Quantifying Phishing Susceptibility for Detection and Behavior Decisions

Objective: We use signal detection theory to measure vulnerability to phishing attacks, including variation in performance across task conditions. Background: Phishing attacks are difficult to prevent with technology alone, as long as technology is operated by people. Those responsible for managing security risks must understand user decision making in order to create and evaluate potential solutions. Method: Using a scenario-based online task, we performed two experiments comparing performance on two tasks: detection, deciding whether an e-mail is phishing, and behavior, deciding what to do with an e-mail. In Experiment 1, we manipulated the order of the tasks and notification of the phishing base rate. In Experiment 2, we varied which task participants performed. Results: In both experiments, despite exhibiting cautious behavior, participants’ limited detection ability left them vulnerable to phishing attacks. Greater sensitivity was positively correlated with confidence. Greater willingness to treat e-mails as legitimate was negatively correlated with perceived consequences from their actions and positively correlated with confidence. These patterns were robust across experimental conditions. Conclusion: Phishing-related decisions are sensitive to individuals’ detection ability, response bias, confidence, and perception of consequences. Performance differs when people evaluate messages or respond to them but not when their task varies in other ways. Application: Based on these results, potential interventions include providing users with feedback on their abilities and information about the consequences of phishing, perhaps targeting those with the worst performance. Signal detection methods offer system operators quantitative assessments of the impacts of interventions and their residual vulnerability.

• Publication year

  2016

• Venue

  Hum. Factors

• Publication date

  2016-08-25

• Fields of study

  Medicine, Computer Science, Psychology

• Identifiers
  DOI 10.1177/0018720816665025PMID 27562565
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar, PubMed

• No claims are published for this paper.

• No concepts are published for this paper.

• Acta Psychologica

  2017cited by this paper
• The Myth of the Average User: Improving Privacy and Security Systems through Individualization

  2015cited by this paper
• Environmental risk perception from visual cues: the psychophysics of tornado risk perception

  2015cited by this paper
• The Role of Human Factors/Ergonomics in the Science of Security

  2015cited by this paper
• Will the "Phisher-Men" Reel You In?: Assessing Individual Differences in a Phishing Detection Task

  2015influential reference
• The Effect of Decentralized Behavioral Decision Making on System‐Level Risk

  2014influential reference
• A signal detection theory analysis of racial and ethnic disproportionality in the referral and substantiation processes of the U.S. child welfare services system

  2014cited by this paper
• More Is Not the Answer

  2014cited by this paper
• “Utilizing” Signal Detection Theory

  2014influential reference
• Identifying the Effects of Unjustified Confidence versus Overconfidence: Lessons Learned from Two Analytic Methods.

  2014cited by this paper
• Reducing online identity disclosure using warnings.

  2014cited by this paper
• Investigating phishing victimization with the Heuristic-Systematic Model: A theoretical framework and an exploration

  2013cited by this paper
• When is it time to move to the next raspberry bush? Foraging rules in human visual search.

  2013cited by this paper
• Prevalence effects in newly trained airport checkpoint screeners: trained observers miss rare targets, too.

  2013cited by this paper
• Evaluating Amazon's Mechanical Turk as a Tool for Experimental Behavioral Research

  2013cited by this paper
• Sources of non-compliance with clinical practice guidelines in trauma triage: a decision science study

  2012cited by this paper
• Training users to counteract phishing

  2012cited by this paper
• Research Article Phishing Susceptibility: An Investigation Into the Processing of a Targeted Spear Phishing Email

  2012cited by this paper
• Implementation of the CALM intervention for anxiety disorders: a qualitative study

  2012cited by this paper
• Conducting behavioral research on Amazon’s Mechanical Turk

  2011cited by this paper
• Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model

  2011cited by this paper
• Running experiments on Amazon Mechanical Turk

  2010cited by this paper
• Are Your Participants Gaming the System? Screening Mechanical Turk Workers

  2010cited by this paper
• The Influence of Experiential and Dispositional Factors in Phishing: An Empirical Investigation of the Deceived

  2010cited by this paper
• It won't happen to me: Promoting secure behaviour among internet users

  2010cited by this paper
• Where Did They Go Right? Understanding the Deception in Phishing Communications

  2010cited by this paper
• Who falls for phish?: a demographic analysis of phishing susceptibility and effectiveness of interventions

  2010influential reference
• Teaching Johnny not to fall for phish

  2010influential reference
• So long, and no thanks for the externalities: the rational rejection of security advice by users

  2009cited by this paper
• Homo economicus in visual search.

