Do Certain Traits Make People Vulnerable to Phishing?
By Andy Green
The Computer Emergency Response Team (CERT) at Carnegie Mellon University is a research institute devoted to computer and network security. CERT is often cited by other security researchers, and for good reason: they have deep knowledge of vulnerabilities and have developed cyber-engineering techniques both to analyze and to prevent attacks. CERT also has an entire practice area focused on a favorite topic of ours: phishing and insider threats.
The publications and research they conduct lean, not surprisingly, towards the academic. So, what has the Ivory Tower been focused on?
According to a CERT paper reviewing the current state of phishing studies, researchers have been exploring whether or not there’s a link between broad demographic categories and the likelihood of taking phishing bait.
Researchers examined age, gender, personality (agreeableness, openness, etc.), and even culture as possible predictors, but they came up empty-handed. There is no strong evidence to support the theory that any of these broad categories is related to phishing susceptibility.
However, there are some interesting statistics referenced in the CERT report.
For example, studies show no difference in phish mail click rates between Western and non-Western subjects. In fact, the research points to a more universal result: there will always be between 3% and 11% of the population who will take the bait.
There are other schools of thought that have looked beyond demographics into human factors—traits related to memory, attention, risk tolerance, and even attitudes towards compliance. There are some interesting results here as well.
One researcher noted that people judge relevance before authenticity when reading email. In other words, if the content in some way resonates with them, they will accept directions to visit sites or download attachments regardless of other cues or signs of legitimacy—for example, the non-standard URL addresses in phish mail. Obviously, this tendency has been exploited in spear phishing, where the attackers have more granular details about the subject and can create more enticing content.
Is there a compliance observance trait?
There may not be a compliance gene, but studies have shown that employee attitudes and beliefs about their work environment do influence whether they will follow good security practices. For example, if they feel that IT rules on phishing—reporting spam, or only downloading software from approved sites—are getting in the way of doing their job, they likely won't play by the rules.
However, there are ways to win over these employees. One strategy is to show them that the organization takes security seriously by explaining the huge benefits of being more compliant.
And, yes, there are likely some gamification opportunities here: handing out gift cards for reporting phish mails, or even phishing your own employees—as one company did—and reporting the results.
The CMU CERT group also maintains a database of actual phishing incidents, and from it they have been able to discover some interesting patterns about how these attacks are carried out.