More Likely to Fall for a Phishing Scam If You’re a Neurotic Woman?

Softpedia published an article I have a problem with. There is so much wrong with it that I don't even know where to start. They started out with:

"Researchers at the Polytechnic Institute of New York University (NYU-Poly) have conducted an experiment to determine if there is a link between an individual’s personality and the chances that they would fall victim to a phishing scam." 

That is the first problem right there. Labelling people as having "different personalities" is fraught with ambiguity, because people change moods and perspectives all the time. Today I might feel great. Next week I might have a headache, the boss yelling, and other messes thrown at me. Is my "personality" going to determine whether I am Phish-prone? I'm sure it isn't. FAIL 1.

Next: "100 students from an undergraduate psychology class were selected and asked about their online habits and beliefs. They've also been asked to rate the likelihood of having their passwords stolen or other similar negative things that could happen to them online. In addition, they took a multidimensional personality assessment survey."

Only 100 test subjects? And all of them college students? That is too small a sample to support the fine-grained personality correlations they report, and far too homogeneous a group to draw valid results from and extrapolate as far as they did. FAIL 2.

"Once this phase of the experiment was over, they were sent phishing emails that promised them prizes in return for some personal information. The researchers made sure that the emails contained spelling and grammar errors, and other clues that can usually help users determine if an offer is legitimate or not."

Offering "prizes" is only a very small part of the whole gamut of social engineering. Testing with prizes is like testing cats with a piece of raw chicken: a few may eat it, but many others would sniff at it, wrinkle their nose and walk away. FAR from enough testing was done to draw any kind of conclusion about why people really fall for phishing scams. FAIL 3.

They went on with: "17% of the students fell for the scam. Interestingly, the group had considerable computer knowledge. Most of the victims were women. However, researchers have determined that women who, according to the personality assessment they took, were neurotic, were most likely to fall for the scam."

The real number of people falling for phishing is between 20 and 30%. Hundreds of tests over hundreds of thousands of employees done at KnowBe4 show this to be a much more reliable number, and the clicks are evenly distributed between men and women. FAIL 4.

"The study hasn’t found any link between men’s personalities and their vulnerability to phishing attacks. Also, no correlation has been found between computer security knowledge levels and the likelihood of being phished."

That's because there IS no correlation between personality and being Phish-prone. And there is no correlation between computer security knowledge and Phish-prone percentage because the subjects were not trained effectively and then tested, tested, tested afterward. FAIL 5.

"These results tell us that personality characteristics may exert considerable influence when it comes to choices about online behavior, and that they may even override awareness of online threats," said James Lewis, instructor in the NYU-Poly Department of Science, Technology and Society.

Lewis added, "In the moment, it appears that computer users may be more focused on the possibility of winning a prize or the perceived benefits of sharing information on Facebook, and that these gains distract from potentially damaging outcomes."

Those are completely unwarranted conclusions. The result only shows that the subjects were not given sufficient and effective security awareness training. Here is an open challenge: give me these same 100 students. We will train them and send them simulated phishing attacks for a month. Then Lewis can send another one of his tests. NOT ONE of them will fall for a phishing attack after we train them!
