Phishing poses a significant threat to companies and public administrations. Mostly, this attack is perpetrated by exploiting social engineering techniques, such as persuasion principles and emotional triggers. Moreover, technical defenses alone are insuficient to protect organizations from these socially engineered attacks. Therefore, countermeasures that address human vulnerabilities are essential. To this end, we present a framework dedicated to assess human vulnerabilities of employees within an organization by using simulated phishing campaigns. In detail, the proposed work consists of two activities. The first activity explores the interaction between persuasion principles, emotional triggers, and user profiles. Such aspect has not yet been investigated in the literature and it may provide more information on the human factors to which users are most exposed during a phishing attack. The second activity will focus on designing phishing campaigns in which we will measure the efectiveness of emails considering the emotional triggers and persuasion principles used to scam the users, as well as the interaction between these two dimensions and the user personality traits.
Phishing is one of the major cyber threats in our society, being one of the top initial access
vectors for cyber criminals [
Given the important role that human factors play in the success of these attacks, phishing
cannot be addressed solely on a technological level (e.g., by implementing automated phishing
detection mechanisms). For this reason, organizations typically conduct "white hat" phishing
campaigns to assess the company’s susceptibility to phishing attacks. By sending fake emails,
companies can estimate their exposure to attacks in terms of how many employees clicked on
the phishing links in these emails [
While simulated phishing campaigns provide organizations with a tool to quantitatively
assess their vulnerability to phishing attacks, they fall short in assessing the human factors
at play when these attacks are successful [6]. For example, personality traits of an employee
strongly impact their susceptibility to phishing [7]. Furthermore, the efectiveness of a phishing
campaign can be significantly influenced by the nature of emails it comprises. Persuasion
principles [8] are psychological techniques often used in phishing attacks, which can increase
the user’s susceptibility [9, 10, 11]. Phishing emails also often leverage emotional drivers, such
as creating a sense of urgency or fear, to increase the likelihood of users falling victim [12, 4, 13].
Although previous work has explored how individual user diferences [
Our research proposes a new defensive solution in the context of the Italian national project DAMOCLES (Detection And Mitigation Of Cyber attacks that expLoit human vulnerabilitiES), which aims to develop a framework for the Italian Public Administration to assess human factors in cyber incidents and mitigate their impact through security awareness and customized user training. The ongoing work presented in this paper includes two main contributions. The first part provides insight into the relationships between persuasion principles, emotional triggers, and personality traits. To achieve this, a large-scale study will be conducted with over 1000 participants exposed to various emails that correspond to diferent combinations of persuasion principles and emotional triggers. The study results will reveal the most critical combinations of <persuasion principle, emotional trigger, personality trait> that make phishing emails most efective for certain users. The second part of our research will build on the knowledge gained in the first study to create more precise simulated phishing campaigns. These campaigns will enable companies and organizations to evaluate the susceptibility of their employees to emails that include (or exclude) the most efective phishing techniques for their profiles.
Understanding the individual vulnerabilities of the employees can lead to take more efective
decisions from an organizational perspective, such as providing them with specific support in
the form of personalized training material to address their vulnerabilities [17, 18]. Furthermore,
with the right support and training, employees can become a valuable asset to the organization
and an efective line of defense against phishing (i.e., also known as crowd-sourced phishing
detection) [
The paper continues as following: Section 2 presents the related work on social engineering techniques commonly used in phishing email and user’s assessment; Section 3 discusses the 2-phase approach we propose to measure the efectiveness of phishing emails and to assess employees with a simulated phishing campaign; Section 4 draws conclusions and presents future work of the project.
The causes of a phishing email’s efectiveness can be boiled down to two main factors: the characteristics of the email itself and the characteristics of the recipient.
Phishing emails often use Persuasion Principles to deceive users into clicking on phishing links or disclosing personal information [8, 11]. Cialdini [8] identifies 6 persuasion principles that are widely explored in the social engineering literature: authority, scarcity, liking, social proof, reciprocation, and consistency. The use of persuasion principles can ultimately afect the efectiveness of a phishing email, making it generally more deceptive to users [ 9, 10, 11, 19, 14]. Ferreira and Teles [11] identified a list of persuasion principles that are most prominent in phishing attacks, which include, in addition to authority and reciprocation, integrity and strong afect .
