MSGID: 1:317/3 64a643a8   
   PID: hpt/lnx 1.9.0-cur 2019-01-08   
   TID: hpt/lnx 1.9.0-cur 2019-01-08   
    Stressed for a bit? Then don't click it, cybersecurity experts advise   
    Phishing psychology study explores what makes workers vulnerable    
      
     Date:   
         July 5, 2023   
     Source:   
         DOE/Pacific Northwest National Laboratory   
     Summary:   
         Workers feeling a specific form of stress are more likely than   
         others to become the victims of a phishing attack, according to   
         a new study.   
      
      
         Facebook Twitter Pinterest LinkedIN Email   
      
   ==========================================================================   
   FULL STORY   
   ==========================================================================   
   Workers feeling a specific form of stress are more likely than others   
   to become the victims of a phishing attack, according to a study at the   
   Department of Energy's Pacific Northwest National Laboratory.   
      
   While most -- if not all -- of us feel stress in the workplace, scientists   
   identified a specific form of stress that indicates who is more vulnerable   
   to clicking on bogus content that could lead to malware and other cyber   
   ills. The work could help workers and their employers increase their   
   cybersecurity defenses by recognizing the warning signs when someone is   
   about to make a risky click.   
      
   The team's results from a study of 153 participants were published   
   recently in the Journal of Information Warfare. The researchers noted that   
   while the relatively small sample size limited their ability to tease   
   out all of the relationships among more than two dozen variables they   
   studied, the relationship between stress and response to the simulated   
   phishing email was statistically significant.   
      
   The costs of phishing attacks are enormous. An analysis sponsored by   
   Proofpoint and conducted by the Ponemon Institute estimates that large   
   U.S. businesses lost, on average, $14.8 million apiece to fraudsters   
   via phishing in 2021 alone.   
      
   Defenses include not just better technology but also improved awareness   
   by would-be victims.   
      
   "The first step to defend ourselves is understanding the complex   
   constellation of variables that make a person susceptible to phishing,"   
   says PNNL psychologist Corey Fallon, a corresponding author of the   
   study. "We need to tease out those factors that make people more or   
   less likely to click on a dubious message."  In their study, Fallon and   
   colleagues found that people who reported a high level of work-related   
   distress were significantly more likely to follow a phony phishing email's   
   link. Every one-point increase in self-reported distress increased the   
   likelihood of responding to the simulated phishing email by 15 percent.   
      
   The scientists describe distress as a feeling of tension when someone   
   on the job feels they're in a difficult situation and unable to tackle   
   the task at hand. Distress might stem from feeling their workload is too   
   high, or they might be questioning whether they have adequate training   
   or time to accomplish their work.   
      
   Fancy phish to explore phishing psychology The 153 participants had   
   agreed to take part in a study, but they were unaware that the phishing   
   email sent a few weeks later was part of the planned study into human   
   factors research.   
      
   As far as phishes go, this was a fancy phish. There was no mention of a   
   large sum of money from an African prince, for example, and there were   
   no outright spelling mistakes or gross grammatical errors.   
      
   "These were well-crafted emails deliberately designed to trick people and   
   tailored to the organization," said Jessica Baweja, a psychologist and   
   an author of the study. "It was much harder to detect than the average   
   phish."  Each participant received one of four different versions of   
   a message about an alleged new dress code to be implemented at their   
   organization. The team tested three common phishing tactics separately   
   and together. Here's what they found:   
       * Urgency. 49 percent of recipients clicked on the links. Sample text:   
         "This policy will go into effect 3 days from the receipt of this   
         notice...acknowledge the changes immediately."   
       * Threat. 47 percent clicked. "...comply with this change in dress   
       code or   
         you may be subject to disciplinary action."   
       * Authority. 38 percent clicked. "Per the Office of General   
       Counsel..."  * The three tactics together: 31 percent clicked.   
      
   While the team had expected that more tactics used together would result   
   in more people clicking on the message, that wasn't the case.   
      
   "It's possible that the more tactics that were used, the more obvious it   
   was a phishing message," said author Dustin Arendt, a data scientist. "The   
   tactics must be compelling, but there's a middle ground. If too many   
   tactics are used, it may be obvious that you're being manipulated."   
   In day-to-day operations, PNNL tests its staff with fake phishing   
   emails periodically. Typically around just 1 percent of recipients   
   will click. Far more employees spot the phish early on and provide   
   crowd-sourced alerting to the Laboratory's cybersecurity experts,   
   said Joseph Higbee, PNNL's chief information security officer. When a   
   real phishing email is detected, the Laboratory purges the system of   
   all instances of the email immediately. The information is frequently   
   shared with other DOE laboratories.   
      
   Human-machine teaming to reducecybersecurityrisk How can companies and   
   employees use this data to reduce the risk?  "One option is to help people   
   recognize when they are feeling distressed," said Fallon, "so they can   
   be extra aware and cautious when they're especially vulnerable."  In the   
   future, one option might be human-machine teaming. If an algorithm notes   
   a change in a work pattern that might indicate fatigue or inattention,   
   a smart machine assistant could suggest a break from email. Automated   
   alerts are becoming more common, for instance, when a driver drifts   
   unexpectedly and the car issues a warning about fatigue. The researchers   
   noted that the potential benefits of input from a machine assistant   
   would need to be weighed against employee privacy concerns.   
      
