93-108
Evaluating user vulnerabilities vs phisher skills in spear phishing
Authors: Mathew Nicho, Hussein Fakhry, and Uche Egbue
Spear phishing emails pose great danger to employees of organizations due to the inherent weakness of
the employees in identifying the threat from spear phishing cues, as well as the spear phisher’s skill in
crafting contextually convincing emails. This raises the main question of which construct (user
vulnerabilities or phisher skills) has a greater influence on the vulnerable user. Researchers have
provided enough evidence of user vulnerabilities, namely the desire for monetary gain, curiosity of the
computer user, carelessness on the part of the user, the trust placed in the purported sender by the user,
and a lack of awareness on the part of the computer user. However, there is a lack of research on the
magnitude of each of these factors in influencing an unsuspecting user to fall for a phishing or spear
phishing attack, which we explored in this paper. While user vulnerabilities pose a major risk, the effect of
the spear phisher’s ability in skillfully crafting convincing emails (using fear appeals, urgency of action,
and email contextualization) to trap even skillful IT security personnel is an area that needs to be
explored. Therefore, we explored the relationships between the two major constructs, namely ‘user
vulnerabilities’ and ‘email contextualization’, through the theory of planned behavior, with the objective
of finding out the major factors that lead to computer users biting the phishers’ bait. In this theoretical
version of the paper, we provided the resulting two constructs that needed to be tested.