{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,20]],"date-time":"2025-11-20T13:13:37Z","timestamp":1763644417697,"version":"3.41.2"},"reference-count":35,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2024,11,14]],"date-time":"2024-11-14T00:00:00Z","timestamp":1731542400000},"content-version":"vor","delay-in-days":318,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"funder":[{"DOI":"10.13039\/100009527","name":"Swedish Civil Contingencies Agency","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100009527","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2024,1,2]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>Phishing attacks via email remain a popular and cost-effective alternative for attackers looking to penetrate computer networks. A number of experiments suggest that a person\u2019s susceptibility to this type of deception depends on the phishing email. In field experiments, three variables found to be important are: the scam represented in the email, to what extent the email has been adapted to recipient, and to what extent influence techniques are used. These variables have intricate interdependencies, and the overall scam of the message often constrains how the message can be adapted using influence techniques. In this study, a multilevel model is used. Scam is added cluster variable, and the other two are added as predictor variables. Thus, variations in the overall scam are controlled for before the effect impact of adaptations and use of influence techniques is estimated. In total, 2294 emails were sent to 102 participants and it is measured if they click links provided in emails (N\u00a0=\u00a01953) or run executables referenced in emails (N\u00a0=\u00a02199). The results show that the difference in scam in the message results in 6% variance in susceptibility to phishing links, and 3% variance in susceptibility to executing code. When controlling for the scam, no robust relationships were found between the remaining variables and phishing susceptibility. It is discussed if previous research has overestimated the impact of adaptation and influence techniques, e.g. because of the interdependency between the variables and the scam.<\/jats:p>","DOI":"10.1093\/cybsec\/tyae021","type":"journal-article","created":{"date-parts":[[2024,11,14]],"date-time":"2024-11-14T09:01:28Z","timestamp":1731574888000},"source":"Crossref","is-referenced-by-count":4,"title":["The unpredictability of phishing susceptibility: results from a repeated measures experiment"],"prefix":"10.1093","volume":"10","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2606-4139","authenticated-orcid":false,"given":"Teodor","family":"Sommestad","sequence":"first","affiliation":[{"name":"Swedish Defence Research Agency, FOI Totalf\u00f6rsvarets forskningsinstitut , 164 90 Stockholm ,","place":["Sweden"]}]},{"given":"Henrik","family":"Karlz\u00e9n","sequence":"additional","affiliation":[{"name":"Swedish Defence Research Agency, FOI Totalf\u00f6rsvarets forskningsinstitut , 164 90 Stockholm ,","place":["Sweden"]}]}],"member":"286","published-online":{"date-parts":[[2024,11,14]]},"reference":[{"key":"2024121909132663700_bib1","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/j.ijhcs.2018.06.004","article-title":"Exploring susceptibility to phishing in the workplace","volume":"120","author":"Williams","year":"2018","journal-title":"Int J Hum Comput Stud"},{"key":"2024121909132663700_bib2","doi-asserted-by":"publisher","first-page":"341","DOI":"10.1007\/978-3-030-80825-9_17","article-title":"Spotlight on phishing: a longitudinal study on phishing awareness trainings","volume-title":"Lecture Notes in Computer Science","author":"Quinkert","year":"2021"},{"article-title":"2023 Annual state of email security report","year":"2023","author":"Cofense","key":"2024121909132663700_bib3"},{"key":"2024121909132663700_bib4","doi-asserted-by":"publisher","DOI":"10.1109\/eCrime47957.2019.9037502","article-title":"A meta-analysis of field experiments on phishing susceptibility","volume-title":"eCrime Researchers Summit, eCrime 2019","author":"Sommestad","year":"2019"},{"author":"US Federal Trade Commission","key":"2024121909132663700_bib5","article-title":"How to recognize and avoid phishing scams"},{"key":"2024121909132663700_bib6","doi-asserted-by":"publisher","first-page":"1200","DOI":"10.1109\/TDSC.2022.3151103","article-title":"Sixteen