CCE Theses and Dissertations

Degree Name

Doctor of Philosophy (PhD)


College of Computing and Engineering


Yair Levy

Committee Member

Laurie P. Dringus

Committee Member

Martha M. Snyder


Social engineering costs organizations billions of dollars a year. Social engineering exploits the weakest link of information security systems: the people who use them. Phishing is a form of social engineering in which the perpetrator depends on the victim’s instinctual thinking in response to an email designed to create a fear or excitement response. It is well documented in the literature that users continue to click on phishing emails, costing them and their employers significant monetary resources and data loss. Training does not appear to mitigate the effects of phishing much; other solutions are necessary.

Kahneman introduced the concepts of System One and System Two thinking. System One is a quick, instinctual decision-making process. Examples of System One processes are orienting to a sudden sound or an experienced driver pressing the brake when faced with road danger. In contrast, Kahneman identified System Two as the slow, logical decision-making process. System Two requires attention, is much slower, and is easily disrupted. Examples of System Two are looking for a person with a certain characteristic or checking the validity of a complex logical argument. The key aim of this study was to investigate whether requiring the user to pause, by presenting a countdown or count-up timer when a possible phishing email is opened, would influence the user to enter System Two thinking.

This study designed, developed, and empirically tested a Pause and Think (PAT) mobile app that presented a user with a warning dialog and either a countdown or count-up timer whenever an email with a link was opened. The user was not able to interact with the email until the timer expired. The main goal of this research study was to determine whether requiring email users to pause and wait for a colored warning with a timer, when they are presented with a potentially malicious link, has any effect on the percentage of users falling for phishing attempts. The experimental field study was completed in three phases in which 42 subject matter experts and 107 participants took part. The results indicated that a countdown timer set at three seconds accompanied by red warning text had the greatest effect (p<0.001) on the user’s ability to avoid clicking on a malicious link or attachment. Recommendations for future research include enhancements to the PAT mobile app and investigating what effect the time of day has on susceptibility to phishing.