  2009influential reference
• 2009 Data Breach Investigations Report

  2009cited by this paper
• Vigilance Requires Hard Mental Work and Is Stressful

  2008cited by this paper
• Perceptual Mechanisms That Characterize Gender Differences in Decoding Women's Sexual Intent

  2008cited by this paper
• The trouble with overconfidence.

  2008cited by this paper
• A Framework for Reasoning About the Human in the Loop

  2008cited by this paper
• The role of experience in decisions from description

  2007cited by this paper
• Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish

  2007cited by this paper
• Low target prevalence is a stubborn source of errors in visual search tasks.

  2007influential reference
• Why phishing works

  2006cited by this paper
• Decision strategies and susceptibility to phishing

  2006cited by this paper
• I Downloaded What?: An Examination of Computer Security Decisions

  2006cited by this paper
• Toward a unified theory of decision criterion learning in perceptual categorization.

  2002cited by this paper
• What does and does not alleviate base-rate neglect under direct experience

  1999cited by this paper
• Computerized assessment of sustained attention: a review of factors affecting vigilance performance.

  1996influential reference
• Meta-analysis of the sensitivity decrement in vigilance.

  1995cited by this paper
• Corrections for extreme proportions and their biasing effects on estimated values ofd′

  1995cited by this paper
• Detection Theory: A User's Guide

  1991influential reference
• Calibrating databases

  1986cited by this paper
• Training for calibration.

  1980cited by this paper
• Speed-accuracy tradeoff and information processing dynamics

  1977cited by this paper
• Mathematical psychology : an elementary introduction

  1970cited by this paper
• The Breakdown of Vigilance during Prolonged Visual Search 1

  1948cited by this paper
• PSYCHOLOGICAL SCIENCE IN THE PUBLIC INTEREST PSYCHOLOGICAL SCIENCE CAN IMPROVE DIAGNOSTIC DECISIONS

  year unknowncited by this paper

• Analyzing instance representation in cognitive models of phishing decision-making

  2026cites this paper
• AI-Generated Phishing: Combining Human Behavior with Post Content to Assess Susceptibility

  2026cites this paper
• Message involvement increases phishing susceptibility: can suspicion and awareness make a difference?

  2026cites this paper
• Stop the Clock - Counteracting Bias Exploited by Attackers through an Interactive Augmented Reality Phishing Training

  2025cites this paper
• Precision Email Simulator for Research on Safety-Critical Phishing Behaviour

  2025cites this paper
• Device and risk-avoidance behavior in the context of cybersecurity phishing attacks

  2025cites this paper
• Forest or trees? Evidence for global processing via an information board study into cues utilised in phishing identification

  2025cites this paper
• The relationship between materialism and susceptibility to online fraud among Chinese college students: A moderated mediation model from trait and state perspectives

  2025cites this paper
• Untangling the Web of Deceit: Examining Shared User Susceptibility Across Five Types of Digital Deceptions

  2025cites this paper
• Social Engineering Attack Detection Using Natural Language Processing and Machine Learning Techniques

  2025cites this paper
• Phishing Vulnerability and Resilience: A Workplace Study in Saudi Arabia

  2025cites this paper
• Exploring User Risk Factors and Target Groups for Phishing Victimization in Pakistan

  2025cites this paper
• Think or Respond: Understanding the Impact of Cognitive Appraisals on Threat Detection and Phishing Susceptibility

  2025cites this paper
• Improving Phishing Resilience with AI-Generated Training: Evidence on Prompting, Personalization, and Duration

  2025cites this paper
• Framing digital inauthenticity: Comparing user detection of AI-generated faces to messaged-based scam methods.

