The Phishing Funnel Model: A Design Artifact to Predict User Susceptibility to Phishing Websites
Publication type:
Article
Authors:
Abbasi, Ahmed; Dobolyi, David; Vance, Anthony; Zahedi, Fatemeh Mariam
Affiliations:
University of Notre Dame; Pennsylvania Commonwealth System of Higher Education (PCSHE); Temple University; University of Wisconsin System; University of Wisconsin Milwaukee
Journal:
INFORMATION SYSTEMS RESEARCH
ISSN/ISBN:
1047-7047
DOI:
10.1287/isre.2020.0973
Publication date:
2021
Pages:
410-436
Keywords:
information-systems security
TECHNOLOGY
internet
analytics
threats
trust
vulnerability
metaanalysis
acceptance
Intention
Abstract:
Phishing is a significant security concern for organizations, threatening employees and members of the public. Phishing threats against employees can lead to severe security incidents, whereas those against the public can undermine trust, satisfaction, and brand equity. At the root of the problem is the inability of Internet users to identify phishing attacks even when using anti-phishing tools. We propose the phishing funnel model (PFM), a design artifact for predicting user susceptibility to phishing websites. PFM incorporates user, threat, and tool-related factors to predict actions during four key stages of the phishing process: visit, browse, consider legitimate, and intention to transact. We used a support vector ordinal regression with a custom kernel encompassing a cumulative-link mixed model for representing users' decisions across funnel stages. We evaluated the efficacy of PFM in a 12-month longitudinal field experiment in two organizations involving 1,278 employees and 49,373 phishing interactions. PFM significantly outperformed competing models/methods by 8%-52% in area under the curve, correctly predicting visits to high-severity threats 96% of the time, a result 10% higher than the nearest competitor. A follow-up three-month field study revealed that employees using PFM were significantly less likely to interact with phishing threats relative to comparison models and baseline warnings. Furthermore, a cost-benefit analysis showed that interventions guided by PFM resulted in phishing-related cost reductions of nearly $1,900 per employee more than comparison prediction methods. These results indicate strong external validity for PFM.
Our findings have important implications for practice by demonstrating (1) the effectiveness of predicting user susceptibility to phishing as a real-time protection strategy, (2) the value of modeling each stage of the phishing process together, rather than focusing on a single user action, and (3) the considerable impact of anti-phishing tool and threat-related factors on susceptibility to phishing.
Source URL: