The three-year grant is funded by the U.S. Department of Defense’s Minerva Research Initiative.
Bing. A new email pops into your inbox. It's your bank, telling you it's time to update your account password – just click this link to do it.
Did you click, or did a red flag go up in your head?
If you clicked, you just fell victim to one of the most common types of scams – an attack called "phishing." Phishing is when fraudulent emails purporting to be from reputable companies try to trick individuals into revealing personal information, such as passwords and credit card numbers.
Because phishing is such a widespread and costly problem in cybersecurity, the U.S. Department of Defense has awarded two Texas Tech University faculty members a three-year, $784,732 grant to study what makes some people susceptible to phishing.
Age, sex, various personality characteristics and aspects of users' technical knowledge have previously been shown as predictors for phishing susceptibility. But Keith S. Jones, an associate professor and associate chair of the Department of Psychological Sciences, and Akbar Siami-Namin, an associate professor in the Department of Computer Science, are now working to develop a system that can determine a user's phishing susceptibility based on publicly available information, such as the user's personal social media and the website of the organization named in the phishing email.
Contrary to commercial services that offer testing – which usually send a phishing email to see who clicks it – the solution envisioned by Jones and Siami-Namin doesn't require attempting to phish users.
"That can be useful, but likely only identifies those who are extremely susceptible, and likely fails to identify users who are susceptible but not enough to respond to the relatively generic phishing emails that are typically used during self-phishing campaigns," Jones said. "Accordingly, we aim to develop an automated means for determining users' phishing susceptibility that does not require self-phishing."
They plan to collect data from 400 participants to create an algorithm predicting phishing susceptibility and from 100 participants to identify and evaluate publicly available data about model factors. After Jones and Siami-Namin create a prototype of their system, it will be tested using data collected from an additional 100 participants.
The proposal was one of 15 selected for funding this year through the U.S. Department of Defense's Minerva Research Initiative, which brings together universities, research institutions and individual scholars to support interdisciplinary and cross-institutional projects addressing specific topic areas determined by the Secretary of Defense.
"We are proud to have been selected," Jones said. "Phishing is a widespread and costly problem, and, to an extent, our project being funded makes it clear there is a desire to develop new solutions for combatting phishing."