Factors Affecting Individuals' Susceptibility to Cyber Attacks: Insights and Recommendations

Explore the factors influencing individuals' vulnerability to cyber attacks and the impact of training on mitigating risks. Discover the significance of cognitive control, skepticism, trust, and demographics in countering phishing threats. Gain valuable insights from prior literature to enhance cybersecurity awareness and protect against social engineering tactics.

  • Cybersecurity
  • Phishing
  • Training
  • Vulnerability
  • Social Engineering

Presentation Transcript


  1. Factors Affecting Individuals' Susceptibility to Cyber Attacks
     • Efrim Boritz, *University of Waterloo, jeboritz@uwaterloo.ca
     • Katharine Elizabeth Patterson, University of Waterloo, katharine.patterson@uwaterloo.ca
     • Jessie Ge, University of Waterloo, c23ge@uwaterloo.ca
     • School of Accounting and Finance

  2. Sample Phishing Email Dear employee, A verification of your records shows an error with your UB email account settings. To prevent closure of your account, please click the following link http://example.com to access your account and resolve the problem. You need to complete the request within two days of receiving the email in order to continue accessing your email account. Email Administrator

  3. Cyberattacks
     • Corporate susceptibility versus individual susceptibility
     • Social engineering
     • Employee awareness being raised through simulated phishing attacks; but effects of these campaigns don't last
     • Suggests need for more focused training tied to individual needs

  4. Prior Literature
     • Suspicion: Buss and Durkee 1957; Deutsch 19858
     • Interpersonal Trust: Rotter 1967
     • Suspicion re: Communication: Levine & McCornack 1991; Wright & Marrett 2010
     • Professional Skepticism: Hurtt 2010
     • Heuristic Processing: Vishwanath, Harrison and Ng 2018
     • Understanding Phishing Emails: Karakasiliotis et al. 2006
     • Training via Simulated Phishing Attacks: Kumaraguru et al. 2008

  5. Focusing on Individual Training Needs to Counter Cyberattacks (Phishing): Risk Taking; Cognitive Control; Social Inference; Skepticism; Suspicion; Trust; Demographics; Susceptibility to Being Phished

  6. Focusing on Individual Training Needs to Counter Cyberattacks (Phishing): BART; STROOP; TASIT-E; HPSS; GSS/SSH; RITS; Age, Gender, Culture; SS; Work Environment; Phished in Simulated Attack?

  7. Measures Used (Construct: Reference Literature)
     • Professional Skepticism (HPSS): (Hurtt, 2010); 30 items; 6-point scale where 1 = strongly disagree and 6 = strongly agree
     • Generalized Communication Suspicion (GCS): (Levine & McCornack, 1991); here 5 items; 7-point scale where 1 = strongly disagree and 7 = strongly agree
     • Suspicion Scale (Hostility) (SSH): (Buss & Durkee, 1957); 10 items; 7-point scale where 1 = strongly disagree and 7 = strongly agree
     • Interpersonal Trust (RITS): (Rotter J. B., 1967); 25 items; 5-point scale where 1 = strongly disagree and 5 = strongly agree
     • State Suspicion (SS): (Bobko, Barelka, Hirshfield, & Lyons, 2014); 20 items; 5-point scale where 1 = strongly disagree and 5 = strongly agree
     • Risk-taking Propensity (BART): (Lejuez, et al., 2002); 20-30 rounds of pumps
     • Cognitive Inhibitory Control (STROOP): (Stroop, 1935); the calculation of the score uses 3 main metrics: total time, number of errors, mean time per word; the analysis compares scores among different conditions and different unitary metrics
     • Social Cognition (TASIT-E): (McDonald, Flanagan, Martin, & Saunders, 2004); 4 questions each scene, multi-scene for each scenario (sarcasm, lie, sincere); the analysis distinguishes among different scenarios

  8. Demographics Age Gender Culture first language Perception of Cyber Risk at Work Volume of Email Pace of Work Environment Media Distraction Facebook vs. LinkedIn Reporting vulnerabilities/breaches

  9. Participants Employees of professional services firm who had previously been exposed to a simulated phishing attack and volunteered to take our survey # surveys sent # responses received Toronto Montreal Totals Toronto Montreal Totals 6 45 101 51 128 2 1 5 3 executives phished executives not phished non-executive employees phished non-executive employees not phished Totals 27 18 23 3 60 63 0 4 4 27 63 204 410 231 473 11 31 13 23 24 54

  10. Preliminary Results

      | Survey | Specific survey item | Correlation (Phished=1) | p-value (2 tail) |
      |--------|----------------------|-------------------------|------------------|
      | HPSS | I am confident of my abilities. (HPSS Q6) [C2] | -.306 | 0.025 |
      | HPSS | I tend to immediately accept what other people tell me. (HPSS Q10) [C1] | .388 | 0.004 |
      | HPSS | I usually accept things I see, read or hear at face value. (HPSS Q16) [C1] | .235 | 0.087 |
      | HPSS | I dislike having to make decisions quickly. (HPSS Q20) [C2] | -.217 | 0.115 |
      | HPSS | It is easy for other people to convince me. (HPSS Q25) [C1] | .276 | 0.044 |
      | HPSS | The actions people take and the reasons for those actions are fascinating. (HPSS Q30) [C1] | .245 | 0.074 |
      | RITS | It is safe to believe that in spite of what people say most people are primarily interested in their own welfare. (RITS Q 10) [C3] | -.249 | 0.070 |
      | RITS | Fear and social disgrace or punishment rather than conscience prevents most people from breaking the law. (RITS Q4) [C3] | -.297 | 0.029 |
      | RITS | Most students in school would not cheat even if they are sure of getting away with it. (RITS Q22) [C2] | -.216 | 0.116 |
      | SSH | I sometimes have the feeling that others are laughing at me. (SSH Q5) | -.260 | 0.057 |

  11. Future Work
      • Run survey with 5000 employees of a Bank
      • Identify factors correlated with being phished
      • Create model to predict need for focused training