years of phishing user studies: what have we learned?","volume":"20","author":"Baki","year":"2022","journal-title":"IEEE Trans Dependable Secure Comput"},{"key":"2024121909132663700_bib7","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3575797","article-title":"SoK: human-centered phishing susceptibility","volume":"26","author":"Zhuo","year":"2023","journal-title":"ACM Trans Priv Secur"},{"key":"2024121909132663700_bib8","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3635149","article-title":"Cognition in social engineering empirical research: a systematic literature review","volume":"31","author":"Burda","year":"2024","journal-title":"ACM Trans Comput Hum Interact"},{"article-title":"The state of phishing defence","year":"2018","author":"Cofense","key":"2024121909132663700_bib9"},{"article-title":"Annual State of Email Security","year":"2024","author":"Cofense","key":"2024121909132663700_bib10"},{"article-title":"Quarterly Threat Report Q1 2022","year":"2022","author":"Expel","key":"2024121909132663700_bib11"},{"key":"2024121909132663700_bib12","doi-asserted-by":"publisher","first-page":"22","DOI":"10.17705\/1jais.00447","article-title":"Got phished? Internet security and human vulnerability","volume":"18","author":"Goel","year":"2017","journal-title":"J Assoc Inf Syst"},{"key":"2024121909132663700_bib13","doi-asserted-by":"publisher","first-page":"103364","DOI":"10.1016\/j.cose.2023.103364","article-title":"Evaluating organizational phishing awareness training on an enterprise scale","volume":"132","author":"Hillman","year":"2023","journal-title":"Comput Secur"},{"key":"2024121909132663700_bib14","doi-asserted-by":"publisher","first-page":"230","DOI":"10.1109\/THS.2011.6107876","article-title":"Measuring the human factor of cyber security","volume-title":"2011 IEEE International Conference on Technologies for Homeland Security, HST 2011","author":"Bowen","year":"2011"},{"key":"2024121909132663700_bib15","doi-asserted-by":"publisher","first-page":"79","DOI":"10.1108\/IMCS-11-2013-0083","article-title":"Using phishing experiments and scenario-based surveys to understand security behaviours in practice","volume-title":"Proceedings of the European Information Security Multi-Conference, EISMC 2013","author":"Flores","year":"2013"},{"key":"2024121909132663700_bib16","first-page":"297","article-title":"Lessons learned from phishing test","volume-title":"IDIMT2017: Digitalization in Management, Society and Economy\u201325th Interdisciplinary Information Management Talks","author":"Sokol","year":"2017"},{"key":"2024121909132663700_bib17","doi-asserted-by":"publisher","first-page":"94","DOI":"10.1145\/1290958.1290968","article-title":"Social phishing","volume":"50","author":"Jagatic","year":"2007","journal-title":"Commun ACM"},{"key":"2024121909132663700_bib18","doi-asserted-by":"publisher","first-page":"597","DOI":"10.1080\/07421222.2017.1334499","article-title":"Training to mitigate phishing attacks using mindfulness techniques","volume":"34","author":"Jensen","year":"2017","journal-title":"J Manag Inf Syst"},{"key":"2024121909132663700_bib19","first-page":"2583","article-title":"The effectiveness of deceptive tactics in phishing","volume-title":"15th Americas Conference on Information Systems 2009, AMCIS 2009","author":"Marett","year":"2009"},{"key":"2024121909132663700_bib20","doi-asserted-by":"publisher","first-page":"564","DOI":"10.1057\/s41303-017-0058-x","article-title":"Which phish get caught an exploratory study of individuals\u2032 susceptibility to phishing","volume":"26","author":"Moody","year":"2017","journal-title":"Eur J Inf Syst"},{"key":"2024121909132663700_bib21","doi-asserted-by":"publisher","first-page":"70","DOI":"10.1145\/1897852.1897872","article-title":"Understanding scam victims: seven principles for systems security","volume":"54","author":"Stajano","year":"2011","journal-title":"Commun ACM"},{"key":"2024121909132663700_bib22","first-page":"143","article-title":"Principles of interpersonal influence","volume-title":"Persuasion: Psychological Insights and Perspectives","author":"Cialdini","year":"2005","edition":"2nd edn"},{"key":"2024121909132663700_bib23","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3336141","article-title":"Susceptibility to spear-phishing emails: effects of internet user demographics and email content","volume":"26","author":"Lin","year":"2019","journal-title":"ACM Trans Comput Hum Interact."