{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,10]],"date-time":"2026-03-10T12:08:14Z","timestamp":1773144494512,"version":"3.50.1"},"reference-count":67,"publisher":"Emerald","issue":"1","license":[{"start":{"date-parts":[[2022,1,5]],"date-time":"2022-01-05T00:00:00Z","timestamp":1641340800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2022,1,31]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>Phishing is a well-known cybersecurity attack that has rapidly increased in recent years. It poses risks to businesses, government agencies and all users due to sensitive data breaches and subsequent financial losses. To study the user side, this paper aims to conduct a literature review and user study.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>To investigate phishing attacks, the authors provide a detailed overview of previous research on phishing techniques by conducting a systematic literature review of <jats:italic>n<\/jats:italic> = 367 peer-reviewed academic papers published in ACM Digital Library. Also, the authors report on an evaluation of a high school community. The authors engaged 57 high school students and faculty members (12 high school students, 45 staff members) as participants in research using signal detection theory (SDT).<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>Through the literature review which goes back to as early as 2004, the authors found that only 13.9% of papers focused on user studies. 
In the user study, through scenario-based analysis, participants were tasked with distinguishing phishing e-mails from authentic e-mails. The results revealed an overconfidence bias in self-detection from the participants, regardless of their technical background.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>The authors conducted a literature review with a focus on user study which is a first in this field as far as the authors know. Additionally, the authors conducted a detailed user study with high school students and faculty using SDT which is also an understudied area and population.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-12-2020-0204","type":"journal-article","created":{"date-parts":[[2022,1,4]],"date-time":"2022-01-04T07:43:40Z","timestamp":1641282220000},"page":"1-18","source":"Crossref","is-referenced-by-count":20,"title":["Evaluating user susceptibility to phishing attacks"],"prefix":"10.1108","volume":"30","author":[{"given":"Sanchari","family":"Das","sequence":"first","affiliation":[]},{"given":"Christena","family":"Nippert-Eng","sequence":"additional","affiliation":[]},{"given":"L. 
Jean","family":"Camp","sequence":"additional","affiliation":[]}],"member":"140","published-online":{"date-parts":[[2022,1,5]]},"reference":[{"key":"key2022012710483678600_ref001","doi-asserted-by":"crossref","first-page":"69","DOI":"10.1016\/j.ijhcs.2015.05.005","article-title":"Why phishing still works: user strategies for combating phishing attacks","volume":"82","year":"2015","journal-title":"International Journal of Human-Computer Studies"},{"key":"key2022012710483678600_ref002","doi-asserted-by":"crossref","first-page":"437","DOI":"10.1016\/j.chb.2016.12.040","article-title":"Gender difference and employees\u2019 cybersecurity behaviors","volume":"69","year":"2017","journal-title":"Computers in Human Behavior"},{"key":"key2022012710483678600_ref003","first-page":"12","article-title":"A practical assessment of social engineering vulnerabilities","year":"2008"},{"key":"key2022012710483678600_ref004","doi-asserted-by":"crossref","first-page":"3469","DOI":"10.1145\/1978942.1979459","article-title":"F for fake: four studies on how we fall for phish","volume-title":"Proceedings of the SIGCHI Conference on Human Factors in Computing Systems","year":"2011"},{"issue":"8","key":"key2022012710483678600_ref005","doi-asserted-by":"crossref","first-page":"1158","DOI":"10.1177\/0018720816665025","article-title":"Quantifying phishing susceptibility for detection and behavior decisions","volume":"58","year":"2016","journal-title":"Human Factors: The Journal of the Human Factors and Ergonomics Society"},{"key":"key2022012710483678600_ref006","first-page":"30","article-title":"Web usability and age: how design changes can improve performance","year":"2003"},{"key":"key2022012710483678600_ref007","article-title":"Client-side defense against web-based identity theft","year":"2004"},{"key":"key2022012710483678600_ref008","unstructured":"Colarik, A. and Janczewski, L. 
