Are People with Cyber Security Training Worse at Checking Phishing Email Addresses? Testing the Automaticity of Verifying the Sender’s Address

Publisher: Springer Nature
Publication Type: Chapter
Citation: Human Aspects of Information Security and Assurance, 2023, 674, pp. 310-323
Issue Date: 2023-01-01

Cyber security training emphasises checking the sender’s email address to identify phishing emails. Dual process theories of cognition suggest that with practice such tactics can transition from effortful, analytic processes to involuntary heuristics and become ‘automatic’. We tested the automaticity of this email habit by developing a scale for cyber security experience and then deploying an interference task where participants (n = 61) had to make a decision about text colour and ignore senders’ addresses from either legitimate or phishing emails. A surprising result emerged: the more cyber security training participants had, the less interference they exhibited in the colour selection task and the more they were able to ignore the content of the senders’ addresses. This suggests that evaluating senders’ addresses does not fulfill the criterion for ‘automatic’ processes when practiced and that more experienced people seem to be able to ignore this important cue when extraneous task goals are present.