An Assessment Of User Response To Phishing Attacks: The Effects Of Fear And Self-confidence

Abstract

Phishing attacks have threatened the security of both home users and organizations in recent years. Individuals of varying levels of computer proficiency are potential targets for a phishing attack; all that is needed is an email address and Internet access. Phishing uses social engineering to fraudulently obtain information that is confidential or sensitive. Individuals are targeted to take action by clicking on a link or providing information. At present, phishing research is lacking in both theory and actual behavioral data. This research aims to fill that gap by introducing a new model and collecting data from multiple sources (including an attempted phishing attack). The research draws upon existing theory and research in healthcare, criminology, psychology, and information systems and security. The survey results indicated that when individuals had a high level of fear arousal related to providing login credentials they had a decreased intention to respond to a phishing attack. Self-confidence did not significantly moderate the relationship between fear arousal related to providing login credentials and intention to respond to a phishing attack but it did have a significant direct positive influence on intention. The results from the experiment indicated that 18% of individuals overall clicked on the link. Level of training did make a difference in the number of clicks (although not significant). More subjects clicked on the link when only basic training was received versus those that received expert level training. The combined data corroborated with the survey data to indicate that level of fear related to providing login credentials resulted in a decreased intention to respond to a phishing attack and a decreased actual click behavior. This research provides valuable information about similarities between self-reported data and actual behavior. The research explores how fear of providing login credentials influences both intention to respond and actual response to a phishing attack. When fear arousal related to providing login credentials is high, individuals are less likely to respond. This is interesting because there is an underlying concept of suspicion. When an individual is fearful of providing login credentials they may be suspicious of an email being fraudulent, thus making them less likely to respond. The experiment has provided an excellent foundation to build upon for future fear appeal experimental research to explore both the importance of the targeted website (i.e. bank information versus online shopping versus online wall street journal) and the fear appeal verbiage.