Phishing emails often exploit core emotions: curiosity (or anticipation), fear (or anxiety), greed (or desire), anger (or annoyance), joy (or excitement), confusion (surprise), and empathy (or compassion) [12, 4, 13]. This is usually accomplished by including emotional drivers (or triggers) that manipulate users and cause them to make irrational decisions [20, 21]. For instance, when experiencing sadness, individuals tend to gravitate toward high-risk/high-reward options, whereas those in anxious states prefer low-risk/low-reward choices [22]. In general, individuals who are under the influence of "visceral influences" do not consider the ramifications of their actions and seek immediate satisfaction of their visceral desires [23, 24].
Emails that employ these social engineering techniques (either alone or in combination) are typically more deceptive and can more easily lead users to become victims [9, 10, 11]. The quality of a phishing email can be measured using the Phish Scale developed by NIST [25]. This tool can help assess the dificulty of an email, in average, to be detected. This scale considers two main aspects: the email cues (i.e., the observable characteristics of an email such as language, presentation, correctness, etc.) and the alignment with the user premises (i.e., how closely an email matches the work roles or responsibilities of the recipient). The stronger an email’s premise alignment and the fewer cues it has, the more dificult it is to detect it as a phish. The dificulty of a phishing email can be classified in three categories, based on the number of cues: many cues (less dificult), some cues (medium), few cues (more dificult).
Regarding the characteristics of the recipient (i.e., the user), there are a number of human
factors that play a critical role in influencing the susceptibility of users to phishing attacks [
Simulated phishing campaigns are typically used to deliver embedded training material
[
The solution we propose in this paper will be carried out in two diferent and sequential activities: 1. Design of a user study to measure the three factors that may influence users’ susceptibility to phishing, i.e. personality traits, persuasion principles and emotional triggers; 2. Design of a simulated phishing campaign based on the results of Activity 1, i.e., the correlations between the three factors and users’ phishing susceptibility. A web platform will make it possible to apply the most efective combinations of these factors to test users with challenging fake phishing emails.
To discover correlations between users’ profiles, persuasion principles, and emotional triggers, we need to construct a knowledge base with data about the phishing susceptibility of users (each with their own personality traits) to diferent phishing techniques. Therefore, a user study serves as a means for gathering the data. This will be done by firstly collecting data about the users to profile them according to the Big Five personality traits model by administering the NEO Five-Factor Inventory-3 [39], a 60-item questionnaire to measure their personality traits according to the Big 5 model. After a user profile of the employee is generated, the users will be exposed to a set of safe and phishing emails. The phishing emails included in the study will be crafted by applying diferent combinations of <persuasion principle, emotional trigger>. The persuasion principle will be one of the 6 persuasion principles (i.e., authority, scarcity, reciprocation, social proof, liking, consistency), while the emotional trigger will be one of the 7 emotional triggers (i.e., curiosity, fear, greed, anger, joy, confusion, empathy), leading to a total of 6 × 7 unique combinations.
In addition, to improve the external validity of the study, the topic of the phishing email is also varied, as done in [4]. The fake emails can be crafted by, e.g., following the modus operandi of Gallo et al. [14], starting from real phishing emails to include a unique combination of persuasion principle and emotional trigger.
For each of the 42 combinations, 3 variants are generated to have a more solid knowledge base. The variants are crafted to be of diferent levels of dificulty to include an additional dimension in the measurements. To objectively rate the overall level of dificulty for an average employee to detect an email, the Phish Scale [25] is used with the following scores: (1) low level of dificulty ( cues category = "Many"), (2) medium level of dificulty ( cues category = "Some"), and (3) high level of dificulty ( cues category = "Few"). This results in 42 × 3 = 126 fake emails that will be sent during the study; a fake phishing email contains a link that, when clicked, redirects an employee to a landing page where they are debriefed about the fake phishing email. At this point, the information about which employee clicked on the phishing link is saved. To avoid overloading users with too many emails, each of them will be exposed to a subset of the emails (e.g., 10 safe emails, 10 phishing emails). Eventually, each of the 42 combinations will be administered to an equal number of users.
