Profiling User Vulnerability to Phishing Through Psychological and Behavioral Factors
Valeria Formisano, Danilo Gentile, Gennaro Esposito Mocerino, Michela Ponticorvo, Luigi Gallo, Alessio Botta, Davide Marocco

TL;DR
This study analyzes psychological and behavioral factors influencing user susceptibility to phishing, identifying user profiles and emphasizing personalized cybersecurity training over generic approaches.
Contribution
It introduces a multidimensional user profiling method using factor analysis and clustering, highlighting the importance of cognitive factors in phishing vulnerability.
Findings
Faster decision-making correlates with higher vulnerability.
Two user profiles identified: Aware User and High-Risk User.
Most users fall into the High-Risk category with hasty evaluation processes.
Abstract
Phishing remains one of the most pervasive cybersecurity threats, shifting the focus from technological vulnerabilities to human cognitive and psychological factors. In coherence with the trend of studies on phishing to increasingly focus on human aspects and vulnerable users profiling, this study investigates the multidimensional nature of user susceptibility by analyzing data from the Spamley dataset, involving 1,086 participants evaluated through a realistic phishing detection task. Using Exploratory Factor Analysis (EFA), five latent constructs were identified, named: Seniority, Expertise, Creativity, Stability, and Vulnerability. Behavioral findings, validating self-reported impulsivity through its negative correlation with response times, demonstrate that faster decision-making significantly distinguishes vulnerable users from resilient ones. A K-Means clustering procedure, driven…
