Human risk factors in cybersecurity: Experimental assessment of an academic human attack surface

Cuchta, Tom; Blackwood, Brian; Devine, Thomas R.; Niichel, Robert J.

doi:10.1075/is.22053.cuc

Article published In:

Interaction Studies
Vol. 24:3 (2023) ► pp.437–463

Human risk factors in cybersecurity

Experimental assessment of an academic human attack surface

Tom Cuchta | Fairmont State University | Marshall University

Brian Blackwood | Fairmont State University

Thomas R. Devine | West Virginia University

Robert J. Niichel | Fairmont State University

This article presents an experimental analysis of several cybersecurity risks affecting the human attack surface of Fairmont State University, a mid-size state university. We consider two social engineering experiments: a phishing email barrage and a targeted spearphishing campaign. In the phishing experiment, a total of 4,769 students, faculty, and staff on campus were targeted by 90,000 phishing emails. Throughout these experiments, we explored the effectiveness of three types of phishing awareness training. Our results show that phishing emails that make it through IT’s defenses pose a clear and present threat to large educational organizations. Moreover, we found that simple, visual, instructional guides are more effective training tools than long documents or interactive training.

Keywords: phishing, security, social engineering

Article outline

1.Introduction
- 1.1Research questions
2.Related work
3.Methodology
- 3.1Phishing emails
  - 3.1.1Structural overview
  - 3.1.2Phishing email design
  - 3.1.3Training types
  - 3.1.4Data collection
- 3.2Spearphishing
  - 3.2.1Survey overview
  - 3.2.2Data collection
- 3.3IRB approval process
4.Results
- 4.1Response analysis (Research Question 1)
- 4.2Effectiveness of training (Research Question 2)
- 4.3Time of day analysis (Research Question 3)
- 4.4Effectiveness of warning emails (Research Question 4)
5.Conclusion
- 5.1Limitations
Acknowledgements
Note
References

Published online: 15 February 2024

https://doi.org/10.1075/is.22053.cuc

References (23)

Amos, Z.

(2022) Why do phishing emails have such obvious typos? Security Boulevard.

Burns, A. J., Johnson, M. E., and Caputo, D. D.

(2019) Spear phishing in a barrel: Insights from a targeted phishing campaign. Journal of Organizational Computing and Electronic Commerce, 29(1):24–39.

Competition, A. and Commission, C.

(2018).

Cuchta, T., Blackwood, B., Devine, T. R., Niichel, R. J., Daniels, K. M., Lutjens, C. H., Maibach, S., and Stephenson, R. J.

(2019) Human risk factors in cybersecurity. In Proceedings of the 20th Annual SIG Conference on Information Technology Education. ACM.

Dhamija, R., Tygar, J. D., and Hearst, M.

(2006) Why phishing works. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI ’06, pages 581–590, New York, NY, USA. ACM.

Downs, J. S., Holbrook, M., and Cranor, L. F.

(2007) Behavioral response to phishing risk. In Proceedings of the Anti-phishing Working Groups 2Nd Annual eCrime Researchers Summit, eCrime ’07, pages 37–44, New York, NY, USA. ACM.

Downs, J. S., Holbrook, M. B., and Cranor, L. F.

(2006) Decision strategies and susceptibility to phishing. In Proceedings of the Second Symposium on Usable Privacy and Security, SOUPS ’06, pages 79–90, New York, NY, USA. ACM.

Hanna, K. T.

(2021) Definition: attack surface. WhatIs.com.

Inc, P.

(2019) State of the phish. [URL]

Jones, M.

(2015) The effects of conformity and training in a phishing context: Conforming to the school of phish. Master’s thesis, The University of Alabama in Huntsville.

Khonji, M., Iraqi, Y., and Jones, A.

(2013) Phishing detection: A literature survey. IEEE Communications Surveys Tutorials, 15(4):2091–2121.

Matamoros-Macias;, R. B. K. S. N. S. B. and Ipsen, Y.

(2019) Phishing and cybercrime risks in a university student community. International Journal of Cybersecurity Intelligence & Cybercrime, 21.

Mathews, L.

(2017) Phishing scams cost american businesses half a billion dollars a year. Forbes.

Mimecast

(2019) Email security risk assessment: Quarterly report, june 2019. Accessed: 2019-05-30.

Moody, G. D., Galletta, D. F., and Dunn, B. K.

(2017) Which phish get caught? an exploratory study of individuals’ susceptibility to phishing. European Journal of Information Systems, 26(6):564–584.

Oliveira, D., Rocha, H., Yang, H., Ellis, D., Dommaraju, S., Muradoglu, M., Weir, D., Soliman, A., Lin, T., and Ebner, N.

(2017) Dissecting spear phishing emails for older vs young adults. In Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems. ACM.

Sheng, S., Holbrook, M., Kumaraguru, P., Cranor, L. F., and Downs, J.

(2010) Who falls for phish?: A demographic analysis of phishing susceptibility and effectiveness of interventions. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI ’10, pages 373–382, New York, NY, USA. ACM.

Sheng, S., Magnien, B., Kumaraguru, P., Acquisti, A., Cranor, L. F., Hong, J., and Nunge, E.

(2007) Anti-phishing phil: The design and evaluation of a game that teaches people not to fall for phish. In Proceedings of the 3rd Symposium on Usable Privacy and Security, SOUPS ’07, pages 88–99, New York, NY, USA. ACM.

Technologies, P.

(2019) Cybersecurity threatscape q4 2018. [URL]

Williams, E. J., Hinds, J., and Joinson, A. N.

(2018) Exploring susceptibility to phishing in the workplace. International Journal of Human-Computer Studies, 1201:1–13.

(2018) Exploring susceptibility to phishing in the workplace. International Journal of Human-Computer Studies, 201:1 – 13.

Young-McLear, K., Wyman, G., Benin, J., and Young-McLear, Y.

(2016) A White Hat Approach to Identifying Gaps Between Cybersecurity Education and Training: A Social Engineering Case Study, pages 229–237.

Zhao, R., John, S., Karas, S., Bussell, C., Roberts, J., Six, D., Gavett, B., and Yue, C.

(2017) Design and evaluation of the highly insidious extreme phishing attacks. Computers & Security, 701:634–647.