   "It can be hard to see email as a threat," said Baweja. "Our ancient   
   brains aren't wired to equate email with scary things. You're working   
   through emails all day and it's routine; there's little reason to think   
   they could harm you or our organization.   
      
   "Organizations need to be thinking about how to encourage people to   
   make good choices. People overestimate their ability to detect phishing   
   emails," she added.   
      
   PNNL researchers are continuing the work, but with a twist. Instead of   
   asking what makes people more vulnerable to phishing, they will conduct   
   a small study of people who resisted the bait, to learn more about their   
   traits and state of mind as they monitor their email.   
      
   The work is part of a broader program in human-machine teaming and   
   human factors research at PNNL, which recently hosted a Symposium on   
   Human Factors.   
      
   The work was funded by the Cybersecurity and Infrastructure Security   
   Agency, part of the Department of Homeland Security. In addition to   
   Arendt, Baweja and Fallon, authors include Ji Young Yun and Nick Thompson   
   of PNNL and Zhuanyi Shaw, formerly of PNNL.   
      
       * RELATED_TOPICS   
             o Mind_&_Brain   
                   # Stress # Brain-Computer_Interfaces # Social_Psychology   
                   # Perception   
             o Computers_&_Math   
                   # Internet # Encryption # Communications #   
                   Computers_and_Internet   
       * RELATED_TERMS   
             o Phishing o Panic_attack o Altruism o Industrial_relations   
             o Anorexia_nervosa o Yoga_(alternative_medicine) o PMS o   
             Stress_(medicine)   
      
   ==========================================================================   
      
    Print   
      
    Email   
      
    Share   
   ==========================================================================   
   ****** 1 ****** ***** 2 ***** **** 3 ****   
   *** 4 *** ** 5 ** Breaking this hour   
   ==========================================================================   
       * Why_Birds_Ancestors_Lived;_Other_Dinosaurs_Died *   
       Dissolving_Cardiac_Device_Treats_Heart_Disease *   
       Webb_Locates_Dust_Reservoirs_in_Two_Supernovae *   
       Earth_Formed_from_Dry,_Rocky_Building_Blocks *   
       Ancient_Volcanic_Activity_On_Moon's_Dark_Side *   
       Highly_Conductive_Metallic_Gel_for_3D_Printing *   
       Potent_Greenhouse_Gas_Could_Be_Abated_Today *   
       Polymer_Brains_for_Artificial_Neural_Networks *   
       Early_Apex_Predator_Sought_Soft_Over_...   
      
       * Time_in_Universe_Once_Flowed_Five_Times_Slower   
      
   Trending Topics this week   
   ==========================================================================   
   SPACE_&_TIME Black_Holes Astrophysics NASA MATTER_&_ENERGY Biochemistry   
   Optics Petroleum COMPUTERS_&_MATH Communications Educational_Technology   
   Computer_Modeling   
      
      
   ==========================================================================   
      
   Strange & Offbeat   
   ==========================================================================   
   SPACE_&_TIME   
   Quasar_'Clocks'_Show_Universe_Was_Five_Times_Slower_Soon_After_the_Big_Bang   
   First_'Ghost_Particle'_Image_of_Milky_Way   
   Gullies_on_Mars_Could_Have_Been_Formed_by_Recent_Periods_of_Liquid_Meltwater,   
   Study_Suggests MATTER_&_ENERGY   
   Researchers_Create_Highly_Conductive_Metallic_Gel_for_3D_Printing   
   Growing_Bio-Inspired_Polymer_Brains_for_Artificial_Neural_Networks   
   Displays_Controlled_by_Flexible_Fins_and_Liquid_Droplets_More_Versatile,   
   Efficient_Than_LED_Screens COMPUTERS_&_MATH   
   AI_Tests_Into_Top_1%_for_Original_Creative_Thinking   
   Turning_Old_Maps_Into_3D_Digital_Models_of_Lost_Neighborhoods   
   NeuWS_Camera_Answers_'Holy_Grail_Problem'_in_Optical_Imaging Story Source:   
   Materials provided by DOE/Pacific_Northwest_National_Laboratory. Original   
   written by Tom Rickey. Note: Content may be edited for style and length.   
      
      
   ==========================================================================   
   Journal Reference:   
      1. Cory Fallon et al. Phishing in the Wild: An Ecologically Valid   
      Study of   
         the Phishing Tactics and Human Factors that Predict Susceptibility   
         to a Phishing Attack. Journal of Information Warfare, 2023   
         [abstract]   
   ==========================================================================   
      
   Link to news story:   
   https://www.sciencedaily.com/releases/2023/07/230705142959.htm   
      
   --- up 1 year, 18 weeks, 2 days, 10 hours, 50 minutes   
    * Origin: -=> Castle Rock BBS <=- Now Husky HPT Powered! (1:317/3)   
   SEEN-BY: 15/0 106/201 114/705 123/120 153/7715 218/700 226/30 227/114   
   SEEN-BY: 229/110 112 113 307 317 400 426 428 470 664 700 291/111 292/854   
   SEEN-BY: 298/25 305/3 317/3 320/219 396/45 5075/35   
   PATH: 317/3 229/426