网络钓鱼的影响因素:心理学的视角
Influencing Factors of Phishing: A Psychological Perspective
DOI: 10.12677/AP.2021.114109, PDF,    国家科技经费支持
作者: 葛 燕, 崔馨月, 瞿炜娜:中国科学院行为科学重点实验室(中国科学院心理研究所),北京;中国科学院大学心理系,北京
关键词: 网络钓鱼人格特质情境因素系统特征Phishing Personality Traits Email Characteristics System Features
摘要: 网络钓鱼是指通过计算机技术并利用人类心理弱点对终端用户进行攻击的行为,研究网络钓鱼的影响因素可以提高网络安全水平,降低网络钓鱼伤害。本文以心理学的视角,从个体、情境和系统三个方面对网络钓鱼的影响因素进行梳理总结,并探讨了各影响因素联结的动态过程。在个体因素方面,先天特质会影响网络钓鱼易感性,但后天学习和积累的知识经验能降低被钓鱼的风险;在情境方面,身份伪装和特殊情境设定能够利用用户的心理弱点,直接影响用户回复钓鱼邮件的行为;在系统方面,系统反馈影响人对系统安全的信任,进而影响网络钓鱼风险。未来的研究可从三个方面展开:一是探讨和细化个人特质对整体网络钓鱼易感性的综合影响,建立易感者模型;二是量化邮件特征在用户动态决策过程的作用;三是结合个体特质、情境因素和系统特征,建立基于三者结合关系模型的防护体系。
Abstract: Phishing refers to the behavior of attacking end-users through computer technology and taking advantage of human psychological weaknesses. Investigating what shapes phishing susceptibility can improve the level of network security and reduce the damage of phishing. From the perspective of psychology, this paper summarized the influential factors of phishing from three levels: the individual level, the email level and the system level. Meanwhile the dynamic processes of the link of those factors are also explored. At the individual level, people with high score in some specific individual are easier to be attached by phishing, but acquired knowledge and accumulated experience can reduce the risk of getting phished. At the email level, identity camouflage and context setting can make use of users’ psychological weaknesses, and thus directly affect the possibility to respond to phishing email. At the system level, system features affect users’ trust in automation security and reliability, which in turn affects phishing risk. Future research could be focused on three aspects: first, to refine the comprehensive influence of different personalities on overall phishing susceptibility and to establish the susceptibility model; second, to qualify the influence of email characteristics on users’ the dynamic decision-making process; third, to establish a protective system based on the comprehensive impact of individual traits, email characteristics and system features.
文章引用:葛燕, 崔馨月, 瞿炜娜 (2021). 网络钓鱼的影响因素:心理学的视角. 心理学进展, 11(4), 968-977. https://doi.org/10.12677/AP.2021.114109

参考文献

[1] 顾威(2017). 防火防盗反钓鱼2016年全球网络钓鱼总汇概览. 计算机与网络, 43(Z1), 78-84.
[2] 吴少华, 胡勇(2014).社会工程在APT攻击中的应用与防御. 信息安全与通信保密, (10), 93-95.
[3] 杨明, 杜彦辉, 刘晓娟(2012). 网络钓鱼邮件分析系统的设计与实现. 中国人民公安大学学报(自然科学版), 18(2), 61-65.
