Vulnerabilities / Threats
9/30/2013
03:51 PM
Dark Reading
Products and Releases

Vulnerability To Phishing Scams May Be Linked To Personality, NYU-Poly Study Shows

Two factors may boost the likelihood that a computer user will fall prey

BROOKLYN, N.Y., Sept. 30, 2013 /PRNewswire/ -- Phishing scams are some of the most effective online swindles, hooking both savvy and naive computer users. New insights from researchers at the Polytechnic Institute of New York University (NYU-Poly) point to two factors that may boost the likelihood that a computer user will fall prey: being female and having a neurotic personality.

A multidisciplinary team comprised of Tzipora Halevi, postdoctoral scholar in computer science and engineering; James Lewis, instructor in the NYU-Poly Department of Science, Technology and Society; and Nasir Memon, professor and head of the Department of Computer Science and Engineering, set out to probe the connections between personality types and phishing to better inform computer security education and training.

In a preliminary study, the researchers sampled 100 students from an undergraduate psychology class, most of whom were science or engineering majors.

Participants completed a questionnaire about their online habits and beliefs, including details about the type and volume of information they share on Facebook. They were also asked to rate the likelihood of negative things happening to them personally online, such as having an Internet password stolen.

Finally, participants answered the short version of a widely used multidimensional personality assessment survey.

Shortly thereafter, the researchers used the email addresses provided by participants to execute a real-life phishing scam, attempting to lure the students to click a link to enter a prize raffle and to fill out an entry form containing personal information. Like many phishing scams, the "from" field in the email did not match the actual address, and the email contained spelling and grammatical errors.
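The sender-field mismatch described above is something a mail filter can check mechanically. The following is an added example, not code from the study or the article, that compares the domains a recipient sees (From) with those the mail infrastructure recorded (Return-Path, Reply-To); the sample message and all addresses in it are constructed placeholders.

```python
# Added example: flag sender-header inconsistencies of the kind the
# NYU-Poly phishing message had (a "From" that does not match the real sender).
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every address and domain here is a placeholder.
SAMPLE_PHISH = """\
Return-Path: <raffle-bot@mailer.example.net>
From: "Campus Prize Raffle" <prizes@raffle-example.invalid>
Reply-To: claims@another-example.invalid
Subject: You have been slected for a prize raffle!
To: student@example.edu

Click here to enter and fil out the entry form.
"""


def domain_of(addr: str) -> str:
    """Return the lower-cased domain of an address like 'Name <user@host>', or ''."""
    _, address = parseaddr(addr)
    return address.rpartition("@")[2].lower()


def header_mismatches(raw: str) -> list[str]:
    """Return findings describing sender-header inconsistencies in a raw message.

    Three places are compared: the From header the user sees, the Return-Path
    the receiving MTA recorded (the envelope sender), and the Reply-To that
    would receive the victim's answer. Any domain that disagrees with From is
    reported; a clean message returns an empty list.
    """
    msg = message_from_string(raw)
    from_header = msg.get("From", "")
    from_dom = domain_of(from_header)
    findings = []

    # Display name that itself looks like an address from a different domain.
    display, _ = parseaddr(from_header)
    if "@" in display and domain_of(display) != from_dom:
        findings.append(f"From display name domain {domain_of(display)} != {from_dom}")

    for header in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(header, ""))
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} != From domain {from_dom}")
    return findings
```

A mismatch is a signal, not proof: legitimate bulk mailers also send through third-party domains, so this check belongs alongside SPF/DKIM results and user training rather than replacing them.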

"We were surprised to see that 17% of our targets were successfully phished--and this was a group with considerable computer knowledge," Lewis said.

The majority of those who fell for the scam were women, and those women who were categorized as "neurotic" according to the personality assessment were likeliest to fall for the phishing scam. Neurotic personalities are characterized by irrational thoughts and a tendency toward negative feelings like guilt, sadness, anger, and fear.

There was no correlation between men's personality types and their vulnerability to phishing.

"These results tell us that personality characteristics may exert considerable influence when it comes to choices about online behavior, and that they may even override awareness of online threats," Lewis explained.

The team found no correlation between participants' level of knowledge of computer security and their likelihood of being phished.

The researchers also examined the connections between the amount of personal information participants admitted to sharing on Facebook and personality traits.

Those categorized as having "open" personalities tended to share the most information on Facebook, and to have the least restrictive privacy settings on the social networking site, thus increasing their vulnerability to privacy leaks.

"In the moment, it appears that computer users may be more focused on the possibility of winning a prize or the perceived benefits of sharing information on Facebook, and that these gains distract from potentially damaging outcomes," Lewis said.

The researchers also uncovered an inverse relationship between those with "openness" and "extroversion" as personality traits and the likelihood of their being phished or sharing copious information on Facebook. Among the cohort studied were 12 people without Facebook accounts. All were men, none fell prey to the phishing scheme, and all were least likely to be characterized as "open" or "extroverted."

While the researchers emphasized that their study sample was small and further investigation is needed, they believe that insights into how personality traits impact decision-making online may aid in the design of more effective computer interfaces, as well as security training and education. As this experiment tested a single type of scam, prize phishing, future work may explore whether other personality types prove vulnerable to different types of scams.

These findings were first presented at the Second International Workshop on Privacy and Security in Online Social Media. Halevi, Lewis, and Memon conducted the investigation in collaboration with the Center for Interdisciplinary Studies in Security and Privacy (CRISSP), which brings together experts in computer security, psychology, law and public policy to formulate new approaches to privacy in an increasingly interconnected world. Their research was supported by a grant from the National Science Foundation.

The Polytechnic Institute of New York University (formerly the Brooklyn Polytechnic Institute and the Polytechnic University, now widely known as NYU-Poly) is an affiliated institute of New York University, and will become its School of Engineering in January 2014. NYU-Poly, founded in 1854, is the nation's second-oldest private engineering school. It is presently a comprehensive school of education and research in engineering and applied sciences, rooted in a 159-year tradition of invention, innovation and entrepreneurship. It remains on the cutting edge of technology, innovatively extending the benefits of science, engineering, management and liberal studies to critical real-world opportunities and challenges, especially those linked to urban systems, health and wellness, and the global information economy. In addition to its programs on the main campus in New York City at MetroTech Center in downtown Brooklyn, it offers programs around the globe remotely through NYUe-Poly. NYU-Poly is closely connected to engineering in NYU Abu Dhabi and NYU Shanghai and to the NYU Center for Urban Science and Progress (CUSP) also at MetroTech, while operating two incubators in downtown Manhattan and Brooklyn.

For more information, visit www.poly.edu.

Comments
Peter Fretty,
User Rank: Apprentice
10/3/2013 | 5:48:51 PM
re: Vulnerability To Phishing Scams May Be Linked To Personality, NYU-Poly Study Shows
This is important information for IT professionals to understand as they work to educate the user base on security best practices. For instance, knowing the most vulnerable personality traits could prove instrumental in providing additional resources and support. This also reinforces the importance of embracing a multifaceted approach to securing the enterprise, including next-generation firewall, email, web and endpoint protection as well as secure VPNs. Fun time to be in security!

Peter Fretty, IDG blogger working on behalf of Sophos.
Jeff LoSapio,
User Rank: Apprentice
10/1/2013 | 8:23:38 PM
re: Vulnerability To Phishing Scams May Be Linked To Personality, NYU-Poly Study Shows
It would be really helpful to see the actual message used in this test. The results are presented as pretty conclusive that neurotic females are more prone to phishing. Yet there is no commentary on whether or not the content of the phishing messages was more prone to elicit responses from females. If Facebook was the lure, then that is not a surprise. Change the message to fantasy football and you would have different results. We do a lot of phishing testing, and the results of any given test are dramatically influenced by the type of lure used in the message. For companies, it is a disservice to have them think that they should be more concerned about female employees, which is a potential assumption a reader could have.