},{"key":"2024121909132663700_bib24","doi-asserted-by":"publisher","first-page":"103487","DOI":"10.1016\/j.cose.2023.103487","article-title":"Phishing susceptibility across industries: the differential impact of influence techniques","volume":"135","author":"(Annie)\u00a0Tian","year":"2023","journal-title":"Comput Secur"},{"key":"2024121909132663700_bib25","doi-asserted-by":"publisher","first-page":"385","DOI":"10.1287\/isre.2014.0522","article-title":"Research note\u2014influence techniques in phishing attacks: an examination of vulnerability and resistance","volume":"25","author":"Wright","year":"2014","journal-title":"Inf Syst Res"},{"key":"2024121909132663700_bib26","doi-asserted-by":"publisher","first-page":"597","DOI":"10.1007\/978-3-319-70278-0_38","article-title":"What to phish in a subject?","volume-title":"Financial Cryptography and Data Security","author":"Ferreira","year":"2017"},{"key":"2024121909132663700_bib27","doi-asserted-by":"publisher","first-page":"203","DOI":"10.5334\/irsp.90","article-title":"Keep calm and learn multilevel logistic modeling: a simplified three-step procedure using stata, R, Mplus, and SPSS","volume":"30","author":"Sommet","year":"2017","journal-title":"Int Rev Soc Psychol"},{"author":"Jamovi","key":"2024121909132663700_bib28","article-title":"The jamovi project,Version 2.2"},{"key":"2024121909132663700_bib29","doi-asserted-by":"publisher","DOI":"10.1145\/3609987.3609990","article-title":"Methodologies and ethical considerations in phishing research: a comprehensive review","volume-title":"ACM International Conference Proceeding Series","author":"Thomopoulos","year":"2023"},{"key":"2024121909132663700_bib30","doi-asserted-by":"publisher","first-page":"178","DOI":"10.1108\/ICS-05-2014-0029","article-title":"Investigating personal determinants of phishing and the effect of national culture","volume":"23","author":"Flores","year":"2015","journal-title":"Inf Comput Secur"},{"key":"2024121909132663700_bib31","doi-asserted-by":"publisher","DOI":"10.1093\/CYBSEC\/TYAA009","article-title":"Categorizing human phishing difficulty: a phish scale","volume":"6","author":"Steves","year":"2020","journal-title":"J Cybersecur"},{"key":"2024121909132663700_bib32","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1109\/ISTAS.2006.4375893","article-title":"Societal aspects of phishing","volume-title":"2006 IEEE International Symposium on Technology and Society","author":"Ragucci","year":"2006"},{"key":"2024121909132663700_bib33","doi-asserted-by":"publisher","first-page":"1","DOI":"10.14722\/usec.2018.23016","article-title":"User context: an explanatory variable in phishing susceptibility","volume-title":"Proceedings 2018 Workshop on Usable Security","author":"Greene","year":"2018"},{"key":"2024121909132663700_bib34","doi-asserted-by":"publisher","first-page":"231","DOI":"10.1007\/s11896-019-09334-5","article-title":"The psychology of internet fraud victimisation: a systematic review","volume":"34","author":"Norris","year":"2019","journal-title":"J Police Crim Psych"},{"key":"2024121909132663700_bib35","doi-asserted-by":"publisher","first-page":"3066","DOI":"10.1109\/BigData.2018.8622555","article-title":"A decision support system for personality based phishing susceptibility analysis","volume-title":"2018 IEEE International Conference on Big Data (Big Data)","author":"Pantic","year":"2018"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/10\/1\/tyae021\/61182500\/tyae021.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/10\/1\/tyae021\/61182500\/tyae021.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,12,19]],"date-time":"2024-12-19T09:13:35Z","timestamp":1734599615000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyae021\/7900092"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024]]},"references-count":35,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2024,1,2]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyae021","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"type":"print","value":"2057-2085"},{"type":"electronic","value":"2057-2093"}],"subject":[],"published-other":{"date-parts":[[2024]]},"published":{"date-parts":[[2024]]},"article-number":"tyae021"}}