The findings from the previous study will highlight the most important interactions between <persuasion principle, emotional trigger, personality trait> that, for particular users, maximize the efectiveness of phishing emails. Building on the insights from the first study, the second activity of the research presented in this paper will develop more accurate simulated phishing campaigns. Through these campaigns, companies and organizations will be able to assess how vulnerable their staf members are to emails that contain (or don’t contain) the most successful phishing techniques specific to their profiles. To better illustrate this activity, we introduce a scenario that describes how this approach could be practically applied in a PA. The scenario is described below: 1. The National Institute for Social Security ("INPS", in Italian) is a PA with about 20,000 employees; faced with the ever-increasing risk of cyber-attacks, its IT director decided to improve the organization’s defenses against phishing attacks by assessing the specific human factors to which its employees are more susceptible to, with the subsequent goal of addressing the specific deficiencies of employees through customized training programs. 2. 7 days in advance, employees are informed about the simulated phishing campaign that will be conducted and its objective. They are also informed of the need to collect data that can be used to create a profile, assuring them that their digital profile won’t be directly traceable to them. These measures limit the extent of the ethical implications that naturally come with a similar approach. 3. An initial model of the PA’s employees is created by administering the NEO Five-Factor Inventory-3 [39], a 60-item questionnaire to measure their personality traits according to the Big 5 model. To assess the employees’ initial ability to correctly recognize and respond to phishing attacks, the survey-based Phishing Awareness Questionnaire [40] is also administered. Finally, the employees’ risk-taking behavior is measured with the Balloon Analogue Risk Task test [41], as higher risk-taking behaviours can negatively influence phishing susceptibility [32]. The questionnaires are administered to the employees in the workplace to ensure a more controlled environment. 4. A simulated phishing campaign has been designed to assess the long-term susceptibility of employees to phishing attacks, spanning a duration of 3 months. In this context, personalized phishing emails will be utilized, with a comprehensive approach tailored to each user. Specifically, a total of 30 emails will be meticulously crafted for every personality trait, drawing upon the top 10 combinations of persuasion principles and emotional triggers associated with that trait. Each of these combinations will generate 3 distinct emails varying in complexity. Consequently, throughout the campaign period, users will encounter the 30 emails tailored to the personality trait identified as most influential for them. This approach ensures a targeted exposure to a spectrum of psychological tactics employed in phishing attempts, facilitating a robust evaluation of susceptibility over time. 5. The simulated phishing campaign is launched. On Day 1, the first email is sent. The phishing link in the email redirects any employee who falls victim to a page where they are debriefed about the fake phishing email. Here they are reassured that no consequences will be taken against them, and that the data they will submit will be kept anonymous (in line with what is done in [4]). The causes that led them to click on the links are investigated by asking open-ended questions about (i) how did the email made them feel, to qualitatively collect their self-reported emotions (as in [4]]), and (ii) what led them to click on the phishing link (as in [42]). 6. After Day 1, the remaining emails are sent at intervals of 3 days to avoid predictability (with an average of one email every 10 days). Furthermore, the minimum delay between one phishing email and another is necessary to avoid priming the employees to more secure behavior after exposure to a debriefing message (i.e., to reduce the expectancy efect [43]). 7. A dashboard can show the current situation for all employees by reporting, for each fake email sent, the percentage of employees who clicked on the phishing link. The employees’ personality traits are also displayed to highlight the correlation between them and the phishing susceptibility. 8. At the end of the simulated campaign, the company can address the individual vulnerabilities of each employee (whose identity remains undisclosed) by automatically delivering customized training/security awareness materials. For example, if an employee is found to be particularly vulnerable to the Authority principle used in IT communication emails, they are provided with examples of fake emails that include that specific persuasion technique; training material additionally suggests security measures to double check the sender’s identity (e.g., the address of legit communications). Moreover, they are provided with vital information such as some of the company norms (e.g., that the IT department will never ask employees to provide their passwords) and useful contacts to consult when they feel a communication is suspicious, so that they do not resort to alternative, less secure, sources.
This work is part of the research conducted within the Italian national project DAMOCLES. The main project ultimately aims to develop a framework for the Italian PAs to assess and mitigate human factors in cyber incidents. This would make it possible to uncover factors that may be overlooked in current cybersecurity training approaches and ultimately lead to better protection in these organizations. One line of action to enhance user protection is customized training that addresses the employees’ individual vulnerabilities.
This paper contributes to the first step of assessing the user vulnerability by proposing a methodology based on simulated phishing campaigns. This phase is only a part of a broader, iterative approach, that involves a continuous assessment-training process to progressively reduce an organization’s vulnerability to phishing (this methodology is also referred to as "Agile Phishing" by [4]).
Future work will include testing the proposed approach with user studies in a controlled setting. Moreover, much efort will be put in studying how to craft customized training material to specifically address one or more vulnerabilities. Another interest aspect to be investigated is the expectancy efect, i.e., the extent to which an employee is primed towards a safer behavior when they are aware that a phishing campaign is being conducted in the organization; analyses to assess this bias may involve comparing the click-rate in emails with similar dificulty sent with diferent delay from each other. While the proposed approach can certainly bring many benefits to organizations in their fight against phishing, there is a major ethical problem with collecting employees data in a safety critical context. Being able to identify each user and their actions with phishing emails could put their jobs at risk. Therefore, future works must include the development an anonymization mechanism to protect the user’s identity, while allowing targeted interventions to improve their susceptibility to phishing attacks.
