IDEAS home Printed from https://ideas.repec.org/a/inm/orisre/v32y2021i2p410-436.html
   My bibliography  Save this article

The Phishing Funnel Model: A Design Artifact to Predict User Susceptibility to Phishing Websites

Author

Listed:
  • Ahmed Abbasi

    (Mendoza College of Business, University of Notre Dame, Notre Dame, Indiana 46556)

  • David Dobolyi

    (Mendoza College of Business, University of Notre Dame, Notre Dame, Indiana 46556)

  • Anthony Vance

    (Fox School of Business, Temple University, Philadelphia, Pennsylvania 19122)

  • Fatemeh Mariam Zahedi

    (Sheldon B. Lubar School of Business, University of Wisconsin-Milwaukee, Milwaukee, Wisconsin 53202)

Abstract

Phishing is a significant security concern for organizations, threatening employees and members of the public. Phishing threats against employees can lead to severe security incidents, whereas those against the public can undermine trust, satisfaction, and brand equity. At the root of the problem is the inability of Internet users to identify phishing attacks even when using anti-phishing tools. We propose the phishing funnel model (PFM), a design artifact for predicting user susceptibility to phishing websites. PFM incorporates user, threat, and tool-related factors to predict actions during four key stages of the phishing process: visit, browse, consider legitimate, and intention to transact . We used a support vector ordinal regression with a custom kernel encompassing a cumulative-link mixed model for representing users’ decisions across funnel stages. We evaluated the efficacy of PFM in a 12-month longitudinal field experiment in two organizations involving 1,278 employees and 49,373 phishing interactions. PFM significantly outperformed competing models/methods by 8%–52% in area under the curve, correctly predicting visits to high-severity threats 96% of the time—a result 10% higher than the nearest competitor. A follow-up three-month field study revealed that employees using PFM were significantly less likely to interact with phishing threats relative to comparison models and baseline warnings. Furthermore, a cost-benefit analysis showed that interventions guided by PFM resulted in phishing-related cost reductions of nearly $1,900 per employee more than comparison prediction methods. These results indicate strong external validity for PFM. Our findings have important implications for practice by demonstrating (1) the effectiveness of predicting user susceptibility to phishing as a real-time protection strategy, (2) the value of modeling each stage of the phishing process together, rather than focusing on a single user action, and (3) the considerable impact of anti-phishing tool and threat-related factors on susceptibility to phishing.

Suggested Citation

  • Ahmed Abbasi & David Dobolyi & Anthony Vance & Fatemeh Mariam Zahedi, 2021. "The Phishing Funnel Model: A Design Artifact to Predict User Susceptibility to Phishing Websites," Information Systems Research, INFORMS, vol. 32(2), pages 410-436, June.
    • Handle: RePEc:inm:orisre:v:32:y:2021:i:2:p:410-436
    DOI: 10.1287/isre.2020.0973
    as

    Download full text from publisher

    File URL: http://dx.doi.org/10.1287/isre.2020.0973
    Download Restriction: no
    File URL: https://libkey.io/10.1287/isre.2020.0973?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    References listed on IDEAS

