AbstractPhishing e-mails are fraudulent e-mails used to gain access to sensitive information or secure computer systems. They persuade users to click on malicious links, download attachments or provide sensitive information, such as usernames or passwords. One approach that aims to reduce people’s susceptibility to phishing is the provision of information to users regarding the phishing threat and the techniques used within phishing e-mails. In line with this, awareness campaigns are often used within organizations and wider society to raise awareness of phishing and encourage people to engage with protective information. However, the potential effectiveness of such approaches in reducing susceptibility remains uncertain. In particular, there is a lack of research investigating (i) whether the propensity to access such information may in itself influence susceptibility to phishing and (ii) the different factors that motivate people to engage with information in the first place. In order to understand how current and future interventions regarding phishing may be consumed by users, as well as their potential impact on phishing susceptibility, it is important to conduct theoretically based research that provides a foundation to investigate these issues. This study provides a first step in addressing this by developing and validating a theoretically based survey measure across two studies centred upon the constructs of protection motivation theory (perceived vulnerability, severity, self-efficacy and response efficacy) to assess the factors that influence whether people choose to keep up to date with protective information about phishing. This survey measure is then used within Study 2 to provide an initial investigation of the role of these constructs in (i) self-reported user intentions to keep up to date with phishing techniques in the future and (ii) phishing discrimination ability, assessed using a phishing quiz. Overall, higher perceived threat severity, self-efficacy and response efficacy were associated with greater intentions, while greater perceived vulnerability was associated with lower intentions. No relationship was found with phishing discrimination ability. By understanding the factors that influence user intention to maintain knowledge and seek information about phishing threats, it will be possible to ensure that, as effective interventions are developed, their potential impact can be maximized.
Read full abstract