[4] Aaron, G. (2019). Phishing Attack Trends Report-1Q 2019. https://apwg.org/
[5] Alseadoon, I., Othman, F. I., & Chan, T. Z. (2015). What Is the Influence of Users’ Characteristics on Their Ability to Detect Phishing Emails? Advanced Computer and Communication Engineering Technology, 315, 949-962.[CrossRef
[6] Alsharnouby, M., Alaca, F., & Chiasson, S. (2015). Why Phishing Still Works: User Strategies for Combating Phishing Attacks. International Journal of Human-Computer Studies, 82, 69-82.[CrossRef
[7] Barlow, R. E. (1984). Mathematical-Theory of Reliability—A Historical-Perspective. IEEE Transactions on Reliability, 33, 16-20.[CrossRef
[8] Bullee, J.-W., Montoya, L., Junger, M., & Hartel, P. (2017). Spear Phishing in Organisations Explained. Information & Computer Security, 25, 593-613.[CrossRef
[9] Chancey, E. T., Bliss, J. P., Proaps, A. B., & Madhavan, P. (2015). The Role of Trust as a Mediator between System Characteristics and Response Behaviors. Human Factors: The Journal of the Human Factors and Ergonomics Society, 57, 947- 958.[CrossRef] [PubMed]
[10] Chancey, E. T., Bliss, J. P., Yamani, Y., & Handley, H. A. H. (2017).Trust and the Compliance-Reliance Paradigm: The Effects of Risk, Error Bias, and Reliability on Trust and Dependence. Human Factors: The Journal of the Human Factors and Ergonomics Society, 59, 333-345.[CrossRef] [PubMed]
[11] Chavaillaz, A., Wastell, D., & Sauer, J. (2016). System Reliability, Performance and Trust in Adaptable Automation. Applied Ergonomics, 52, 333-342.[CrossRef] [PubMed]
[12] Chen, J., Mishler, S., Hu, B., Li, N., & Proctor, R. W. (2018). The Description-Experience Gap in the Effect of Warning Reliability on User Trust and Performance in a Phishing-Detection Context. International Journal of Human-Computer Studies, 119, 35-47.[CrossRef
[13] Chou, N., Ledesma, R., Teraguchi, Y., & Mitchell, J. C. (2004). Client-Side Defense against Web-Based Identity Theft. Proceedings of the Network and Distributed System Security Symposium (NDSS’04), San Diego, 1-8.
[14] Dambacher, M., Hübner, R. (2015). Time Pressure Affects the Efficiency of Perceptual Processing in Decisions under Conflict. Psychological Research, 79, 83-94.[CrossRef] [PubMed]
[15] de Vries, P., Midden, C., & Bouwhuis, D. (2003). The Effects of Errors on System Trust, Self-Confidence, and the Allocation of Control in Route Planning. International Journal of Human-Computer Studies, 58, 719-735.[CrossRef
[16] Downs, J. S., Holbrook, M., & Cranor, L. F. (2007). Behavioral Response to Phishing Risk. Proceedings of the Anti-Phishing Working Groups 2nd Annual eCrime Researchers Summit (eCrime’07), October 2007, 37-44.[CrossRef
[17] Egelman, S., Cranor, L. F., & Hong, J. (2008). You’ve Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. Proceedings of the 26th Annual Chi Conference on Human Factors in Computing Systems, April 2008, 1065-1074.[CrossRef
[18] Gefen, D., Karahanna, E., & Straub, D. W. (2003). Trust and TAM in Online Shopping: An Integrated Model. MIS Quarterly, 27, 51-90.[CrossRef
[19] Goel, S., Williams, K., & Dincelli, E. (2017). Got Phished? Internet Security and Human Vulnerability. Journal of the Asso-ciation for Information Systems, 18, 22-44.[CrossRef
[20] Griffin, R. J., Neuwirth, K., Giese, J., & Dunwoody, S. (2002). Linking the Heuristic-Systematic Model and Depth of Processing. Communication Research, 29, 705-732.[CrossRef
[21] Halevi, T., Lewis, J., & Memon, N. (2013). A Pilot Study of Cyber Security and Privacy Related Behavior and Personality Traits. Proceedings of the 22nd International Conference on World Wide Web (IW3C2), May 2013, 737-744.[CrossRef
[22] Harrison, B., Svetieva, E., & Vishwanath, A. (2016). Individual Processing of Phishing Emails: How Attention and Elaboration Protect against Phishing. Online Information Review, 40, 265-281.[CrossRef
