SoK: Human-Centered Phishing Susceptibility
Sijie Zhuo, Robert Biddle, Yun Sing Koh, Danielle Lottridge, Giovanni Russello

TL;DR
This paper reviews human factors in phishing susceptibility, proposing a three-stage model to explain human involvement and identify research gaps, aiming to guide future studies for better detection and prevention strategies.
Contribution
It introduces a novel three-stage Phishing Susceptibility Model and provides a systematic taxonomy of variables affecting human phishing detection and prevention.
Findings
Identifies key variables influencing phishing susceptibility
Highlights research gaps in understanding human factors
Proposes guidelines for future experimental research
Abstract
Phishing is recognised as a serious threat to organisations and individuals. While there have been significant technical advances in blocking phishing attacks, people remain the last line of defence after phishing emails reach their email client. Most of the existing literature on this subject has focused on the technical aspects related to phishing. However, the factors that cause humans to be susceptible to phishing attacks are still not well-understood. To fill this gap, we reviewed the available literature and we propose a three-stage Phishing Susceptibility Model (PSM) for explaining how humans are involved in phishing detection and prevention, and we systematically investigate the phishing susceptibility variables studied in the literature and taxonomize them using our model. This model reveals several research gaps that need to be addressed to improve users' detection…
Taxonomy
Topics: Spam and Phishing Detection · Misinformation and Its Impacts · Advanced Malware Detection Techniques
