Cover not available

Article published In: Interaction Studies
Vol. 24:3 (2023) ► pp.437463

Get fulltext from our e-platform
JBE logo with link
PDF logo with download linkDownload PDF
EPUB logo with download linkDownload EPUB
authorization required

Human risk factors in cybersecurity

Experimental assessment of an academic human attack surface

 | Fairmont State University | Marshall UniversityHuntington
 | Fairmont State University
 | West Virginia UniversityMorgantown
ORCiD logo with link | Fairmont State University
Published online: 15 February 2024
DOI logo with link
https://doi.org/10.1075/is.22053.cuc
Abstract
This article presents an experimental analysis of several cybersecurity risks affecting the human attack surface of Fairmont State University, a mid-size state university. We consider two social engineering experiments: a phishing email barrage and a targeted spearphishing campaign. In the phishing experiment, a total of 4,769 students, faculty, and staff on campus were targeted by 90,000 phishing emails. Throughout these experiments, we explored the effectiveness of three types of phishing awareness training. Our results show that phishing emails that make it through IT’s defenses pose a clear and present threat to large educational organizations. Moreover, we found that simple, visual, instructional guides are more effective training tools than long documents or interactive training.
Article outline
  • 1.Introduction
    • 1.1Research questions
  • 2.Related work
  • 3.Methodology
    • 3.1Phishing emails
      • 3.1.1Structural overview
      • 3.1.2Phishing email design
      • 3.1.3Training types
      • 3.1.4Data collection
    • 3.2Spearphishing
      • 3.2.1Survey overview
      • 3.2.2Data collection
    • 3.3IRB approval process
  • 4.Results
    • 4.1Response analysis (Research Question 1)
    • 4.2Effectiveness of training (Research Question 2)
    • 4.3Time of day analysis (Research Question 3)
    • 4.4Effectiveness of warning emails (Research Question 4)
  • 5.Conclusion
    • 5.1Limitations
  • Acknowledgements
  • Note
  • References
References (23)
References
Amos, Z. (2022). Why do phishing emails have such obvious typos? Security Boulevard.Google Scholar logo with link to Google Scholar
Burns, A. J., Johnson, M. E., and Caputo, D. D. (2019). Spear phishing in a barrel: Insights from a targeted phishing campaign. Journal of Organizational Computing and Electronic Commerce, 29(1):24–39. Google Scholar logo with link to Google Scholar
Competition, A. and Commission, C. (2018).Google Scholar logo with link to Google Scholar
Cuchta, T., Blackwood, B., Devine, T. R., Niichel, R. J., Daniels, K. M., Lutjens, C. H., Maibach, S., and Stephenson, R. J. (2019). Human risk factors in cybersecurity. In Proceedings of the 20th Annual SIG Conference on Information Technology Education. ACM. Google Scholar logo with link to Google Scholar
Dhamija, R., Tygar, J. D., and Hearst, M. (2006). Why phishing works. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI ’06, pages 581–590, New York, NY, USA. ACM. Google Scholar logo with link to Google Scholar
Downs, J. S., Holbrook, M., and Cranor, L. F. (2007). Behavioral response to phishing risk. In Proceedings of the Anti-phishing Working Groups 2Nd Annual eCrime Researchers Summit, eCrime ’07, pages 37–44, New York, NY, USA. ACM. Google Scholar logo with link to Google Scholar
Downs, J. S., Holbrook, M. B., and Cranor, L. F. (2006). Decision strategies and susceptibility to phishing. In Proceedings of the Second Symposium on Usable Privacy and Security, SOUPS ’06, pages 79–90, New York, NY, USA. ACM. Google Scholar logo with link to Google Scholar
Hanna, K. T. (2021). Definition: attack surface. WhatIs.com.Google Scholar logo with link to Google Scholar
Inc, P. (2019). State of the phish. [URL]
Jones, M. (2015). The effects of conformity and training in a phishing context: Conforming to the school of phish. Master’s thesis, The University of Alabama in Huntsville.
Khonji, M., Iraqi, Y., and Jones, A. (2013). Phishing detection: A literature survey. IEEE Communications Surveys Tutorials, 15(4):2091–2121. Google Scholar logo with link to Google Scholar
Matamoros-Macias;, R. B. K. S. N. S. B. and Ipsen, Y. (2019). Phishing and cybercrime risks in a university student community. International Journal of Cybersecurity Intelligence & Cybercrime, 21.Google Scholar logo with link to Google Scholar
Mathews, L. (2017). Phishing scams cost american businesses half a billion dollars a year. Forbes.Google Scholar logo with link to Google Scholar
Mimecast (2019). Email security risk assessment: Quarterly report, june 2019. Accessed: 2019-05-30.Google Scholar logo with link to Google Scholar
Moody, G. D., Galletta, D. F., and Dunn, B. K. (2017). Which phish get caught? an exploratory study of individuals’ susceptibility to phishing. European Journal of Information Systems, 26(6):564–584. Google Scholar logo with link to Google Scholar
Oliveira, D., Rocha, H., Yang, H., Ellis, D., Dommaraju, S., Muradoglu, M., Weir, D., Soliman, A., Lin, T., and Ebner, N. (2017). Dissecting spear phishing emails for older vs young adults. In Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems. ACM. Google Scholar logo with link to Google Scholar
Sheng, S., Holbrook, M., Kumaraguru, P., Cranor, L. F., and Downs, J. (2010). Who falls for phish?: A demographic analysis of phishing susceptibility and effectiveness of interventions. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI ’10, pages 373–382, New York, NY, USA. ACM. Google Scholar logo with link to Google Scholar
Sheng, S., Magnien, B., Kumaraguru, P., Acquisti, A., Cranor, L. F., Hong, J., and Nunge, E. (2007). Anti-phishing phil: The design and evaluation of a game that teaches people not to fall for phish. In Proceedings of the 3rd Symposium on Usable Privacy and Security, SOUPS ’07, pages 88–99, New York, NY, USA. ACM. Google Scholar logo with link to Google Scholar
Technologies, P. (2019). Cybersecurity threatscape q4 2018. [URL]
Williams, E. J., Hinds, J., and Joinson, A. N. (2018). Exploring susceptibility to phishing in the workplace. International Journal of Human-Computer Studies, 1201:1–13. Google Scholar logo with link to Google Scholar
(2018). Exploring susceptibility to phishing in the workplace. International Journal of Human-Computer Studies, 201:1 – 13. Google Scholar logo with link to Google Scholar
Young-McLear, K., Wyman, G., Benin, J., and Young-McLear, Y. (2016). A White Hat Approach to Identifying Gaps Between Cybersecurity Education and Training: A Social Engineering Case Study, pages 229–237.Google Scholar logo with link to Google Scholar
Zhao, R., John, S., Karas, S., Bussell, C., Roberts, J., Six, D., Gavett, B., and Yue, C. (2017). Design and evaluation of the highly insidious extreme phishing attacks. Computers & Security, 701:634–647. Google Scholar logo with link to Google Scholar
Cited by (1)

Cited by one other publication

Vrhovec, Simon, Blaž Markelj & Yaman Roumani
2024. We need to aim at the top: Factors associated with cybersecurity awareness of cyber and information security decision-makers. PLOS ONE 19:10  pp. e0312266 ff. DOI logo

This list is based on CrossRef data as of 18 march 2026. Please note that it may not be complete. Sources presented here have been supplied by the respective publishers. Any errors therein should be reported to them.

Mobile Menu Logo with link to supplementary files background Layer 1 prag Twitter_Logo_Blue