Errors, irregularities, and misdirection : cue utilisation and cognitive reflection in the diagnosis of phishing emails

Mitchell Ackerley, Ben W. Morrison, Kate Ingrey, Mark W. Wiggins, Piers Bayl-Smith, Natalie M. V. Morrison

Research output: Contribution to journalArticlepeer-review

Abstract

The study aimed to examine the role of, and potential interplay between, cue utilisation and cognitive reflection in email users’ ability to accurately (and efficiently) differentiate between phishing and genuine emails. 145 participants completed the Cognitive Reflection Test (CRT), a phishing diagnostic task, and the Expert Intensive Skill Evaluation (EXPERTise 2.0) battery, which provided a gauge of users’ cue utilisation in the domain. The results revealed an interaction between users’ cognitive utilisation and cue reflection, whereby users low in both facets performed significantly worse in diagnosing phishing emails than all other groups. Further, those participants with both higher cue utilisation and cognitive reflection took significantly longer to make their diagnosis. It is concluded that a high level of cognitive reflection was able to compensate for a lower level of cue utilisation, and vice versa. Participants reported using seven types of cue during diagnosis, however, there was no significant relationship between the types of cues used and users’ level of cue utilisation. Taken together, the findings have implications to the design of user-level interventions in relation to the identification of vulnerable users, as well as the need to consider training approaches that extend beyond the use of simple cue inventories.
Original languageEnglish
Number of pages21
JournalAustralasian Journal of Information Systems
Volume26
DOIs
Publication statusPublished - 2022

Open Access - Access Right Statement

© 2022 authors. This is an open-access article distributed under the terms of the Creative Commons Attribution-NonCommercial 3.0 Australia License (http://creativecommons.org/licenses/by-nc/3.0/au/), which permits non-commercial use, distribution, and reproduction in any medium, provided the original author and AJIS are credited.

Cite this