Predicting susceptibility to social influence in phishing emails


Accepted Manuscript

Predicting Susceptibility to Social Influence in Phishing Emails
Kathryn Parsons, Marcus Butavicius, Paul Delfabbro, Meredith Lillie

PII: S1071-5819(18)30388-4
DOI: https://doi.org/10.1016/j.ijhcs.2019.02.007
Reference: YIJHC 2294

To appear in: International Journal of Human-Computer Studies

Received date: 12 July 2018
Revised date: 14 February 2019
Accepted date: 15 February 2019

Please cite this article as: Kathryn Parsons, Marcus Butavicius, Paul Delfabbro, Meredith Lillie, Predicting Susceptibility to Social Influence in Phishing Emails, International Journal of Human-Computer Studies (2019), doi: https://doi.org/10.1016/j.ijhcs.2019.02.007

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.

Highlights

• A total of 985 participants completed a role play scenario-based phishing study
• The presence of social influence principles influenced phishing susceptibility
• Phishing emails using consistency and reciprocity were most successful
• Phishing emails using scarcity and social proof were least successful
• Individual susceptibility to persuasion could predict susceptibility to phishing

Running head: Predicting Susceptibility to Social Influence in Phishing Emails

Predicting Susceptibility to Social Influence in Phishing Emails

Kathryn Parsons
School of Psychology, the University of Adelaide

Marcus Butavicius
Defence Science and Technology Group

Paul Delfabbro
School of Psychology, the University of Adelaide

Meredith Lillie
School of Psychology, the University of Adelaide

Abstract

To reduce the threat caused by phishing attacks, it is vital to investigate why some phishing attacks are successful, and why some people are more susceptible to them than others. To examine this, we used a social influence framework, and applied the Susceptibility to Persuasion Strategies scale within a dual-process model of persuasion framework. A total of 985 participants took part in a role-play scenario-based phishing study. Results indicated that phishing emails utilising scarcity and social proof principles were least successful, whereas those applying consistency and reciprocity principles were most successful. The same principles were also considered least and most persuasive according to the Susceptibility to Persuasion Strategies scale. For the majority of principles, participants who were susceptible to a specific principle were significantly more susceptible to emails containing that principle. Further results revealed that age, the percentage of time spent using a computer, susceptibility to the social proof principle, and both dispositional and situational impulsivity were significant predictors of people's ability to detect phishing emails. Practical implications of these findings as well as future directions are discussed.

Keywords: influence principles; phishing; cybersecurity; dual-process models

1. Introduction

Phishing is a form of deception that involves attempts to solicit personal or sensitive information through social engineering methods. Phishing is commonly conducted via email, in which an attacker acts as a reputable or trusted source with the intention of influencing the recipient to click on a link or open an attachment within an email (Butavicius, Parsons, Pattinson, & McCormac, 2015; Parsons, McCormac, Pattinson, Butavicius, & Jerram, 2013). Industry reports have consistently concluded that employees being deceived by phishing emails is one of the greatest threats to organisational information security (Pricewaterhouse Coopers (PWC), 2015; Telstra Corporation, 2017). In addition, researchers have demonstrated that phishing emails often use social influence principles to persuade the user to comply (Akbar, 2014; Atkins & Huang, 2013), and the use of some of these principles is increasing (Zielinska, Welk, Mayhorn, & Murphy-Hill, 2016). Accordingly, to reduce this threat and to protect sensitive, personal or organisational information, it is vital to investigate why some email phishing attacks are more successful than others, and why some people are more susceptible to these attacks.

In what follows, we first provide a literature review of social influence phishing research to shed light on why some phishing attacks are more successful than others. Next we provide a review of research investigating individual differences in susceptibility to social influence principles, including the use of dual-process models of persuasion. As we will show, it does not appear that any previous study has examined the relative effects of individual susceptibility to social influence principles in a phishing context. This observation provides the basis for the research study described in this paper.

2. Literature Review

2.1 Social Influence in Phishing Attacks

Social influence refers to attitude or behaviour change caused by external pressure that is either real or imagined (Cialdini, 2009; Guadagno & Cialdini, 2005; Guadagno, Muscanell, Rice, & Roberts, 2013). The most widely acknowledged and utilised framework of social influence consists of six principles, namely: authority, consistency, liking, reciprocity, scarcity and social proof (Cialdini, 2009).

The authority principle is based on the idea that people are more likely to respond to a request by someone in a position of power or authority (Cialdini, 2009). For example, Australians have been targeted by phishing emails that impersonated authoritative organisations such as the Australian Taxation Office (ATO, 2017). Under the consistency principle, people seek to honour their commitments and remain consistent in their words and actions. Therefore, reminding an individual via email that they previously committed their support or money to a particular charity is likely to increase the chance that the individual will donate again (Guadagno & Cialdini, 2010). The liking principle indicates that people will be more easily persuaded by someone they like, which can be elicited by the use of compliments or attractiveness, and the reciprocity principle is based on the idea that people will feel obligated to repay for a service or favour they have received (Cialdini, 2009). Steinhoff and Palmatier (2016) explain that customer loyalty or reward programs exist to create customer gratitude, which should then induce a desire to behave reciprocally. In an example of the scarcity principle, email phishers have masqueraded as a delivery company and sent phishing emails describing a package that could not be delivered (Australia Post, 2018). Recipients were provided with a limited time period in which they could obtain this package. Such an example illustrates the use of 'time pressure', another recognised element of Cialdini's (2009) scarcity principle. Finally, the social proof principle relies on the norm that people want to be seen doing what other people, often peers, are doing. In a phishing context, people could be encouraged to click on a link by the claim that many other people have already undertaken this action (Butavicius et al., 2015).

To date, few studies have empirically examined the effect of Cialdini's (2009) social influence principles within an email phishing context. However, there is evidence that these principles are all used, at least to some extent, in real-world phishing emails. For example, Akbar (2014) and Atkins and Huang (2013) analysed phishing emails for the presence of persuasion techniques. In both studies, the most common principles were the authority, scarcity and liking principles. Authority was identified in 96% and 100% of phishing emails, scarcity was identified in 85% and 71% of phishing emails, and liking was identified in 45% and 74% of phishing emails. Akbar also assessed the phishing emails for the presence of the consistency, reciprocity, and social proof principles, and these were identified in 36%, 20% and 11% of phishing emails, respectively.

Other studies have demonstrated that these principles can be effective in real-world phishing research. Real-world phishing research describes a methodology in which researchers create a phishing email and send it to people who are not aware that they are participating in a study. For example, in Jagatic, Johnson, Jakobsson, and Menczer (2007), over 900 university students were unknowing participants in a phishing study. The researchers used information on social media to identify real-world friendships, and then half of the students were sent an email that appeared to be from one of their friends. This social context is likely to have triggered the liking principle, and 72% of these students clicked on the link and provided personal information. In contrast, only 16% of their control group, who were sent an email from a fictitious university email address, clicked on the link and provided personal information. Another real-world phishing study demonstrated the effectiveness of the authority principle (Ferguson, 2005). Over 500 students from West Point Military Academy were sent an email that claimed to be from a colonel, instructing students to click on an embedded link. Despite cues in the email that the request was illegitimate, 80% of students clicked on the link within the email, perhaps because the email appeared to be from a person of authority. However, this study did not include a control group.

Other studies have examined these principles in related contexts. For example, in a study of social engineering in a face-to-face situation rather than via email, Bullée, Montoya, Pieters, Junger, and Hartel (2015) found that authority had no effect on the likelihood of someone giving away personal information. However, the level of authority differed only in regards to the clothing of the 'attacker', where formal clothing represented high authority and casual clothing represented low authority. As Guéguen and Jacob (2002) found that including authority cues in an email signature increased compliance with a request, this suggests that authority might be more persuasive when represented via a position of power rather than clothing.

Only two studies were found that empirically examined the effect of more than one social influence principle in a single phishing experiment. In Butavicius et al. (2015), phishing emails that incorporated the scarcity and social proof principles were far less likely to be considered safe than emails that included no principle or the authority principle. However, the consistency, reciprocity and liking principles were not assessed in this study. Although Wright, Jensen, Thatcher, Dinger, and Marett (2014) empirically examined the effect of all social influence principles in phishing emails, this study used a between-subjects design, in which each participant saw only one phishing email, and that one email could contain anywhere between zero and six principles. In contrast to the findings of Butavicius et al. (2015), participants were least susceptible to emails containing the authority principle and most susceptible to emails containing the social proof and scarcity principles (as well as the liking principle, which was not examined in Butavicius et al., 2015). However, participants may have seen up to six principles in one email, and it is unclear how the combination of principles may have affected results. For example, Wright et al. (2014) used compliments, exclamation marks and informality in their liking manipulation, which may have appeared incompatible with the authority manipulation, in which the email purported to be from the Chief Information Officer. However, participants' perception of these combined factors was beyond the scope of their study, so this remains conjecture. These inconsistent findings highlight the need for further research in this area.

2.2 Individual Differences in Social Influence

Kaptein and Eckles (2012) argue that, although specific social influence principles are often demonstrated to be effective on average, the variation in participant responses is large enough that any specific principle will have detrimental effects on the persuasion of some individuals. These individual differences may help to explain the contradictory findings detailed above. For example, the authority principle has been found to produce the opposite effect for approximately 35% of the population (Kaptein & Eckles, 2012). To assess these individual differences in susceptibility to persuasion, Kaptein, de Ruyter, Markopoulos, and Aarts (2012) constructed and validated the Susceptibility to Persuasion Strategies (STPS) scale, which provides a 'susceptibility profile' for each respondent based on Cialdini's (2009) social influence framework. In other words, it determines the principles that an individual is most and least susceptible to. This scale was used in an intervention of snacking behaviour, and participants who received messages tailored to their preferred influence strategy snacked less than those who received a counter-tailored message or a message using a randomly selected influence principle (Kaptein et al., 2012). These differences in susceptibility to persuasion might help to explain why some people are susceptible to phishing emails whilst others remain unaffected. However, to date, it appears that no studies have evaluated how people's susceptibility to social influence strategies affects their response to phishing emails.

2.2.1 Dual-Process Models of Persuasion. Previous research has highlighted the potential effect of processing mode on the detection of phishing emails. According to dual-process models of persuasion such as the Elaboration Likelihood Model and Heuristic-Systematic Model (Chaiken, Wood, & Eagly, 1996; Petty & Cacioppo, 1986), when presented with a persuasive message, people can use two different techniques to evaluate that message. The first technique involves 'central' or 'systematic' processing. When people use this technique, they evaluate the content and quality of an argument in a primarily analytic manner (Lowry et al., 2012). The second technique involves 'peripheral' or 'heuristic' processing, which means that people are more influenced by superficial cues, such as the likeability or attractiveness of the source of the message (Guadagno & Cialdini, 2007; Lowry et al., 2012). Based on this, influence principles tend to be more effective when they are processed in a heuristic manner (Kaptein, Markopoulos, de Ruyter, & Aarts, 2015).

Researchers have argued that people tend to use a rote or habitual technique when processing emails (Wang, Chen, Herath, Vishwanath, & Rao, 2012; Wright et al., 2014). However, empirical findings are somewhat inconsistent. For example, one study demonstrated a significant relationship between a dispositional measure of impulsivity (where higher impulsivity is associated with a tendency towards heuristic processing) and lower phishing susceptibility (Welk et al., 2015). This has been corroborated using the Cognitive Reflection Test (CRT) (Frederick, 2005), which is a situational measure of an individual's level of impulsivity, where higher scores on the CRT are associated with a tendency towards the systematic processing mode. In Butavicius et al. (2015) and Parsons et al. (2013), individuals who scored higher on the CRT, and were therefore better able to control their impulsivity, were better at discriminating between legitimate and phishing emails. However, Kumaraguru et al. (2007) found that higher CRT scores were associated with greater phishing susceptibility, and an empirical study using eye-tracking revealed that even when participants were alert and vigilant, they were unable to reliably detect phishing emails (Alsharnouby, Alaca, & Chiasson, 2015). These inconsistent findings also highlight the need for further research.

2.3 The Present Study

This study used a role-play scenario-based methodology to investigate why some email phishing attacks are successful, and why some people are more susceptible to them. To examine which email phishing attacks are most successful, we utilised a social influence framework, based on Cialdini's (2009) six principles of influence. Participants were exposed to both genuine and phishing emails which contained these influence principles. To examine which people are most susceptible to phishing attacks, we incorporated the Susceptibility to Persuasion Strategies scale, which allowed us to study the relationship between an individual's susceptibility profile and their response to phishing emails. We also applied a dual-process model of persuasion, and measured both dispositional and situational impulsivity. In summary, the aims of the study were:

1. To determine the extent to which Cialdini's (2009) social influence principles affect an individual's ability to detect phishing emails (e.g., are certain principles more effective than others?)
2. To determine the extent to which the Susceptibility to Persuasion Strategies scale can predict an individual's ability to detect phishing emails.
3. To determine the extent to which measured individual differences (e.g., age, impulsivity) can predict a person's ability to detect phishing emails.

3. Methodology

3.1 Participants

The current study utilised a web-based survey with a sample of working Australians who spend at least some of their work time using a computer or portable device. The final sample consisted of 985 participants (53% male and 47% female), and they were all recruited via Qualtrics panels. This data was screened for overly quick responses and for poor data quality based on the recommendations of Meade and Craig (2012), and does not include participants who were excluded for responding inattentively (e.g., repeatedly providing the same response option). Approximately 18% of participants were between 18 and 29 years of age; 23% were between 30 to 39 years; 21% between 40 and 49 years; 22% in the 50 to 59 age category; and 16% were aged 60 years and older. The median time taken to complete the experiment was 29.15 minutes (interquartile range = 28.48 minutes).

3.2 Materials

3.2.1 Emails. Consistent with the approach of Chen, Mishler, Hu, Li, and Proctor (2018) and Butavicius et al. (2015), the emails used for this project were adapted directly from 'actual' emails, that is, emails that were either received by the authors, or found online. All emails appeared to be sent by large national or international organisations, and examples of emails used are provided in Appendix A. To limit respondent fatigue, where participants may pay less attention to questions posed later in a questionnaire of 30 or more minutes (Galesic & Bosnjak, 2009), 14 emails were used. All participants were exposed to seven genuine emails and seven phishing emails. For both genuine and phishing emails, this consisted of one email with no social influence principle, and one with each of Cialdini's (2009) six social influence principles (i.e., authority, consistency, liking, reciprocity, scarcity and social proof). As people are usually exposed to phishing emails infrequently, this ratio of genuine to phishing emails may lack real-world face validity. In addition, real-world phishing emails often use a combination of principles (Lawson, Zielinska, Pearson, & Mayhorn, 2017), and testing the influence of multiple principles is beyond the scope of this study. However, this design allows a comprehensive measure of user behaviour (i.e., how each participant responded to each principle and email type) and allows additional measures of individual difference without risking excessive respondent fatigue. To limit the effect of any respondent fatigue, emails were presented in a random order. In line with previous research (Parsons, McCormac, et al., 2015), the emails represent the types of topics that would be expected in a typical inbox, as well as the types of institutions that are commonly targeted in email phishing attacks. The same types of emails were used for both genuine and phishing emails, with examples provided in Table 1. Within the emails, all personal details were modified to that of a fictitious individual with a gender neutral name (i.e., 'Alex Jones'). Emails were constructed such that the only indication of the legitimacy of an email was the link, and participants were instructed that they could 'hover' their mouse over a link to see where the link would take them.

Table 1: Examples of email type for each social influence principle

Influence Principle | Email Topic      | Sample Text
--------------------|------------------|-----------------------------------------------------------------------------
Authority           | Legal matter     | "you have been issued with an Infringement Notice"
Consistency         | Charity donation | "thank you for your previous donations"
Liking              | Survey requests  | "Hi there! We're excited to let you know that you are invited to participate"
Reciprocity         | Loyalty voucher  | "you've earned yourself a $30 voucher"
Scarcity            | Competition      | "this is your chance to win"
Social Proof        | Improved service | "80% of customers have already updated to the new version"
None                | Password reset   | "to reset your [Company name] account password, click the link below"

3.2.2 Manipulation Check. To ensure the influence principles had the intended effect on participants, a manipulation check was conducted. In line with the recommendations of Perdue and Summers (1986) and Hauser, Ellsworth, and Gonzalez (2018), the manipulation check was conducted as a pilot study with participants recruited from the same participant pool as the main study (i.e., Qualtrics panels). However, the participants who took part in the pilot study were not invited to take part in the main study. Consistent with the directions in the main study, these participants were not informed that some of the emails were phishing emails. The manipulation check consisted of 39 participants. Participants were presented with definitions of the social influence principles, and they were asked to rank up to three principles that were most present in each email. Participants were also provided with a 'no-principle' option. The results are shown in Appendix B. For 13 of the 14 emails, the social influence principle that was most frequently selected to be most present matched the intended principle (e.g., for the authority phishing email, authority was chosen as the most present principle by 74% of participants). The only email where this was not the case was the no-principle phishing email; however, 'no-principle' received the second highest rank (behind the authority principle) and 'no-principle' was ranked in the top three by 41% of respondents. Thus, there was sufficient evidence to suggest that participants would perceive the intended influence principles in the main study.

3.3.3 Measures of Individual Differences. Participants responded to demographic questions, such as age, gender and percentage of time spent using a computer. Participants were asked to complete the Susceptibility to Persuasion Strategies (STPS) Scale (Kaptein et al., 2012). This consists of 20 questions, measured on a five-point Likert scale (1: 'strongly disagree' to 5: 'strongly agree'), and measures the extent to which an individual is susceptible to each of Cialdini's (2009) influence principles. A higher score represents more susceptibility to a given principle. The overall Cronbach's alpha score for this scale was .84, and the Cronbach's alpha scores for each principle ranged between .50 and .70. However, since each principle is measured with a small number of items (i.e., three or four items), in line with the recommendation of Briggs and Cheek (1986), average inter-item correlations were also calculated as a more appropriate measure of internal consistency. Results were within the recommended range from .2 to .4 across all influence principles: authority (r_av = .38), consistency (r_av = .41), liking (r_av = .30), reciprocity (r_av = .22), scarcity (r_av = .41) and social proof (r_av = .25). Participants' tendency to favour systematic or heuristic decision-making was measured using both dispositional and situational measures of impulsivity. Dispositional impulsivity was measured using the Rational and Intuitive Decision Styles Scale, which is a 10-item measure that determines whether an individual favours systematic or heuristic decision-making (Hamilton, Shih, & Mohammed, 2016). Cronbach's alpha scores for this scale were .84 for the rational subscale (which represents a tendency towards systematic decision-making) and .82 for the intuitive subscale (which represents a tendency towards heuristic decision-making). Situational impulsivity was measured using the Cognitive Reflection Test (CRT), which consists of three items, where the most obvious response is not correct (Frederick, 2005). A higher score on this test relates to a better ability to control impulsivity, or stop and consider the question before providing an answer.
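The scoring rules described above (20 five-point items, three or four per principle, a higher subscale mean meaning more susceptibility, and average inter-item correlation reported alongside Cronbach's alpha for short subscales), together with the binary cut-off the results section applies later (a subscale mean above three marks a participant as susceptible to that principle) and the 'single most or least preferred principle, otherwise multiple strategies' classification behind Table 2, can be made concrete in a few lines. The Python below is an added illustration written for this page, not code from the study or from the STPS authors. The item names, the 4/3/3/4/3/3 item split and every response value are constructed for the example; the real STPS items are not reproduced.

```python
"""Scoring an STPS-style susceptibility questionnaire (added illustration).

Constructed example, not the paper's code. Item names, the item-to-principle
mapping and all response values are invented. Taken from the paper: 20 Likert
items (1 = strongly disagree .. 5 = strongly agree), three or four items per
Cialdini principle, a higher mean = more susceptible, average inter-item
correlation (Briggs & Cheek, 1986) as the reliability measure for short
subscales, and the binary rule 'subscale mean above three = susceptible'.
"""
from itertools import combinations
from statistics import mean, pvariance

NEUTRAL = 3.0  # midpoint of the five-point scale

# Hypothetical 20-item layout; the 4/3/3/4/3/3 split is an assumption.
ITEMS = {
    "authority":    ["a1", "a2", "a3", "a4"],
    "consistency":  ["c1", "c2", "c3"],
    "liking":       ["l1", "l2", "l3"],
    "reciprocity":  ["r1", "r2", "r3", "r4"],
    "scarcity":     ["s1", "s2", "s3"],
    "social_proof": ["p1", "p2", "p3"],
}


def principle_means(responses):
    """Mean item score per principle for one respondent (dict item -> 1..5)."""
    return {p: mean(responses[i] for i in items) for p, items in ITEMS.items()}


def susceptibility_profile(responses, threshold=NEUTRAL):
    """Binary profile: a principle is flagged when the subscale mean is
    strictly greater than the neutral midpoint (a mean of exactly 3.0 is
    therefore NOT counted as susceptible)."""
    return {p: m > threshold for p, m in principle_means(responses).items()}


def extreme_principle(responses, most=True):
    """Single most (or least) persuasive principle, or 'multiple' on a tie,
    mirroring the 'Multiple strategies' row of the paper's Table 2."""
    means = principle_means(responses)
    target = max(means.values()) if most else min(means.values())
    hits = [p for p, m in means.items() if m == target]
    return hits[0] if len(hits) == 1 else "multiple"


def pearson(x, y):
    """Pearson correlation of two equal-length score lists."""
    mx, my = mean(x), mean(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return cov / (vx * vy) ** 0.5


def average_inter_item_correlation(columns):
    """r_av: mean Pearson r over all item pairs of one subscale.
    `columns` holds one list of scores per item, indexed by respondent."""
    return mean(pearson(a, b) for a, b in combinations(columns, 2))


def cronbach_alpha(columns):
    """Cronbach's alpha from per-item score columns (population variances)."""
    k = len(columns)
    n = len(columns[0])
    totals = [sum(col[i] for col in columns) for i in range(n)]
    return k / (k - 1) * (1 - sum(pvariance(c) for c in columns) / pvariance(totals))


# --- constructed sample data -------------------------------------------------
# One respondent's 20 answers (invented).
SAMPLE_RESPONSES = {
    "a1": 4, "a2": 5, "a3": 4, "a4": 5,
    "c1": 3, "c2": 3, "c3": 3,
    "l1": 2, "l2": 2, "l3": 3,
    "r1": 4, "r2": 4, "r3": 5, "r4": 5,
    "s1": 3, "s2": 4, "s3": 2,
    "p1": 1, "p2": 2, "p3": 2,
}

# Four respondents' answers to one three-item subscale (invented), one list per item.
SAMPLE_SUBSCALE = [
    [1, 2, 3, 4],
    [2, 2, 4, 4],
    [1, 3, 3, 5],
]

if __name__ == "__main__":
    for p, m in principle_means(SAMPLE_RESPONSES).items():
        print(f"{p:13s} mean={m:.2f} susceptible={m > NEUTRAL}")
    print("most persuasive:", extreme_principle(SAMPLE_RESPONSES))
    print("least persuasive:", extreme_principle(SAMPLE_RESPONSES, most=False))
    print(f"r_av={average_inter_item_correlation(SAMPLE_SUBSCALE):.2f} "
          f"alpha={cronbach_alpha(SAMPLE_SUBSCALE):.2f}")
```

Run as a script, the block prints each principle's mean and flag for the constructed respondent (consistency sits exactly at 3.0 and is not flagged), the most and least persuasive principle ('multiple' when two subscales tie, as Table 2 records), and r_av and alpha for the constructed three-item subscale. Alpha depends on the number of items as well as on their correlations, which is why the paper follows Briggs and Cheek (1986) in reporting r_av for its three- and four-item subscales.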

3.4 Procedure

The experiment used a 2 x 7 within-subjects design, with email legitimacy (phishing and genuine) and influence principle (authority, consistency, liking, reciprocity, scarcity, social proof and none) as within-subject factors. This means that all participants were presented with each of the 14 distinct emails. Participants were informed that they were taking part in an experiment on how people manage their emails, and the factors that may affect email use. They were told that they would be presented with 14 emails, taken from the inbox of 'Alex Jones'. They were asked to assume that all emails were sent to Alex deliberately and that all emails discuss topics that are relevant to Alex. For each email, participants were asked to respond to the statement, "It is okay to click on the link in this email" on a five-point scale from 'strongly disagree' to 'strongly agree'. This statement was chosen to allow an indirect measure of phishing susceptibility, because previous research has indicated that priming people about phishing improves their performance (Parsons, McCormac, Pattinson, Butavicius, & Jerram, 2015). Although the reference to the link being 'okay' may have encouraged more cautious behaviour, it was important to balance the intention to not prime participants with the need to have an accurate measure of phishing susceptibility (rather than, for example, the perceived usefulness of an email). When responding to a phishing email, a response of 'strongly disagree' was considered most appropriate, and when responding to a genuine email, a response of 'strongly agree' was considered most appropriate. Emails were presented in a randomised order. After responding to all 14 emails, participants were required to complete the individual difference measures.

4. Results

In this section, we analyse the effect of social influence principles on both phishing and genuine emails, followed by results of the self-reported persuasiveness of the influence principles. These results are then combined to examine the effect of individual differences on susceptibility to social influence. Finally, results of a regression analysis are presented to demonstrate the overall variance explained by these variables.

4.1 Overall Effect of Social Influence Principles

In line with the 2 x 7 within-subjects design, a two-way repeated measures analysis of variance (ANOVA) was conducted to assess the effect of email legitimacy and influence principle (i.e., authority, consistency, liking, reciprocity, scarcity, social proof and none) on participants' response to the statement, "It is okay to click on the link in this email". Where appropriate, a Greenhouse-Geisser correction is presented. There was a significant main effect for email legitimacy, F(1, 984) = 198.19, p < .001, partial eta-squared (ηp²) = .168, and a significant main effect for influence principle, F(5.38, 5295.32) = 46.95, p < .001, ηp² = .046. There was also a significant interaction between email legitimacy and influence principle, F(5.87, 5776.98) = 47.13, p < .001, ηp² = .046. This relationship is shown in Figure 1, and indicates that genuine emails were most likely to be considered okay to click on (i.e., an appropriate response) when the reciprocity principle was used (M = 3.09, SD = 1.21) and least likely to be considered okay to click on when the social proof principle was used (M = 2.48, SD = 1.20). In contrast, phishing emails were most likely to be considered okay to click on (i.e., an inappropriate response) when the consistency principle was used (M = 2.72, SD = 1.29) and least likely to be considered okay to click on (i.e., an appropriate response) when the scarcity principle was used (M = 2.15, SD = 1.21). Figure 1 also depicts that participants responded in a very similar manner for emails that contained authority, consistency and social proof, regardless of whether they were phishing or genuine emails. This suggests that the relative persuasiveness was the same across both types of emails. In contrast, participants appeared to have much less difficulty discriminating between phishing and genuine emails that contained the liking, reciprocity and scarcity principles or no principle. It is important to note that the statement 'It is okay to click on the link in this email' may have primed some participants to think about phishing. We could therefore expect that real-world susceptibility may be higher than the findings in this study. This is discussed further in Section 5.2.

[Figure 1: chart of the mean "Okay to click on?" rating (y-axis, 1.50 to 3.50) for genuine and phishing emails across the seven influence-principle conditions (authority, consistency, liking, reciprocity, scarcity, social proof, none); image not reproduced in this text version.]

Figure 1: Okay to click on rating based on email legitimacy and influence principle. Error bars represent standard error.

4.2 Individual Persuasiveness of Social Influence Principles

PT

Participants‟ responses to the STPS scale are depicted in Figure 2. A series of onesample t-tests with a Bonferroni correction revealed that mean STPS scale scores were

CE

statistically significantly different to the neutral rating of 3.0 for all principles1. As shown in Figure 2, the authority, consistency, liking, reciprocity and scarcity principles were

AC

persuasive, whereas the social proof principle had the opposite effect on participants. In

1

Authority (M = 3.23, SD = .68), t (984) = 10.77, p < .001, Consistency (M = 3.58, SD = .57),

t (984) = 31.85, p < .001, Liking (M = 3.52, SD = .58), t (984) = 28.23, p < .001, Reciprocity (M = 3.75, SD = .63), t (984) = 37.31, p < .001, Scarcity (M = 3.07, SD = .74), t (984) = 3.01, p = .003, Social Proof (M = 2.89, SD = .76), t (984) = -4.59, p < .001,

18

ACCEPTED MANUSCRIPT regards to individual responses, 74% of participants had a single principle that they considered most persuasive and 77% had a single principle that they considered least persuasive. As shown in Table 2, STPS scores suggest that 30% of participants would be most persuaded by the reciprocity principle and 32% would be least persuaded by the social

ED

M

AN US

CR IP T

proof principle.

[Figure 2 (chart not reproduced): mean STPS score per influence principle.]

Figure 2: Responses to the STPS scale to demonstrate relative persuasiveness of the influence principles. Error bars represent a 95% confidence interval.

Table 2: Participants' results for the STPS scale

Influence Principle    Most preferred principle N (%)    Least preferred principle N (%)
Authority              139 (14%)                         75 (8%)
Consistency            44 (5%)                           162 (16%)
Liking                 43 (4%)                           127 (13%)
Reciprocity            294 (30%)                         24 (2%)
Scarcity               42 (4%)                           193 (20%)
Social Proof           26 (3%)                           319 (32%)
Multiple strategies    259 (26%)                         223 (23%)

To further examine the effect of STPS scores on participants' susceptibility to social influence principles in emails, a binary score was calculated for each principle for each participant. These scores indicate whether a participant was susceptible to a particular principle. An average score of greater than three for a given principle indicates that a participant was susceptible to that principle. Figure 3 shows these results based on individual susceptibility, email legitimacy and influence principle, where the black lines represent participants' responses to genuine emails, the grey lines represent participants' responses to phishing emails, the solid lines represent responses from participants who are susceptible to a given principle and the dotted lines represent responses from participants who are not susceptible to that given principle. In all cases, mean scores for susceptible participants (i.e., the solid lines) are greater than scores for non-susceptible participants (i.e., the dotted lines), suggesting that participants who were susceptible to a given principle were more likely to consider links in emails containing the principle to be okay to click on than non-susceptible participants. To further assess the size of these differences, a series of independent samples t-tests were also conducted and these results are presented in Table 3. With the exception of the consistency principle, participants who were susceptible to a given principle were significantly more likely to consider genuine emails containing it to be okay to click on than those who were not susceptible to that principle. In the case of phishing emails, the same significant pattern was found for all principles except for the consistency and reciprocity principles. This difference was greatest for the social proof principle, where the effect size of .60 for phishing emails and .40 for genuine emails (calculated using Cohen's d) indicates a medium effect.


Table 3: Descriptive statistics, M (SD), and independent samples t-test scores for phishing and genuine emails

                                   Phishing Emails                                       Genuine Emails
Principle      N Susceptible^   Susceptible    Not Susceptible   t         d      Susceptible    Not Susceptible   t         d
Authority      536              2.59 (1.56)    2.17 (1.37)       -4.41**   .29    2.65 (1.32)    2.41 (1.35)       -2.88**   .18
Consistency    751              2.74 (1.32)    2.67 (1.19)       -0.73     .06    2.86 (1.23)    2.79 (1.20)       -0.89     .06
Liking         737              2.67 (1.25)    2.34 (1.20)       -3.59**   .27    2.99 (1.20)    2.71 (1.25)       -3.13**   .23
Reciprocity    810              2.66 (1.27)    2.50 (1.14)       -1.63     .13    3.14 (1.22)    2.86 (1.17)       -2.81**   .23
Scarcity       428              2.42 (1.26)    1.94 (1.12)       -6.26**   .40    3.08 (1.16)    2.82 (1.20)       -3.33**   .22
Social Proof   354              2.93 (1.28)    2.20 (1.16)       -8.82**   .60    2.79 (1.21)    2.31 (1.17)       -6.04**   .40

* p < .05, ** p < .01, ^ N Not Susceptible is 985 (i.e., total N) minus N Susceptible.
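The statistics behind Section 4.2 and Table 3 can be recomputed from the summary values the paper reports. The following is an added example, not the paper's analysis code: it implements the binary STPS susceptibility score (mean above 3), the one-sample t-test against the neutral rating used in Section 4.2, and the independent-samples t and Cohen's d used in Table 3, then applies them both to the paper's published summary statistics and to a small set of constructed Likert responses. Assumptions not stated on the page: STPS items are scored 1 to 5, the independent-samples test is Welch's variant (the paper does not name one), and d uses the pooled standard deviation.

```python
"""
Added example, not the paper's own analysis code: recomputes the statistics of
Section 4.2 and Table 3 from summary values and from constructed Likert responses.
Assumptions not on the page: STPS items are scored 1..5, the independent-samples
test is Welch's t, and Cohen's d uses the pooled SD.
"""
from math import sqrt
from statistics import mean, stdev

N_PARTICIPANTS = 985          # total N reported by the paper
NEUTRAL = 3.0                 # neutral rating on the STPS scale
BONFERRONI_ALPHA = 0.05 / 6   # six principles tested, as in the paper's correction


def stps_susceptible(item_scores):
    """Binary susceptibility score: a mean over a principle's items above 3 means susceptible."""
    return mean(item_scores) > NEUTRAL


def one_sample_t(m, sd, n, mu0=NEUTRAL):
    """One-sample t statistic from summary statistics: (M - mu0) / (SD / sqrt(n))."""
    return (m - mu0) / (sd / sqrt(n))


def welch_t(m1, sd1, n1, m2, sd2, n2):
    """Welch's independent-samples t from summary statistics (group 1 minus group 2)."""
    return (m1 - m2) / sqrt(sd1 ** 2 / n1 + sd2 ** 2 / n2)


def cohens_d(m1, sd1, n1, m2, sd2, n2):
    """Cohen's d with the pooled SD, the effect size Table 3 reports."""
    pooled = sqrt(((n1 - 1) * sd1 ** 2 + (n2 - 1) * sd2 ** 2) / (n1 + n2 - 2))
    return (m1 - m2) / pooled


def compare_by_susceptibility(participants):
    """Split participants by the binary STPS score for one principle and compare their
    'okay to click' ratings for the email carrying that principle.
    Each participant is (stps_item_scores, okay_to_click_rating). Returns a Table 3 style row."""
    sus = [r for items, r in participants if stps_susceptible(items)]
    not_sus = [r for items, r in participants if not stps_susceptible(items)]
    m1, sd1, n1 = mean(sus), stdev(sus), len(sus)
    m2, sd2, n2 = mean(not_sus), stdev(not_sus), len(not_sus)
    return {
        "n_susceptible": n1,
        "susceptible": (round(m1, 2), round(sd1, 2)),
        "not_susceptible": (round(m2, 2), round(sd2, 2)),
        # Table 3 sign convention: not susceptible minus susceptible, so t is negative
        "t": round(welch_t(m2, sd2, n2, m1, sd1, n1), 2),
        "d": round(cohens_d(m1, sd1, n1, m2, sd2, n2), 2),
    }


# Constructed responses (not study data): four STPS items per participant for the
# social proof principle and a 1..5 'okay to click' rating for the social proof phishing email.
CONSTRUCTED_SOCIAL_PROOF = [
    ([4, 4, 5, 4], 4), ([5, 4, 4, 4], 3), ([4, 3, 4, 4], 4), ([3, 4, 4, 5], 5),
    ([2, 3, 2, 2], 2), ([3, 2, 3, 2], 1), ([2, 2, 3, 3], 2), ([3, 3, 3, 3], 3),
    ([1, 2, 2, 3], 2), ([3, 3, 2, 3], 3),
]

if __name__ == "__main__":
    # Footnote 1, social proof: M = 2.89, SD = .76, reported t(984) = -4.59
    print("social proof one-sample t:", round(one_sample_t(2.89, 0.76, N_PARTICIPANTS), 2))
    # Table 3, social proof, phishing emails: 2.93 (1.28) vs 2.20 (1.16), N = 354 vs 631, reported d = .60
    print("Table 3 social proof d:", round(cohens_d(2.93, 1.28, 354, 2.20, 1.16, 631), 2))
    print(compare_by_susceptibility(CONSTRUCTED_SOCIAL_PROOF))
```

Recomputing from the rounded means and SDs reproduces the published values to within rounding (d of about .61 against the reported .60 for social proof, and about .41 against .40 for scarcity), which is a useful sanity check when reading a results table whose raw data are not available.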

[Figure 3 (line chart not reproduced): series Genuine: Susceptible, Genuine: Not susceptible, Phishing: Susceptible, Phishing: Not susceptible; y-axis "Okay to Click?" from 1.50 to 3.50; x-axis principles Authority, Consistency, Liking, Reciprocity, Scarcity, Social Proof.]

Figure 3: Okay to click rating based on individual susceptibility, email legitimacy and social influence principle. Error bars represent standard error.

Finally, we conducted a hierarchical regression to determine the overall variance in phishing susceptibility explained by the measured individual difference variables. To determine phishing susceptibility scores, the hit rate was calculated, which is the proportion of phishing emails managed correctly. A response was considered correct if participants disagreed or strongly disagreed that a phishing email was okay to click on. A correlation matrix between the measured individual difference variables revealed significant relationships (see Appendix C), and Variance Inflation Factor (VIF) values were calculated and were all below 2, suggesting that multicollinearity had not occurred. As age, gender and frequency of computer use (measured in this study as percentage of time spent using a computer) are established predictors of phishing susceptibility and cybersecurity behaviour (McCormac et al., 2017; Pattinson, Jerram, Parsons, McCormac, & Butavicius, 2012; Sheng, Holbrook, Kumaraguru, Cranor, & Downs, 2010), they were entered in Step 1 to control for their effects. Both age and percentage of time spent using a computer were significant, together explaining approximately 11% of the variance in hit rate (see Table 4). Susceptibility to phishing decreased with age, and participants who spent more time using a computer outperformed those with less computer familiarity. The dispositional variables, namely, responses to the STPS scale and the intuitive subscale of the decision-making scale as a measure of impulsivity, were added in Step 2. These variables explained approximately 9% of additional variance, and susceptibility to the social proof principle and the impulsivity measure were significant predictors. The results indicated that participants who were less susceptible to the social proof principle and less impulsive (i.e., more likely to use the systematic processing mode) were significantly less susceptible to phishing (i.e., obtained higher hit rates). Finally, the situational measure of impulsivity (i.e., CRT scores) was added in Step 3, and it was also a significant predictor, again supporting the relevance of a dual-process model of persuasion to explain phishing susceptibility. Together, these variables explained approximately 20% of the variance in hit rate.
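The outcome measure, the collinearity check and the step-wise model described in this paragraph can be reproduced end to end with standard-library Python. The block below is an added example, not the paper's analysis code: it computes the hit rate from per-email ratings, the VIF for each predictor, and a three-step hierarchical least-squares regression reporting adjusted R² and its change at each step, on constructed participants. Assumptions not on the page: the 'okay to click' scale runs from 1 (strongly disagree) to 5 (strongly agree); age and computer use are coded as 1 to 7 bands; gender is 1 or 2; CRT is scored 0 to 3; the participants and the rule generating their ratings are simulated, so the coefficients will not match Table 4.

```python
"""
Added example, not the paper's own analysis code: hit rate, VIF check and a
three-step hierarchical regression on constructed participants. Assumptions not
on the page: 'okay to click' is 1..5 (1 = strongly disagree), age and computer
use are bands 1..7, gender is 1 or 2, CRT is 0..3, and the sample is simulated.
"""
import random


def hit_rate(phishing_ratings):
    """Proportion of phishing emails managed correctly: a rating of 1 or 2
    (disagree / strongly disagree that the link is okay to click) is correct."""
    return sum(1 for r in phishing_ratings if r <= 2) / len(phishing_ratings)


def _solve(a, b):
    """Gaussian elimination with partial pivoting for the normal equations."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x


def ols(x_rows, y):
    """Least-squares fit of y on the predictors plus an intercept.
    Returns (coefficients with intercept first, R squared, adjusted R squared)."""
    n = len(y)
    xd = [[1.0] + list(row) for row in x_rows]
    p = len(xd[0])
    xtx = [[sum(r[a] * r[b] for r in xd) for b in range(p)] for a in range(p)]
    xty = [sum(r[a] * yi for r, yi in zip(xd, y)) for a in range(p)]
    beta = _solve(xtx, xty)
    ybar = sum(y) / n
    ss_res = sum((yi - sum(b * v for b, v in zip(beta, r))) ** 2 for r, yi in zip(xd, y))
    ss_tot = sum((yi - ybar) ** 2 for yi in y)
    r2 = 1.0 - ss_res / ss_tot
    return beta, r2, 1.0 - (1.0 - r2) * (n - 1) / (n - p)


def vif(x_rows):
    """Variance inflation factor per predictor: 1 / (1 - R squared of that predictor
    regressed on all the others). The paper treats values below 2 as acceptable."""
    out = []
    for j in range(len(x_rows[0])):
        target = [row[j] for row in x_rows]
        others = [[v for i, v in enumerate(row) if i != j] for row in x_rows]
        _, r2, _ = ols(others, target)
        out.append(1.0 / (1.0 - r2))
    return out


def hierarchical_regression(rows, steps, outcome="hit_rate"):
    """Enter predictor blocks step by step; report adjusted R squared and its change."""
    y = [r[outcome] for r in rows]
    used, prev, results = [], 0.0, []
    for block in steps:
        used.extend(block)
        beta, _, adj = ols([[r[k] for k in used] for r in rows], y)
        results.append({"predictors": list(used),
                        "beta": dict(zip(["intercept"] + used, beta)),
                        "adj_r2": adj, "delta_adj_r2": adj - prev})
        prev = adj
    return results


def _clamp(v, lo, hi):
    return max(lo, min(hi, v))


def build_sample(n=300, seed=7):
    """Constructed participants (not study data), seven phishing-email ratings each."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        gender, age, time_pct = rng.randint(1, 2), rng.randint(1, 7), rng.randint(1, 7)
        crt = rng.randint(0, 3)
        social_proof = _clamp(rng.gauss(2.9, 0.75), 1.0, 5.0)
        intuitive = _clamp(rng.gauss(16.0, 3.5), 5.0, 25.0)
        # Assumed generating rule: older, heavier computer users and reflective people
        # rate phishing links as less okay; social proof and intuition push the other way.
        mu = 2.6 - 0.25 * age - 0.1 * time_pct + 0.5 * social_proof + 0.05 * intuitive - 0.3 * crt
        ratings = [_clamp(round(rng.gauss(mu, 0.8)), 1, 5) for _ in range(7)]
        rows.append({"gender": gender, "age": age, "time_pct": time_pct,
                     "social_proof": social_proof, "intuitive": intuitive, "crt": crt,
                     "hit_rate": hit_rate(ratings)})
    return rows


# Step order follows the paper: demographics, then dispositional measures, then CRT.
STEPS = [["gender", "age", "time_pct"], ["social_proof", "intuitive"], ["crt"]]

if __name__ == "__main__":
    sample = build_sample()
    print("VIF:", [round(v, 2) for v in vif([[r[k] for s in STEPS for k in s] for r in sample])])
    for i, step in enumerate(hierarchical_regression(sample, STEPS), 1):
        print(f"Step {i}: adj R2 = {step['adj_r2']:.3f}, delta = {step['delta_adj_r2']:.3f}")
```

The delta values telescope, so their sum equals the final model's adjusted R², which is how the .11, .08 and .01 in Table 4 add up to the reported 20%.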


Table 4: Summary of hierarchical regression analysis for individual variables predicting susceptibility to phishing

                       Model 1                    Model 2                    Model 3
Variable               B      Beta   t-value     B      Beta   t-value     B      Beta   t-value
Gender (Female = 2)    .01    .01    .43         .00    .004   .13         .01    .02    .53
Age                    .08    .33    10.74**     .06    .23    7.36**      .06    .23    7.42**
Percentage of time     .03    .14    4.45**      .03    .12    4.01**      .03    .11    3.82**
STPS Authority                                   -.03   -.07   -1.86       -.03   -.06   -1.66
STPS Consistency                                 .03    .05    1.34        .03    .04    1.24
STPS Liking                                      -.02   -.03   -.99        -.02   -.04   -1.11
STPS Reciprocity                                 .02    .03    .85         .01    .03    .80
STPS Scarcity                                    -.20   -.04   -1.09       -.02   -.04   -1.10
STPS Social Proof                                -.10   -.21   -5.85**     -.10   -.21   -5.81**
Intuitive                                        -.01   -.08   -2.54**     -.01   -.06   -1.96*
CRT                                                                        .03    .08    2.69**
Adj R²                 .11                       .19                       .20
Δ Adj R²               .11                       .08                       .01
F                      41.51                     24.00                     22.62

5. Discussion

This study has used a social influence framework to assess why some phishing emails are more effective than others. We also presented an analysis of individual differences, including a dual-process model of persuasion, to assess why some people are more susceptible to email phishing attacks. In line with the findings of Butavicius et al. (2015), people were least susceptible to phishing emails that contained the scarcity principle. This finding can be explained via inoculation theory (McGuire, 1961). Essentially, scarcity is commonly used in phishing emails (Akbar, 2014; Atkins & Huang, 2013), and the use of this principle in phishing emails has increased over time (Zielinska et al., 2016). This means that people are likely to have been exposed to phishing emails with appeals to urgent action, and may therefore have little difficulty recognising and resisting this persuasion technique. In line with this, participants were most susceptible to the consistency and reciprocity principles, which were two of the least common principles in the real-world phishing emails evaluated by Akbar (2014). As these principles are less common in phishing emails, people may not have been exposed to those emails enough to develop immunity.

This study is also believed to be the first to validate the use of the Susceptibility to Persuasion Strategies Scale to predict an individual's email susceptibility profile. Participants were most likely to consider reciprocity to be the most persuasive principle, both in regards to the average persuasion score and the number of people for whom it was their most preferred principle. Consistent with this, both genuine and phishing emails containing the reciprocity principle were most likely to be considered okay to click on. In contrast, participants were least likely to consider the social proof and scarcity principles to be persuasive (chosen as most persuasive by only 3% and 4% of participants, respectively), and the results revealed that the genuine email containing social proof was the least persuasive genuine email, and the phishing email containing scarcity was the least persuasive phishing email. The fact that performance was particularly poor for the social proof genuine email is consistent with the finding that the average STPS scores indicated the social proof principle would have the opposite effect on participants. In other words, because the average score was significantly below the neutral rating, this suggests people are likely to reject emails containing that principle.

Results also indicate that participants were quite poor at correctly judging the safety of a link, regardless of whether the email was phishing or genuine. This is consistent with previous research, which has indicated that people lack knowledge of what constitutes a genuine or phishing URL (Kumaraguru, Sheng, Acquisti, Cranor, & Hong, 2010). Previous research has also suggested that participants in role-play experiments, where they are not directly informed that they are taking part in a phishing study, often make decisions based on their perception of the usefulness of an email rather than any perception of security (Parsons, McCormac, Pattinson, Butavicius, & Jerram, 2014). Although participants in the current study were asked to assume the emails were relevant to 'Alex Jones', they may have assumed that topics like charity donation, survey requests, loyalty vouchers and competitions were not important.

This study also highlights the importance of considering individual differences in susceptibility to phishing emails. With the exception of the consistency and reciprocity principles, participants who were personally susceptible to a specific principle were significantly more susceptible to emails containing that principle than people who were not susceptible to that principle. This therefore suggests that the Susceptibility to Persuasion Strategies scale can help to predict an individual's ability to detect phishing emails. This effect was strongest for the social proof principle, a fact that was also replicated in this study's regression analysis.

The regression analysis found that age, percentage of time spent using a computer, susceptibility to the social proof principle and both dispositional and situational impulsivity were significant contributors, with the whole model explaining approximately 20% of the variance in people's ability to detect phishing emails. Although Sheng et al. (2010) found that women were more susceptible to phishing emails than men, the current study supports the findings of Butavicius et al. (2017), with no differences in phishing susceptibility on the basis of gender. These inconsistent results may be associated with the measures of individual difference that were included in both Butavicius et al. (2017) and the current study. In the current study, any gender differences may have been explained by aspects such as impulsivity or susceptibility to social influence principles. Regardless, the relationship between gender and phishing susceptibility warrants further investigation in future studies.

5.1 Practical Implications

These findings have practical applications for phishing education, training and awareness programs. First, these findings highlight the importance of teaching people about less common types of phishing emails, such as those using the consistency and reciprocity principles. Although these types of phishing emails have been found to be less common (Akbar, 2014), and may therefore be less of a threat, because they are unfamiliar, susceptibility is likely to be higher than for the more common email phishing scams. It is also possible that scammers will start to use these less common principles more frequently, in an effort to increase susceptibility. For example, businesses have recently been targeted by fake invoice or billing scams, which appeal to a business's existing relationship with a particular service or product and provide updated banking information, which will result in money being paid to the scammer rather than the existing supplier (Australian Competition and Consumer Commission, 2018). In this scam, they are appealing to the previous commitment to the existing supplier (i.e., the consistency principle) and the obligation to pay for a service you have received (i.e., the reciprocity principle).

A second practical application of these findings is the likely usefulness of the Susceptibility to Persuasion Strategies scale as a tool to help people understand (and subsequently resist) the principles that they are personally most susceptible to. These findings demonstrated that people who are personally susceptible to the authority, liking, scarcity or social proof principles were significantly more susceptible to phishing emails containing those principles. These findings could help to create tailored training, where individuals are presented with information to help them to identify and resist principles that they find most persuasive. This is particularly true since findings also highlighted the role of both dispositional and situational impulsivity in phishing susceptibility, which supports a dual-process model of persuasion. This suggests that teaching people to use systematic rather than intuitive processing may reduce the effectiveness of these influence principles, and therefore highlights the importance of stopping and thinking before responding to, or clicking on, any email.

The methodology of this study could also be used to improve anti-phishing training. In line with previous research (e.g., Kumaraguru et al., 2010), participants still seem to lack knowledge of how to identify a safe link. In this study, participants were told that they could hover over the link, but many still made poor decisions when asked to judge whether it was okay to click on the link. From a practical perspective, incorrectly judging genuine emails as phishing can be a costly problem, from both an individual and organisational perspective. From an individual perspective, this could result in people missing out on important or useful information, whereas from an organisational perspective, incorrect phishing identification could affect customer trust and reputation. It is therefore important to ensure anti-phishing training improves phishing discrimination rather than simply biasing people towards more risk-averse behaviour. Kumaraguru et al. (2007) found that participants were motivated to learn and reduce their future susceptibility when they were presented with immediate feedback after falling for phishing emails. However, real-world phishing studies have been found to induce negative feedback from participants who feel that they have been tricked or deceived (Jagatic et al., 2007). Therefore, the role-play methodology in this paper could be combined with the principles of effective anti-phishing training such as learning-by-doing and immediate feedback (Kumaraguru et al., 2007). Essentially, participants who incorrectly judge a genuine email as phishing or a phishing email as genuine could be provided with immediate feedback on the correct decision. The social influence principles within an email could also be immediately highlighted to the participant to assist them to detect these persuasion attempts in the future. In line with the recommendation of Canfield and Fischhoff (2018), a training technique such as this could also be used to identify the most vulnerable users, who could then receive additional, targeted training, ensuring that organisational resources are allocated in a cost-effective manner.
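The point above, that training should improve discrimination rather than simply make people more risk-averse, cannot be checked from the phishing hit rate alone, because a person who rejects every email also scores a perfect hit rate. The block below is an added example and not an analysis the paper performs: it summarises before/after training results with a signal-detection pair, d' for sensitivity (how well phishing and genuine emails are told apart) and c for response bias (how readily anything is rejected), so that a bias-only shift and a real gain in discrimination can be distinguished even when both raise the hit rate by the same amount. Assumptions: a 'hit' is a phishing email judged not okay to click, a 'false alarm' is a genuine email judged not okay to click, and every count used is constructed.

```python
"""
Added example, not from the paper: separating discrimination from response bias
when evaluating anti-phishing training, using a signal-detection summary (d', c).
Assumptions: a 'hit' is a phishing email judged not okay to click, a 'false alarm'
is a genuine email judged not okay to click; all counts below are constructed.
"""
from statistics import NormalDist

_Z = NormalDist().inv_cdf   # standard normal quantile function


def _rate(k, n):
    """Log-linear correction so that 0 or n out of n does not give an infinite z-score."""
    return (k + 0.5) / (n + 1)


def discrimination_and_bias(hits, n_phish, false_alarms, n_genuine):
    """Return (hit rate, false-alarm rate, d', c).
    d' rises only when phishing and genuine emails are told apart better;
    c goes negative when a person simply rejects more of everything."""
    h, f = _rate(hits, n_phish), _rate(false_alarms, n_genuine)
    return h, f, _Z(h) - _Z(f), -0.5 * (_Z(h) + _Z(f))


def training_effect(before, after):
    """before/after are (hits, n_phish, false_alarms, n_genuine) tuples pooled over participants."""
    hb, fb, db, cb = discrimination_and_bias(*before)
    ha, fa, da, ca = discrimination_and_bias(*after)
    return {"hit_rate_change": ha - hb, "false_alarm_change": fa - fb,
            "d_prime_change": da - db, "criterion_change": ca - cb}


# Constructed counts: 100 participants, 7 phishing and 7 genuine emails each (700 of each).
BEFORE = (350, 700, 280, 700)
AFTER_BIAS_ONLY = (560, 700, 490, 700)        # rejects more of everything
AFTER_DISCRIMINATION = (560, 700, 140, 700)   # rejects phishing, accepts genuine

if __name__ == "__main__":
    for label, after in (("bias only", AFTER_BIAS_ONLY), ("discrimination", AFTER_DISCRIMINATION)):
        eff = training_effect(BEFORE, after)
        print(label, {k: round(v, 2) for k, v in eff.items()})
```

Both constructed outcomes raise the phishing hit rate from 50% to 80%, so a hit-rate-only evaluation would rate them identically; only the false-alarm rate on genuine emails, and hence d' and c, reveals that the first outcome is the risk-averse bias the paragraph warns about.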

5.2 Limitations and Future Directions

Despite the theoretical and practical contributions of this paper, there are also limitations to the generalisability of its findings. For example, this study included only one phishing and one genuine email with each of the principles, and did not test the influence of multiple principles within an email. Although this was important to limit the effects of respondent fatigue, this still means that the findings in this study may not generalise to other types of emails. Future studies could replicate this methodology with different emails to verify these findings. It is also important to note that social influence can be subjective and although a manipulation check verified that the intended principle matched the principle most frequently perceived to be most present by participants, these principles may not have had the intended effect on all participants in the main study. There are also certain principles, primarily the reciprocity and consistency principles, which tend to rely on an ongoing relationship or communication. For example, the consistency emails used in this study indicate that the recipient has previously donated to charity. This social influence principle is likely to be much more effective if it reflected an actual ongoing relationship, such as the invoice scams described earlier, which appeal to a business's existing relationship with a particular service or product. To minimise this limitation, we used a role-play design, in which participants were told to assume the emails were taken from the inbox of 'Alex Jones' and that 'all emails discuss topics that are relevant to Alex'. However, future research could target participants from a specific university or organisation and present them with both genuine and spear-phishing emails, which are targeted to that particular university or organisation. In this context, social influence principles could appeal to existing relationships and authority figures, likely further increasing participants' susceptibility. Although this study used an indirect measure of phishing susceptibility, which avoided directly informing participants that they were taking part in a phishing study, the fact that participants were asked to judge whether it was okay to click on the link may still have prompted some participants to respond in a more cautious manner. This suggests that actual susceptibility may be higher than the findings in this study. However, it may also have changed behaviour in a qualitatively different manner. Future research should address this limitation more directly by using a methodology less likely to prime participants.

5.3 Conclusion

In conclusion, these findings extend research on email phishing susceptibility, by showing that both social influence and impulsivity can affect how people respond to phishing emails. This supports a dual-process model of persuasion to explain phishing susceptibility. From an individual perspective, the principles that participants considered themselves to be least persuaded by corresponded with the phishing emails they were least susceptible to, and the principles that participants considered to be most persuasive corresponded with the phishing emails they were most susceptible to. These findings imply that an individual's susceptibility to social influence and their tendency towards systematic or intuitive processing could be used to inform training and education, and ultimately reduce the phishing threat.

6. References

Akbar, N. (2014). Analysing persuasion principles in phishing emails. (Masters degree), University of Twente.

Alsharnouby, M., Alaca, F., & Chiasson, S. (2015). Why phishing still works: User strategies for combating phishing attacks. International Journal of Human-Computer Studies, 82, 69-82.

Atkins, B., & Huang, W. (2013). A study of social engineering in online frauds. Open Journal of Social Sciences, 1(03), 23-32.

ATO. (2017). Scam alerts. Retrieved from https://www.ato.gov.au/General/Onlineservices/Identity-security/Scam-alerts/

Australia Post. (2018). Scam alerts. Retrieved from https://auspost.com.au/about-us/about-our-site/online-security-scams-fraud/scam-alerts

Australian Competition and Consumer Commission. (2018). False Billing | Scam Watch. Retrieved from https://www.scamwatch.gov.au/types-of-scams/buying-orselling/false-billing

Briggs, S. R., & Cheek, J. M. (1986). The role of factor analysis in the development and evaluation of personality scales. Journal of Personality, 54(1), 106-148.

Bullée, J.-W. H., Montoya, L., Pieters, W., Junger, M., & Hartel, P. H. (2015). The persuasion and security awareness experiment: reducing the success of social engineering attacks. Journal of Experimental Criminology, 11(1), 97-115.

Butavicius, M., Parsons, K., Pattinson, M., & McCormac, A. (2015, 30 Nov - 4 Dec). Breaching the Human Firewall: Social Engineering in Phishing and Spear-Phishing Emails. Paper presented at the 26th Australasian Conference of Information Systems (ACIS), Adelaide.

Butavicius, M., Parsons, K., Pattinson, M., McCormac, A., Calic, D., & Lillie, M. (2017). Understanding susceptibility to phishing emails: Assessing the impact of individual differences and culture. In S. Furnell & N. L. Clarke (Eds.), Proceedings of the 11th International Symposium on Human Aspects of Information Security & Assurance (HAISA 2017) (pp. 12-23). University of Plymouth.

Canfield, C. I., & Fischhoff, B. (2018). Setting Priorities in Behavioral Interventions: An Application to Reducing Phishing Risk. Risk Analysis, 38(4), 826-838.

Chaiken, S., Wood, W., & Eagly, A. H. (1996). Principles of persuasion. In E. T. Higgins & A. W. Kruglanski (Eds.), Social Psychology: Handbook of Basic Principles (pp. 702-744). New York: Guilford.

Chen, J., Mishler, S., Hu, B., Li, N., & Proctor, R. W. (2018). The description-experience gap in the effect of warning reliability on user trust and performance in a phishing detection context. International Journal of Human-Computer Studies, Advance online publication.

Cialdini, R. B. (2009). Influence: Science and Practice. New York: William Morrow.

Ferguson, A. J. (2005). Fostering e-mail security awareness: The West Point carronade. EDUCAUSE Quarterly, 28(1), 54-57.

Frederick, S. (2005). Cognitive reflection and decision making. Journal of Economic Perspectives, 16(4), 25-42.

Galesic, M., & Bosnjak, M. (2009). Effects of questionnaire length on participation and indicators of response quality in a web survey. Public Opinion Quarterly, 73(2), 349-360.

Guadagno, R. E., & Cialdini, R. B. (2005). Online persuasion and compliance: Social influence on the Internet and beyond. In Y. Amichai-Hamburger (Ed.), The Social Net: The Social Psychology of the Internet (pp. 91-113). Oxford, UK: Oxford University Press.

Guadagno, R. E., & Cialdini, R. B. (2007). Persuade him by email, but see her in person: Online persuasion revisited. Computers in Human Behavior, 23(2), 999-1015.

Guadagno, R. E., & Cialdini, R. B. (2010). Preference for consistency and social influence: A review of current research findings. Social Influence, 5(3), 152-163.

Guadagno, R. E., Muscanell, N. L., Rice, L. M., & Roberts, N. (2013). Social influence online: The impact of social validation and likability on compliance. Psychology of Popular Media Culture, 2, 51.

Guéguen, N., & Jacob, C. (2002). Solicitation by e-mail and solicitor's status: A field study of social influence on the web. CyberPsychology & Behavior, 5(4), 377-383.

Hamilton, K., Shih, S.-I., & Mohammed, S. (2016). The development and validation of the rational and intuitive decision styles scale. Journal of Personality Assessment, 98(5), 523-535.

Hauser, D. J., Ellsworth, P. C., & Gonzalez, R. (2018). Are manipulation checks necessary? Frontiers in Psychology, 9(998), 1-10. doi:10.3389/fpsyg.2018.00998

Jagatic, T. N., Johnson, N. A., Jakobsson, M., & Menczer, F. (2007). Social phishing. Communications of the ACM, 50(10), 94-100.

Kaptein, M., de Ruyter, B., Markopoulos, P., & Aarts, E. (2012). Adaptive persuasive systems: a study of tailored persuasive text messages to reduce snacking. ACM Transactions on Interactive Intelligent Systems (TiiS), 2(2), 10.

Kaptein, M., & Eckles, D. (2012). Heterogeneity in the effects of online persuasion. Journal of Interactive Marketing, 26(3), 176-188.

Kaptein, M., Markopoulos, P., de Ruyter, B., & Aarts, E. (2015). Personalizing persuasive technologies: Explicit and implicit personalization using persuasion profiles. International Journal of Human-Computer Studies, 77, 38-51.

Kumaraguru, P., Rhee, Y., Sheng, S., Hasan, S., Acquisti, A., Cranor, L. F., & Hong, J. (2007). Getting users to pay attention to anti-phishing education: evaluation of retention and transfer. Paper presented at the Proceedings of the Anti-Phishing Working Groups 2nd Annual eCrime Researchers Summit, Pittsburgh, PA.

Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L. F., & Hong, J. (2010). Teaching Johnny not to fall for phish. ACM Transactions on Internet Technology (TOIT), 10(2), 7.

Lawson, P., Zielinska, O. A., Pearson, C., & Mayhorn, C. B. (2017). Interaction of personality and persuasion tactics in email phishing attacks. Proceedings of the Human Factors and Ergonomics Society 2017 Annual Meeting, 61(1), 1331-1333.

Lowry, P. B., Moody, G., Vance, A., Jensen, M., Jenkins, J., & Wells, T. (2012). Using an elaboration likelihood approach to better understand the persuasiveness of website privacy assurance cues for online consumers. Journal of the American Society for Information Science and Technology, 63(4), 755-776.

McCormac, A., Zwaans, T., Parsons, K., Calic, D., Butavicius, M., & Pattinson, M. (2017). Individual Differences and Information Security Awareness. Computers in Human Behavior, 69, 151-156.

McGuire, W. J. (1961). Resistance to persuasion conferred by active and passive prior refutation of the same and alternative counterarguments. The Journal of Abnormal and Social Psychology, 63(2), 326-332.

Meade, A. W., & Craig, S. D. (2012). Identifying careless responses in survey data. Psychological Methods, 17(3), 437-455.

Parsons, K., McCormac, A., Pattinson, M., Butavicius, M., & Jerram, C. (2013). Phishing for the Truth: A Scenario-Based Experiment of Users' Behavioural Response to Emails. In L. J. Janczewski, H. Wolf, & S. Shenoi (Eds.), Security and Privacy Protection in Information Processing Systems - IFIP Advances in Information and Communication Technology (Vol. 405, pp. 366-378): Springer.

Parsons, K., McCormac, A., Pattinson, M., Butavicius, M., & Jerram, C. (2014). Using Actions and Intentions to Evaluate Categorical Responses to Phishing and Genuine Emails. Paper presented at the Proceedings of the Eighth International Symposium on Human Aspects of Information Security and Assurance (HAISA 2014), Plymouth, UK.

Parsons, K., McCormac, A., Pattinson, M., Butavicius, M., & Jerram, C. (2015). The design of phishing studies: Challenges for researchers. Computers & Security: Special Issue on SEC 2013 Conference, 52, 194-206.

Pattinson, M., Jerram, C., Parsons, K., McCormac, A., & Butavicius, M. (2012). Why do some people manage phishing emails better than others? Information Management & Computer Security, 20(1), 18-28.

Perdue, B. C., & Summers, J. O. (1986). Checking the success of manipulations in marketing experiments. Journal of Marketing Research, 23(4), 317-326.

Petty, R. E., & Cacioppo, J. T. (1986). The elaboration likelihood model of persuasion. Advances in Experimental Social Psychology, 19, 123-205.

Pricewaterhouse Coopers (PWC). (2015). Turnaround and transformation in cybersecurity: Key findings from The Global State of Information Security Survey 2016. Retrieved from www.pwc.com/gsiss

Sheng, S., Holbrook, M., Kumaraguru, P., Cranor, L. F., & Downs, J. (2010). Who falls for phish?: a demographic analysis of phishing susceptibility and effectiveness of interventions. Paper presented at the Proceedings of the SIGCHI Conference on Human Factors in Computing Systems.

Steinhoff, L., & Palmatier, R. W. (2016). Understanding loyalty program effectiveness: managing target and bystander effects. Journal of the Academy of Marketing Science, 44(1), 88-107.

Telstra Corporation. (2017). Telstra Cyber Security Report 2017. Retrieved from https://www.telstraglobal.com/images/assets/insights/resources/Telstra_Cyber_Security_Report_2017_-_Whitepaper.pdf

Wang, J., Chen, R., Herath, T., Vishwanath, A., & Rao, H. (2012). Phishing Susceptibility: An Investigation into the Processing of a Targeted Spear Phishing Email. IEEE Transactions on Professional Communication, 55(4), 345-362.

Welk, A. K., Hong, K. W., Zielinska, O. A., Tembe, R., Murphy-Hill, E., & Mayhorn, C. B. (2015). Will the "Phisher-Men" reel you in?: Assessing individual differences in a phishing detection task. International Journal of Cyber Behavior, Psychology and Learning, 5(4), 1-17.

Wright, R. T., Jensen, M. L., Thatcher, J. B., Dinger, M., & Marett, K. (2014). Research note - Influence techniques in phishing attacks: An examination of vulnerability and resistance. Information Systems Research, 25, 385-400.

Zielinska, O. A., Welk, A. K., Mayhorn, C. B., & Murphy-Hill, E. (2016). A temporal analysis of persuasion principles in phishing emails. Paper presented at the Proceedings of the Human Factors and Ergonomics Society Annual Meeting.

Appendix A: Image of consistency and authority emails

[Images of the consistency and authority emails not reproduced in this text extraction.]

Appendix B: Manipulation check results showing the highest ranked principle for each email and participant

Email                   Authority  Consistency  Liking  Reciprocity  Scarcity  Social Proof  No-Principle  Percentage Correct
Authority Genuine       24         2            2       0            0         4             7             62%
Authority Phishing      29         1            2       0            0         3             4             74%
Consistency Genuine     2          13           5       9            3         4             3             33%
Consistency Phishing    4          12           6       7            0         7             3             31%
Liking Genuine          2          4            20      1            1         3             8             51%
Liking Phishing         3          3            19      1            4         2             7             49%
Reciprocity Genuine     2          2            8       9            7         3             8             23%
Reciprocity Phishing    3          4            7       12           3         4             6             31%
Scarcity Genuine        1          2            7       4            17        4             4             44%
Scarcity Phishing       3          0            5       0            24        2             5             51%
Social Proof Genuine    1          2            5       8            4         15            4             38%
Social Proof Phishing   9          2            3       1            0         19            5             49%
None Genuine            11         2            1       1            3         2             19            49%
None Phishing           16         4            2       0            2         3             12            31%

Appendix C: Correlation Table

Variables                  1       2       3       4       5       6       7       8       9       10      11      12
1. Hit Rate                1
2. Age                     .31**   1
3. Gender (2 = Female)     -.01    -.09**  1
4. Percentage of Time      .09**   -.14**  .07*    1
5. STPS Authority          -.24**  -.21**  .01     .00     1
6. STPS Consistency        -.08*   -.08*   .11**   .03     .37**   1
7. STPS Liking             -.16**  -.10**  .00     .01     .25**   .31**   1
8. STPS Reciprocity        -.05    -.06*   .05     .05     .21**   .47**   .39**   1
9. STPS Scarcity           -.24**  -.25**  .03     .03     .47**   .38**   .35**   .30**   1
10. STPS Social Proof      -.35**  -.28**  -.03    .01     .49**   .27**   .36**   .20**   .48**   1
11. Intuitive              -.22**  -.17**  .12**   -.08*   .24**   .22**   .24**   .13**   .38**   .30**   1
12. CRT                    .15**   .08**   -.16**  .08*    -.12**  -.03    -.01    .01     -.10**  -.10**  -.24**  1
Mean                       .53     3.94    1.47    4.20    3.23    3.58    3.52    3.75    3.07    2.89    16.27   .74
SD                         .35     1.37    .50     1.40    .68     .57     .58     .63     .74     .76     3.42    .99

* p < .05, ** p < .01