
the relationship between their assessments of the URLs and their
behavior in the role play to determine whether their judgments
were correlated with their behavior.
For the legitimate emails, those who believed that they could tell
that the site was trustworthy were more likely to visit the site than
others, both for the legitimate email from eBay (63% vs. 40%,
Figure 1. Behavior of participants who gave correct and χ2=7.67, p<.01), and for the email linking to NASA’s site (64%
incorrect definitions of phishing vs. 37%, χ2=11.00, p<.001). Once at the eBay site, those thinking
the URL was trustworthy were also more likely to say that they
Participants who correctly reported that none of the 3 non-chrome
would enter the requested login information (33% vs. 16%,
lock images meant the same thing as the standard lock image in
χ2=6.43, p=.01).
chrome were less likely to fall for phishing emails, either by
clicking on the link (χ2=8.06, p<.01), visiting the phishing site For the phishing email, thinking that the linked site was
(χ2=10.39, p<.001), or entering their information (χ2=10.25, untrustworthy was a significant predictor of behavior, with those
p<.001), as shown in Figure 2. thinking it was untrustworthy being less likely to click on the link
than others (9% vs. 30%, χ2=10.30, p<.001), and less likely to
enter information on the page (8% vs. 29%, χ2=11.45, p<.001).
Additionally, those who recognized from the URL that the site
was not secure were less likely to click on the link than others
(12% vs. 33%, χ2=11.74, p<.001), and less likely to enter
information on the page (8% vs. 34%, χ2=17.80, p<.001).