SoK: Human-Centered Phishing Susceptibility
This work addresses the human factors in phishing susceptibility, which is a critical issue for organizations and individuals, but it is incremental as it builds on existing literature with a systematic review and model.
The paper tackles the problem of human susceptibility to phishing attacks by proposing a three-stage Phishing Susceptibility Model (PSM) to explain human involvement in detection and prevention, and it systematically reviews literature to taxonomize variables and identify research gaps for improving user detection performance.
Phishing is recognised as a serious threat to organisations and individuals. While there have been significant technical advances in blocking phishing attacks, people remain the last line of defence after phishing emails reach their email client. Most of the existing literature on this subject has focused on the technical aspects related to phishing. However, the factors that cause humans to be susceptible to phishing attacks are still not well-understood. To fill this gap, we reviewed the available literature and we propose a three-stage Phishing Susceptibility Model (PSM) for explaining how humans are involved in phishing detection and prevention, and we systematically investigate the phishing susceptibility variables studied in the literature and taxonomize them using our model. This model reveals several research gaps that need to be addressed to improve users' detection performance. We also propose a practical impact assessment of the value of studying the phishing susceptibility variables, and quality of evidence criteria. These can serve as guidelines for future research to improve experiment design, result quality, and increase the reliability and generalizability of findings.