(2007), \u201cDeception in cyber-attacks\u201d, available at: http:\/\/faculty.nps.edu\/ncrowe\/_waroffdec.htm"},{"key":"key2022012710483678600_ref009","unstructured":"Das, S. (2020), \u201cA risk-reduction-based incentivization model for human-centered multi-factor authentication\u201d, PhD thesis, Indiana University."},{"key":"key2022012710483678600_ref010","volume-title":"Grifting in the Digital Age","year":"2017"},{"key":"key2022012710483678600_ref011","first-page":"160","article-title":"Why johnny doesn\u2019t use two factor a two-phase usability study of the fido u2f security key","volume-title":"International Conference on Financial Cryptography and Data Security","year":"2018"},{"key":"key2022012710483678600_ref012","first-page":"28","article-title":"A qualitative study on usability and acceptability of yubico security key","volume-title":"7th Workshop on Socio-Technical Aspects in Security and Trust","year":"2018"},{"key":"key2022012710483678600_ref013","article-title":"Towards implementing inclusive authentication technologies for older adults","year":"2019"},{"key":"key2022012710483678600_ref014","article-title":"All about phishing exploring user research through a systematic literature review","year":"2019"},{"key":"key2022012710483678600_ref015","article-title":"MFA is a waste of time! understanding negative connotation towards MFA applications via user generated content","year":"2019"},{"key":"key2022012710483678600_ref016","article-title":"Evaluating user perception of multi-factor authentication: a systematic review","year":"2019"},{"key":"key2022012710483678600_ref017","article-title":"User-centered risk communication for safer browsing. 
In first asia USEC-Workshop on usable security","volume-title":"Conjunction with the TwentyFourth International Conference International Conference on Financial Cryptography and Data Security","year":"2020"},{"key":"key2022012710483678600_ref018","article-title":"Why don\u2019t older adults adopt Two-Factor authentication","volume-title":"Proceedings of the 2020 SIGCHI Workshop on Designing Interactions for the Ageing Populations-Addressing Global Challenges","year":"2020"},{"key":"key2022012710483678600_ref019","article-title":"Mfa is a necessary chore!: exploring user mental models of multi-factor authentication technologies","volume-title":"53rd HI International Conference on System Sciences","year":"2020"},{"key":"key2022012710483678600_ref020","doi-asserted-by":"crossref","first-page":"581","DOI":"10.1145\/1124772.1124861","article-title":"Why phishing works","volume-title":"Proceedings of the SIGCHI Conference on Human Factors in Computing Systems","year":"2006"},{"key":"key2022012710483678600_ref021","first-page":"581","article-title":"Why phishing works","volume-title":"SIGCHI Conference on Human Factors in Computing Systems","year":"2006"},{"key":"key2022012710483678600_ref022","first-page":"133","article-title":"Gender preferences in webdesign: usability testing through eye tracking","year":"2007"},{"key":"key2022012710483678600_ref023","first-page":"37","article-title":"Identity and deception in the virtual community","volume-title":"Communities in Cyberspace","year":"2002"},{"key":"key2022012710483678600_ref024","doi-asserted-by":"crossref","first-page":"79","DOI":"10.1145\/1143120.1143131","article-title":"Decision strategies and susceptibility to phishing","volume-title":"Proceedings of the Second Symposium on Usable Privacy and Security","year":"2006"},{"issue":"2","key":"key2022012710483678600_ref025","doi-asserted-by":"publisher","first-page":"2","DOI":"10.1201\/1086\/44312.13.2.20040501\/81646.1","article-title":"Phishing isn\u2019t so 
sophisticated: Scary!","volume":"13","year":"2004","journal-title":"Information Systems Security"},{"key":"key2022012710483678600_ref026","first-page":"649","article-title":"Learning to detect phishing emails","volume-title":"16th International Conference on World Wide Web","year":"2007"},{"key":"key2022012710483678600_ref027","article-title":"The threat of political phishing","year":"2008"},{"key":"key2022012710483678600_ref028","first-page":"1","article-title":"Risk communication design for older adults","year":"2012"},{"key":"key2022012710483678600_ref029","first-page":"529","article-title":"Collective classification of spam campaigners on twitter: a hierarchical Meta-path based approach","year":"2018"},{"key":"key2022012710483678600_ref030","first-page":"2647","article-title":"Using personal examples to improve risk communication for security and privacy decisions","volume-title":"SIGCHI Conference on Human Factors in Computing Systems","year":"2014"},{"key":"key2022012710483678600_ref031","first-page":"159","article-title":"Phorcefield: a phish-proof password ceremony","year":"2011"},{"key":"key2022012710483678600_ref032","doi-asserted-by":"crossref","first-page":"102","DOI":"10.1016\/j.cose.2017.10.008","article-title":"Social engineering in cybersecurity: the evolution of a concept","volume":"73","year":"2018","journal-title":"Computers and Security"},{"issue":"1","key":"key2022012710483678600_ref033","doi-asserted-by":"crossref","first-page":"74","DOI":"10.1145\/2063176.2063197","article-title":"The state of phishing attacks","volume":"55","year":"2012","journal-title":"Communications of the ACM"},{"key":"key2022012710483678600_ref034","first-page":"60","article-title":"Assessing end-user awareness of social engineering and phishing","volume-title":"7th Australian Information Warfare and Security Conference","year":"2006"},{"key":"key2022012710483678600_ref035","unstructured":"Kay, R. 
