Vulnerabilities / Threats
9/30/2013
03:51 PM
Dark Reading
Products and Releases

Vulnerability To Phishing Scams May Be Linked To Personality, NYU-Poly Study Shows

Two factors may boost the likelihood that a computer user will fall prey

BROOKLYN, N.Y., Sept. 30, 2013 /PRNewswire/ -- Phishing scams are some of the most effective online swindles, hooking both savvy and naive computer users. New insights from researchers at the Polytechnic Institute of New York University (NYU-Poly) point to two factors that may boost the likelihood that a computer user will fall prey: being female and having a neurotic personality.

A multidisciplinary team of Tzipora Halevi, postdoctoral scholar in computer science and engineering; James Lewis, instructor in the NYU-Poly Department of Science, Technology and Society; and Nasir Memon, professor and head of the Department of Computer Science and Engineering, set out to probe the connections between personality types and phishing in order to better inform computer security education and training.

In a preliminary study, the researchers sampled 100 students from an undergraduate psychology class, most of whom were science or engineering majors.

Participants completed a questionnaire about their online habits and beliefs, including details about the type and volume of information they share on Facebook. They were also asked to rate the likelihood of negative things happening to them personally online, such as having an Internet password stolen.

Finally, participants answered the short version of a widely used multidimensional personality assessment survey.

Shortly thereafter, the researchers sent a real phishing email to the addresses participants had provided, attempting to lure the students into clicking a link to enter a prize raffle and filling out an entry form that asked for personal information. As in many phishing scams, the "from" field of the email did not match the actual sending address, and the message contained spelling and grammatical errors.
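The two tells the release attributes to the test email (a "from" field that does not match the actual sending address, and sloppy spelling) are the same ones a mail gateway or a phishing-awareness team checks for. The Python below is an added example, not code from the study or from NYU-Poly: it parses raw RFC 5322 messages and reports sender-header inconsistencies (Return-Path, Sender and Reply-To domains that differ from the From domain, and a display name that smuggles in an address from another domain). The three sample messages and the domains university.example and raffle-prizes.example are constructed for illustration. The spelling check is deliberately left out; it needs a dictionary and a tolerance for legitimate typos, and the header checks are what a filter can act on mechanically.

```python
"""Flag sender-header mismatches of the kind used in the NYU-Poly test email.

Added example, not part of the study or the press release. Sample messages
and domains below are constructed; nothing here is real traffic.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample 1: From claims the university, but the envelope sender
# and Reply-To point at the raffle domain that actually sent the mail.
PHISH_ENVELOPE = b"""\
Return-Path: <bounce-4417@raffle-prizes.example>
From: "Student Services" <services@university.example>
Reply-To: claims@raffle-prizes.example
To: student@university.example
Subject: You have been selcted for our prize raffel!

Click the link below and fill the entry form to recieve your prize.
"""

# Constructed sample 2: the display name contains a university address, but
# the real address (and the envelope sender) are at the raffle domain.
PHISH_DISPLAY_NAME = b"""\
Return-Path: <win@raffle-prizes.example>
From: "IT Helpdesk helpdesk@university.example" <win@raffle-prizes.example>
To: student@university.example
Subject: Prize raffle entry form

Enter your details on the form to claim your prize.
"""

# Constructed sample 3: a consistent, legitimate message.
LEGIT = b"""\
Return-Path: <helpdesk@university.example>
From: "IT Helpdesk" <helpdesk@university.example>
To: student@university.example
Subject: Scheduled maintenance this weekend

The mail gateway will be offline Saturday 02:00-04:00.
"""


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def header_mismatches(raw: bytes) -> list[str]:
    """Return human-readable findings; an empty list means no mismatch found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []
    from_value = str(msg.get("From", ""))
    from_name, _ = parseaddr(from_value)
    from_dom = domain_of(from_value)
    if not from_dom:
        return ["From header missing or carries no address"]

    # 1. Envelope sender, Sender and Reply-To normally share From's domain.
    #    The "from field did not match the actual address" tell shows up here.
    for hdr in ("Return-Path", "Sender", "Reply-To"):
        value = msg.get(hdr)
        if value is None:
            continue
        dom = domain_of(str(value))
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom!r} differs from From domain {from_dom!r}")

    # 2. Display name that itself looks like an address at a different domain
    #    (what a mail client shows is not what the message is from).
    m = re.search(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", from_name)
    if m and m.group(1).lower() != from_dom:
        findings.append(
            f"display name shows {m.group(1).lower()!r} but address is at {from_dom!r}"
        )
    return findings


if __name__ == "__main__":
    for label, sample in (("envelope phish", PHISH_ENVELOPE),
                          ("display-name phish", PHISH_DISPLAY_NAME),
                          ("legitimate", LEGIT)):
        print(label, "->", header_mismatches(sample) or "no mismatch")
```

A gateway would feed each inbound message's headers to header_mismatches and quarantine or tag anything that returns findings; a consistent message returns an empty list. The checks are heuristics, not authentication: mailing lists and third-party senders legitimately set a different Return-Path, so this belongs alongside SPF/DKIM/DMARC results rather than in place of them.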

"We were surprised to see that 17% of our targets were successfully phished--and this was a group with considerable computer knowledge," Lewis said.

The majority of those who fell for the scam were women, and those women who were categorized as "neurotic" according to the personality assessment were likeliest to fall for the phishing scam. Neurotic personalities are characterized by irrational thoughts and a tendency toward negative feelings like guilt, sadness, anger, and fear.

There was no correlation between men's personality types and their vulnerability to phishing.

"These results tell us that personality characteristics may exert considerable influence when it comes to choices about online behavior, and that they may even override awareness of online threats," Lewis explained.

The team found no correlation between participants' level of knowledge of computer security and their likelihood of being phished.

The researchers also examined the connections between the amount of personal information participants admitted to sharing on Facebook and personality traits.

Those categorized as having "open" personalities tended to share the most information on Facebook, and to have the least restrictive privacy settings on the social networking site, thus increasing their vulnerability to privacy leaks.

"In the moment, it appears that computer users may be more focused on the possibility of winning a prize or the perceived benefits of sharing information on Facebook, and that these gains distract from potentially damaging outcomes," Lewis said.

The researchers also uncovered an inverse relationship between the personality traits "openness" and "extroversion" and the likelihood of being phished or of sharing copious information on Facebook. The cohort studied included 12 people without Facebook accounts. All were men, none fell for the phishing scheme, and all were among the least likely to be characterized as "open" or "extroverted."

While the researchers emphasized that their study sample was small and further investigation is needed, they believe that insights into how personality traits affect decision-making online may aid in the design of more effective computer interfaces, as well as security training and education. Because this experiment tested a single type of scam (prize phishing), future work may explore whether other personality types prove vulnerable to different types of scams.

These findings were first presented at the Second International Workshop on Privacy and Security in Online Social Media. Halevi, Lewis, and Memon conducted the investigation in collaboration with the Center for Interdisciplinary Studies in Security and Privacy (CRISSP), which brings together experts in computer security, psychology, law and public policy to formulate new approaches to privacy in an increasingly interconnected world. Their research was supported by a grant from the National Science Foundation.

The Polytechnic Institute of New York University (formerly the Brooklyn Polytechnic Institute and the Polytechnic University, now widely known as NYU-Poly) is an affiliated institute of New York University, and will become its School of Engineering in January 2014. NYU-Poly, founded in 1854, is the nation's second-oldest private engineering school. It is presently a comprehensive school of education and research in engineering and applied sciences, rooted in a 159-year tradition of invention, innovation and entrepreneurship. It remains on the cutting edge of technology, innovatively extending the benefits of science, engineering, management and liberal studies to critical real-world opportunities and challenges, especially those linked to urban systems, health and wellness, and the global information economy. In addition to its programs on the main campus in New York City at MetroTech Center in downtown Brooklyn, it offers programs around the globe remotely through NYUe-Poly. NYU-Poly is closely connected to engineering in NYU Abu Dhabi and NYU Shanghai and to the NYU Center for Urban Science and Progress (CUSP) also at MetroTech, while operating two incubators in downtown Manhattan and Brooklyn.

For more information, visit www.poly.edu.

Comments
Peter Fretty, User Rank: Apprentice, 10/3/2013 | 5:48:51 PM
re: Vulnerability To Phishing Scams May Be Linked To Personality, NYU-Poly Study Shows
This is important information for IT professionals to understand as they work to educate the user base on security best practices. For instance, knowing the most vulnerable personality traits could prove instrumental in providing additional resources and support. This also reinforces the importance of embracing a multifaceted approach to securing the enterprise, including next-generation firewall, email, web and endpoint protection as well as secure VPNs. Fun time to be in security!

Peter Fretty, IDG blogger working on behalf of Sophos.
Jeff LoSapio, User Rank: Apprentice, 10/1/2013 | 8:23:38 PM
re: Vulnerability To Phishing Scams May Be Linked To Personality, NYU-Poly Study Shows
It would be really helpful to see the actual message used in this test. The results are presented as pretty conclusive that neurotic females are more prone to phishing. Yet there is no commentary on whether or not the content of the phishing message was more prone to eliciting responses from females. If Facebook was the lure, then that is not a surprise. Change the message to fantasy football and you would have different results. We do a lot of phishing testing, and the results of any given test are dramatically influenced by the type of lure used in the message. For companies, it is a disservice to have them think that they should be more concerned about female employees, which is a potential assumption a reader could make.