{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,4]],"date-time":"2026-07-04T11:08:09Z","timestamp":1783163289586,"version":"3.54.6"},"reference-count":55,"publisher":"SAGE Publications","issue":"8","license":[{"start":{"date-parts":[[2016,9,27]],"date-time":"2016-09-27T00:00:00Z","timestamp":1474934400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["Hum Factors"],"published-print":{"date-parts":[[2016,12]]},"abstract":"<jats:sec>\n                    <jats:title>Objective:<\/jats:title>\n                    <jats:p>We use signal detection theory to measure vulnerability to phishing attacks, including variation in performance across task conditions.<\/jats:p>\n                  <\/jats:sec>\n                  <jats:sec>\n                    <jats:title>Background:<\/jats:title>\n                    <jats:p>Phishing attacks are difficult to prevent with technology alone, as long as technology is operated by people. Those responsible for managing security risks must understand user decision making in order to create and evaluate potential solutions.<\/jats:p>\n                  <\/jats:sec>\n                  <jats:sec>\n                    <jats:title>Method:<\/jats:title>\n                    <jats:p>Using a scenario-based online task, we performed two experiments comparing performance on two tasks: detection, deciding whether an e-mail is phishing, and behavior, deciding what to do with an e-mail. In Experiment 1, we manipulated the order of the tasks and notification of the phishing base rate. In Experiment 2, we varied which task participants performed.<\/jats:p>\n                  <\/jats:sec>\n                  <jats:sec>\n                    <jats:title>Results:<\/jats:title>\n                    <jats:p>In both experiments, despite exhibiting cautious behavior, participants\u2019 limited detection ability left them vulnerable to phishing attacks. Greater sensitivity was positively correlated with confidence. Greater willingness to treat e-mails as legitimate was negatively correlated with perceived consequences from their actions and positively correlated with confidence. These patterns were robust across experimental conditions.<\/jats:p>\n                  <\/jats:sec>\n                  <jats:sec>\n                    <jats:title>Conclusion:<\/jats:title>\n                    <jats:p>Phishing-related decisions are sensitive to individuals\u2019 detection ability, response bias, confidence, and perception of consequences. Performance differs when people evaluate messages or respond to them but not when their task varies in other ways.<\/jats:p>\n                  <\/jats:sec>\n                  <jats:sec>\n                    <jats:title>Application:<\/jats:title>\n                    <jats:p>Based on these results, potential interventions include providing users with feedback on their abilities and information about the consequences of phishing, perhaps targeting those with the worst performance. Signal detection methods offer system operators quantitative assessments of the impacts of interventions and their residual vulnerability.<\/jats:p>\n                  <\/jats:sec>","DOI":"10.1177\/0018720816665025","type":"journal-article","created":{"date-parts":[[2016,8,25]],"date-time":"2016-08-25T22:38:56Z","timestamp":1472164736000},"page":"1158-1172","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":114,"title":["Quantifying Phishing Susceptibility for Detection and Behavior Decisions"],"prefix":"10.1177","volume":"58","author":[{"given":"Casey Inez","family":"Canfield","sequence":"first","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, Pennsylvania"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Baruch","family":"Fischhoff","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, Pennsylvania"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Alex","family":"Davis","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, Pennsylvania"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"179","published-online":{"date-parts":[[2016,9,27]]},"reference":[{"key":"bibr1-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1080\/01688639608408307"},{"key":"bibr2-0018720816665025","doi-asserted-by":"crossref","unstructured":"Boyce M. W., Duma K. M., Hettinger L. J., Malone T. B., Wilson D. P., Lockett-Reynolds J. (2011). Human performance in cybersecurity: A research agenda. In Proceedings of the Human Factors and Ergonomics Society 55th Annual Meeting (pp. 1115\u20131119). Santa Monica, CA: Human Factors and Ergonomics