Using phishing experiments and scenario-based surveys to understand security behaviours in practice

Information Management and Computer Security

Volumn 22, Issue 4, 2014, Pages 393-406

  Rocha Flores, Waldo ^a   Holm, Hannes ^a   Svensson, Gustav ^a   Ericsson, Göran ^b  

^a ROYAL INSTITUTE OF TECHNOLOGY   (Sweden)

^b Swedish National Grid   (Sweden)

Author keywords

Experiment; Phishing; Security behaviour; Social engineering; Survey method

Indexed keywords

COMPUTER CRIME; DATA ACQUISITION; EXPERIMENTS; SECURITY OF DATA;

COMPUTER EXPERIENCE; DESIGN/METHODOLOGY/APPROACH; PHISHING; PROBABILITY OF ATTACK; SECURITY BEHAVIOUR; SOCIAL ENGINEERING; SURVEY METHODS; TARGET INFORMATION;

SURVEYS;

EID: 84898073317     PISSN: 09685227     EISSN: None     Source Type: Journal    
DOI: 10.1108/IMCS-11-2013-0083     Document Type: Article

References (22)

1. Alseadoon, I., Chan, T., Foo, E. and Nieto, J.G. (2012), "Who is more susceptible to phishing emails?: a Saudi Arabian study", Proceedings of the 23rd Australasian Conference on Information Systems 2012, 3-5 December 2012, Geelong.
2. Applegate, S.D. (2009), "Social engineering: hacking the wetware!", Information Security Journal: A Global Perspective, Vol. 18 No. 1, pp. 40-46.
3. Bakhshi, T., Papadaki, M. and Furnell, S. (2009), "Social engineering: assessing vulnerabilities in practice", Information Management & Computer Security, Vol. 17 No. 1, pp. 53-63.
4. Barwick, H. (2012), "Social engineering, big data top security priorities for 2013: gartner", Computerworld, available at: www. computerworld.com.au/article/441539/social-engineering-big-data-top-security-priorities-2013-gartner-/(accessed 10 January 2013).
5. Bergkvist, L. and Rossiter, J.R. (2007), "The predictive validity of multiple-item versus single-item measures of the same constructs", Journal of Marketing Research, Vol. 44 No. 2, pp. 175-184.
6. Crossler, R.E. Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M. and Baskerville, R. (2013), "Future directions for behavioral information security research", Computers & Security, Vol. 32 No. 1, pp. 90-101.
7. Dhamija, R., Tygar, J.D. and Hearst, M. (2006), "Why phishing works", in Proceedings of the SIGCHI conference on Human Factors in computing systems.
8. D Mitnick, K. and L Simon, W. (2002), The Art of Deception: Controlling the Human Element of Security, Wiley Publishing, Indianapolis, IN.
9. Dodge, R., Carver, C. and Ferguson, A. (2007), "Phishing for user security awareness", Computers & Security, Vol. 26 No. 1, pp. 73-80.
10. Glass, G.V. and Hopkins, K.D. (1995), Statistical Methods in Education and Psychology, 3rd ed., Allyn & Bacon, The University of Michigan, Boston.
11. Holm, H., Rocha Flores, W. and Ericsson, G. (2013), "Cyber security for a smart grid - what about Phishing?", Proceedings of the 4th European Innovative Smart Grid Technologies (ISGT) Conference, Lyngby.
12. Jagatic, T.N., Johnson, N.A., Jakobsson, M. and Menczer, F. (2007), "Social phishing", Communications of the ACM, Vol. 50 No. 10, pp. 94-100.
13. Jakobsson, M. and Ratkiewicz, J. (2006), "Designing ethical phishing experiments", Proceedings of the 15th international conference on World Wide Web -WWW'06, ACM Press, New York, NY, p. 513.
14. Jansson, K. and von Solms, R. (2013), "Phishing for phishing awareness", Behaviour & Information Technology, Vol. 32 No. 6, pp. 584-593.
15. Luo, X., Brody, R., Seazzu, A. and Burd, S. (2011), "Social engineering: the neglected human factor for information security management", Information Resources Management Journal, Vol. 24 No. 3, pp. 1-8.
16. Moos, D.C. and Azevedo, R. (2009), "Learning with computer-based learning environments: a literature review of computer self-efficacy", Review of Educational Research, Vol. 79 No. 2, pp. 576-600.
17. Nohlberg, M. (2005), "Social engineering audits using anonymous surveys - conning the users in order to know if they can be conned", Proceedings of the 4th Security Conference, Las Vegas.
18. Podsakoff, P.M., Mackenzie, S.B., Lee, J.Y. and Podsakoff, N.P. (2003), "Common method biases in behavioral research: a critical review of the literature and recommended remedies", The Journal of applied psychology, Vol. 88 No. 5, pp. 879-903.
19. Provos, N., Mavrommatis, P., Rajab, M.A. and Monrose, F. (2008), "All your iFRAMEs point to Us", Proceedings of the 17th conference on Security symposium, USENIX Association, Johns Hopkins University, pp. 1-15.
20. Rhee, H.-S., Kim, C. and Ryu, Y.U. (2009), "Self-efficacy in information security: its influence on end users' information security practice behavior", Computers & Security, Vol. 28 No. 8, pp. 816-826.
21. Sheng, S., Holbrook, M., Kumaraguru, P., Cranor, L.F. and Downs, J. (2010), "Who falls for phish?", Proceedings of the 28th International Conference on Human Factors in Computing Systems - CHI '10, ACM Press, New York, NY, p. 373.
22. Workman, M. (2008), "Wisecrackers: a theory-grounded investigation of phishing and pretext social engineering threats to information security", Journal of the American Society for Information Science and Technology, Vol. 59 No. 4, pp. 662-674.