[23] Hillesheim, A. J., & Rusnock, C. F. (2016). Predicting the Effects of Automation Reliability Rates on Human-Automation Team Performance. Proceedings of the 2016 Winter Simulation Conference (WSC), Washington DC, 11-14 December 2016, 1802-1813.[CrossRef
[24] Holm, H., Flores, W. R., Nohlberg, M., & Ekstedt, M. (2014). An Empirical Investigation of the Effect of Target-Related Information in Phishing Attacks. Proceedings of IEEE 18th International Enterprise Distributed Object Computing Conference Workshops and Demonstrations, Ulm, 1-2 September 2014, 357-363.[CrossRef
[25] Jagatic, T. N., Johnson, N. A., Jakobsson, M., & Menczer, F. (2007). Social Phishing. Communications of the ACM, 50, 94-100.[CrossRef
[26] Modic, D., & Lea, S. E. G. (2011). How Neurotic Are Scam Victims, Really? The Big Five and Internet Scams. Proceedings of the 2011 Conference of the International Confederation for the Advancement of Behavioral Economics and Economic Psychology, 1-23.[CrossRef
[27] Moody, G. D., Galletta, D. F., & Dunn, B. K. (2017). Which Phish Get Caught? An Exploratory Study of Individuals’ Susceptibility to Phishing. European Journal of Information Systems, 26, 564-584.[CrossRef
[28] Nicholson, J., Coventry, L., & Briggs, P. (2017). Can We Fight Social Engineering Attacks by Social Means? Assessing Social Salience as a Means to Improve Phish Detection. Proceedings of the Thirteenth Symposium on Usable Privacy and Security (SOUPS13), Santa Clara, 12-14 July 2017, 285-298.
[29] Ramesh, G., Selvakumar, K., & Venugopal, A. (2017). Intelligent Explanation Generation System for Phishing Webpages by Employing an Inference System. Behaviour& Information Technology, 36, 1244-1260.[CrossRef
[30] Sharples, S., Stedmon, A., Cox, G. et al. (2007). Flightdeck and Air Traffic Control Collaboration Evaluation (FACE): Evaluating Aviation Communication in the Laboratory and Field. Applied Ergonomics, 38, 399-407.[CrossRef] [PubMed]
[31] Spain, R. D., & Bliss, J. P. (2008). The Effect of Sonification Display pulse Rate and Reliability on Operator Trust and Perceived Workload during a Simulated Patient Monitoring Task. Ergonomics, 51, 1320-1337.[CrossRef] [PubMed]
[32] Vishwanath, A. (2015). Examining the Distinct Antecedents of E-Mail Habits and Its Influence on the Outcomes of a Phishing Attack. Journal of Computer-Mediated Communication, 20, 570-584.[CrossRef
[33] Vishwanath, A., Harrison, B., & Ng, Y. J. (2018). Suspicion, Cognition, and Automaticity Model of Phishing Susceptibility. Communication Research, 45, 1146-1166.[CrossRef
[34] Vishwanath, A., Herath, T., Chen, R. et al. (2011). Why Do People Get Phished? Testing Individual Differences in Phishing vulnerability within an Integrated, Information Processing Model. Decision Support Systems, 51, 576-586.[CrossRef
[35] Wang, J. G., Herath, T., Chen, R., Vishwanath, A., & Rao, H. R. (2012). Phishing Susceptibility: An Investigation Into the Processing of a Targeted Spear Phishing Email. IEEE Transactions on Professional Communication, 55, 345-362.[CrossRef
[36] Weirich, D., & Sasse, M. A. (2001). Pretty Good Persuasion: A First Step towards Effective Password Security in the Real World. Proceedings of the 2001 Workshop on New Security Paradigms (NSPW’12), September 2001, 137-143.[CrossRef
[37] Welk, A. K., Hong, K. W., Zielinska, O. A. et al. (2015). Will the Phisher-Men” Reel You In?: Assessing Individual Differences in a Phishing Detection Task. International Journal of Cyber Behavior, Psychology and Learning, 5, 1-17.[CrossRef
[38] Wright, R. T., Jensen, M. L., Thatcher, J. B. et al. (2014). Influence Techniques in Phishing Attacks: An Examination of Vulnerability and Resistance. Information Systems Research, 25, 385-400.[CrossRef
[39] Wright, R., Chakraborty, S., Basoglu, A., & Marett, K. (2010). Where Did They Go Right? Understanding the Deception in Phishing Communications. Group Decision and Negotiation, 19, 391-416.[CrossRef