  2025cites this paper
• The Role of Cognitive Skills in Phishing Detection: A Comparative Study Between Chess Players and Non-Chess Players

  2025influential citation
• Overconfidence in Consumers’ Detection of Phishing Fraud: From the Perspective of the Visual Saliency of Urgency Cues

  2025cites this paper
• Warning deterrence or knowledge guidance? Research on triggering mechanism of phishing sensitivity

  2024cites this paper
• The Impact of Workload on Phishing Susceptibility: An Experiment

  2024cites this paper
• Like Shooting Phish in a Barrel: Cue Utilization and Cognitive Reflection Aid Performance in Controlled, but Not Naturalistic Phishing Tasks

  2024cites this paper
• Filtering Out the User?: Are Users Complacent with Phishing Emails Due to Automated Filters?

  2024influential citation
• Eyes on the Phish(er): Towards Understanding Users' Email Processing Pattern and Mental Models in Phishing Detection

  2024cites this paper
• MACHINE LEARNING IN CYBERSECURITY: HARNESSING AI FOR DEFENSE

  2024cites this paper
• The influence of affective processing on phishing susceptibility

  2024cites this paper
• The roles of phishing knowledge, cue utilization, and decision styles in phishing email detection.

  2024cites this paper
• Eyes on phishing emails: an eye-tracking study

  2024cites this paper
• Phishing interrupted: The impact of task interruptions on phishing email classification

  2023cites this paper
• Human and Cognitive Factors involved in Phishing Detection. A Literature Review

  2023cites this paper
• Enhancing Cybersecurity: The Crucial Role of Self-Regulation, Information Processing, and Financial Knowledge in Combating Phishing Attacks

  2023cites this paper
• Cognition in Social Engineering Empirical Research: A Systematic Literature Review

  2023cites this paper
• Improving Social Bot Detection Through Aid and Training

  2023cites this paper
• Which factors predict susceptibility to phishing? An empirical study

  2023cites this paper
• User experiences with simulated cyber-physical attacks on smart home IoT

  2023cites this paper
• Older Adults’ Susceptibility to Deception from a Healthy Aging Perspective

  2023cites this paper
• The role of conscientiousness and cue utilisation in the detection of phishing emails in controlled and naturalistic settings

  2023cites this paper
• Falling for phishing attempts: An investigation of individual differences that are associated with behavior in a naturalistic phishing simulation

  2023cites this paper
• Who Gets Caught in the Web of Lies?: Understanding Susceptibility to Phishing Emails, Fake News Headlines, and Scam Text Messages

  2023cites this paper
• Theoretical basis and occurrence of internet fraud victimisation: Based on two systems in decision-making and reasoning

  2023cites this paper
• Cognitive elements of learning and discriminability in anti-phishing training

  2023cites this paper
• Evaluating user susceptibility to phishing attacks

  2022cites this paper
• The role of social-psychological factors of victimity on victimization of online fraud in China

  2022cites this paper
• Experiences, Behavioral Tendencies, and Concerns of Non-Native English Speakers in Identifying Phishing Emails

  2022influential citation
• Avoiding the Hook: Influential Factors of Phishing Awareness Training on Click-Rates and a Data-Driven Approach to Predict Email Difficulty Perception

  2022cites this paper
• Phishing with Malicious QR Codes

  2022cites this paper
• Phishing awareness and education – When to best remind?

  2022cites this paper
• Meaningful Context, a Red Flag, or Both? Preferences for Enhanced Misinformation Warnings Among US Twitter Users

  2022cites this paper
• Improving Phishing Reporting Using Security Gamification

  2022cites this paper
• The role of cue utilization in the detection of phishing emails.

  2022cites this paper
• Multi-Security System Based on Fingerprint Biometric Sensor and Wi-Fi Camera

  2022cites this paper
• Knowing When to Pass: The Effect of AI Reliability in Risky Decision Contexts

  2022cites this paper
• Errors, Irregularities, and Misdirection: Cue Utilisation and Cognitive Reflection in the Diagnosis of Phishing Emails

  2022cites this paper
• Meaningful Context, a Red Flag, or Both? Users' Preferences for Enhanced Misinformation Warnings on Twitter

  2022cites this paper
• The self-assessed information security skills of the Finnish population: A regression analysis

  2022cites this paper
• Gone Quishing: A Field Study of Phishing with Malicious QR Codes

  2022cites this paper
• The effect of automation trust tendency, system reliability and feedback on users' phishing detection.

  2022cites this paper
• Duped by Bots: Why Some are Better than Others at Detecting Fake Social Media Personas

  2022cites this paper
• SoK: Human-centered Phishing Susceptibility

  2022influential citation
• Is the key to phishing training persistence?: Developing a novel persistent intervention.

