In recent years, the most common kind of cybercrime has been phishing, a form of online fraud. In phishing, an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text, and then clicking a malicious link, triggering undesirable processes such as malware installation or a system freeze as part of a ransomware attack. Phishing attacks, which often evade spam filters and other cybersecurity tools, have resulted in billions of dollars of losses for individuals and organizations.
In a new study, researchers investigated the effect of the kind of device used on individuals' risk-avoidance behavior—specifically, their tendency to avoid potentially risky links like those used in phishing attacks. They found that users responded differently to cyberattacks based on the kind of device they used: Mobile use was associated with more risk-avoidant behavior than PC use.
The study, conducted by researchers at Carnegie Mellon University and Ben-Gurion University of the Negev Beer-Sheva, appears in the International Journal of Information Management.
"The fact that successful phishing attempts require victims to collaborate with their attackers highlights the importance of identifying factors that influence users' avoidance behavior," explains Naama Ilany-Tzur, assistant teaching professor in the Information Systems Program at Carnegie Mellon's Heinz College, who led the study. "Drawing from evidence that mobile users process information differently than personal computer users, our study suggests that the device used may influence users' risk-avoidance behavior, as manifested in their tendency to avoid clicking on potentially risky messages."
Researchers analyzed data from a cybersecurity company that develops security solutions for small networks. To detect Internet crimes, the company monitors all URL requests from all devices connected to each of the networks it serves. Researchers randomly selected 30 U.S. networks, and the company provided them with all available records of URL requests from mobile devices and PCs on these networks during one week in August-September 2020. From these records, the researchers randomly selected about 500,000 URL requests to examine.
Next, to explore users' sensitivity to risk cues at different security levels, the researchers conducted two online experiments in which device and URL risk level were randomly assigned to participants (more than 250 workers from the Amazon Mechanical Turk platform in each experiment). After asking participants to complete a task related to online images, they simulated a phishing attack to see who would click on the link provided and who would not.
Mobile users were less likely than PC users to click on a URL in a phishing-like message, the study found. This difference appeared for lower-risk URLs, whereas PC and mobile users displayed similar risk-avoidance tendencies when faced with higher-risk URLs. Because device and risk level were randomly assigned in the experiments, the authors inferred causality and concluded that device use was responsible for the differences in risk-avoidance behavior; they also determined that users' sensitivity to differential risk levels depended on which device they were using.
The study's findings support the contextual nature of risk-avoidance behavior, suggesting that mobile use settings may constrain the ability of users to engage in risk assessment, possibly causing their behavior to be more avoidant than necessary when links pose no significant risk. In contrast, PC use settings may be more suitable for engaging in risk assessment, allowing users to respond in a manner consistent with the actual level of risk.
"In a time of increasing Internet crime, our work adds to the growing understanding of risk-avoidance behavior," suggests Lior Fink, professor of industrial engineering and management at Ben-Gurion University of the Negev Beer-Sheva, who coauthored the study. "In light of the wide variety of devices available to users, our study also advances understanding of behavioral differences by device."
The results, the authors say, can help cybersecurity firms design solutions that better fit the device being used and the desired user behavior. For example, the effectiveness of security mechanisms may be contingent on the device being used. The findings can also inform policies and regulations related to security and privacy.
Among the study's limitations, the authors note that their experimental studies could not fully mimic an actual phishing attack.
The study was funded by the Israeli Science Foundation.