The effect of time pressure on human behavior regarding phishing susceptibility : Human aspects in information security

Abbasi, Muhammad Abbas Khan

January 2023

Human errors are common in the contemporary cyber ecosystem, and in an organization’s cybersecurity chain, humans are considered the weakest link. Cybercriminals exploit human vulnerabilities using sophisticated attacks such as phishing. Human susceptibility to phishing is a persistent threat, and has a devastating effect on organizational and personal security. Previous researchers found that human susceptibility to phishing increases in presence of some factors such as organizational, individual, and environmental. Various studies highlight time pressure as one of the influencing factors that can negatively or positively impact human behavior. This research study aimed to investigate the effect of time pressure on human cybersecurity behavior regarding the ability to detect phishing. The study used quantitative research and developed a questionnaire comprising interactive phishing emails distributed online to 03 random groups having different time limits to complete the questionnaire. The study received 356 complete responses. The study's result shows a slight change in user behavior under time pressure, and the impact of time pressure can be positive or negative. However, the results are not statistically significant for all demographic groups to accept this slight change in variance. Moreover, this study's results validate previous studies on human susceptibility to phishing and found more than 50 % of respondents vulnerable to phishing. Thus, the results of this study indicate that the factor of time pressure itself does not significantly impact the human ability to detect phishing. However, it is essential to note that other work-related tasks or stress associated with time pressure can influence human behavior in detecting phishing attempts. In conclusion, the author also proposes further testing and some methodology tweaking by modifying the time given to each tested group and adding more elements to the questionnaire. Finally, the study also suggested conducting the same analysis on physically controlled groups in an organizational or institutional setting.

Cybersecurity behavior

phishing susceptibility

cybersecurity awareness

time pressure

the human factor

Information Systems, Social aspects

Phishing Susceptibility and Mitigation in the 2FA Context : An Investigation of How the Interplay of Psychological and Individual Factors and UX Design Can Influence Users’ Decisions to Login to a Suspicious Website

Gerken, Jorina Freya, Wang, Zhaoying

January 2024

Phishing is a form of social engineering, in which attackers attempt to trick victims with e-mails designed to look like legitimate requests (Vishwanath et al., 2011), aiming “to exploit human error or human behaviour with the objective of gaining access to information or services” (European Union Agency for Cybersecurity [ENISA], 2023, p. 7). According to the ENISA Threat Landscape 2023 report, phishing is the most prevalent form of social engineering and predicted to continue posing a significant threat to users (ENISA, 2023). In this, attackers have also already succeeded in circumventing second-factor authentication (2FA) (ENISA, 2023). This thesis aimed to contribute to the ongoing research concerning the mitigation of social engineering attacks by investigating phishing susceptibility and a UX-based mitigation approach in the context of 2FA, which to the best of our knowledge had not been previously researched. Based on prior research in other contexts, stress, attention, elaboration, involvement and 2FA frequency were identified as potentially relevant factors. Under consideration of these factors, a 2FA implementation was designed, combining automated URL verification with verification-basedwarnings. An online study (N = 94) was conducted to investigate how the posited susceptibility factors as well as the UX design can influence users’ decisions to abort or proceed with logging in to a suspicious website. In this, a between-subject study design was used to investigate howmuch of an impact specifically the “opinionatedness” of a warning design, i.e. its “use of visual design cues to promote a recommended course of action” (Felt et al., 2015, p. 2893), can have in the 2FA context compared to an otherwise identical design offering a neutral choice. In the collected sample, involvement had a significant negative effect on the likelihood to proceed with the login, in accordance with its posited influence. In addition, confidence in the decision made was discovered as another potential predictor, also showing a significant negativeeffect on the likelihood to proceed in the collected sample. The observed effect of the opinionated design can be seen to contradict the posited assumption that users would be more likely to go with the promoted action. However, overall, the results can be seen to suggest thattaking susceptibility factors into consideration when designing 2FA implementations might be a promising approach towards phishing mitigation. Further research is needed to validate these indications, due to the insufficient sample size and use of convenience sampling in this thesis.

phishing susceptibility

phishing mitigation

2FA

second-factor authentication

psychological factors

involvement

confidence in the decision made

warning design

opinionated design

Elektroteknik och elektronik