Printed from https://ideas.repec.org/a/inm/orisre/v32y2021i2p410-436.html

The Phishing Funnel Model: A Design Artifact to Predict User Susceptibility to Phishing Websites

Authors

  • Ahmed Abbasi (Mendoza College of Business, University of Notre Dame, Notre Dame, Indiana 46556)
  • David Dobolyi (Mendoza College of Business, University of Notre Dame, Notre Dame, Indiana 46556)
  • Anthony Vance (Fox School of Business, Temple University, Philadelphia, Pennsylvania 19122)
  • Fatemeh Mariam Zahedi (Sheldon B. Lubar School of Business, University of Wisconsin-Milwaukee, Milwaukee, Wisconsin 53202)

Abstract

Phishing is a significant security concern for organizations, threatening employees and members of the public. Phishing threats against employees can lead to severe security incidents, whereas those against the public can undermine trust, satisfaction, and brand equity. At the root of the problem is the inability of Internet users to identify phishing attacks even when using anti-phishing tools. We propose the phishing funnel model (PFM), a design artifact for predicting user susceptibility to phishing websites. PFM incorporates user, threat, and tool-related factors to predict actions during four key stages of the phishing process: visit, browse, consider legitimate, and intention to transact. We used a support vector ordinal regression with a custom kernel encompassing a cumulative-link mixed model for representing users’ decisions across funnel stages. We evaluated the efficacy of PFM in a 12-month longitudinal field experiment in two organizations involving 1,278 employees and 49,373 phishing interactions. PFM significantly outperformed competing models/methods by 8%–52% in area under the curve, correctly predicting visits to high-severity threats 96% of the time—a result 10% higher than the nearest competitor. A follow-up three-month field study revealed that employees using PFM were significantly less likely to interact with phishing threats relative to comparison models and baseline warnings. Furthermore, a cost-benefit analysis showed that interventions guided by PFM resulted in phishing-related cost reductions of nearly $1,900 per employee more than comparison prediction methods. These results indicate strong external validity for PFM. Our findings have important implications for practice by demonstrating (1) the effectiveness of predicting user susceptibility to phishing as a real-time protection strategy, (2) the value of modeling each stage of the phishing process together, rather than focusing on a single user action, and (3) the considerable impact of anti-phishing tool and threat-related factors on susceptibility to phishing.

Suggested Citation

  • Ahmed Abbasi & David Dobolyi & Anthony Vance & Fatemeh Mariam Zahedi, 2021. "The Phishing Funnel Model: A Design Artifact to Predict User Susceptibility to Phishing Websites," Information Systems Research, INFORMS, vol. 32(2), pages 410-436, June.
  • Handle: RePEc:inm:orisre:v:32:y:2021:i:2:p:410-436
    DOI: 10.1287/isre.2020.0973

    Download full text from publisher: http://dx.doi.org/10.1287/isre.2020.0973