Society. http:\/\/doi.org\/10.1177\/1071181311551233","DOI":"10.1177\/1071181311551233"},{"key":"bibr3-0018720816665025","doi-asserted-by":"crossref","unstructured":"Carpenter S., Zhu F., Kolimi S. (2014). Reducing online identity disclosure using warnings. Applied Ergonomics, 45(5), 1337\u20131342. http:\/\/doi.org\/10.1016\/j.apergo.2013.10.005","DOI":"10.1016\/j.apergo.2013.10.005"},{"key":"bibr4-0018720816665025","unstructured":"CERT, Insider Threat Team. (2013). Unintentional insider threats: A foundational study (CMU\/SEI-2013-TN-022). Retrieved from http:\/\/resources.sei.cmu.edu\/library\/asset-view.cfm?AssetID=58744"},{"key":"bibr5-0018720816665025","volume-title":"Mathematical psychology: An elementary introduction","author":"Coombs C. H.","year":"1970"},{"issue":"1","key":"bibr6-0018720816665025","volume-title":"Proceedings of the First Conference on Usability, Psychology and Security","author":"Cranor L. F.","year":"2008"},{"key":"bibr7-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1371\/journal.pone.0057410"},{"key":"bibr8-0018720816665025","doi-asserted-by":"crossref","unstructured":"Davinson N., Sillence E. (2010). It won\u2019t happen to me: Promoting secure behaviour among Internet users. Computers in Human Behavior, 26(6), 1739\u20131747. http:\/\/doi.org\/10.1016\/j.chb.2010.06.023","DOI":"10.1016\/j.chb.2010.06.023"},{"key":"bibr9-0018720816665025","doi-asserted-by":"crossref","unstructured":"Dewitt B., Fischhoff B., Davis A., Broomell S. B. (2015). Environmental risk perception from visual cues: The psychophysics of tornado risk perception. Environmental Research Letters, 10(12), 1\u201315. http:\/\/doi.org\/10.1088\/1748-9326\/10\/12\/124009","DOI":"10.1088\/1748-9326\/10\/12\/124009"},{"key":"bibr10-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1145\/1124772.1124861"},{"key":"bibr11-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1145\/1143120.1143131"},{"key":"bibr12-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1145\/1753326.1753688"},{"key":"bibr13-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1145\/2841113.2841115"},{"key":"bibr14-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1111\/j.1467-9280.2008.02092.x"},{"key":"bibr15-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1002\/(SICI)1097-4571(198607)37:4<222::AID-ASI8>3.0.CO;2-K"},{"key":"bibr16-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1002\/(SICI)1099-0771(199912)12:4<307::AID-BDM324>3.0.CO;2-H"},{"key":"bibr17-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1177\/154193120605001721"},{"key":"bibr18-0018720816665025","doi-asserted-by":"publisher","DOI":"10.3758\/BF03203619"},{"key":"bibr19-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1145\/1719030.1719050"},{"key":"bibr20-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2013.134"},{"key":"bibr21-0018720816665025","doi-asserted-by":"crossref","unstructured":"Kaivanto K. (2014). The effect of decentralized behavioral decision making on system-level risk. Risk Analysis, 34(12), 2121\u20132142. http:\/\/doi.org\/10.1111\/risa.12219","DOI":"10.1111\/risa.12219"},{"key":"bibr22-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1145\/1754393.1754396"},{"key":"bibr23-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1016\/0030-5073(80)90052-5"},{"key":"bibr24-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2012.12.003"},{"key":"bibr25-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1177\/0956797614541991"},{"key":"bibr26-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1080\/17470214808416738"},{"key":"bibr27-0018720816665025","doi-asserted-by":"publisher","DOI":"10.4324\/9781410611147"},{"key":"bibr28-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1901\/jeab.2002.78-567"},{"key":"bibr29-0018720816665025","doi-asserted-by":"publisher","DOI":"10.3758\/s13428-011-0124-6"},{"key":"bibr30-0018720816665025","doi-asserted-by":"crossref","unstructured":"Mayhorn C. B., Nyeste P. G. (2012). Training users to counteract phishing. Work, 41, 3549\u20133552. http:\/\/doi.org\/10.3233\/WOR-2012-1054-3549","DOI":"10.3233\/WOR-2012-1054-3549"},{"issue":"103","key":"bibr31-0018720816665025","first-page":"1","volume":"7","author":"Mohan D.","year":"2012","journal-title":"Implementation Science"},{"key":"bibr32-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1037\/0033-295X.115.2.502"},{"issue":"2","key":"bibr33-0018720816665025","doi-asserted-by":"crossref","first-page":"114","DOI":"10.1017\/S1930297500005489","volume":"9","author":"Mumpower J. L.","year":"2014","journal-title":"Judgment and