EXPERIMENTAL STUDY TO ASSESS THE IMPACT OF TIMERS ON USER SUSCEPTIBILITY TO PHISHING ATTACKS
Social engineering costs organizations billions of dollars. It exploits the weakest link of information systems security, the users. It is well-documented in literature that users continue to click on phishing emails costing them and their employers significant monetary resources and data loss. Training does not appear to mitigate the effects of phishing much; other solutions are warranted. Kahneman introduced the concepts of System-One and System-Two thinking. System-One is a quick, instinctual decision-making process, while System-Two is a process by which humans use a slow, logical, and is easily disrupted. The key aim of our experimental field study was to investigate if requiring the user to pause by presenting a countdown or count-up timer when a possible phishing email is opened will influence the user to enter System-Two thinking. In this study, we designed, developed, and empirically tested a Pause-and-Think (PAT) mobile app that presented a user with a warning dialog and a countdown or count-up timer. Our goal was to determine whether requiring users to wait with a colored warning and a timer has any effect on phishing attempts. The study was completed in three phases with 42 subject matter experts and 107 participants. The results indicated that a countdown timer set at 3-seconds accompanied by red warning text was most effective on the user’s ability to avoid clicking on a malicious link or attachment. Recommendations for future research include enhancements to the PAT mobile app and investigating what effect the time of day has on susceptibility to phishing.
Information Security Commons, Management Information Systems Commons, Technology and Innovation Commons