Tag Archives: phishing

Anatomy of Phishing Tactics and Susceptibility

Bera, Debalina, Gene Moo Lee, Dan J. Kim “Anatomy of Phishing Tactics and Susceptibility: An Investigation of the Dynamics of Phishing Tactics and Contextual Traits in Susceptibility,” Working Paper.

Phishing is a deceptive tactic to create a front of apparent credibility to fraudulently acquire sensitive personal or financial information from an unsuspecting user or espionage system by infiltrating malware or crimeware. Despite automated technological solutions and training interventions, recent phishing statistics show that specifically few phishing tactics are increasing users’ phishing susceptibility (PS). Further, assessing the moderating role of phishing contextual traits in the relationship between phishing tactics and PS indicates the importance of their trait differences. Based on theoretical postulation, employing a sequential mixed method design, and using two sets of data (simulated phishing penetration testing results and scenario-based experiments), we examine the effect of phishing tactics along with the moderating role of individual phishing contextual traits on PS. This study extends the theoretical boundary relevant to phishing tactics and provides practical guidance to identify the most dangerous phishing tactics that increase PS and phishing contextual traits that help to combat phishing attacks.

Understanding Security Vulnerability Awareness, Firm Incentives, and ICT Development in Pan-Asia (JMIS 2020)

Zhuang, Yunhui, Yunsik Choi, Shu He, Alvin Chung Man Leung, Gene Moo Lee, Andrew B. Whinston (2020) Understanding Security Vulnerability Awareness, Firm Incentives, and ICT Development in Pan-Asia. Journal of Management Information Systems, 37(3): 668-693.

This paper investigates how the awareness of a security vulnerability index affects firms’ security protection strategy and how the information awareness effect interacts with firm incentives and country-wide IT development level. The security index is constructed based on outgoing spams and phishing website hosting, which may serve as an indicator of a firm’s security controls. To study whether security vulnerability awareness causes firms to improve their security, we conducted a randomized field experiment on 1,262 firms in six Pan-Asian countries and regions. Among 631 randomly selected treated firms, we alerted them of their security vulnerability index and their relative rankings compared to their peers via advisory emails and websites. Difference-in-differences analyses show that compared with the controls, the treated firms improve their security over time, with a statistically significant reduction of outgoing spam volume according to one of the data sources but not phishing website hosting. However, a statistically significant reduction in phishing website hosting was observed among non-web hosting firms, suggesting that firms’ underlying incentives play an important role in the treatment effect. Lastly, exploiting the multi-country nature of the data, we found that firms in countries with high information and communications technology (ICT) development are more responsive to our intervention because they have higher IT capabilities and more resources to resolve security issues. Our study provides cybersecurity policymakers with useful insights on how firm incentives and ICT environments play roles in firms’ security measure adoption.