(2004), \u201cSidebar: the origins of phishing\u201d, available at: www.computerworld.com\/article\/_2575094\/security0\/sidebar\u2013the-origins-of-phishing.html"},{"issue":"2","key":"key2022012710483678600_ref036","first-page":"7","article-title":"Teaching Johnny not to fall for phish","volume":"10","year":"2010","journal-title":"ACM Transactions on Internet Technology (TOIT)"},{"key":"key2022012710483678600_ref037","first-page":"70","article-title":"Getting users to pay attention to anti-phishing education: evaluation of retention and transfer","year":"2007"},{"key":"key2022012710483678600_ref038","first-page":"1","article-title":"School of phish: a Real-World evaluation of anti-Phishing training","volume-title":"5th Symposium on Usable Privacy and Security (SOUPS)","year":"2009"},{"key":"key2022012710483678600_ref039","first-page":"229","article-title":"How effective is anti-phishing training for children?","year":"2017"},{"key":"key2022012710483678600_ref040","first-page":"289","article-title":"Detecting mobile application spoofing attacks by leveraging user visual similarity perception","year":"2017"},{"issue":"8","key":"key2022012710483678600_ref041","doi-asserted-by":"crossref","first-page":"1179","DOI":"10.1177\/0018720818789818","article-title":"Signal detection theory (SDT) is effective for modeling user behavior toward phishing and Spear-Phishing attacks","volume":"60","year":"2018","journal-title":"Human Factors: The Journal of the Human Factors and Ergonomics Society"},{"key":"key2022012710483678600_ref042","first-page":"1","article-title":"Using data type based security alert dialogs to raise online security awareness","year":"2011"},{"key":"key2022012710483678600_ref043","first-page":"135","article-title":"Training future cybersecurity professionals in spear phishing using sieve","year":"2018"},{"key":"key2022012710483678600_ref044","first-page":"193","article-title":"Sweetening the medicine: educating users about information security by means of 
game play","year":"2010"},{"key":"key2022012710483678600_ref045","first-page":"479","article-title":"A multi-modal neuro-physiological study of phishing detection and malware warnings","year":"2015"},{"key":"key2022012710483678600_ref046","article-title":"Investigating teenagers\u2019 ability to detect phishing messages","year":"2020"},{"key":"key2022012710483678600_ref047","first-page":"1","article-title":"The impact of digitalization on literacy: Digital immigrants vs. Digital natives","year":"2019"},{"key":"key2022012710483678600_ref048","first-page":"6412","article-title":"Dissecting spear phishing emails for older VS young adults: on the interplay of weapons of influence and life domains in predicting susceptibility to phishing","volume-title":"2017 CHI Conference on Human Factors in Computing Systems","year":"2017"},{"issue":"1","key":"key2022012710483678600_ref049","doi-asserted-by":"crossref","first-page":"1","DOI":"10.3390\/cryptography2010001","article-title":"Multi-Factor authentication: a survey","volume":"2","year":"2018","journal-title":"Cryptography"},{"key":"key2022012710483678600_ref050","unstructured":"P.P. A. E. 
