The vast majority of cybersecurity breaches start with someone clicking on a link in an email. Phishing works, and continues to work, because it exploits weaknesses in human psychology and organisational culture.
New research suggests that national culture is also a factor, and an important one; perhaps as important as an individual's overall information security awareness (ISA).
"Participants from countries associated with higher levels of individualism were better at discerning malicious emails, and this was found to be the strongest predictor," wrote a research team from Australia's Defence Science and Technology Group (DST) and the University of Adelaide.
"This may be attributable to low levels of individualism being linked to a desire to maintain group harmony. This, in turn, results in an increased drive to respond to requests from others, including those requests in malicious emails."
The researchers also found that for both phishing and spearphishing -- that is, generic and targeted phishing attacks -- better knowledge, attitude, and behaviour specific to email use were associated with better detection of deceitful emails.
"Interestingly, there were differences between the factors that predicted phishing and spearphishing detection. Lower levels of cognitive impulsivity and high levels of agreeableness were only linked to better discrimination of phishing emails. Higher levels of neuroticism were only associated with better discrimination of spearphishing emails. This may be due to the link between neuroticism and compulsive thinking about possible threats," they wrote.
"In other words, heightened rumination may improve our ability to detect actual spearphishing threats. Such rumination may be limited to spearphishing emails due to the highly personalised nature of such cyber attacks where an individual may feel singled out."
The research was published as Understanding Susceptibility to Phishing Emails: Assessing the Impact of Individual Differences and Culture, one of the papers presented to the 11th International Symposium on Human Aspects of Information Security and Assurance (HAISA 2017) in Adelaide in November.
Words such as "agreeableness" and "neuroticism" are used here in the specific technical sense they carry in the Ten-Item Personality Inventory (TIPI), a standard brief measure of the Big Five personality traits.
There are of course limitations to the research. The sample size was small. Participants self-reported their ISA and their demographic data. Their individualism and other personality traits were inferred from their demographic data using previous research on the psychology of national cultures, rather than individual TIPI tests.
Nevertheless, the researchers feel that they've provided some insight into the links between culture and the ability to catch a phish.
"In particular, the prominence of a cultural factor over individual differences in predicting an individual's phishing susceptibility in our study suggests that future research should take a more holistic approach to examining the factors that influence our security-related behaviours," they wrote.
In a separate study, Understanding the Relationships between Resilience, Work Stress and Information Security Awareness, the researchers reported that participants with greater resilience also tended to have higher ISA and lower levels of work stress.
"From a practical perspective, organisations may benefit from incorporating training programs that focus on resilience training, in an effort to create a more resilient workforce. There are numerous benefits associated with having resilient employees; these benefits may extend to improvements in ISA and levels of job stress," they wrote.
This Australian research would seem to dovetail nicely with previously reported research from New Zealand and the US, which, to this writer's mind at least, indicates that employers create the very conditions that make their employees vulnerable to phishing attacks.
We are getting better at detecting phishing campaigns, but fraudsters are improving, too.
The bad guys use phishing because it works, and it works because it exploits weaknesses in human psychology and organisational culture. We won't fix cybersecurity until we fix those things.