A Study of Correlations Between Trait Affect and Phishing Susceptibility

Abstract

Although phishing emails have been in use for decades, these social engineering attacks are still prevalent because they keep working; in fact, they are a leading cause of data breaches. In this research, I attempt to discern how an individual’s trait affect levels are related to their susceptibility to clicking on links in phishing emails, with particular attention on how this relationship may vary based on the type of phishing email employed. Trait Affect is a term from psychology that references a subset of one’s disposition and tendency towards certain moods and emotions. Trait Affect is further broken down into positive affect and negative affect, which are largely independent. Positive Affect reflects one’s tendency to act, while Negative Affect reflects one’s tendency towards experiencing negative emotions. Trait Affect has been shown to influence user’s behaviors and risk perception. Additionally, it is generally stable over an individual’s lifetime, making it a useful metric with which to model behavior. Being able to model an individual’s behavior in response to phishing is important to lowering the rates of phishing. While the creation of such models is outside the scope of this paper, the relationships examined will prove useful in future attempts to model such behaviors. To obtain data as close to a real-world scenario as possible, phishing susceptibility was measured on a click-through basis of emails sent to participant’s personal emails. This process caused some difficulty in managing to make emails that were both compelling and capable of passing automated email filtering. The process was further complicated by legal concerns surrounding the real-world approach to phishing. It is important to note, however, that no user data was taken – all measurements were based around a user clicking on a link rather than entering any information.