Posted by: David Harley | November 20, 2018

Susceptibility to phishing

A paper from the University of Maryland – Phishing in an Academic Community: A Study of User Susceptibility and Behavior – came up with an unexpected conclusion.

“Students who identified themselves as understanding the definition of phishing had a higher susceptibility than did their peers who were merely aware of phishing attacks, with both groups having a higher susceptibility than those with no knowledge of phishing.”

It certainly seems counter-intuitive that greater knowledge of the phishing issue should result in greater susceptibility to phishing attacks. Perhaps the answer lies in the wide spread of demographic variables addressed in this study (“age, gender, college affiliation, academic year progression, time spent on a computer, cyber club/cyber scholarship program affiliation, cyber training, and phishing awareness demographics”). There are a number of factors that could have a bearing on this result:

  • The assumptions behind the weighting of that range of variables might be methodologically unsound.
  • My own informal (but longstanding…) experience suggests that people who have significant technological knowledge but are not specialists in security or the relationships between technology and human behaviour may be at least as susceptible to attacks involving psychological manipulation, such as phishing, hoaxes and the like, as are members of the population at large.
  • A significant number of subjects may have overestimated their own understanding of phishing and security, an optimistic assessment that may have spilled over into the experimental design. The possibility of inaccurate self-assessment is a point made by the group conducting the experiment, and it does jibe with my own experience.
  • The group also suggests that “the act of falling for the phishing scheme might have increased the user’s awareness about phishing.” If this is the case, it certainly suggests a weakness in the experimental design.

In any case, there’s certainly scope for some further research here, whether or not it’s in the specific context of the academic community.

Commentary from The Register here: A little phishing knowledge may be a dangerous thing

David Harley
