量化钓鱼攻击易感性以支持检测与行为决策

Quantifying Phishing Susceptibility for Detection and Behavior Decisions

Human Factors The Journal of the Human Factors and Ergonomics Society · 2016
被引 123 · 同刊同年前 10%
ABS 3

中文导读

运用信号检测理论测量用户对钓鱼攻击的易感性,发现检测能力有限且与信心正相关,行为决策受后果感知影响,为安全干预提供量化评估方法。

Abstract

OBJECTIVE: We use signal detection theory to measure vulnerability to phishing attacks, including variation in performance across task conditions. BACKGROUND: Phishing attacks are difficult to prevent with technology alone, as long as technology is operated by people. Those responsible for managing security risks must understand user decision making in order to create and evaluate potential solutions. METHOD: Using a scenario-based online task, we performed two experiments comparing performance on two tasks: detection, deciding whether an e-mail is phishing, and behavior, deciding what to do with an e-mail. In Experiment 1, we manipulated the order of the tasks and notification of the phishing base rate. In Experiment 2, we varied which task participants performed. RESULTS: In both experiments, despite exhibiting cautious behavior, participants' limited detection ability left them vulnerable to phishing attacks. Greater sensitivity was positively correlated with confidence. Greater willingness to treat e-mails as legitimate was negatively correlated with perceived consequences from their actions and positively correlated with confidence. These patterns were robust across experimental conditions. CONCLUSION: Phishing-related decisions are sensitive to individuals' detection ability, response bias, confidence, and perception of consequences. Performance differs when people evaluate messages or respond to them but not when their task varies in other ways. APPLICATION: Based on these results, potential interventions include providing users with feedback on their abilities and information about the consequences of phishing, perhaps targeting those with the worst performance. Signal detection methods offer system operators quantitative assessments of the impacts of interventions and their residual vulnerability.

网络安全用户行为信号检测理论钓鱼攻击