The Phishing Email Suspicion Test (PEST) a lab-based task for evaluating the cognitive mechanisms of phishing detection



Ziad M. Hakim 1,2, Natalie C. Ebner 2,3,4,5, Daniela S. Oliveira 6, Sarah J. Getz 5,7, Bonnie E. Levin 5,7, Tian Lin 2, Kaitlin Lloyd 1, Vicky T. Lai 1,8, Matthew D. Grilli 1,5, Robert C. Wilson 1,5,8

Accepted: 30 September 2020
© The Psychonomic Society, Inc. 2020

Abstract

Phishing emails constitute a major problem, linked to fraud and exploitation as well as subsequent negative health outcomes including depression and suicide. Because of their sheer volume, and because phishing emails are designed to deceive, purely technological solutions can only go so far, leaving human judgment as the last line of defense. However, because it is difficult to phish people in the lab, little is known about the cognitive and neural mechanisms underlying phishing susceptibility. There is therefore a critical need to develop an ecologically valid lab-based measure of phishing susceptibility that will allow evaluation of the cognitive mechanisms involved in phishing detection. Here we present such a measure based on a task, the Phishing Email Suspicion Test (PEST), and a cognitive model to quantify behavior. In PEST, participants rate a series of phishing and non-phishing emails according to their level of suspicion. By comparing suspicion scores for each email to its real-world efficacy, we find initial support for the ecological validity of PEST: phishing emails that were more effective in the real world were also more effective at deceiving people in the lab. In the proposed computational model, we quantify behavior in terms of participants' overall level of suspicion of emails, their ability to distinguish phishing from non-phishing emails, and the extent to which emails from the recent past bias their current decision. Together, our task and model provide a framework for studying the cognitive neuroscience of phishing detection.

Keywords: Phishing, Cybersecurity, Decision making, Sequential effects

Supplementary Information: The online version contains supplementary material available at https://doi.org/10.3758/s13428-02001495-0.

* Corresponding author: Robert C. Wilson, [email protected]

Affiliations:
1 Department of Psychology, University of Arizona, Tucson, AZ, USA
2 Department of Psychology, University of Florida, Gainesville, FL, USA
3 Department of Aging and Geriatric Research, Institute on Aging, University of Florida, Gainesville, FL, USA
4 Florida Institute for Cybersecurity, University of Florida, Gainesville, FL, USA
5 Evelyn F. McKnight Brain Institute, Gainesville, FL, USA
6 Department of Electrical and Computer Engineering, University of Florida, Gainesville, FL, USA
7 Department of Neurology, Miller School of Medicine, University of Miami, Coral Gables, FL, USA
8 Cognitive Science Program, University of Arizona, Tucson, AZ, USA

Introduction

Email phishing is a type of cyber social engineering attack in which seemingly legitimate emails attempt to lure the receiver into performing an action with negative conseq