Using Vigilance to Quantify Human Behavior for Phishing Risk

Phishing attacks target individuals or organizations to steal information (such as credentials) or plant malware to gain broader access to IT systems. This thesis applies research on vigilance, people’s ability to detect anomalies for a sustained period, to phishing risk. I (1) measure the human component of phishing susceptibility, (2) evaluate the validity of that measurement, and (3) demonstrate an approach for applying those measurements to risk analysis and evaluating behavioral interventions. I quantify human performance using signal detection theory (SDT) for a detection task (deciding whether a message is phishing) and a behavior task (deciding what to do about a message). As applied to phishing, SDT distinguishes between users’ ability to tell the difference between phishing and legitimate emails (called sensitivity, or d’) and bias toward identifying uncertain emails as phishing or legitimate (called response bias, or c). I find that users do not sufficiently compensate for their limited detection ability when choosing behaviors, despite incorporating confidence in their ability and their assessment of the consequences of errors into their decisions. I find similar results in an initial convenience (mTurk) sample and a community sample (enrolled in the Security Behavior Observatory (SBO) study). I find weak evidence for external validity of these tasks, given no relationship between performance in the experiment and negative computer security outcomes in real life (e.g. visits to malicious URLs or presence of malicious files). These results prompt discussion of the challenges of comparing behavior in laboratory and complex real-world settings. Lastly, I create an analytic model for evaluating anti-phishing behavioral interventions in the face of random and spear phishing attacks. Our results suggest the value of focusing on more susceptible users, particularly when defending against random attacks. This recommendation applies even when the ability to identify poor detectors is imperfect. Overall, this thesis bridges the vigilance and computer security literature to improve measurement of phishing susceptibility and show the value of assessing behavioral interventions in terms of signal detection theory.