Article
Better Beware: Comparing Metacognition for Phishing and Legitimate Emails
Metacognition and Learning
  • Casey I. Canfield, Missouri University of Science and Technology
  • Baruch Fischhoff
  • Alex Davis
Abstract

Every electronic message poses some threat of being a phishing attack. If recipients underestimate that threat, they expose themselves, and those connected to them, to identity theft, ransom, malware, or worse. If recipients overestimate that threat, then they incur needless costs, perhaps reducing their willingness and ability to respond over time. In two experiments, we examined the appropriateness of individuals' confidence in their judgments of whether email messages were legitimate or phishing, using calibration and resolution as metacognition metrics. Both experiments found that participants had reasonable calibration but poor resolution, reflecting a weak correlation between their confidence and knowledge. These patterns differed for legitimate and phishing emails, with participants being better calibrated for legitimate emails, except when expressing complete confidence in their judgments, but consistently overconfident for phishing emails. The second experiment compared performance on the laboratory task with individuals' actual vulnerability, and found that participants with better resolution were less likely to have malicious files on their home computers. That comparison raised general questions about the design of anti-phishing training and of providing feedback essential to self-regulated learning.

Department(s)
Engineering Management and Systems Engineering
Research Center/Lab(s)
Center for Research in Energy and Environment (CREE)
Second Research Center/Lab
Intelligent Systems Center
Comments

The Security Behavior Observatory was partially funded by the NSA Science of Security Lablet at Carnegie Mellon University (contract #H9823014C0140); the National Science Foundation, Grant CNS-1012763 (Nudging Users Towards Privacy); and the Hewlett Foundation, through the Center for Long-Term Cybersecurity (CLTC) at the University of California, Berkeley. In addition, this work was supported by the Swedish Foundation for the Humanities and Social Sciences and Riksbankens Jubileumsfond.

This article was originally published electronically on the publisher’s internet portal (currently SpringerLink) on 20 July 2019 without open access: Correction.

Keywords and Phrases
  • Calibration
  • Deception detection
  • Digital literacy
  • Phishing
  • Resolution
Document Type
Article - Journal
Document Version
Final Version
File Type
text
Language(s)
English
Rights
© 2019 Springer New York LLC, All rights reserved.
Creative Commons Licensing
Creative Commons Attribution 4.0
Publication Date
12-1-2019
Citation Information
Casey I. Canfield, Baruch Fischhoff and Alex Davis. "Better Beware: Comparing Metacognition for Phishing and Legitimate Emails" Metacognition and Learning Vol. 14 Iss. 3 (2019) p. 343 - 362 ISSN: 1556-1623; 1556-1631
Available at: http://works.bepress.com/casey-canfield/12/