Program (2018), \u201cPhishing: Don\u2019t be phooled!\u201d, (accessed June 29, 2020), available at: www.dhs.gov\/sites\/default\/files\/publications\/2018_AEP_Vulnerabilities_of_Healthcare_IT_Systems.pdf"},{"key":"key2022012710483678600_ref051","first-page":"169","article-title":"Phishy-a serious game to train enterprise users on phishing awareness","year":"2018"},{"key":"key2022012710483678600_ref052","first-page":"1","article-title":"Phishnet: Predictive blacklisting to detect phishing attacks","year":"2010"},{"key":"key2022012710483678600_ref053","doi-asserted-by":"crossref","first-page":"135","DOI":"10.3389\/fpsyg.2018.00135","article-title":"Creative persuasion: a study on adversarial behaviors and strategies in phishing attacks","volume":"9","year":"2018","journal-title":"Frontiers in Psychology"},{"key":"key2022012710483678600_ref054","unstructured":"Retruster (2019), available at: https:\/\/Retruster.Com\/Blog\/2019-Phishing-And-Email-Fraud-Statistics.Html"},{"issue":"8","key":"key2022012710483678600_ref055","doi-asserted-by":"crossref","first-page":"541","DOI":"10.1080\/10447318.2012.728493","article-title":"Age-related differences in eye tracking and usability performance: website usability for older adults","volume":"29","year":"2013","journal-title":"International Journal of Human-Computer Interaction"},{"issue":"4","key":"key2022012710483678600_ref056","doi-asserted-by":"crossref","first-page":"261","DOI":"10.1145\/1357010.1352620","article-title":"Itrustpage: a user-assisted anti-phishing tool","volume":"42","year":"2008","journal-title":"ACM SIGOPS Operating Systems Review"},{"key":"key2022012710483678600_ref057","first-page":"88","article-title":"Antiphishing phil: the design and evaluation of a game that teaches people not to fall for phish","year":"2007"},{"key":"key2022012710483678600_ref058","first-page":"373","article-title":"Who falls for phish? 
A demographic analysis of phishing susceptibility and effectiveness of interventions","volume-title":"SIGCHI Conference on Human Factors in Computing Systems","year":"2010"},{"key":"key2022012710483678600_ref059","first-page":"8","article-title":"Phishing in international waters: exploring cross-national differences in phishing conceptualizations between chinese, indian and american samples","year":"2014"},{"key":"key2022012710483678600_ref060","volume-title":"Deceit and Deception: A Large User Study of Phishing","year":"2007"},{"key":"key2022012710483678600_ref061","unstructured":"Uchill, J. (2016), \u201cTypo led to podesta email hack: report\u201d, available at: http:\/\/thehill.com\/policy\/cybersecurity\/_310234-typo-may-have-caused-podesta-email-hack"},{"key":"key2022012710483678600_ref062","first-page":"109","article-title":"Quantifying susceptibility to spear phishing in a high school environment using signal detection theory","year":"2020"},{"key":"key2022012710483678600_ref063","first-page":"492","article-title":"Who provides phishing training?: facts, stories and people like me","year":"2018"},{"key":"key2022012710483678600_ref064","first-page":"601","article-title":"Do security toolbars actually prevent phishing attacks?","volume-title":"SIGCHI Conference on Human Factors in Computing Systems","year":"2006"},{"issue":"2","key":"key2022012710483678600_ref065","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/2019599.2019606","article-title":"Cantina+ a feature-rich machine learning framework for detecting phishing web sites","volume":"14","year":"2011","journal-title":"ACM Transactions on Information and System Security (TISSEC)"},{"key":"key2022012710483678600_ref066","first-page":"456","article-title":"Digital video clips covering computer ethics in higher education","year":"2005"},{"key":"key2022012710483678600_ref067","first-page":"451","article-title":"Phishcatch-a phishing detection tool","year":"2009"}],"container-title":["Information 
& Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-12-2020-0204\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-12-2020-0204\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:27Z","timestamp":1753406607000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/30\/1\/1-18\/104704"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,1,5]]},"references-count":67,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2022,1,5]]},"published-print":{"date-parts":[[2022,1,31]]}},"alternative-id":["10.1108\/ICS-12-2020-0204"],"URL":"https:\/\/doi.org\/10.1108\/ics-12-2020-0204","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2022,1,5]]}}}