Jones, Helen and Towse, John and Race, Nicholas (2016) What makes people click : assessing individual differences in susceptibility to email fraud. PhD thesis, Lancaster University.
2016_HelenJones_PhD.pdf - Accepted Version
Available under License Creative Commons Attribution.
Abstract
Cyber security experts have acknowledged that human users are consistently the most vulnerable part of a computer network; however, little psychological research has considered why. This thesis focuses on susceptibility to email fraud, and highlights three core approaches to understanding why some users are more likely to respond than others, using a mixed methods approach across seven experiments. The first approach considers the persuasive techniques employed by the sender to make an email more believable. Qualitative data from Studies 1 and 5 demonstrate that authority, familiarity, and the relevance of a communication are important factors when users are considering the legitimacy of an email. The second approach focuses on the situational factors that may make users more susceptible under specific circumstances. Findings demonstrate that time pressure (Study 3) and a secondary verbal task (Study 6) can impair accuracy in judging email legitimacy. Finally, individual differences in cognitive make-up between users are considered, with two distinct tasks used to measure susceptibility. Using a forced-choice email legitimacy task (Study 3) and an office simulation, in which participants were naïve to the purpose of the research (Study 7), cognitive reflection, inhibition, and sensation seeking were found to be influential in the decision-making process. The findings from this thesis outline key influencing factors, which explain some of the variance in individual differences in susceptibility to email fraud. These provide valuable points for consideration in future efforts to educate users on issues surrounding email fraud. Further to this, the development of two lab-based measures of susceptibility, with findings replicated between the two, provides a platform for further research in understanding and reducing susceptibility.
Variations upon the email legitimacy task demonstrate how this can be used to assess effects of a number of manipulations, such as different proportions of phishing and legitimate stimuli (Study 4) and dual-task paradigms (Study 6). The incorporation of additional qualitative data analysis in the thesis, from the use of focus group discussions (Study 1) and think-aloud protocols (Study 5), also provides convergent evidence for the quantitative research findings reported.