  2022cites this paper
• Holding Your Hand on the Danger Button

  2022cites this paper
• Why people keep falling for phishing scams: The effects of time pressure and deception cues on the detection of phishing emails

  2022cites this paper
• ADVERT: An Adaptive and Data-Driven Attention Enhancement Mechanism for Phishing Prevention

  2021cites this paper
• Lies, Damned Lies, and Social Media Following Extreme Events

  2021cites this paper
• Human factor, a critical weak point in the information security of an organization's Internet of things

  2021cites this paper
• Tell me the Truth: Separating Fact from Fiction in Social Media Following Extreme Events

  2021cites this paper
• Phishing for Long Tails: Examining Organizational Repeat Clickers and Protective Stewards

  2021cites this paper
• So Many Phish, So Little Time: Exploring Email Task Factors and Phishing Susceptibility

  2021cites this paper
• A comparison of features in a crowdsourced phishing warning system

  2021cites this paper
• Risk and protective factors for intuitive and rational judgment of cybersecurity risks in a large sample of K-12 students and teachers

  2021cites this paper
• Training Users to Identify Phishing Emails

  2021cites this paper
• How personal characteristics impact phishing susceptibility: The mediating role of mail processing.

  2021cites this paper
• Influence of Human Factors on Cyber Security within Healthcare Organisations: A Systematic Review

  2021influential citation
• Why They Ignore English Emails: The Challenges of Non-Native Speakers in Identifying Phishing Emails

  2021influential citation
• Sixteen Years of Phishing User Studies: What Have We Learned?

  2021cites this paper
• Learning not to take the bait: a longitudinal examination of digital training methods and overlearning on phishing susceptibility

  2021influential citation
• Human Factors in Phishing Attacks: A Systematic Literature Review

  2021cites this paper
• HUMAN ERRORS AND HUMAN RELIABILITY

  2021cites this paper
• Hybrid Rule-Based Solution for Phishing URL Detection Using Convolutional Neural Network

  2021cites this paper
• Taxonomy of Cybersecurity Awareness Delivery Methods: A Countermeasure for Phishing Threats

  2021cites this paper
• Unrealistic Promises and Urgent Wording Differently Affect Suspicion of Phishing and Legitimate Emails

  2021influential citation
• Careless Participants Are Essential for Our Phishing Study: Understanding the Impact of Screening Methods

  2021cites this paper
• The impact of formal and informal organizational norms on susceptibility to phishing: Combining survey and field experiment data

  2021cites this paper
• Evaluation der interaktiven NoPhish Präsenzschulung

  2021cites this paper
• Phishing Detection through Email Embeddings

  2020cites this paper
• Vissen met een nieuwe hengel: een onderzoek naar betaalverzoekfraude

  2020cites this paper
• Categorizing human phishing difficulty: a Phish Scale

  2020cites this paper
• Email Embeddings for Phishing Detection

  2020cites this paper
• Don’t click: towards an effective anti-phishing training. A comparative literature review

  2020cites this paper
• Human Cognition Through the Lens of Social Engineering Cyberattacks

  2020cites this paper
• Quantifying Susceptibility to Spear Phishing in a High School Environment Using Signal Detection Theory

  2020influential citation
• An examination of the effect of recent phishing encounters on phishing susceptibility

  2020cites this paper
• Trends & issues in crime and criminal justice

  2020cites this paper
• Email phishing and signal detection: How persuasion principles and personality influence response patterns and accuracy.

  2020cites this paper
• Developing a measure of information seeking about phishing

  2020cites this paper
• What makes phishing emails hard for humans to detect?

  2020cites this paper
• An investigation of phishing awareness and education over time: When and how to best remind users

  2020cites this paper
• Effectiveness of and user preferences for security awareness training methodologies

  2019cites this paper
• 2019 Phishing and Cybercrime Risks in a University Student Community Follow

  2019cites this paper
• The psychological interaction of spam email features

  2019cites this paper
• Trust It or Not: Effects of Machine-Learning Warnings in Helping Individuals Mitigate Misinformation

  2019cites this paper
• Which Phish Is on the Hook? Phishing Vulnerability for Older Versus Younger Adults

  2019cites this paper