Decision Making"},{"key":"bibr34-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1167\/9.1.31"},{"key":"bibr35-0018720816665025","doi-asserted-by":"publisher","DOI":"10.3758\/BF03193102"},{"key":"bibr36-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1017\/S1930297500002205"},{"key":"bibr37-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1002\/bdm.1787"},{"key":"bibr38-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1108\/09685221211219173"},{"key":"bibr39-0018720816665025","doi-asserted-by":"crossref","unstructured":"Proctor R. W., Chen J. (2015). The role of human factors\/ergonomics in the science of security: Decision making and action selection in cyberspace. Human Factors, 57(5), 721\u2013727. http:\/\/doi.org\/10.1177\/0018720815585906","DOI":"10.1177\/0018720815585906"},{"key":"bibr40-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1037\/0033-2909.117.2.230"},{"key":"bibr41-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1145\/1753326.1753383"},{"key":"bibr42-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1145\/1280680.1280692"},{"key":"bibr43-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1111\/1529-1006.001"},{"key":"bibr44-0018720816665025","unstructured":"Symantec. (2016). Internet security threat report. Retrieved from https:\/\/www.symantec.com\/security-center\/threat-report."},{"key":"bibr45-0018720816665025","unstructured":"Verizon Communications. (2016). 2016 data breach investigations report. Retrieved from http:\/\/www.verizonenterprise.com\/verizon-insights-lab\/dbir\/2016\/"},{"key":"bibr46-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1016\/j.dss.2011.03.002"},{"key":"bibr47-0018720816665025","doi-asserted-by":"crossref","unstructured":"Wang J., Herath T., Chen R., Vishwanath A., Rao H. R. (2012). Phishing susceptibility: An investigation into the processing of a targeted spear phishing email. IEEE Transactions on Professional Communication, 55(4), 345\u2013362. http:\/\/doi.org\/10.1109\/TPC.2012.2208392","DOI":"10.1109\/TPC.2012.2208392"},{"key":"bibr48-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1518\/001872008X312152"},{"key":"bibr49-0018720816665025","doi-asserted-by":"crossref","unstructured":"Welk A. K., Hong K. W., Zielinska O. A., Tembe R., Murphy-Hill E., Mayhorn C. B. (2015). Will the \u201cphisher-men\u201d reel you in? International Journal of Cyber Behavior, Psychology and Learning, 5(4), 1\u201317. http:\/\/doi.org\/10.4018\/IJCBPL.2015100101","DOI":"10.4018\/IJCBPL.2015100101"},{"key":"bibr50-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1016\/0001-6918(77)90012-9"},{"key":"bibr51-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1167\/13.3.33"},{"key":"bibr52-0018720816665025","doi-asserted-by":"crossref","unstructured":"Wolfe J. M., Horowitz T. S., Van Wert M. J., Kenner N. M., Place S. S., Kibbi N. (2007). Low target prevalence is a stubborn source of errors in visual search tasks. Journal of Experimental Psychology: General, 136(4), 623\u2013638. http:\/\/doi.org\/10.1037\/0096-3445.136.4.623","DOI":"10.1037\/0096-3445.136.4.623"},{"key":"bibr53-0018720816665025","doi-asserted-by":"publisher","DOI":"10.1007\/s10726-009-9167-9"},{"key":"bibr54-0018720816665025","doi-asserted-by":"publisher","DOI":"10.2753\/MIS0742-1222270111"},{"key":"bibr55-0018720816665025","unstructured":"Wueest C. (2014). Targeted attacks against the energy sector. Mountain View, CA: Symantec. Retrieved from http:\/\/www.symantec.com\/content\/en\/us\/enterprise\/media\/security_response\/whitepapers\/targeted_attacks_against_the_energy_sector.pdf"}],"container-title":["Human Factors: The Journal of the Human Factors and Ergonomics Society"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.1177\/0018720816665025","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/full-xml\/10.1177\/0018720816665025","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.1177\/0018720816665025","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T07:51:13Z","timestamp":1777449073000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.1177\/0018720816665025"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,9,27]]},"references-count":55,"journal-issue":{"issue":"8","published-print":{"date-parts":[[2016,12]]}},"alternative-id":["10.1177\/0018720816665025"],"URL":"https:\/\/doi.org\/10.1177\/0018720816665025","relation":{},"ISSN":["0018-7208","1547-8181"],"issn-type":[{"value":"0018-7208","type":"print"},{"value":"1547-8181","type":"electronic"}],"subject":[],"published":{"date-parts":[[2016,9,27]]}}}