Abstract
Phishing websites have become a critical cybersecurity threat affecting individuals and organizations. Phishing-website detection tools are designed to protect users against such sites. Nevertheless, detection tools face serious user-trust and suboptimal-performance issues, which require trust calibration to align users’ trust with the tool’s actual capabilities. We employ the theoretical framework of automation trust and reliance as a kernel theory to develop a trust calibration model for phishing-website detection tools. We test the model using a controlled lab experiment. The results of our analysis show that users’ trust in detection tools can be calibrated by trust calibrators. Moreover, users’ calibrated trust has significant consequences, including users’ tool reliance, tool use, and performance against phishing websites.
1. Introduction
Phishing websites victimize millions of Internet users, exacting significant monetary losses and social costs from individuals and organizations [[1], [2], [3]]. An FBI announcement reported that phishing caused $26 billion in damage over the three-year period from 2016 to 2019 [4]. About $1.1 million per hour is lost to phishing attacks [5].
Phishing websites come in two forms: spoof and concocted. Spoof sites mimic existing, generally well-known websites to engage in identity theft or malware dissemination [6,7]. Concocted sites are fictional websites designed to conduct social engineering, fraudulent online advertising, or black-hat search-engine-optimization-based attacks for monetary gain or malware propagation. Both categories of phishing websites have serious implications for Internet users and organizations, such as damaging brand equity and increasing customer churn rates [6]. Concocted websites also frequently appear in top-ranked search results [8] and routinely disseminate malware to unsuspecting site visitors [9]. Phishing-website detection tools protect users against such sites.
These detection tools belong to a subcategory of IT called automated security IT, defined as security IT that uses certain mechanisms to automatically classify an event or object as normal or malicious [10] while leaving the final security decision to the user [11]. There are many phishing-website detection tools, but reports indicate that users often ignore or disuse their advice [12,13]. A survey of Internet users found that 60 % of respondents do not use the web browsers’ built-in phishing-website detection tools [14]. Many users rely solely on intuition to judge the credibility of a website, despite the fact that spoof rates can be as high as 33 %–45 % when users rely on their own mental model [9,15,16]. Although research shows that user accuracy in detecting phishing websites is much lower than the accuracy of the detection tools [1], the rate at which users ignore certain types of warnings in some browsers (e.g., SSL warnings) can be as high as 60 % [17]. These results suggest that detection tools face serious trust issues among users. Addressing these issues demands a novel approach to investigating user trust vis-à-vis the characteristics of detection tools.