    as
    1. Bonnie Brinton Anderson & Anthony Vance & C Brock Kirwan & David Eargle & Jeffrey L Jenkins, 2016. "How users perceive and respond to security messages: a NeuroIS research agenda and empirical study," European Journal of Information Systems, Taylor & Francis Journals, vol. 25(4), pages 364-390, July.
    2. Huseyin Cavusoglu & Birendra Mishra & Srinivasan Raghunathan, 2005. "The Value of Intrusion Detection Systems in Information Technology Security Architecture," Information Systems Research, INFORMS, vol. 16(1), pages 28-46, March.
    3. Porter, Constance Elise & Donthu, Naveen, 2006. "Using the technology acceptance model to explain how attitudes determine Internet usage: The role of perceived access barriers and demographics," Journal of Business Research, Elsevier, vol. 59(9), pages 999-1007, September.
    4. Jingguo Wang & Yuan Li & H. Raghav Rao, 2017. "Coping Responses in Phishing Detection: An Investigation of Antecedents and Consequences," Information Systems Research, INFORMS, vol. 28(2), pages 378-396, June.
    5. Daniel Kahneman & Amos Tversky, 2013. "Prospect Theory: An Analysis of Decision Under Risk," World Scientific Book Chapters, in: Leonard C MacLean & William T Ziemba (ed.), HANDBOOK OF THE FUNDAMENTALS OF FINANCIAL DECISION MAKING Part I, chapter 6, pages 99-127, World Scientific Publishing Co. Pte. Ltd..
    6. Casey Inez Canfield & Baruch Fischhoff, 2018. "Setting Priorities in Behavioral Interventions: An Application to Reducing Phishing Risk," Risk Analysis, John Wiley & Sons, vol. 38(4), pages 826-838, April.
    7. D. Harrison McKnight & Vivek Choudhury & Charles Kacmar, 2002. "Developing and Validating Trust Measures for e-Commerce: An Integrative Typology," Information Systems Research, INFORMS, vol. 13(3), pages 334-359, September.
    8. Ryan T. Wright & Matthew L. Jensen & Jason Bennett Thatcher & Michael Dinger & Kent Marett, 2014. "Research Note ---Influence Techniques in Phishing Attacks: An Examination of Vulnerability and Resistance," Information Systems Research, INFORMS, vol. 25(2), pages 385-400, June.
    9. Judit Bar‐Ilan & Kevin Keenoy & Mark Levene & Eti Yaari, 2009. "Presentation bias is significant in determining user preference for search results—A user study," Journal of the American Society for Information Science and Technology, Association for Information Science & Technology, vol. 60(1), pages 135-149, January.
    10. Jeffrey L. Jenkins & Bonnie Brinton Anderson & Anthony Vance & C. Brock Kirwan & David Eargle, 2016. "More Harm Than Good? How Messages That Interrupt Can Make Us Vulnerable," Information Systems Research, INFORMS, vol. 27(4), pages 880-896, December.
    11. Sam Ransbotham & Sabyasachi Mitra, 2009. "Choice and Chance: A Conceptual Model of Paths to Information Security Compromise," Information Systems Research, INFORMS, vol. 20(1), pages 121-139, March.
    12. Paul A. Pavlou & David Gefen, 2004. "Building Effective Online Marketplaces with Institution-Based Trust," Information Systems Research, INFORMS, vol. 15(1), pages 37-59, March.
    13. Indranil Bardhan & Jeong-ha (Cath) Oh & Zhiqiang (Eric) Zheng & Kirk Kirksey, 2015. "Predictive Analytics for Readmission of Patients with Congestive Heart Failure," Information Systems Research, INFORMS, vol. 26(1), pages 19-39, March.
    14. Sumantra Sarkar & Anthony Vance & Balasubramaniam Ramesh & Menelaos Demestihas & Daniel Thomas Wu, 2020. "The Influence of Professional Subculture on Information Security Policy Violations: A Field Study in a Healthcare Context," Information Systems Research, INFORMS, vol. 31(4), pages 1240-1259, December.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Ahmed Abbasi & Jeffrey Parsons & Gautam Pant & Olivia R. Liu Sheng & Suprateek Sarker, 2024. "Pathways for Design Research on Artificial Intelligence," Information Systems Research, INFORMS, vol. 35(2), pages 441-459, June.
    2. Fatemeh Mariam Zahedi & Yan Chen & Huimin Zhao, 2024. "Ontology-Based Intelligent Interface Personalization for Protection Against Phishing Attacks," Information Systems Research, INFORMS, vol. 35(3), pages 1463-1478, September.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Weck, Marina & Afanassieva, Marianne, 2023. "Toward the adoption of digital assistive technology: Factors affecting older people's initial trust formation," Telecommunications Policy, Elsevier, vol. 47(2).
    2. Ben Q. Liu & Dale L. Goodhue, 2012. "Two Worlds of Trust for Potential E-Commerce Users: Humans as Cognitive Misers," Information Systems Research, INFORMS, vol. 23(4), pages 1246-1262, December.
