"An Empirical Assessment on the Role of Persuasion Principles and Cyber" by Brian Bisceglia
 

CCE Theses and Dissertations

Campus Access Only

All rights reserved. This publication is intended for use solely by faculty, students, and staff of Nova Southeastern University. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, now known or later developed, including but not limited to photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the author or the publisher.

Date of Award

2024

Document Type

Dissertation - NSU Access Only

Degree Name

Doctor of Philosophy Cybersecurity Management

Department

College of Computing and Engineering

Advisor

Gregory Simco

Committee Member

Wei Li

Committee Member

Carlene Blackwood-Brown

Keywords

Cybersecurity, Decision-making, Persuasion, Phishing, Seniors, SETA

Abstract

Cyber and phishing incidents have cost senior citizens billions of dollars. Cybercriminals often employ different attack vectors over different mediums to deliver phishing attacks. For example, phishing emails, SMiShing messages, and vishing attacks use the Internet, Short Message Service (SMS) messages, and voice, respectively, as their delivery mediums. Phishing attacks are often successful because attackers use different principles of persuasion to increase a person's susceptibility. These principles include authority; social proof; liking, similarity, deception; commitment, reciprocation, consistency; and distraction. Attackers often use combinations of these principles in dyads and triads to make their attacks more persuasive. In addition, phishing attacks can use social engineering techniques to manipulate victims into performing actions against their best interest.

A person’s susceptibility to a phishing attack can also be affected when the intended victim makes a decision about the attack with what Kahneman called System 1. Kahneman introduced two systems of decision-making - System 1 and System 2. System 1 operates quickly and effortlessly, making decisions based on mental shortcuts or heuristics. On the other hand, System 2 is responsible for more thoughtful and slower decision-making processes, which may involve deeper analysis. Although System 1 can quickly and easily make decisions related to phishing attacks, it is prone to making poor decisions. However, with proper training, System 1 can learn to make better decisions. Furthermore, individuals who are 60 years old or older may be more likely to make mistakes when making decisions compared to younger individuals.

This empirical study investigated the SMiShing attack vector, the vector’s use of the principles of persuasion, and the effectiveness of Security, Education, Training, and Awareness (SETA) training in reducing senior citizens’ susceptibility to these SMiShing attacks. The main research question was: Does attending a training program that includes principles of persuasion affect senior citizens’ susceptibility to SMiShing?

In answering this main research question, this study evaluated the impact of the individual operationalized principles of persuasion within simulated SMiShing messages before and after attending a novel cybersecurity training program. This study developed a new instrument that included simulated SMiShing and legitimate SMS messages that were validated by subject matter experts. The pretest and posttest data were collected via Google Forms on the participants’ cellphones. This study included 118 participants who were 60 years or older. The pretest group included 63 participants until pre-screening data analysis was completed, where four were removed due to response bias and one due to not being 60 years or older. The posttest group included 60 participants, and none was removed during the pre-screening data analysis.

In assessing the impact of the individual principles of persuasion on senior citizens’ susceptibility to simulated SMiShing, this study analyzed the results of a multiple linear regression analysis. None of the individual principles of persuasion had a statistically significant impact. These results may have been due to the high intercorrelations between the individual principles of persuasion or the small sample size. In assessing whether the pretest and posttest groups had a significant mean difference in their susceptibility to simulated SMiShing before and after the training, an Analysis of Variance (ANOVA) was conducted. The results of the ANOVA showed that there was a significant mean difference in the groups’ susceptibility to simulated SMiShing. Moreover, the posttest group was more likely to identify a SMiShing message (with operationalized principles of persuasion) than the pretest group, as indicated by the pretest total SMiShing susceptibility mean score of 73.627% and the posttest total SMiShing susceptibility mean score of 79.282% (N=118). Additionally, an Analysis of Covariance (ANCOVA) was conducted to determine whether any covariate or demographic indicator had a significant effect on senior citizens’ susceptibility to simulated SMiShing before and after attending the novel cybersecurity training program. The results of the ANCOVA showed that one demographic indicator, age, was a statistically significant covariate of senior citizens’ susceptibility to simulated SMiShing attacks before and after training. Moreover, age was positively related to senior citizens’ susceptibility to SMiShing.

This study contributes to the existing body of knowledge by increasing the understanding of phishing attacks that incorporate operationalized principles of persuasion. It helps address the shortage of knowledge related to the SMiShing attack’s use of the principles of persuasion. In addition, this study contributes to the body of knowledge regarding the inclusion of the principles of persuasion in cybersecurity training programs designed to reduce susceptibility to SMiShing attacks. The practical implications of this study include helping the participants of the cybersecurity training program to reduce their vulnerability to SMiShing attacks. Additionally, it demonstrates that understanding the principles of persuasion used in malicious messages could assist in reducing susceptibility to other types of attacks in other training programs, such as those aimed at reducing children’s vulnerability to online predators.
