Experimental Investigation of Technical and Human Factors Related to Phishing Susceptibility

Abstract

This article reports on a simulated phishing experiment targeting 6,938 faculty and staff at George Mason University. The three-week phishing campaign employed three types of phishing exploits and examined demographic, linked workstation/network monitoring audit data, and a variety of behavioral and psychological factors measured via pre- and post-campaign surveys. While earlier research studies have reported disparate effects of gender and age, the present results suggest that these effects are not significant or are of limited strength and that other underlying factors may be more important. Specifically, significant differences in phishing susceptibility were obtained for different email contexts and based on whether individuals have been successfully phished before (these people were more likely to succumb to subsequent phishing emails in our study). Further, participants who responded to phishing exploits scored higher on impulsivity than the non-clickers. Also, participants whose survey responses indicated that they had more appropriate online “security hygiene habits,” such as checking the legitimacy of links, were less likely to be successfully phished in our campaign. Participants whose post-campaign survey responses indicated that they were suspicious of a phishing email message in our campaign were far less likely to click on the phishing link than those who were not suspicious. Similar results were obtained for judgments of pertinence of the email. Participants who indicated that they thought about the negative consequences of clicking the link were less likely to do so than participants who did not think about the negative consequences. Implications for effective training and awareness are discussed.