Better beware: comparing metacognition for phishing and legitimate emails

Every electronic message poses some threat of being a phishing attack. If recipients underestimate that threat, they expose themselves, and those connected to them, to identity theft, ransom, malware, or worse. If recipients overestimate that threat, then they incur needless costs, perhaps reducing their willingness and ability to respond over time. In two experiments, we examined the appropriateness of individuals’ confidence in their judgments of whether email messages were legitimate or phishing, using calibration and resolution as metacognition metrics. Both experiments found that participants had reasonable calibration but poor resolution, reflecting a weak correlation between their confidence and knowledge. These patterns differed for legitimate and phishing emails, with participants being better calibrated for legitimate emails, except when expressing complete confidence in their judgments, but consistently overconfident for phishing emails. The second experiment compared performance on the laboratory task with individuals’ actual vulnerability, and found that participants with better resolution were less likely to have malicious files on their home computers. That comparison raised general questions about the design of anti-phishing training and of providing feedback essential to self-regulated learning.

• Publication year

  2019

• Venue

  Metacognition and Learning

• Publication date

  2019-03-25

• Fields of study

  Computer Science, Psychology

• Identifiers
  DOI 10.1007/s11409-019-09197-5
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• Correction to: Better beware: comparing metacognition for phishing and legitimate emails

  2019cited by this paper
• Replication challenges

  2019influential reference
• It's the deceiver, not the receiver: No individual differences when detecting deception in a foreign and a native language

  2018cited by this paper
• Social Phishing

  2018cited by this paper
• It’s the deceiver and the receiver: Individual differences in phishing susceptibility and false positives with item profiling

  2018cited by this paper
• Fake news, phishing, and fraud: a call for research on digital media literacy education beyond the classroom

  2018cited by this paper
• Lipidomic analysis of immune activation in equine leptospirosis and Leptospira-vaccinated horses

  2018cited by this paper
• Subjective Confidence Predicts Information Seeking in Decision Making

  2018cited by this paper
• Serious games may improve physician heuristics in trauma triage

  2018cited by this paper
• An Examination of the Calibration and Resolution Skills in Phishing Email Detection

  2016influential reference
• Detecting deceptive behaviour after the fact.

  2016cited by this paper
• Do or Do Not, There Is No Try: User Engagement May Not Improve Security Outcomes

  2016cited by this paper
• Overconfidence in Phishing Email Detection

  2016cited by this paper
• Does Training Improve the Detection of Deception? A Meta-Analysis

  2016cited by this paper
• Replication: Challenges in Using Data Logs to Validate Phishing Detection Ability Metrics

  2016influential reference
• Quantifying Phishing Susceptibility for Detection and Behavior Decisions

  2016cited by this paper
• The Role of Human Factors/Ergonomics in the Science of Security

  2015cited by this paper
• Identifying and Cultivating Superforecasters as a Method of Improving Probabilistic Predictions

  2015cited by this paper
• Building the security behavior observatory: an infrastructure for long-term monitoring of client machines

  2014cited by this paper
• How to measure metacognition

  2014cited by this paper
• Measuring critical components of digital literacy and their relationships with learning

  2014cited by this paper
• Assessing randomness and complexity in human motion trajectories through analysis of symbolic sequences

  2014cited by this paper
• Security Behavior Observatory: Infrastructure for Long-term Monitoring of Client Machines (CMU-CyLab-14-009)

  2014cited by this paper
• Prevalence effects in newly trained airport checkpoint screeners: trained observers miss rare targets, too.

  2013cited by this paper
• If You Don’t Find It Often, You Often Don’t Find It: Why Some Cancers Are Missed in Breast Cancer Screening

  2013cited by this paper
• Orthosteric Binding of ρ-Da1a, a Natural Peptide of Snake Venom Interacting Selectively with the α1A-Adrenoceptor

  2013cited by this paper
• Why Do Some People Manage Phishing Emails Better Than Others?

  2012cited by this paper
• Metacognition in human decision-making: confidence and error monitoring

  2012cited by this paper
• The media and the literacies: media literacy, information literacy, digital literacy

  2011influential reference
• Bridging the Gap in Computer Security Warnings: A Mental Model Approach

  2011cited by this paper
• Human Performance in Cybersecurity

  2011cited by this paper
• A market-based bandwidth charging framework

  2010cited by this paper
• Teaching Johnny not to fall for phish

  2010cited by this paper
• Pitfalls and Opportunities in Nonverbal and Verbal Lie Detection

  2010cited by this paper
• Are Your Participants Gaming the System? Screening Mechanical Turk Workers

  2010cited by this paper
• Running experiments on Amazon Mechanical Turk

  2010cited by this paper
• Who falls for phish?: a demographic analysis of phishing susceptibility and effectiveness of interventions

  2010cited by this paper
• An integrated view of human, organizational, and technological challenges of IT security management

  2009cited by this paper
• 2009 Data Breach Investigations Report

  2009cited by this paper
• Individual differences in judging deception: accuracy and bias.

