All About Phishing: Exploring User Research through a Systematic Literature Review

TL;DR

This paper systematically reviews user-focused phishing research, highlighting the limited number of studies and issues in reporting methods and participant details, to inform future cybersecurity user studies.

Contribution

It provides a comprehensive overview of user research in phishing, revealing gaps in reporting practices and emphasizing the need for improved methodological transparency.

Findings

Only 13.9% of phishing papers focus on users.

Many studies lack detailed reporting of methods and participants.

Some research exhibits recruitment biases.

Abstract

Phishing is a well-known cybersecurity attack that has rapidly increased in recent years. It poses legitimate risks to businesses, government agencies, and all users due to sensitive data breaches, subsequent financial and productivity losses, and social and personal inconvenience. Often, these attacks use social engineering techniques to deceive end-users, indicating the importance of user-focused studies to help prevent future attacks. We provide a detailed overview of phishing research that has focused on users by conducting a systematic literature review of peer-reviewed academic papers published in ACM Digital Library. Although published work on phishing appears in this data set as early as 2004, we found that of the total number of papers on phishing (N = 367) only 13.9% (n = 51) focus on users by employing user study methodologies such as interviews, surveys, and in-lab studies. Even within this small subset of papers, we note a striking lack of attention to reporting important information about methods and participants (e.g., the number and nature of participants), along with crucial recruitment biases in some of the research.