
Don’t judge the phished : a comprehensive study into individuals’ phishing susceptibility


Academic year: 2021



Name: Hans Schoemaker
Student number: 5623154
Graduate School of Communication
Master’s programme Communication Science
Supervisor: Marieke Fransen

Abstract

This research focuses on the question: What determines the ability of people to successfully detect phishing messages? To explore this question, a nationally representative survey was conducted among 1015 respondents, examining various background variables such as age, gender, education, computer self-efficacy, web experience, phishing knowledge, mindfulness and their phishing susceptibility. Results show that age, education, phishing knowledge and two aspects of mindfulness are significant predictors of phishing susceptibility. This project extends previous research by empirically testing results from previous experiments and provides policy makers and developers of phishing training tools with recommendations to enhance their toolkit to combat phishing attacks.

Introduction:

In 2016, a mysterious syndicate tried to steal $951 million from Bangladesh’s central bank in a sophisticated online attack. Thanks to the alertness of an employee of the Federal Reserve Bank of New York, most of the transactions were thwarted. However, the perpetrators still managed to get away with almost 81 million dollars, making it the biggest bank heist in history, and it all started from one single phishing e-mail (New York Times, 2018).

Everyone has received them: e-mails that ask us to click on a link or download an attachment to win a special prize or to avoid catastrophes such as our accounts expiring. Some of these messages are easily identified as fraudulent, but others use a more sophisticated approach, mimicking communication from a trustworthy source (e.g. your bank). These messages come from phishers: cybercriminals who aim to steal your credentials, collect private information or install malicious software (Hong, 2012). It is estimated that more than 80% of the 500 billion e-mails sent per day are likely spam, malware, or phishing messages (Radicati, 2012).

In response to these threats, software designers and security companies have increased their efforts to stop phishing. Technical progress has come in comprehensive blacklists and whitelists, spam folders, machine learning algorithms and plug-ins, and extensions to detect phishing attacks (Luga, 2016). However, perpetrators of phishing attacks continuously adapt their tricks to find new ways to circumvent these restrictions. Therefore, the crucial line of defence is the targeted individual or, as Hong (2012) stated: “It doesn’t matter how many firewalls, encryption software, certificates, two factor authentication mechanism an organisation has if the person behind the keyboard falls for a phish”.

In the literature on phishing susceptibility, exploratory work has focused on three areas. First, a broad range of literature has focused on individual differences that explain why some people are more susceptible to phishing attacks than others. Research on individual differences investigated whether personality traits (e.g. neuroticism, conscientiousness, and openness) (Halevi, Lewis, & Memon, 2013), computer self-efficacy, dispositional trust (Hong et al., 2013) and demographic variables (Halevi, Memon, & Nov, 2015; Sheng et al., 2010) influenced people’s susceptibility to phishing attacks. Second, research has focused on the contents of the phishing messages, specifically the use of psychological manipulation, such as fear appeals (e.g. “your account has been compromised”) or scarcity tactics (e.g. “Act now”), stressing a sense of urgency and exploiting human cognitive limitations (Butavicius, Parsons, Pattinson, & McCormac, 2015; Wright et al., 2014). Lastly, a growing body of research focuses on preventing people from falling for phishing attacks through training (Jensen et al., 2017; Wash & Cooper, 2018). For example, in an experiment Wash and Cooper (2018) found that facts-and-advice training works better than not training users, but only when this training is presented by a security expert.

Despite the increased attention from the academic world and the progress made so far, a study in 2015 found that an alarming 97 percent of consumers could not correctly identify phishing scam e-mails (securityaffairs.co), indicating room for improvement. Furthermore, effects have largely been studied in experimental settings with student samples; to date, no comprehensive study into individuals’ phishing susceptibility exists. Therefore, this study uses a survey to investigate which individual characteristics affect phishing susceptibility, in order to aid in developing successful training tools that can help people better detect phishing e-mails. It focuses on the following research question: What determines the ability of people to successfully detect phishing messages?

The theoretical contribution of this paper is twofold. First, it looks at relevant literature and tests, in a field study, constructs previously used only in experiments. Second, it contributes to the growing body of research on how people can make more deliberate choices. From a corporate and public policy perspective, this study provides valuable information on which traits and skills might be important to enhance individuals’ ability to detect phishing e-mails. This could aid practitioners in developing better training tools, which would strengthen citizens’ and employees’ defence mechanisms against phishing and online fraud.

What is a phishing message?

Phishing is a message, usually an e-mail, intended to persuade the receiver to accept a falsehood and to perform a specific action (e.g. clicking on a link in an e-mail or opening an attachment). By complying with one of those actions, users compromise their own personal information: the attachment could contain a virus or ransomware (a type of malicious software that threatens to publish the victim's data or block access to it unless a ransom is paid), or the receiver could open a link to a fake website fabricated by the attackers and enter his or her credentials, allowing the attackers to use those credentials to access, for example, the victim’s bank account (Wright et al., 2014).

Phishing messages have certain distinct characteristics. First, phishing attacks occur through mediated channels (e.g. e-mail). Mediation allows the attacker to conceal or change the actual message source, mimicking a legitimate one (Abbasi et al., 2010). A second characteristic of phishing attacks is that the attacks generally occur only once. The majority of phishing attempts are one-time messages sent to a large group of individuals with the expectation that only a small number of the recipients will respond (Hong, 2012). This is in contrast with other types of deception where a deceiver may have repeated interactions with the receiver. Third, whereas in other types of deception the goal is to evade or hide the truth, a phisher’s intention is to persuade the receiver to accept a falsehood and to perform a specific action as mentioned above. Moreover, a phishing message is normally active for only a brief period (e.g., average of 26 hours and 13 minutes; Anti-Phishing Working Group, 2015) before recipients are alerted and can take preventative action. Therefore, it is crucial for phishers to make their messages as believable and persuasive as possible.

Phishers use a variety of tactics to make their messages more believable. They personalize their messages and related phishing websites (Wright et al., 2014; Wright & Marett, 2010), mimic the content of legitimate messages and tailor their messages to look like e-mail that people ordinarily expect to receive (Caldwell, 2013). Additionally, phishers often include logos, graphics, and forged security seals from trusted third parties to make their fabricated websites and e-mails look more authentic. Furthermore, believability is increased by forging or closely approximating technical features of legitimate messages, such as spoofing legitimate e-mail addresses (making it appear that e-mails come from them) and replicating actual websites (Dinev & Hart, 2006). Discerning between real and fake messages takes effort and experience. Individuals without this experience are more likely to click on a link or open an attachment in phishing e-mails, making them more susceptible to phishing attacks (Hong, 2012).

Research on phishing susceptibility has focused on three components related to computer experience: computer self-efficacy, web experience and domain-specific knowledge (Wright & Marett, 2010; Luga et al., 2016; Vishwanath et al., 2011). In an experiment, Wright and Marett (2010) investigated whether experiential factors (computer self-efficacy, web experience and phishing knowledge) were related to falling for a phishing attack. The results from their field study indicated that all these aspects decreased users’ susceptibility. This was also found in a field study by Luga et al. (2016). However, Vishwanath et al. (2011) found otherwise: their results showed an effect on phishing susceptibility only for phishing knowledge.

Self-efficacy is the belief in one's ability to organise and execute a particular course of action. With respect to computing, it is the belief in one's ability to use computing technology (Vishwanath, 2015). Computer self-efficacy has been linked with online privacy concerns; Internet users with high computer self-efficacy are more confident in their abilities to secure their privacy and deal with online threats (Yao, Rice, & Wallis, 2007). It is likely that the same holds true regarding phishing susceptibility. Individuals with low computer self-efficacy will be more likely to follow instructions provided in the phishing e-mail to remedy the problem (e.g. a phishing message that warns you your account is expiring and tells you to click “here” to reset it) because they do not know how to solve computer-related problems on their own. On the other hand, people who have a stronger belief in their capacity to deal with computer-related problems will know what to do themselves and are therefore less likely to follow the instructions (e.g. clicking on the link) in the e-mail. Therefore the first hypothesis is:

H1. Individuals who score high on computer self-efficacy have a lower phishing susceptibility

Web experience is defined as the time one has spent on the internet. Web experience can be related to phishing susceptibility based on the channel expansion theory by Carlson and Zmud (1999). This theory states that individuals with more experience in a conversation have a better chance of noticing and processing subtleties within messages. This experience is defined as the amount of experience a communicator has with the topic, the context of the discussion, the communication partners and, most relevant for phishing susceptibility, the communication medium itself. This can be interpreted as follows: individuals who spend more time online have more experience with the medium (e-mail) and with the content and context of these e-mails, are therefore better able to spot subtle differences between real e-mails and phishing attempts, and are therefore less likely to fall for a phish. The second hypothesis is therefore:

H2. Individuals who score high on web experience have a lower phishing susceptibility

Domain-specific knowledge relates to how much an individual knows about a specific domain or construct, in this case about phishing (Straub & Welke, 1998). Larcom and Elbirt (2006) found that users are better prepared if they are made aware of the tactics involved in phishing and how to protect themselves from becoming victims or security risks, a finding also reported by Wright & Marett (2010) and Vishwanath et al. (2011). This is further substantiated by Malhotra, Kim and Agarwal (2004), who found that individuals on the web who are concerned with information privacy and make information privacy a priority are less trusting and perceive more risk when requested to share personal information. Increased awareness and knowledge of tactics involved in phishing and how to protect oneself from becoming a victim should therefore enhance people’s ability to spot phishing e-mails and lower their phishing susceptibility.

H3: Individuals who score high on phishing knowledge have lower phishing susceptibility

Phishers not only use technical aspects to make their messages more believable, they also use psychological manipulation to persuade their victims to fall for the phish. One form of psychological manipulation is the use of the principles of persuasion (i.e. liking, reciprocity, social proof, consistency, authority and scarcity) as formulated by Cialdini (2007). These forms of manipulation are effective because they exploit the human tendency to rely on mental shortcuts or heuristics to quickly come to a decision. In day-to-day activities individuals (or employees) must allocate their attention and time to a variety of tasks; they must complete their work-related tasks in a quick and efficient manner, but also manage and respond to a near constant stream of messages (e.g. e-mail, chat, or social media). While completing these various tasks employees expend finite cognitive resources. Relying on heuristics to quickly and mindlessly respond to an e-mail helps individuals to work through the workload but also exposes them to falling for a phish. It is therefore not enough to increase individuals’ knowledge of, familiarity with and awareness of computers and phishing; understanding how individuals can make more deliberate choices when opening and reading their e-mail could also be crucial to decreasing phishing susceptibility.

A fruitful area of research that investigates how individuals can make more deliberate choices is mindfulness theory. Within mindfulness theory two schools of thought dominate. The first, by Kabat-Zinn (1994), defines mindfulness as “paying attention in a particular way: on purpose, in the present moment, and non-judgmentally” (p. 8). The second is mindfulness as popularized by Ellen Langer in 1989. According to Langer (1989), mindfulness is a trait consisting of engagement, seeking and producing novelty, and adopting a flexible mind-set. While there are differences between these schools of thought, they both agree that mindfulness can be enhanced or learned through training (Hart, Ivtzan, & Hart, 2013).

Rosenberg (2004) argues that mindfulness training can help individuals to cope with the nonconscious psychological processes that are exploited by corporations and advertisers to shape their consumption preferences. In Rosenberg’s (2004) view, mindfulness can be seen as a process in which one expands his or her awareness to include stimuli that otherwise might have been filtered out or not attended to, and becomes aware of the kinds of biases to which one might be vulnerable. Translated to e-mail, opening a message more mindfully means that the recipient reads the e-mail while being aware of the different stimuli (e.g. the different forms of psychological manipulation) used within it and is therefore able to recognise the strategies and the intentions of the sender. Consider the following e-mail sent by phishers using multiple forms of psychological manipulation at once: “We found suspicious activity on your account (reciprocity) and suspended your account. In order to restore your account please click on this link within 24 hours (scarcity) to update your security settings. Signed by the COO of a company (authority)”. An individual processing this e-mail mindlessly would probably follow the instructions and click on the link, whereas a more mindful processing of this e-mail would involve asking oneself questions such as “Does the request make sense? Why would the sender need me to do this? And why does it need to be within 24 hours?” and consequently lead to a more deliberate processing of the content of the message, decreasing susceptibility to the phishing attack. Therefore H4 states:

Method.

This study employed an online survey among 1015 respondents representative of the Dutch population aged 18-70. Respondents were recruited from Motivaction’s Stempunt-panel, an ISO 26362-certified online research panel. Created in 2002, the panel consists of over 80,000 Dutch citizens (reference date: January/February 2018). In total 4000 respondents received an invitation to participate in the survey. Of these, 2198 opened the e-mail, 1196 (29.9%) started the questionnaire and 1057 (26.4%) completed the questionnaire. After controlling for straight liners (respondents with no variations in their answers), the final sample consisted of 1015 respondents. The final sample was weighted using propensity sampling, a statistical technique that corrects for self-selection and matches the samples from the StemPunt panel to the “Gouden Standaard” from the Centraal Bureau voor Statistiek. The sample is therefore representative of the Dutch population for age (18-70), gender, educational attainment and region (Nielsen6). Minimum and maximum weight factors were 0.55 and 2.84. The mean age of the sample was 49.46, and in total 457 female and 558 male respondents participated in the survey. For full details on the weighted and unweighted numbers of participants, see the appendix.

Procedure.

Respondents, who are part of Motivaction’s Stempunt-panel, were contacted via e-mail to participate in the research. Respondents received an incentive for participating in the research in the form of “StemPuntPunten”; these points can be exchanged for small gifts in an online web shop or donated to charity. After the respondents clicked on the link in the invitation e-mail they were directed to the survey. To avoid tipping off the respondents that the real purpose of the questionnaire was to assess their phishing susceptibility, the survey started with a short introduction explaining that the researchers were interested in how people responded to corporate communication. Next the respondents viewed pictures of five e-mails (in random order) sent from different companies. Three of these e-mails were phishing e-mails (obtained from fraudehelpdesk.nl) and two were genuine e-mails. The original receiver’s name and e-mail address were photo-shopped to obscure their identity and were replaced with brackets with the word [name] or [e-mail address] respectively. The respondents had to imagine that their own name or e-mail address was placed within these brackets, which was explained in the introduction. All e-mails included links to other websites (hovering with the mouse over the link showed the destination of the link). Respondents were asked how likely, on a 5-point scale, it was that they would click on the link if they received the e-mail. Respondents were considered to be more susceptible to phishing when they indicated they were more likely to click on the link in the phishing e-mails than respondents who indicated they were not likely to click on the link. However, in this set-up one cannot know for sure whether the respondent did not click on the link because they correctly classified the e-mail as a phishing attempt or because of some other reason. Therefore, the researchers opted to also measure phishing susceptibility with a second, more direct method, explained later on.

The questionnaire continued with questions to assess respondents’ computer self-efficacy, web experience, phishing knowledge, mindfulness and personality traits. The final questions of the survey included a second method to measure respondents’ phishing susceptibility in the form of a small quiz on phishing. First a definition of phishing (“a form of electronic fraud where the perpetrators try to lure the victims to a false webpage”) was given to the respondents. The respondents were then asked to discern genuine e-mails from phishing e-mails. The respondents viewed two e-mails seemingly sent by the same company, a genuine e-mail and a phishing e-mail, and were asked to select the genuine e-mail. In total the respondents judged five pairs of e-mails in random order. The quiz concluded with four knowledge questions about phishing. After completing the quiz the respondents received their score (number of correct answers given in the quiz). Respondents with a higher score were considered to be less susceptible to phishing.

The researchers acknowledge that the content of the questionnaire, in particular being made aware of the risk of falling victim to electronic fraud, could be upsetting for the respondents. Furthermore, since the respondents are part of an online research panel and are generally contacted through e-mail to participate in research, the content of the research could potentially cause them to be sceptical about future e-mails and make them less likely to participate in future research. Therefore, an instruction with tips and tricks for discerning phishing e-mails from genuine e-mails (by fraudehelpdesk.nl) and a link to fraudehelpdesk.nl for more information about phishing were included after respondents received their score. The questionnaire concluded by thanking the respondents for their participation in the research. The full questionnaire (in Dutch) is included in the appendix.

Measurements.

Computer self-efficacy was measured using a 6-item, 5-point scale developed by Compeau (1995) and adjusted by Vishwanath (2011), asking respondents to indicate, from 1 (no trust at all) to 5 (complete trust), how much trust they had in, for example, their skills in working with computers. The scale had a Cronbach’s alpha of .93, indicating a reliable scale of computer self-efficacy (M = 3.50, SD = 0.84).

Phishing knowledge was measured using an 8-item, 5-point scale developed by Vishwanath (2011), asking respondents whether they were familiar with concepts such as “Malware”, with 1 meaning never heard of this concept and 5 understanding the concept very well. The scale had a Cronbach’s alpha of .90, indicating a reliable scale of phishing knowledge (M = 3.44, SD = 0.93).

Web experience was measured using 5 questions asking respondents to indicate how many hours they spend on various activities (such as looking up information, news, shopping and social media on the internet) on average per week (M = 11.47, SD = 13.26), based on a scale from Wright and Marett (2010). Hours spent online were recoded into 6 groups (0-5 hours, 5-10, 10-15, 15-20, 20-25 and 25+).

Mindfulness was measured using a 24-item, 5-point scale developed by Bohlmeijer (2011), based on Baer’s (2001) 39-item Five Facet Mindfulness Questionnaire (FFMQ), asking respondents to indicate how true the 24 statements were for them, e.g. “I am good in finding words to describe my feelings”. The 24 items measure five different aspects of mindfulness, which was confirmed by a principal component analysis (PCA) showing five components with an Eigenvalue greater than 1 and a clear point of inflexion after the last component in the scree plot, explaining 57% of the variance. The five aspects are: Actaware, defined in terms of attending to one’s activities of the moment as opposed to acting on automatic pilot (Cronbach’s alpha = .81, M = 3.42, SD = 0.68); Describe, defined as being able to label internal experiences with words (Cronbach’s alpha = 0.76, M = 3.43, SD = 0.67); Nonjudge, defined in terms of taking a non-evaluative stance toward thoughts and feelings (Cronbach’s alpha = .80, M = 3.40, SD = 0.76); Nonreact, defined in terms of allowing thoughts and feelings to come and go, without getting caught up in or carried away by them (Cronbach’s alpha = .73, M = 3.08, SD = 0.68); and Observe, defined in terms of noticing or attending to internal and external experiences (Cronbach’s alpha = .72, M = 3.35, SD = 0.72). The five facets as a group, however, do not measure a unidimensional mindfulness construct (Cronbach’s alpha = .52). This finding is in line with earlier findings by Bohlmeijer et al. (2011) and Baer (2006) that the FFMQ measures five distinct but related aspects of mindfulness, which according to them can be combined into an overall mindfulness factor. Therefore, mindfulness was computed by taking the average of the five aspects (M = 3.34, SD = 0.41). Bohlmeijer et al. (2011) and Baer (2006) do advise differentiating between facets when examining the relationship between mindfulness and related constructs.

Phishing susceptibility was measured in three different ways. First, Testscore1 counts all the correct answers given in the quiz, where a higher score means a lower phishing susceptibility (M = 6.14, SD = 1.67); scores could range from zero to nine. Second, Testscore2 counts the correct answers given on the e-mails and not the knowledge questions in the quiz. Here again a higher score indicates a lower phishing susceptibility (M = 3.88, SD = 1.02); scores could range from zero to five. Third, Testscore3 is the mean score based on the respondent’s likelihood of clicking on the link in the three phishing e-mails at the start of the research. The scores were recoded so that a higher score means the respondent has a lower phishing susceptibility (M = 4.21, SD = 0.80); scores could range from one to five. Lastly, background variables included in the questionnaire were coded as age (counted in age groups: 18-24, 25-34, 35-44, 45-54, 55-64 and 65-70), gender (0 = male, 1 = female) and educational attainment (coded as -1 = low, 0 = mid and 1 = high).

Results.

Before testing the various hypotheses, a correlation analysis was conducted to check for possible confounding variables among the background variables (age in groups, gender, educational attainment level), the independent variables (computer self-efficacy, web experience, phishing knowledge and mindfulness) and the dependent variable Testscore1 (phishing susceptibility). The correlation analysis showed that all variables correlated with phishing susceptibility except web experience, and that many variables correlated with each other, most notably computer self-efficacy and phishing knowledge (r = .60, p < .001). For details see table 1.

Table 1.

Correlation table

             Age      Gender   Education  CSE      WE       PK       Mindfulness  TestScore1
Age          1        -.13**   -.15**     -.19**   -.14**   -0.1     .20**        -.16**
Gender                1        -.08*      -.27**   -.01     -.34**   -.05         -.11**
Education                      1          .17**    -.02     .23**    .19**        .29**
CSE                                       1        .19**    .60**    .16**        .28**
WE                                                 1        .18**    .03          .09**
PK                                                          1        .27**        .41**
Mindfulness                                                          1            .18**
TestScore1                                                                        1

*p<.01, **p<.000. CSE = Computer self-efficacy, WE = Web experience, PK = phishing knowledge

To test the hypotheses, a regression analysis was calculated to predict phishing susceptibility based on age per decade, gender and education level, computer self-efficacy, web experience, phishing knowledge and mindfulness. Results are summarized in table 2. The regression model (1a), with the number of correct answers on the phishing quiz as dependent variable and age, gender, educational attainment, computer self-efficacy, web experience, phishing knowledge and mindfulness as independent variables, is significant, F(7, 1014) = 43.95, p < .001. The regression model can therefore be used to predict phishing susceptibility. The strength of the prediction is moderate: 23 per cent of the variation in correct answers can be predicted on the basis of age, gender, educational attainment, computer self-efficacy, web experience, phishing knowledge and mindfulness (R2 = 0.23). Age, b* = -0.16, t = -4.90, p < .001, 95% CI [-0.22, -0.10]; educational attainment, b* = 0.43, t = 5.99, p < .000, 95% CI [0.29, 0.58]; phishing knowledge, b* = 0.63, t = 9.50, p < .001, 95% CI [0.50, 0.77]; and mindfulness, b* = 0.31, t = 2.57, p < .001, 95% CI [0.07, 0.55], have a significant, weak to strong association with phishing susceptibility (gender, p = .778; computer self-efficacy, p = .881; web experience, p = .753). Per decade of age the number of correct answers given on the phishing susceptibility test decreases by 0.22 to 0.10. Per level of educational attainment the number of correct answers given on the phishing susceptibility test increases by 0.29 to 0.58. Scoring 1 point higher on the scale of phishing knowledge increases the number of correct answers given on the phishing susceptibility test by 0.50 to 0.77. Scoring 1 point higher on the mindfulness scale increases the number of correct answers given on the phishing susceptibility test by 0.07 to 0.55. Computer self-efficacy, web experience and gender are not significant predictors of phishing susceptibility. For all these effects, the other independent variables are assumed to be held constant.

To summarize, for two out of the four hypothesized predictions significant effects on phishing susceptibility were found. The results from model 1 supported hypotheses 3 and 4, indicating that higher levels of phishing knowledge and higher levels of mindfulness correlate with a lower phishing susceptibility. However, as Bohlmeijer et al. (2011) and Baer (2006) suggest, mindfulness is not a uniform construct and it is advised to differentiate between facets when examining the relationship between mindfulness and related constructs. Therefore a new regression model (2a) was calculated, replacing mindfulness with the 5 facets as independent variables. Results can be found in table 2.

The regression model (2a), with the number of correct answers on the phishing quiz (Testscore1) as dependent variable and age in groups, gender, educational attainment, computer self-efficacy, web experience, phishing knowledge and the five aspects of mindfulness as independent variables, is significant, F(11, 1014) = 29.11, p < .001.

Table 2.

Regression models to predict phishing susceptibility based on Testscore1.

              Phishing susceptibility
              Model 1a   Model 2a   Model 3a
Constant      2.54***    3.26***    6.82***
Age           -0.16***   -0.17***   -0.16***
Gender        0.03       0.02       0.03
Education     0.43***    0.42***    0.44***
CSE           -0.01      -0.01      0.01
WE            -0.00      -0.00      -0.02
PK            0.63***    0.65***    -0.22
Mindfulness   0.31*
Actaware                 -0.01
Nonjudge                 0.27***    -0.70**
Describe                 -0.11
Observe                  0.13
Nonreact                 0.08
Nonjudge*PK                         0.26***
R2            .23        .24        .25
F             43.96***   29.11***   41.70***

Note. N=1015. **p<.01. ***p<.001. CSE = Computer self-efficacy, WE = Web experience, PK = phishing knowledge.

The regression model can therefore be used to predict phishing susceptibility. The strength of the prediction is moderate: 24 per cent of the variation in correct answers can be predicted on the basis of age, gender, educational attainment, computer self-efficacy, web experience, phishing knowledge and the five facets of mindfulness (R2 = 0.24). The results for age, gender, education, CSE, WE and PK are very similar to the ones found in model 1. Out of the five mindfulness facets, four are not significant predictors of phishing susceptibility. One (Nonjudge), b* = 0.27, t = -3.53, p < .001, 95% CI [0.12, 0.41], is a significant predictor of phishing susceptibility, indicating that scoring 1 point higher on the nonjudge scale increases the mean number of correct answers given on the phishing susceptibility test by 0.12 to 0.41. For all these effects, the other independent variables are assumed to be held constant.

Lastly, a third regression model (3a) was calculated to explore a possible interaction effect between nonjudge and PK. The regression model (3a), with the number of correct answers on the phishing quiz (Testscore1) as dependent variable and age in groups, gender, educational attainment, computer self-efficacy, web experience, phishing knowledge, nonjudge and nonjudge*PK (score on nonjudge multiplied by the score on PK) as independent variables, is significant, F(8, 1014) = 41.70, p < .001. The regression model can therefore be used to predict phishing susceptibility. The strength of the prediction is moderate: 25 per cent of the variation in correct answers can be predicted on the basis of age, gender, educational attainment, computer self-efficacy, web experience, phishing knowledge, nonjudge and the interaction between nonjudge and phishing knowledge (R2 = 0.25). The effect of nonjudge on phishing susceptibility seems to be moderated by phishing knowledge. However, interpreting the interaction effect from b = 0.26, p < .001 alone is difficult. Therefore, four groups were created by dividing the sample in half based on respondents’ PK and Nonjudge scores. Comparing the mean scores of these four groups on the unstandardized predicted values generated by the model allows us to interpret the interaction effect. Results are as follows: low PK low nonjudge group (M = 5.65, SD = 0.55), low PK high nonjudge group (M = 5.58, SD = 0.75), high PK low nonjudge group (M = 6.43, SD = 0.44), high PK high nonjudge group (M = 6.94, SD = 0.57), visualized in figure 1.

Figure 1. Interaction effect, difference in mean score on Testscore1. [Line chart; series: low PK, high PK.]

As figure 1 shows, scoring high on PK results in lower scores on phishing susceptibility compared with low PK (dotted line higher than the solid line). The interaction effect can be observed when we look at the direction of the two lines from low nonjudge to high nonjudge. Scoring higher on nonjudge does not have an effect when you score low on PK (horizontal solid line), but it does have an effect when you also score high on PK (upward-sloping dotted line).
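The moderation analysis described above (a regression on nonjudge, PK and their product, followed by a comparison of mean predicted values in four median-split groups) can be reproduced on constructed data. This is an added example, not the study's own analysis code: the sample is simulated, the 1 to 5 scales and the noise level are assumptions, the other covariates are omitted, and the generating coefficients only borrow the Model 3a values for the constant, PK, Nonjudge and Nonjudge*PK.

```python
"""Moderation probe on constructed data: does PK change the effect of nonjudge?"""
import random
from statistics import mean, median

# Assumed generating coefficients (constant, PK, Nonjudge, Nonjudge*PK),
# borrowed from the Model 3a column; scales and noise are assumptions.
TRUE_B = (6.82, -0.22, -0.70, 0.26)


def make_sample(n=1015, seed=7):
    """Constructed respondents: (pk, nonjudge, testscore), both scales 1-5."""
    rng = random.Random(seed)
    b0, b1, b2, b3 = TRUE_B
    sample = []
    for _ in range(n):
        pk, nj = rng.uniform(1, 5), rng.uniform(1, 5)
        score = b0 + b1 * pk + b2 * nj + b3 * pk * nj + rng.gauss(0, 1.0)
        sample.append((pk, nj, score))
    return sample


def solve(a, b):
    """Solve the linear system a.x = b by Gauss-Jordan elimination."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                factor = m[r][col] / m[col][col]
                m[r] = [x - factor * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def fit_moderation(sample):
    """OLS of score on PK, nonjudge and their product (normal equations)."""
    x = [(1.0, pk, nj, pk * nj) for pk, nj, _ in sample]
    y = [score for _, _, score in sample]
    k = 4
    xtx = [[sum(r[i] * r[j] for r in x) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(x, y)) for i in range(k)]
    names = ("constant", "pk", "nonjudge", "nonjudge_x_pk")
    return dict(zip(names, solve(xtx, xty)))


def predict(coef, pk, nj):
    """Unstandardized predicted score for one respondent."""
    return (coef["constant"] + coef["pk"] * pk + coef["nonjudge"] * nj
            + coef["nonjudge_x_pk"] * pk * nj)


def simple_slope(coef, pk):
    """Effect of one extra nonjudge point for a respondent with this PK."""
    return coef["nonjudge"] + coef["nonjudge_x_pk"] * pk


def probe(sample, coef):
    """Mean predicted score in the four median-split (PK, nonjudge) groups."""
    pk_cut = median(pk for pk, _, _ in sample)
    nj_cut = median(nj for _, nj, _ in sample)
    groups = {}
    for pk, nj, _ in sample:
        key = ("high" if pk > pk_cut else "low",
               "high" if nj > nj_cut else "low")
        groups.setdefault(key, []).append(predict(coef, pk, nj))
    return {key: mean(values) for key, values in groups.items()}


if __name__ == "__main__":
    data = make_sample()
    coef = fit_moderation(data)
    for (pk_level, nj_level), m in sorted(probe(data, coef).items()):
        print(f"{pk_level} PK, {nj_level} nonjudge: M = {m:.2f}")
    print("nonjudge slope at PK=1:", round(simple_slope(coef, 1), 2))
    print("nonjudge slope at PK=5:", round(simple_slope(coef, 5), 2))
```

The simple slope makes explicit what the group means show indirectly: the sign of the nonjudge effect depends on where a respondent sits on the PK scale.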

Models 1a to 3a used the number of correct answers on the phishing quiz as the dependent variable. However, besides asking respondents to judge whether e-mails were genuine, the quiz also incorporated knowledge questions about phishing. It is therefore not unlikely that the effect of phishing knowledge is overestimated. Furthermore, letting respondents participate in a quiz could have heightened certain aspects of mindfulness, in particular Actaware: attending to one's activities in the moment as opposed to acting on automatic pilot. Therefore, the analysis was run again with the two other operationalizations of phishing susceptibility (Testscore2 and Testscore3) as dependent variables. The results are summarized in table 3 (appendix) and in table 4.

The results from regression model 1b are similar to those of model 1a, except that the model is weaker, explaining 12 per cent of the variation. Age, education and PK are still significant predictors of phishing susceptibility, F(7, 1014) = 19.06, p < .001. Two differences can be noted. First, gender is now a significant predictor of phishing susceptibility, b* = 0.14, t = 2.15, p = .03, 95% CI [0.01, 0.27]: males score 0.01 to 0.27 higher than females on this test. Second, mindfulness is no longer a significant predictor. Exploring mindfulness in depth by calculating another regression model (2b), which included the five facets as independent variables, gives similar results to model 1b. Again the model is weaker, explaining 13 per cent of the variation. Just like in model 1b, Age, education, PK and Nonjudge are significant predictors of phishing susceptibility. Furthermore, when comparing the third models (3a and 3b), a significant interaction effect is again observed. Comparing the unstandardized predicted values among the four groups shows the following: low PK low Nonjudge group (M = 3.67, SD = 0.27), low PK high Nonjudge group (M = 3.69, SD = 0.35), high PK low Nonjudge group (M = 3.92, SD = 0.24), high PK high Nonjudge group (M = 4.23, SD = 0.28), which is in line with the results from model 3a. Scoring high on nonjudge decreases phishing susceptibility, but only when PK is high; for a visualization see figure 2 in the appendix.

The results from the regression models under c are comparable with the results from models a and b, in which the phishing quiz was used as dependent variable, except that the models are slightly weaker, explaining 6 to 8 per cent of the variation. Three notable results emerge when comparing the models under c with models a and b. First, PK is still the strongest predictor of decreased phishing susceptibility. Second, education is no longer a significant predictor of phishing susceptibility. Third, instead of the mindfulness facet nonjudge, Actaware is now a significant predictor of phishing susceptibility, b* = 0.09, t = 2.02, p < .001, 95% CI [0.00, 0.19]. However, no interaction effect between actaware and PK is observed.

Table 4.

Regression models to predict phishing susceptibility based on Testscore3.

| Phishing susceptibility | Model 1c | Model 2c | Model 3c |
|---|---|---|---|
| Constant | 3.23*** | 3.22*** | 2.69*** |
| Age | 0.08*** | 0.07*** | -0.16*** |
| Gender | 0.03* | 0.10 | 0.10 |
| Education | -0.04 | -0.02 | -0.03 |
| CSE | -0.03 | -0.03 | 0.03 |
| WE | -0.03 | -0.02 | -0.02 |
| PK | 0.17*** | 0.19*** | -0.28* |
| Mindfulness | 0.06* | | |
| Actaware | | 0.09* | |
| Nonjudge | | 0.07 | 0.23 |
| Describe | | -0.05 | |
| Observe | | -0.01 | |
| Nonreact | | -0.05 | |
| Actaware*PK | | | -0.03 |
| R² | .06 | .08 | .07 |
| F | 9.66*** | 7.86*** | 9.84*** |

Note. N = 1015. *p < .05. **p < .01. ***p < .001.

To summarize, in all models significant effects on phishing susceptibility were found for two out of the four hypothesized predictions. Higher levels of phishing knowledge and higher levels of mindfulness correlate with lower phishing susceptibility. Exploring the construct of mindfulness more deeply, for the phishing quiz (testscore1 and testscore2) the nonjudge component of mindfulness correlated with lower phishing susceptibility and a significant interaction effect with PK was found. Phishing susceptibility under testscore3 correlated with the Actaware component of mindfulness and with PK. However, unlike in models a and b, no interaction effect was found.

Discussion.

This research focused on the question: What determines the ability of people to successfully detect phishing messages? In order to explore this question a nationally representative survey was conducted among 1015 respondents, examining various background variables such as age, gender, education, computer self-efficacy, web experience, phishing knowledge, mindfulness and their phishing susceptibility. Results show that age, education, phishing knowledge and mindfulness aspects all play a role in determining one's phishing susceptibility.

In the study phishing susceptibility was measured in two distinct ways. The first replicated a more real-life setting, in which respondents had to indicate whether they would click on a link in a possible phishing e-mail. The other was a quiz in which respondents had to judge, between two options, which e-mail was a phishing attempt and which was a genuine e-mail. Regardless of the way phishing susceptibility was measured, the results showed that higher degrees of phishing knowledge and mindfulness are correlated with lower levels of phishing susceptibility, supporting hypotheses 3 and 4. However, the results did not support hypothesis 1 and hypothesis 2: when controlling for age, gender, education and phishing knowledge, computer self-efficacy and web experience are not significant predictors of phishing susceptibility.

The results for computer self-efficacy and web experience are contrary to findings from earlier studies by Wright and Marett (2010) and Luga et al. (2016), who both found that subjects who reported a higher CSE and subjects who reported higher degrees of web experience were less likely to fall for a phish. This contradiction in the findings could be due to a different set-up in the studies. Wright and Marett (2010) used a field experiment and sent an actual phishing e-mail to their subjects, whereas in the present study a survey was used and phishing susceptibility was measured through a quiz. However, since in the present study no effect was found for the more real-life measurement of phishing susceptibility either, another explanation is more likely. The other explanation is that the effect of computer self-efficacy and web experience on phishing susceptibility is mediated by phishing knowledge. This is also supported by Vishwanath et al. (2011), who also expected that computer self-efficacy would influence individual likelihood to respond to phishing e-mails, but did not find support for this in their data. They suspected that “the observed insignificancy of self-efficacy may be caused by the simultaneous presence of domain-specific knowledge in the research”, which is confirmed by the present study.

More interesting is the relation between mindfulness and phishing susceptibility. In the models tested, mindfulness is a significant predictor of phishing susceptibility regardless of how phishing susceptibility was measured. However, upon closer inspection two underlying facets of mindfulness actually had a significant effect on phishing susceptibility. Interestingly, these facets differ depending on how phishing susceptibility was measured. Using the first assessment of phishing susceptibility (the method more closely resembling a real-life situation), the mindfulness facet of Actaware (doing things intentionally as opposed to on automatic pilot) is a significant predictor of phishing susceptibility. This effect is significant regardless of the level of phishing knowledge. This could be explained by Kahneman's (2011) two-system model. This model distinguishes between system 1 thinking, which is an automatic and quick mode of thinking designed to detect simple relations, and system 2, a slower, deliberate mode of thinking which requires more effort and concentration. System 1 is a machine for jumping to conclusions, while system 2 allocates attention to effortful mental activities (Kahneman, 2011). People who are more Actaware use more mental resources when making a decision and use the system 2 route, causing them to scrutinize the e-mails more thoroughly and detect that it was a phishing message. This supports the effect hypothesized by Rosenberg (2004) that mindfulness training can help individuals to cope with nonconscious psychological processes.

When we measure phishing susceptibility via the quiz, Actaware is no longer a significant predictor of phishing susceptibility. A possible explanation is that the respondents wanted to score well on the quiz and therefore thoroughly scrutinized the e-mails, using system 2 instead of system 1 to process them. At the same time a different aspect of mindfulness, the nonjudge aspect (taking a non-evaluative stance toward thoughts and feelings), did become a significant predictor of phishing susceptibility, but only in interaction with high phishing knowledge. A possible explanation could be that people who are more likely to judge themselves are more afraid of making mistakes and therefore make more mistakes, a self-fulfilling prophecy (Merton, 1948). However, this is speculation and further research is needed to explore the interaction between Actaware, nonjudge, phishing knowledge and phishing susceptibility.

The findings in this study provide insight into which people are more susceptible to phishing attacks, but the present study is not without limitations. Improvements could be made in the design of the study. The first method of measuring phishing susceptibility included the limited number of three phishing e-mails; adding extra e-mails could have increased the variation in the answers and increased the predictive power of the model. Furthermore, the question itself could have been phrased better. Respondents were asked how likely it was that they would click on a link after receiving the e-mail shown on their screen. However, not clicking on links in an e-mail is always the correct response, even when it concerns a genuine e-mail, making the results harder to analyse. However, the alternative of asking respondents (as was done later in the study) to judge whether an e-mail is genuine or a phishing attempt means revealing the aim of the research to the respondents (i.e.

they normally would not do, threatening the external validity of the research and potentially missing effects like the one (Actaware) found using the first method of measuring phishing susceptibility. Including both measurements in the survey was therefore the right choice. However, giving respondents more e-mail scenarios to judge could have solidified the results. Future researchers are advised to take these considerations into account.

Nevertheless, the results from this study provide ample recommendations for policy makers and companies developing training tools to decrease phishing susceptibility. First, knowledge of phishing is a prerequisite for detecting phishing e-mails. Training tools should always enhance phishing knowledge. Second, being more Actaware, or using system 2 when opening e-mails, is also correlated with lower phishing susceptibility. Companies could think of ways to increase effortful thinking when opening and reading e-mails (e.g. assign 1 hour per day to attend to e-mails and ignore them the rest of the day). Third, when attending to your e-mails, postponing your judgement could further decrease phishing susceptibility. Policy makers are also aided by this research, since the study uses a nationally representative sample. Policy makers could use this to target people at risk, who are more often found among the lower educated and in the higher age groups. This also points to a gap in the current research on phishing, as this is mostly conducted among student samples, while the people most at risk are found more often in other parts of society. In conclusion, combating phishing and other forms of electronical requires a knowledgeable, effortful and non-judgemental approach from everyone involved.

Reference list.

Abbasi, A., Zahedi, F., Zeng, D., Chen, Y., Chen, H., & Nunamaker, J.F. (2015). Enhancing predictive analytics for anti-phishing by exploiting website genre information. Journal of Management Information Systems, 31(4), 109–157.

Anti-Phishing Working Group (APWG) (2015). Phishing Activity Trends Report. Retrieved on November 9, 2018, from http://docs.apwg.org/reports/apwg_trends_report_q1-q3_2015.pdf

Baer, R. A., Smith, G. T., & Allen, K. B. (2004). Assessment of mindfulness by self-report: The Kentucky Inventory of Mindfulness Skills. Assessment, 11, 191-206.

Baer, R. A., Smith, G. T., Hopkins, J., Krietemeyer, J., & Toney, L. (2006). Using self-report assessment methods to explore facets of mindfulness. Assessment, 13, 27-45.

Bohlmeijer, E. T., ten Klooster, P. M., Fledderus, M., Martine, V., & Baer, B. (2011). Psychometric properties of the five facet mindfulness questionnaire in depressed adults and development of a short form. Assessment, 18(3), 308-320.

Butavicius, M., Parsons, K., Pattinson, M., & McCormac, A. (2015). Breaching the human firewall: Social engineering in phishing and spear-phishing emails. Paper presented at the 26th Australasian Conference on Information Systems, Adelaide, Australia.

Caldwell, T. (2013). Spear-phishing: how to spot and mitigate the menace. Computer Fraud Security, 1, 11-16.

Carlson, J.R., & Zmud, R.W. (1999). Channel expansion theory and the experiential nature of media richness perceptions. Academy of Management Journal, 42(2), 153-70.

Cialdini, R. B. (2007). Influence: The psychology of persuasion. New York: Collins.

Compeau, D., & Higgins, C. (1995). Computer self efficacy: development of a measure and initial test. MIS Quarterly, 19, 189–211.

Dinev, T., & Hart, P. (2006). An extended privacy calculus model for ecommerce transactions. Information Systems Research, 17(1), 61-80.

Halevi, T., Lewis, J., & Memon, N. (2013). Phishing, personality traits and Facebook. arXiv preprint arXiv:1301.7643.

Halevi, T., Memon, N., & Nov, O. (2015). Spear-phishing in the wild: A real-world study of personality, phishing self-efficacy and vulnerability to spear-phishing attacks. Social Science Research Network.

Hammer, J. (2018). The billion-dollar bank job. The New York Times. Retrieved on 09-10-2018 from https://www.nytimes.com/interactive/2018/05/03/magazine/money-issue-bangladesh-billion-dollar-bank-heist.html

Hart, R., Ivtzan, I., & Hart, D. (2013). Mind the gap in mindfulness research: A comparative account of the leading schools of thought. Review of General Psychology, 17(4), 453–466.

Hong, J. (2012). The state of phishing attacks. Communications of the ACM, 55(1), 74–81.

Hong, K. W., Kelley, C. M., Tembe, R., Murphy-Hill, E., & Mayhorn, C. B. (2013). Keeping up with the Joneses: Addressing phishing susceptibility in an email task. Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 57, 1012-1016.

Jensen, M.L., Dinger, M., Wright, R.T., & Thatcher, J.B. (2017). Training to mitigate phishing attacks using mindfulness techniques. Journal of Management Information Systems, 34(2), 597–626.

Kahneman, D. (2011). Thinking, fast and slow. New York, NY: Farrar, Straus and Giroux.

Kabat-Zinn, J. (1994). Wherever you go, there you are: mindfulness meditation in everyday life. New York: Hyperion.

Kennisquiz Fraudehelpdesk.nl (2018). Retrieved on November 29, 2018, from https://www.fraudehelpdesk.nl/kennisquiz-valse-e-mails/

Langer, E. J. (1989). Mindfulness. Reading, MA: Addison-Wesley.

Larcom, G., & Elbirt, A.J. (2006). Gone phishing. IEEE Technology and Society Magazine, 25(3), 52–55.

Luga, C., Nurse, J. R. C., & Erola, A. (2016). Baiting the hook: factors impacting susceptibility to phishing attacks. Human-centric Computing and Information Sciences, 6(8),

Malhotra, N.K., Kim, S.S., & Agarwal, J. (2004). Internet users’ information privacy concerns (IUIPC): The construct, the scale, and a causal model. Information Systems Research, 15(4), 336–355.

Paganini, P. (2015, May 18). New Intel Security study shows that 97% of people can’t identify phishing emails. Retrieved on 09-20-2018 from https://securityaffairs.co/wordpress/36922/cyber-crime/study-phishing-emails-response.html

Radicati (2012). Email statistics report 2011–2015. Retrieved September 20, 2018, from http://www.radicati.com/wp/wp-content/uploads/2011/05/Email-Statistics-Report-2011-2015-Executive-Summary.pdf

Rosenberg, E. L. (2004). Mindfulness and consumerism. In T. Kasser & A. D. Kanner (Eds.), Psychology and consumer culture: The struggle for a good life in a materialistic world (pp. 107-125). Washington, DC, US: American Psychological Association.

Sheng, S., Holbrook, M., Kumaraguru, P., Cranor, L. F., & Downs, J. (2010). Who falls for phish? A demographic analysis of phishing susceptibility and effectiveness of interventions. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 373-382.

Straub, D.W., & Welke, R.J. (1998). Coping with systems risk: Security planning models for management decision making. MIS Quarterly, 22(4), 441–469.

Wash, R., & Cooper, M.M. (2018). Who provides training? Facts, stories, and people like me. In Proc. of CHI’18, Montreal, Canada.

Vishwanath, A., Herath, T., Chen, R., Wang, J., & Rao, R. (2011). Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model. Decision Support Systems, 51(3), 576-586.

Vishwanath, A. (2015). Examining the distinct antecedents of e-mail habits and its influence on the outcomes of a phishing attack. Journal of Computer-Mediated Communication, 20(5), 570-584.

Wright, R.T., Jensen, M.L., Thatcher, J. B., Dinger, M., & Marett, K. (2014). Influence techniques in phishing attacks: An examination of vulnerability and resistance. Information Systems Research, 25(2), 385-400.

Wright, R.T., & Marett, K. (2010). The influence of experiential and dispositional factors in phishing: an empirical investigation of the deceived. Journal of Management Information Systems, 27(1), 273-303.

Yao, M.Z., Rice, R.E., & Wallis, K. (2007). Predicting user concerns about online privacy. Journal of the American Society for Information Science & Technology, 58(5), 710–722.

Appendix A:

Table 3.

Regression models to predict phishing susceptibility based on Testscore2.

| Phishing susceptibility | Model 1b | Model 2b | Model 3b |
|---|---|---|---|
| Constant | 2.76*** | 2.65*** | 4.19*** |
| Age | -0.09*** | -0.10*** | -0.10*** |
| Gender | 0.14* | 0.13 | 0.14* |
| Education | 0.20*** | 0.20*** | 0.20*** |
| CSE | 0.03 | 0.03 | 0.02 |
| WE | -0.03 | -0.02 | -0.02 |
| PK | 0.24*** | 0.26*** | -0.17 |
| Mindfulness | 0.15 | | |
| Actaware | | 0.00 | |
| Nonjudge | | 0.19*** | -0.27 |
| Describe | | -0.10 | |
| Observe | | 0.07 | |
| Nonreact | | 0.01 | |
| Nonjudge*PK | | | 0.12** |
| R² | .12 | .13 | .14 |
| F | 19.06*** | 13.82*** | 19.55*** |

Note. N = 1015. *p < .05. **p < .01. ***p < .001.

Figure 2. Interaction effect, difference in mean score on Testscore2. [Line chart; series: low PK, high PK.]

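Table 5. Sample characteristics

| | Unweighted n | Unweighted % | Weighted n | Weighted % |
|---|---|---|---|---|
| 18-24 | 50 | 4.9 | 124 | 12.2 |
| 25-34 | 140 | 13.8 | 180 | 17.7 |
| 35-44 | 176 | 17.3 | 190 | 18.7 |
| 45-54 | 227 | 22.4 | 220 | 21.6 |
| 55-64 | 254 | 25.0 | 190 | 18.7 |
| 65-70 | 168 | 16.6 | 111 | 11 |
| Female | 457 | 45.0 | 517 | 51.0 |
| Male | 558 | 55.0 | 498 | 49.0 |
| Education low | 292 | 20.2 | 192 | 18.9 |
| Education mid | 518 | 51.0 | 550 | 54.2 |
| Education high | 292 | 28.8 | 273 | 26.9 |
| 3 largest municipalities | 96 | 9.5 | 126 | 12.4 |
| West | 270 | 26.6 | 301 | 29.6 |
| North | 123 | 12.1 | 101 | 9.9 |
| East | 215 | 21.2 | 209 | 20.6 |
| South | 270 | 26.6 | 237 | 23.4 |
| Suburban municipalities | 41 | 4.0 | 41 | 4.0 |
| Total | 1015 | 100 | 1015 | 100 |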

Questionnaire | Phishing

Hans Schoemaker

Project lead: Hans Schoemaker
Project number:

Reading guide:

• Texts in the blue blocks are the names of the chapters; respondents do not get to see these.
• The italic texts above the questions are filters/routings.
• Texts in blue italics indicate how the answer categories are presented. When the answers are randomised, the ‘other, namely’, ‘don't know’ or ‘none of these’ category always appears at the bottom of the list.
• Texts in red italics are instructions for our programmers.
• Texts highlighted in yellow are changes/new additions compared with the previous version.
• Texts highlighted in grey have been removed compared with the previous version.

Desired delivery format (if applicable):

• Images: as large as possible in .jpg or .png
• Video: .mpeg, .mp4, .avi, .mov
• Radio: .mp3, .wav

Research specifications:

Target group/sample: NL Rep
Sample size: 1000
Baseline questionnaire length: 15 minutes
Number of open questions to be coded: 0
Breakdowns for analysis: if known
Start of fieldwork: as soon as possible

Questionnaire:

All

IntroS1. Welcome to this questionnaire.

For this study we are curious about how you respond to newsletters and communication from companies.

In the following screens we present a number of situations. We would like to know how you would act in these different situations. You will then see 5 screens, each with an image of an e-mail message and the question of what you would do in that situation. Where text appears between square brackets in the image, the original e-mails in question contain your own details at that place, for example [name] or [address].

There are no right or wrong answers.

Phishing tests:

Q1a. Suppose you are a customer of this company and receive the e-mail below, would you click on the link?

Present images 1 to 5

- Very unlikely
- Unlikely
- Neither likely nor unlikely
- Likely
- Very likely

Computer knowledge:

IntroQ2. The following questions are about your computer use and computer knowledge. Can you indicate to what extent you have confidence in your own skills with computers?

Randomise

> in my skills in working with computers
> in learning to use new computer programs
> in understanding terms/words related to computers
> that I can solve problems with my computer independently
> that I can install new programs without problems
> that I can find everything I need on the internet

1. No confidence at all
2.
3.
4.
5. Full confidence

Q3. How many hours per week do you spend on average on the following activities on the internet?

> Reading news online
> Reading and posting messages on social media
> Looking up information about products and services you may want to buy/use
> Online shopping
> Watching online videos (for example YouTube, Netflix)

- Open input field per question

Q4. How familiar are you with the following concepts?

Randomise

> Virtual Private Network (VPN)
> Secure Sockets Layer (SSL)
> IP address
> Phishing
> Malware
> Cookies
> Encryption
> URL

- Never heard of it
- Have heard of it but do not know what it is
- I know what it is but do not know how it works
- I know roughly how this works
- I know very well how this works

Mindfulness and Big Five

Q5. We are curious about your outlook on life.

Can you indicate for the following statements how often this is generally true for you?

Randomise

> I am good at finding words to describe my feelings
> I can easily put my beliefs, opinions and expectations into words
> I observe my feelings without letting myself be completely carried away by them
> I tell myself that I should not be feeling the way I am feeling
> It is hard for me to find the words to describe my thoughts
> I pay attention to physical experiences such as the wind in my hair or the sun on my face
> I judge whether my thoughts are right or wrong
> I find it difficult to keep my attention on what is happening at this moment
> When I have distressing thoughts or see distressing images, I do not let myself be carried away by them
> I generally pay attention to sounds such as the ticking of a clock, the singing of birds or a car passing by
> When I feel something in my body, it is hard for me to find the right words to describe it
> It seems as if I am on ‘automatic pilot’ without being very aware of what I am doing
> When I have distressing thoughts or see distressing images, I feel calm again shortly afterwards
> I tell myself that I should not be thinking the way I am thinking
> I notice the smell and aroma of things
> Even when I am very upset, I can somehow put this into words
> When I have distressing thoughts or see distressing images, I can notice them without doing anything
> I think that my emotions are sometimes bad or inappropriate and that I should not feel them
> I notice the visual aspects of art or nature, such as colour, shape, texture or patterns of light and dark
> When I have distressing thoughts or see distressing images, I notice them and let them go
> I do my work or tasks automatically without being aware of what I am doing
> I notice that I often do things without paying attention to them
> I disapprove of myself when I have illogical thoughts

- Never or almost never true
- Rarely true
- Sometimes true
- Often true
- Very often or always true

Q6. Below are a number of characteristics that may apply to you.

For each statement, indicate to what extent you agree or disagree with it.

I see myself as someone who ...

Randomise

> worries a lot
> gets anxious easily
> stays calm in tense situations
> likes to talk
> is extraverted or sociable
> is reserved
> is original, comes up with new ideas
> values artistic or aesthetic experiences
> has a vivid imagination
> is sometimes rude to others
> is forgiving
> is considerate of almost everyone, is almost always kind
> works accurately
> is often lazy
> does things differently

- Strongly disagree
- Disagree
- Somewhat disagree
- Neither agree nor disagree
- Somewhat agree
- Agree
- Strongly agree

Phishing tests:

Q7A. Phishing is a form of internet fraud in which the fraudster lures the victim to a fake web page. This form of internet fraud usually takes place via e-mail and often aims to obtain personal (banking) details.

We are curious how well Dutch people are able to distinguish fake e-mails from original ones.

What follows is a short test with, each time, two screenshots of e-mails from the same company, one real and the other fake; the aim is to click on the real e-mail.

Present images 6 to 10

Q8. Are the following statements true or not true?

Randomise

> A green padlock in the URL means that I am on a legitimate website
> Phishing e-mails can always be recognised by spelling mistakes
> Phishing e-mails never have a personal salutation
> Phishers can forge a link in an e-mail so that the link appears to point to a legitimate website

- True
- Not true
- Don't know/no opinion

Closing text.

Thank you for taking part in this study on phishing.

Phishing and other forms of online fraud are an increasing problem in society. If you do not trust an e-mail, follow the flowchart below:

For more information about phishing and online fraud, visit www.fraudehelpdesk.nl

Images Q7
