Spear-Phishing in the Wild: A Real-World Study of Personality, Phishing Self-Efficacy and Vulnerability to Spear-Phishing Attacks

10 Pages Posted: 4 Jan 2015

See all articles by Tzipora Halevi

Tzipora Halevi

New York University (NYU) - NYU Tandon School of Engineering

Nasir Memon

New York University (NYU) - NYU Polytechnic School of Engineering

Oded Nov

New York University

Date Written: January 2, 2015

Abstract

Recent research has begun to focus on the factors that cause people to respond to phishing attacks. In this study a real-world spear-phishing attack was performed on employees in organizational settings in order to examine how users’ personality, attitudinal and perceived efficacy factors affect their tendency to expose themselves to such an attack. Spear-phishing attacks are more sophisticated than regular phishing attacks as they use personal information about their intended victim and present a stronger challenge for detection by both the potential victims as well as email phishing filters.

While previous research showed that certain phishing attacks can lure a higher response rate from people with a higher level of the personality trait of Neuroticism, other traits were not explored in this context. The present study included a field-experiment which revealed a number of factors that increase the likelihood of users falling for a phishing attack: the factor that was found to be most correlated to the phishing response was users’ Conscientiousness personality trait. The study also found gender-based difference in the response, with women more likely to respond to a spear-phishing message than men. In addition, this work detected negative correlation between the participants subjective estimate of their own vulnerability to phishing attacks and the likelihood that they will be phished. Put together, the finding suggests that vulnerability to phishing is in part a function of users’ personality and that vulnerability is not due to lack of awareness of phishing risks. This implies that real-time response to phishing is hard to predict in advance by the users themselves, and that a targeted approach to defense may increase security effectiveness.

Keywords: Phishing, Personality traits, Security

Suggested Citation

Halevi, Tzipora and Memon, Nasir and Nov, Oded, Spear-Phishing in the Wild: A Real-World Study of Personality, Phishing Self-Efficacy and Vulnerability to Spear-Phishing Attacks (January 2, 2015). Available at SSRN: https://ssrn.com/abstract=2544742 or http://dx.doi.org/10.2139/ssrn.2544742

Tzipora Halevi (Contact Author)

New York University (NYU) - NYU Tandon School of Engineering ( email )

Brooklyn, NY 11201
United States
718 260 3600 (Phone)
718 260 3136 (Fax)

HOME PAGE: http://www.poly.edu

Nasir Memon

New York University (NYU) - NYU Polytechnic School of Engineering ( email )

Brooklyn, NY 11201
United States

Oded Nov

New York University ( email )

Brooklyn, NY 11201
United States

Here is the Coronavirus
related research on SSRN

Paper statistics

Downloads
1,081
Abstract Views
3,428
rank
20,446
PlumX Metrics