  2008cited by this paper
• A Framework for Reasoning About the Human in the Loop

  2008cited by this paper
• Focusing the Conceptual Lens on Metacognition, Self-regulation, and Self-regulated Learning

  2008cited by this paper
• Low target prevalence is a stubborn source of errors in visual search tasks.

  2007cited by this paper
• Detection of Deception

  2007cited by this paper
• Social phishing

  2007cited by this paper
• Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish

  2007cited by this paper
• Decision strategies and susceptibility to phishing

  2006influential reference
• Accuracy of Deception Judgments

  2006cited by this paper
• Metacognition and learning: conceptual and methodological considerations

  2006cited by this paper
• Self-regulation in error management training: emotion control and metacognition as mediators of performance effects.

  2005cited by this paper
• Digital Literacy: A Conceptual Framework for Survival Skills in the Digital era

  2004cited by this paper
• Information Literacy in Higher Education: A review and case study

  2003cited by this paper
• The comparative psychology of uncertainty monitoring and metacognition.

  2003cited by this paper
• Confidence and accuracy of near-threshold discrimination responses.

  2001cited by this paper
• What does and does not alleviate base-rate neglect under direct experience

  1999cited by this paper
• The effects of feedback interventions on performance: A historical review, a meta-analysis, and a preliminary feedback intervention theory.

  1996cited by this paper
• Countering loss of vigilance in sonar watchstanding using signal injection and performance feedback

  1994cited by this paper
• Decision making in online searching

  1988cited by this paper
• Search success and expectations with a computer interface

  1987cited by this paper
• Calibrating databases

  1986influential reference
• External correspondence: Decompositions of the mean probability score

  1982cited by this paper
• Calibration of probabilities: the state of the art to 1980

  1982cited by this paper
• Training for calibration.

  1980cited by this paper
• Calibration of Probabilities: The State of the Art

  1977cited by this paper
• Do those who know more also know more about how much they know?*1

  1977cited by this paper
• VERIFICATION OF FORECASTS EXPRESSED IN TERMS OF PROBABILITY

  1950cited by this paper

• ImmuniFraug: A Metacognitive Intervention Anti-Fraud Approach to Enhance Undergraduate Students' Cyber Fraud Awareness

  2026cites this paper
• Spot the Scam: Identifying Email Scams and Scam Susceptibility in Younger and Older Adults.

  2026cites this paper
• Precision Email Simulator for Research on Safety-Critical Phishing Behaviour

  2025cites this paper
• The Role of Cognitive Skills in Phishing Detection: A Comparative Study Between Chess Players and Non-Chess Players

  2025cites this paper
• Anti-Phishing Training (Still) Does Not Work: A Large-Scale Reproduction of Phishing Training Inefficacy Grounded in the NIST Phish Scale

  2025cites this paper
• Securing the Weakest Link: Exploring Affective States Exploited in Phishing Emails With Large Language Models

  2025cites this paper
• Which phish is captured in the net? Understanding phishing susceptibility and individual differences

  2023cites this paper
• An artificial intelligence perspective: How knowledge and confidence shape risk and benefit perception

  2023cites this paper
• Metacognition, public health compliance, and vaccination willingness

  2023cites this paper
• The Metacognitive Demands and Opportunities of Generative AI

  2023cites this paper
• False certainty in the acquisition of anatomical and physiotherapeutic knowledge

  2022cites this paper
• Is the key to phishing training persistence?: Developing a novel persistent intervention.

  2022cites this paper
• SoK: Human-centered Phishing Susceptibility

  2022influential citation
• IT assimilation: construct, measurement, and implications in cybersecurity

  2022cites this paper
• Holding Your Hand on the Danger Button

  2022cites this paper
• Using contextual factors to predict information security overconfidence: A machine learning approach

  2022cites this paper
• An Examination of The Role of Big Five Personality Traits, Cognitive Processes And Heuristics on Individuals’ Phishing Attack Susceptibility Levels (preprint)

  2022cites this paper
• Metacognitive Skills in Phishing Email Detection: A Study of Calibration and Resolution

  2021cites this paper
• Illusion of explanatory depth and social desirability of historical knowledge

  2021cites this paper
• Insight into the accuracy of COVID-19 beliefs predicts behavior during the pandemic

  2021cites this paper
• Cybersecurity Training in the Healthcare Workforce – Utilization of the ADDIE Model

  2021cites this paper
• So Many Phish, So Little Time: Exploring Email Task Factors and Phishing Susceptibility

  2021cites this paper
• Scam Augmentation and Customization: Identifying Vulnerable Users and Arming Defenders

  2020cites this paper
• Don’t click: towards an effective anti-phishing training. A comparative literature review

  2020cites this paper
• Applied metacognition and separation of confidence and accuracy in correlational studies

  2019cites this paper
• Introduction to the special Issue “applied metacognition: real-world applications beyond learning”

  2019cites this paper