Abstract

The rate of phishing attacks is increasing over time. Although hackers design emails with cognitive biases for their phishing attacks to succeed, little is known about how effectively these biases fool people via phishing emails. Also, little is known about how machine learning algorithms can predict the human tendency to get phished via phishing emails in the presence of human attributes. In this paper, the main objective is to investigate how the presence of two cognitive biases, authority bias (the tendency of humans to be influenced by emails sent by an authority) and hyperbolic discounting bias (the inclination of humans towards immediate rewards), influences human decision making via a phishing email detection simulation. In an experiment, 210 participants judged emails to be genuine or phishing. The next part of this research predicted the human responses to phishing emails captured in the experiment via machine learning models such as logistic regression (LR), multinomial Naive Bayes (MNB), decision tree (DT), and Random Forest (RF). The results from the study conducted on humans revealed that the authority bias was more effective compared to hyperbolic discounting in phishing humans. Furthermore, the LR classifier effectively predicted human responses in the presence of cognitive biases and human attributes with training and test accuracy of around 90.77% and 82.70%, respectively. We discuss the implications of this work for real-world phishing attacks.