This work has been supported by the Italian Ministry of University and Research (MUR) and by the European Union - NextGenerationEU, under grant PRIN 2022 PNRR "DAMOCLES: Detection And Mitigation Of Cyber attacks that exploit human vuLnerabilitiES" (Grant P2022FXP5B) – CUP: H53D23008140001. The research of Francesco Greco is funded by a PhD fellowship within the framework of the Italian “D.M. n. 352, April 9, 2022” - under the National Recovery and Resilience Plan, Mission 4, Component 2, Investment 3.3 - PhD Project “Investigating XAI techniques to help user defend from phishing attacks”, co-supported by “Auriga S.p.A.” (CUP H91I22000410007). [4] CybSafe, The ultimate people-centric guide to simulated phishing, 2023. URL: https://www.
cybsafe.com/value/simulated-phishing/. [5] T. N. Jagatic, N. A. Johnson, M. Jakobsson, F. Menczer, Social phishing, Commun. ACM 50 (2007) 94–100. URL: https://doi.org/10.1145/1290958.1290968. doi:10.1145/1290958. 1290968. [6] Y. Lee, K. R. Larsen, Threat or coping appraisal: determinants of smb executives’ decision to adopt anti-malware software, European Journal of Information Systems 18 (2009) 177–187.
URL: https://doi.org/10.1057/ejis.2009.11. doi:10.1057/ejis.2009.11. [7] E. D. Frauenstein, S. Flowerday, Susceptibility to phishing on social network sites: A personality information processing model, Computers & Security 94 (2020) 101862. URL: https://www.sciencedirect.com/science/article/pii/S0167404820301346. doi:10.1016/j. cose.2020.101862. [8] R. B. Cialdini, Influence: The Psychology of Persuasion, 1st. ed., Harper Collins, New York,
NY, 2007. [9] K. Parsons, M. Butavicius, P. Delfabbro, M. Lillie, Predicting susceptibility to social influence in phishing emails, International Journal of Human-Computer Studies 128 (2019) 17–26.
URL: https://doi.org/10.1016/j.ijhcs.2019.02.007. doi:10.1016/j.ijhcs.2019.02.007. [10] R. Taib, K. Yu, S. Berkovsky, P. Bayl-Smith, M. Wiggins, Social engineering and organisational dependencies in phishing attacks, in: D. Lamas, F. Loizides, L. Nacke, H. Petrie, M. Winckler, P. Zaphiris (Eds.), Human-Computer Interaction – INTERACT 2019, number 11746 in Lecture Notes in Computer Science, Springer, Springer Nature, United States, 2019, pp. 564–584. URL: http://interact2019.org/. doi:10.1007/978-3-030-29381-9_35, 17th IFIP TC.13 International Conference on Human-Computer Interaction – INTERACT 2019, INTERACT 2019 ; Conference date: 02-09-2019 Through 06-09-2019. [11] A. Ferreira, S. Teles, Persuasion: How phishing emails can influence users and bypass security measures, International Journal of Human-Computer Studies 125 (2019) 19– 31. URL: https://www.sciencedirect.com/science/article/pii/S1071581918306827. doi:10. 1016/j.ijhcs.2018.12.004. [12] C. Hadnagy, M. Fincher, Phishing dark waters: The ofensive and defensive sides of malicious Emails, John Wiley & Sons, 2015. [13] A. Higbee, S. Greaux, Phishing defense guide 2017, 2022. URL: https://cofense.com/ wp-content/uploads/2017/11/Enterprise-Phishing-Resiliency-and-Defense-Report-2017. pdf. doi:10.13140/RG.2.2.33730.50889. [14] L. Gallo, D. Gentile, S. Ruggiero, A. Botta, G. Ventre, The human factor in phishing: Collecting and analyzing user behavior when reading emails, Computers & Security 139 (2024) 103671. URL: https://doi.org/10.1016/j.cose.2023.103671. doi:10.1016/j.cose. 2023.103671. [15] B. E. Gavett, R. Zhao, S. E. John, C. A. Bussell, J. R. Roberts, C. Yue, Phishing suspiciousness in older and younger adults: The role of executive functioning, PLOS ONE 12 (2017) 1–16. URL: https://doi.org/10.1371/journal.pone.0171620. doi:10.1371/journal.pone. 0171620. [16] D. M. Sarno, J. E. Lewis, C. J. Bohil, M. B. Neider, Which phish is on the hook? phishing vulnerability for older versus younger adults, Human Factors 62 (2020) 704– 717. URL: https://doi.org/10.1177/0018720819855570. doi:10.1177/0018720819855570, pMID: 31237787. [17] K. Jansson, R. von Solms, Phishing for phishing awareness, Behaviour & Information Technology 32 (2013) 584–593. URL: https://doi.org/10.1080/0144929X.2011.632650. doi:10. 