[BreachExchange] Gone phishing: Professor studies decision making

[Audrey McNeil]

http://www.theshorthorn.com/news/gone-phishing-professor-
studies-decision-making/article_aa47ae46-deb1-11e6-969e-a718e1d176c6.html

In an age where almost every business is online in some shape or form,
human behavior can cause security problems.

Jingguo Wang, information systems and operations management associate
professor, and his colleagues are researching human behavior and
information platforms.

Wang’s research explores the role decision confidence plays in phishing
scams. He started researching phishing in the fifth year of his doctoral
studies.

At that time, phishing was just emerging as a new avenue that exploits
emotional and cognitive vulnerabilities, Wang said. Phishing is normally
used as a hacker’s first step to explore an organization’s network.

In 2015, Americans reported over $1 billion in losses because of phishing
and other privacy violation crimes, according to the FBI’s Internet Crime
Complaint Center.

One of the leading contributors of the losses was email phishing scams, in
which hackers use emails that seem to be official to steal credentials and
other information, according to the FBI’s definition of phishing.

“When you or me receive an email, we make a judgment. We think it’s either
phishing or not phishing,” Wang said.

The study included 600 participants who each had to determine whether or
not an email was legitimate or a phishing scam. Each participant judged 16
random emails from a pool of 50. Most participants showed they were more
confident than what they could achieve, Wang said.

After that, they assigned a value of how confident they were in their
decision. Those results were analyzed for accuracy of judgment.

The results of the study showed all confidence beliefs poorly predicted
detection accuracy.

People shouldn’t rely on their confidence as a guide in decision making,
because the accuracy value provided by participants shows confidence is not
reliable, Wang said.

Businesses typically have training for employees to help raise awareness
and recognize pwhishing, but confidence is often not taken into account,
Wang said.

The study suggests employees should receive confidence regulation training,
he said.

“Not only do we need to pursue accuracy, but we should also let people
realize what’s the limit of their decision making,” Wang said.

With information and communication constantly bombarding people every day,
Wang said people often don’t take the time to fully vet their emails.

The most effective way to prevent falling for a phishing scam is to fully
investigate the email with a phone call to the business or individual in
question or look for inconsistencies, Wang said.

Other ways to protect your identity include keeping documents with
sensitive information safe or shredding them if you no longer need to keep
them, UTA Police Captain Mike McCord said.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170125/5606cec5/attachment.html>