Setting Priorities in Behavioral Interventions: An Application to Reducing Phishing Risk

Phishing risk is a growing area of concern for corporations, governments, and individuals. Given the evidence that users vary widely in their vulnerability to phishing attacks, we demonstrate an approach for assessing the benefits and costs of interventions that target the most vulnerable users. Our...

Bibliographic details
Published in: Risk analysis 2018-04, Vol.38 (4), p.826-838
Main authors: Canfield, Casey Inez; Fischhoff, Baruch
Format: Article
Language: eng
Subjects:
Online access: Full text
container_end_page 838
container_issue 4
container_start_page 826
container_title Risk analysis
container_volume 38
creator Canfield, Casey Inez
Fischhoff, Baruch
description Phishing risk is a growing area of concern for corporations, governments, and individuals. Given the evidence that users vary widely in their vulnerability to phishing attacks, we demonstrate an approach for assessing the benefits and costs of interventions that target the most vulnerable users. Our approach uses Monte Carlo simulation to (1) identify which users were most vulnerable, in signal detection theory terms; (2) assess the proportion of system‐level risk attributable to the most vulnerable users; (3) estimate the monetary benefit and cost of behavioral interventions targeting different vulnerability levels; and (4) evaluate the sensitivity of these results to whether the attacks involve random or spear phishing. Using parameter estimates from previous research, we find that the most vulnerable users were less cautious and less able to distinguish between phishing and legitimate emails (positive response bias and low sensitivity, in signal detection theory terms). They also accounted for a large share of phishing risk for both random and spear phishing attacks. Under these conditions, our analysis estimates much greater net benefit for behavioral interventions that target these vulnerable users. Within the range of the model's assumptions, there was generally net benefit even for the least vulnerable users. However, the differences in the return on investment for interventions with users with different degrees of vulnerability indicate the importance of measuring that performance, and letting it guide interventions. This study suggests that interventions to reduce response bias, rather than to increase sensitivity, have greater net benefit.
doi_str_mv 10.1111/risa.12917
format Article
fulltext fulltext
identifier ISSN: 0272-4332
ispartof Risk analysis, 2018-04, Vol.38 (4), p.826-838
issn 0272-4332
1539-6924
language eng
recordid cdi_proquest_miscellaneous_1955069138
source Wiley Online Library Journals Frontfile Complete; EBSCOhost Business Source Complete
subjects Behavior
Behavior modification
Behavioral intervention
benefit–cost analysis
Computer simulation
Email
Intervention
Monte Carlo simulation
Parameter estimation
Phishing
Prioritizing
Response bias
Return on investment
Risk
Risk assessment
Risk taking
Sensitivity
Sensitivity analysis
Signal detection
signal detection theory
Simulation
system‐level risk
Vulnerability
title Setting Priorities in Behavioral Interventions: An Application to Reducing Phishing Risk
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-15T05%3A35%3A49IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Setting%20Priorities%20in%20Behavioral%20Interventions:%20An%20Application%20to%20Reducing%20Phishing%20Risk&rft.jtitle=Risk%20analysis&rft.au=Canfield,%20Casey%20Inez&rft.date=2018-04&rft.volume=38&rft.issue=4&rft.spage=826&rft.epage=838&rft.pages=826-838&rft.issn=0272-4332&rft.eissn=1539-6924&rft_id=info:doi/10.1111/risa.12917&rft_dat=%3Cproquest_cross%3E1955069138%3C/proquest_cross%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2023555493&rft_id=info:pmid/29023908&rfr_iscdi=true