Using phishing experiments and scenario-based surveys to understand security behaviours in practice
KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
Swedish national grid.
2014 (English). In: Information Management & Computer Security, ISSN 0968-5227, E-ISSN 1758-5805, Vol. 22, no. 4, pp. 393-406. Article in journal (Refereed). Published.
Abstract [en]

Purpose - The purpose of the study was threefold: to understand security behaviours in practice by investigating factors that may cause an individual to comply with a request posed by a perpetrator; to investigate if adding information about the victim to an attack increases the probability of the attack being successful; and, finally, to investigate if there is a correlation between self-reported and observed behaviour.

Design/methodology/approach - Factors for investigation were identified based on a review of existing literature. Data were collected through a scenario-based survey, phishing experiments, journals and follow-up interviews in three organisations.

Findings - The results from the experiment revealed that the degree of target information in an attack increased the likelihood that an organisational employee falls victim to an actual attack. Further, an individual's trust and risk behaviour significantly affected the actual behaviour during the phishing experiment. Computer experience at work, helpfulness and gender (females tend to be less susceptible to a generic attack than men) had a significant correlation with behaviour reported by respondents in the scenario-based survey. No correlation between the results from the scenario-based survey and the experiments was found.

Research limitations/implications - One limitation is that the scenario-based survey may have been interpreted differently by the participants. Another is that controlling how the participants reacted when receiving the phishing mail, and what actually triggered each and every participant to click on the attached link, was not possible. Data were however collected to capture these aspects during and after the experiments. In conclusion, the results do not imply that one or the other method should be ruled out, as they have both advantages and disadvantages which should be considered in the context of collecting data in the critical domain of information security.

Originality/value - Two different methods to collect data to understand security behaviours have rarely been used together in previous research. Studies that add target information to understand whether such information could increase the probability of attack success are sparse. This paper includes both approaches.

Place, publisher, year, edition, pages
2014. Vol. 22, no 4, 393-406 p.
Keyword [en]
Experiment, Phishing, Security behaviour, Social engineering, Survey method
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
URN: urn:nbn:se:kth:diva-142446
DOI: 10.1108/IMCS-11-2013-0083
Scopus ID: 2-s2.0-84898073317
OAI: oai:DiVA.org:kth-142446
DiVA: diva2:701370
Note

QC 20150206. Updated from accepted to published.

Available from: 2014-03-04. Created: 2014-03-04. Last updated: 2017-12-05. Bibliographically approved.

Open Access in DiVA

No full text

Other links

Publisher's full text; Scopus

Authors/editors
Rocha Flores, Waldo; Holm, Hannes; Svensson, Gustav