Pause for a Cybersecurity Cause: Assessing the Influence of a Waiting Period on User Habituation in Mitigation of Phishing Attacks

Author

Amy Antonucci, Nova Southeastern UniversityFollow

Date of Award

2021

Document Type

Dissertation

Degree Name

Doctor of Philosophy (PhD)

Department

College of Computing and Engineering

Advisor

Yair Levy

Committee Member

Laurie P. Dringus

Committee Member

Martha M. Snyder

Keywords

cybersecurity, mobile, phishing, timers

Abstract

Social engineering costs organizations billions of dollars a year. Social engineering exploits the weakest link of information security systems, the people who are using them. Phishing is a form of social engineering in which the perpetrator depends on the victim’s instinctual thinking towards an email designed to create a fear or excitement response. It is well-documented in literature that users continue to click on phishing emails costing them and their employers significant monetary resources and data loss. Training does not appear to mitigate the effects of phishing much; other solutions are necessary to mitigate phishing.

Kahneman introduced the concepts of System One and System Two thinking. System One is a quick, instinctual decision-making process. Examples of System One processes are orienting to a sudden sound or an experienced driver pressing the brake when faced with road danger. In contrast, Kahneman identified the process by which humans use a slow, logical process as System Two. System Two requires attention, is much slower, and is easily disrupted. Examples of System Two are looking for a person with a certain characteristic or checking the validity of a complex logical argument. The key aim of this study was to investigate if requiring the user to pause by presenting a countdown or count-up timer when a possible phishing email is opened will influence the user to enter System Two thinking.

This study designed, developed, and empirically tested a Pause and Think (PAT) mobile app that presented a user with a warning dialog and either a countdown or count-up timer whenever an email with a link was opened. The user was not able to interact with the email until the timer expired. The main goal of this research study was to determine whether requiring e-mail users to pause and wait for a colored warning with a timer when they are presented with a potentially malicious link has any effect on the percentage of falling to phishing attempts. The experimental field study was completed in three phases in which 42 subject matter experts and 107 participants took part. The results indicated that a countdown timer set at three seconds accompanied by red warning text was most effective (p<0.001) on the user’s ability to avoid clicking on a malicious link or attachment. Recommendations for future research include enhancements to the PAT mobile app and investigating what effect the time of day has on susceptibility to phishing.

NSUWorks Citation

Amy Antonucci. 2021. Pause for a Cybersecurity Cause: Assessing the Influence of a Waiting Period on User Habituation in Mitigation of Phishing Attacks. Doctoral dissertation. Nova Southeastern University. Retrieved from NSUWorks, College of Computing and Engineering. (1152)
https://nsuworks.nova.edu/gscis_etd/1152.