    3. Ahmed Ibrahim Alzahrani & T. Ramayah & Nalini Suppiah & Osama Alfarraj & Nasser Alalwan, 2020. "Modeling Blog Usage From a Developing Country Perspective Using Structural Equation Modeling (SEM)," SAGE Open, , vol. 10(3), pages 21582440209, July.
    4. Jung Lee & Jae-Nam Lee & Bernard C. Y. Tan, 2015. "Antecedents of cognitive trust and affective distrust and their mediating roles in building customer loyalty," Information Systems Frontiers, Springer, vol. 17(1), pages 159-175, February.
    5. Kjell Hausken, 2017. "Security Investment, Hacking, and Information Sharing between Firms and between Hackers," Games, MDPI, vol. 8(2), pages 1-23, May.
    6. Möhlmann, Mareike, 2021. "Unjustified trust beliefs: Trust conflation on sharing economy platforms," Research Policy, Elsevier, vol. 50(3).
    7. Yonghua Ji & Subodha Kumar & Vijay Mookerjee, 2016. "When Being Hot Is Not Cool: Monitoring Hot Lists for Information Security," Information Systems Research, INFORMS, vol. 27(4), pages 897-918, December.
    8. Timm Teubner & Marc T. P. Adam & Florian Hawlitschek, 2020. "Unlocking Online Reputation," Business & Information Systems Engineering: The International Journal of WIRTSCHAFTSINFORMATIK, Springer;Gesellschaft für Informatik e.V. (GI), vol. 62(6), pages 501-513, December.
    9. Luca Allodi & Fabio Massacci, 2017. "Security Events and Vulnerability Data for Cybersecurity Risk Estimation," Risk Analysis, John Wiley & Sons, vol. 37(8), pages 1606-1627, August.
    10. Stephen C. Wingreen & Natasha C. H. L. Mazey & Stephen L. Baglione & Gordon R. Storholm, 2019. "Transfer of electronic commerce trust between physical and virtual environments: experimental effects of structural assurance and situational normality," Electronic Commerce Research, Springer, vol. 19(2), pages 339-371, June.
    11. Kirs, Peeter & Bagchi, Kallol, 2012. "The impact of trust and changes in trust: A national comparison of individual adoptions of information and communication technologies and related phenomenon," International Journal of Information Management, Elsevier, vol. 32(5), pages 431-441.
    12. Heng Tang & Xiaowan Lin, 2019. "Curbing shopping cart abandonment in C2C markets — an uncertainty reduction approach," Electronic Markets, Springer;IIM University of St. Gallen, vol. 29(3), pages 533-552, September.
    13. Sumeet Gupta & Haejung Yun & Heng Xu & Hee-Woong Kim, 2017. "An exploratory study on mobile banking adoption in Indian metropolitan and urban areas: a scenario-based experiment," Information Technology for Development, Taylor & Francis Journals, vol. 23(1), pages 127-152, January.
    14. Carol Hsu & Jae-Nam Lee & Detmar W. Straub, 2012. "Institutional Influences on Information Systems Security Innovations," Information Systems Research, INFORMS, vol. 23(3-part-2), pages 918-939, September.
    15. Baozhou Lu & Rudy Hirschheim & Andrew Schwarz, 2015. "Examining the antecedent factors of online microsourcing," Information Systems Frontiers, Springer, vol. 17(3), pages 601-617, June.
    16. Rajković, Borislav & Đurić, Ivan & Zarić, Vlade & Glauben, Thomas, 2021. "Gaining trust in the digital age: The potential of social media for increasing the competitiveness of small and medium enterprises," EconStor Open Access Articles and Book Chapters, ZBW - Leibniz Information Centre for Economics, vol. 13(4).
    17. Malhotra, Neeru & Sahadev, Sunil & Purani, Keyoor, 2017. "Psychological contract violation and customer intention to reuse online retailers: Exploring mediating and moderating mechanisms," Journal of Business Research, Elsevier, vol. 75(C), pages 17-28.
    18. Dan J. Kim & Donald L. Ferrin & H. Raghav Rao, 2009. "Trust and Satisfaction, Two Stepping Stones for Successful E-Commerce Relationships: A Longitudinal Exploration," Information Systems Research, INFORMS, vol. 20(2), pages 237-257, June.
    19. Richard, James E. & Purnell, Fruen, 2017. "Rethinking Catalogue and Online B2B Buyer Channel Preferences in the Education Supplies Market," Journal of Interactive Marketing, Elsevier, vol. 37(C), pages 1-15.
    20. Nguyen, Stephanie & Nicod, Lionel & Llosa, Sylvie, 2024. "Preventing bypass on sharing economy platforms: The impact of message framing on users’ bypass intention," Journal of Business Research, Elsevier, vol. 179(C).

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:inm:orisre:v:32:y:2021:i:2:p:410-436. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Chris Asher (email available below). General contact details of provider: https://edirc.repec.org/data/inforea.html .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.