1080/0144929X.2011.632650. [18] S. McElwee, G. Murphy, P. Shelton, Influencing outcomes and behaviors in simulated phishing exercises, in: SoutheastCon 2018, 2018, pp. 1–6. URL: https://doi.org/10.1109/ SECON.2018.8479109. doi:10.1109/SECON.2018.8479109. [19] P. Burda, T. Chotza, L. Allodi, N. Zannone, Testing the efectiveness of tailored phishing techniques in industry and academia: a field experiment, in: Proceedings of the 15th International Conference on Availability, Reliability and Security, ARES ’20, Association for Computing Machinery, New York, NY, USA, 2020. URL: https://doi.org/10.1145/3407023. 3409178. doi:10.1145/3407023.3409178. [20] Z. Wang, H. Zhu, L. Sun, Social engineering in cybersecurity: Efect mechanisms, human vulnerabilities and attack methods, IEEE Access 9 (2021) 11895–11910. URL: https:// ieeexplore.ieee.org/document/9323026. doi:10.1109/ACCESS.2021.3051633. [21] E. A. Phelps, K. M. Lempert, P. Sokol-Hessner, Emotion and decision making: multiple modulatory neural circuits, Annu Rev Neurosci 37 (2014) 263–287. URL: https://pubmed. ncbi.nlm.nih.gov/24905597. [22] R. Raghunathan, M. T. Pham, All negative moods are not equal: Motivational influences of anxiety and sadness on decision making, Organizational Behavior and Human Decision Processes 79 (1999) 56–77. URL: https://www.sciencedirect.com/science/article/pii/ S0749597899928388. doi:10.1006/obhd.1999.2838. [23] J. Langenderfer, T. A. Shimp, Consumer vulnerability to scams, swindles, and fraud: A new theory of visceral influences on persuasion, Psychology & Marketing 18 (2001) 763–783.
URL: https://onlinelibrary.wiley.com/doi/abs/10.1002/mar.1029. doi:10.1002/mar.1029. [24] J. Wang, T. Herath, R. Chen, A. Vishwanath, H. R. Rao, Research article phishing susceptibility: An investigation into the processing of a targeted spear phishing email, IEEE Transactions on Professional Communication 55 (2012) 345–362. URL: https://ieeexplore. ieee.org/abstract/document/6289402. doi:10.1109/TPC.2012.2208392. [25] M. Steves, K. Greene, M. Theofanos, Categorizing human phishing dificulty: a Phish Scale, Journal of Cybersecurity 6 (2020) tyaa009. URL: https://doi.org/10.1093/cybsec/tyaa009. doi:10.1093/cybsec/tyaa009. [26] V. Distler, The influence of context on response to spear-phishing attacks: an in-situ deception study, in: Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems, CHI ’23, Association for Computing Machinery, New York, NY, USA, 2023. URL: https://doi.org/10.1145/3544548.3581170. doi:10.1145/3544548.3581170. [27] J.-H. Cho, H. Cam, A. Oltramari, Efect of personality traits on trust and risk to phishing vulnerability: Modeling and analysis, in: 2016 IEEE International MultiDisciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support (CogSIMA), 2016, pp. 7–13. URL: https://doi.org/10.1109/COGSIMA.2016.7497779. doi:10.1109/COGSIMA.2016.7497779. [28] S. Eftimie, R. Moinescu, C. Răcuciu, Spear-phishing susceptibility stemming from personality traits, IEEE Access 10 (2022) 73548–73561. URL: https://doi.org/10.1109/ACCESS.2022. 3190009. doi:10.1109/ACCESS.2022.3190009. [29] P. Lawson, C. J. Pearson, A. Crowson, C. B. Mayhorn, Email phishing and signal detection: How persuasion principles and personality influence response patterns and accuracy, Applied Ergonomics 86 (2020) 103084. URL: https://www.sciencedirect.com/science/article/ pii/S0003687020300478. doi:https://doi.org/10.1016/j.apergo.2020.103084. [30] R. R. McCrae, P. T. Costa Jr., The five-factor theory of personality., Handbook of personality:
