Monday, March 26, 2012

Behavioral Response to Phishing Risk

Julie S. Downs, Mandy Holbrook, and Lorrie F. Cranor conducted a survey exploring what factors are associated with falling for phishing attacks using a role-playing exercise. The study found that knowledge and experience predict behavioral responses to phishing attacks in ways that support the idea that better understanding can help to minimize or eliminate such attacks.

Members of the Carnegie Mellon community were asked to participate in an online survey, which 232 participants completed. The survey contained images of emails and web sites, a URL evaluation section where respondents identified features of URLs, a section asking how respondents would react to different warning messages, a knowledge section where respondents interpreted the meaning of lock icons and jargon words, questions about past experience with web sites, and ratings of potential negative consequences of phishing. During the email role play, participants were asked to view five emails as if they were 'Pat Jones', who works at Cognix. The emails contained the following features:

Predictive Ability:
Overall rates at which respondents fell for the phishing scams did not represent meaningful data about their behavior, as they were driven by the content of the stimuli used rather than by random phishing emails. The participants who correctly answered the knowledge question about the definition of phishing were significantly less likely to fall for phishing emails. However, knowledge about other computer risks and concepts, whether cookies, spyware, or viruses, was unrelated to clicking on the phishing link. Similar correlations were found with the images of the lock icon.

The role-play exercise appeared to be a reliable measure of behavioral response to phishing attacks. Understanding what phishing attacks are and the ability to understand URL links accounts for decreasing the likelihood of falling for phishing scams. This suggests that education about how to interpret cues in browsers may have a role in helping people to avoid phishing attacks. The findings can be used to influence anti-phishing education. Additionally, developers of anti-phishing tools for end users can use insights into the behaviors in the design of more effective user interface messages that users will be less likely to ignore.

The sample was drawn from members of a specific community, so the results cannot be effectively extrapolated to the population at large. A second limitation is that a small set of stimuli was used. A third limitation is the lack of direct consequences for behavior: participants may have been more willing to engage in risky behavior in the role play, since they were immune to any negative outcomes.

Downs, Julie S.; Holbrook, Mandy; and Cranor, Lorrie F., "Behavioral Response to Phishing Risk" (2007). Institute for Software Research. Paper 35.


  1. This was a very interesting way to apply role-playing technique, but I have a question. What population group (little computer/cyber security experience vs. computer savvy students and faculty) were the respondents from Carnegie Mellon representative of?

  2. Well, the school is famous for having extremely strong technology-oriented programs, not terribly far off from MIT level for grads. That doesn't guarantee anything, but I'd estimate a high probability that most of these respondents were fairly tech-savvy.

    I would be very interested in seeing, for example, my parents and grandparents attempt a roleplaying exercise like this, to see how their generational differences played out in the results.

  3. The study did cite that the study was composed of people with at least an interest in technology. It was made up of students, faculty and staff. It would be interesting to replicate with what I would consider "normal" computer users.