Overview
Phishing represents a persistent cybersecurity threat, with an increasing focus on human cognitive and psychological factors rather than solely technological vulnerabilities. This research investigated the multidimensional nature of user susceptibility to phishing by analyzing data from a realistic phishing detection task.
Research Context
The study aligns with the trend in phishing research to concentrate on human aspects and the profiling of vulnerable users. It explores factors contributing to user susceptibility to phishing attacks, moving beyond a purely technical understanding of cybersecurity.
Approach
The study utilized the Spamley dataset, which included 1,086 participants who performed a realistic phishing detection task. Exploratory Factor Analysis (EFA) was applied to identify latent constructs underpinning user susceptibility. The research also involved analyzing behavioral findings, specifically the relationship between self-reported impulsivity and response times. K-Means clustering was subsequently employed to distinguish user profiles based on identified dimensions.
Identified Latent Constructs
EFA revealed five latent constructs related to user vulnerability:
- Seniority (F1)
- Expertise
- Creativity (F3)
- Stability
- Vulnerability
Behavioral Analysis
The study found a negative correlation between self-reported impulsivity and response times. This correlation indicated that faster decision-making significantly differentiated vulnerable users from resilient users within the phishing detection task.
User Profiling
A K-Means clustering procedure, guided by the dimensions of Seniority (F1) and Creativity (F3), resulted in the identification of two distinct user profiles:
- The Aware User
- The High-Risk User
Findings
The research indicated that technical knowledge on its own does not guarantee resilience against phishing. Instead, effectiveness in detecting phishing was determined by the interaction among operational maturity, decision-making speed, and the cognitive approach of the user. A majority of users were categorized into the High-Risk profile, characterized by hasty evaluation processes and lower critical analysis skills.
Why This Matters
The findings underscore a need to transition from undifferentiated cybersecurity training programs to personalized, adaptive approaches. These adaptive programs should actively address cognitive biases and behavioral tendencies to enhance user resilience against phishing.