Theory and research, 3rd ed., The Guilford Press, New York, NY, US, 2008, pp. 159–181. [31] P. T. Costa Jr, R. R. McCrae, Four ways five factors are basic, Personality and Individual Diferences 13 (1992) 653–665. URL: https://www.sciencedirect.com/science/article/pii/ 019188699290236I. doi:10.1016/0191-8869(92)90236-I. [32] H. Abroshan, J. Devos, G. Poels, E. Laermans, Covid-19 and phishing: Efects of human emotions, behavior, and demographics on the success of phishing attempts during the pandemic, IEEE Access 9 (2021) 121916–121929. URL: https://doi.org/10.1109/ACCESS. 2021.3109091. doi:10.1109/ACCESS.2021.3109091. [33] C. A. Tian, M. L. Jensen, Efects of emotional appeals on phishing susceptibility, in: PreICIS Workshop on Information Security and Privacy (WISP) 2019 Proceedings, volume 16, 2019, pp. 1–16. URL: https://aisel.aisnet.org/wisp2019/16. [34] S. Uebelacker, S. Quiel, The social engineering personality framework, in: 2014 Workshop on Socio-Technical Aspects in Security and Trust, 2014, pp. 24–30. URL: https://doi.org/10. 1109/STAST.2014.12. doi:10.1109/STAST.2014.12. [35] R. T. Wright, M. L. Jensen, J. B. Thatcher, M. Dinger, K. Marett, Research note: Influence techniques in phishing attacks: An examination of vulnerability and resistance, Information Systems Research 25 (2014) 385–400. URL: http://www.jstor.org/stable/24700179. [36] P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. A. Blair, T. Pham, School of phish: a real-world evaluation of anti-phishing training, in: Proceedings of the 5th Symposium on Usable Privacy and Security, SOUPS ’09, Association for Computing Machinery, New York, NY, USA, 2009. URL: https://doi.org/10.1145/1572532.1572536. doi:10.1145/1572532.1572536. [37] D. D. Caputo, S. L. Pfleeger, J. D. Freeman, M. E. Johnson, Going spear phishing: Exploring embedded training and awareness, IEEE Security & Privacy 12 (2014) 28–38. URL: https: //doi.org/10.1109/MSP.2013.106. doi:10.1109/MSP.2013.106. [38] A. Xiong, R. W. Proctor, W. Yang, N. Li, Embedding training within warnings improves skills of identifying phishing webpages, Human Factors 61 (2019) 577–595. URL: https:// doi.org/10.1177/0018720818810942. doi:10.1177/0018720818810942, pMID: 30526089. [39] P. T. Costa Jr., R. R. McCrae, The Revised NEO Personality Inventory (NEO-PI-R)., The SAGE handbook of personality theory and assessment, Vol 2: Personality measurement and testing., Sage Publications, Inc, Thousand Oaks, CA, US, 2008, pp. 179–198. URL: https://doi.org/10.4135/9781849200479.n9. doi:10.4135/9781849200479.n9. [40] B. T.T., E. V., H. T.D., L. W.H., S. M., Phishing awareness among students at ntnu, 2022.
URL: https://folk.idi.ntnu.no/baf/eremcis/2022/Group17.pdf. [41] C. W. Lejuez, J. P. Read, C. W. Kahler, J. B. Richards, S. E. Ramsey, G. L. Stuart, D. R.
Strong, R. A. Brown, Evaluation of a behavioral measure of risk taking: The balloon analogue risk task (bart)., Journal of Experimental Psychology: Applied 8 (2002) 75–84.
URL: https://doi.org/10.1037/1076-898X.8.2.75. doi:10.1037/1076-898X.8.2.75. [42] A. J. Ferguson, Fostering e-mail security awareness: The west point carronade, Educause
Quarterly 28 (2005) 54–57. URL: https://www.educause.edu/ir/library/pdf/EQM0517.pdf. [43] V. Anandpara, A. Dingman, M. Jakobsson, D. Liu, H. Roinestad, Phishing iq tests measure fear, not ability, in: S. Dietrich, R. Dhamija (Eds.), Financial Cryptography and Data Security, Springer Berlin Heidelberg, Berlin, Heidelberg, 2007, pp. 362–366. URL: https: //link.springer.com/chapter/10.1007/978-3-540-77366-5_33.