Phishing, Smishing

Phishing, vishing, whaling, spear-phishing: the list of clever new terms seems constantly to change. A successful attack by any other name, though, is just as sweet to the adversary. Terminology aside, the fundamental problem is this. Phishing is the most common and effective way to steal data because it goes after the weakest chain in our cybersecurity armor: the human being. Even high-profile people, including one CEO of a major cybersecurity firm and major figures in law enforcement, have fallen victim to phishing attacks.

Why do people continually click on phishing e-mails, even when they have been through rigorous training about the dangers, or even publicly shamed for doing so? Does it make sense to try to use technology to solve a human-behavior problem? Perhaps we should look outside the technical realm for answers, perhaps to the behavioral sciences.

There is one researcher, Dr. Arun Vishwanath, who has studied the problem extensively, not as a technical challenge, but as a problem of human behavior. In numerous papers and talks, Dr. Vishwanath has shown his research that confirms empirically what many of us believe anecdotally: training doesn’t work.  Training starts, he says, with the flawed assumption that “always applying sufficient cognitive effort but merely lacking knowledge”1, and “in reality, people seldom commit cognitive resources to analyze information. People almost always act as cognitive misers, choosing efficiency over detailed processing.”1. In simple terms, this means people know not to click, but they click anyway. But, why?

Vishwanath asserts that in addition to hoarding our cognitive resources, we are also subject to habituation, from the routine and frequent nature of reading e-mail, most of which are benign1. Consequently, while the user may possess the requisite knowledge, their slogging through an overstuffed inbox turns off, or at least turns down, their “spidey-sense” for spotting bogus messages.

There is no clear solution to this problem, but as any engineer will say, defining a problem is always the first step. Dr. Vishwanath, however, has made significant progress in finding a solution. First, he says, we need to assess and quantify an individual’s propensity for risky cyber behavior 1, a score he calls the Cyber Risk Index (CRI). The CRI, he continues, should define who receives training, and – this is critical – what kind of training they receive.   No two people are alike, so one-size-fits-all training makes little sense. The training must address a person’s particular habits, behavioral patterns, beliefs about cybersecurity, and beliefs about his or her own abilities to spot a fraudulent e-mail. Dr. Vishwanath also recommends dynamically tracking a user’s CRI score, and rewarding them with access to files or other resources.

Phishing remains a chronic, unsolved problem in cybersecurity, and requires new approaches, quite possibly from researchers who study behaviors and habits, instead of bits and bytes.

[1] Vishwanath, A. (n.d.). Blunting the Phisher’s Spear: A risk-based approach for defining the user. Retrieved February 11, 2019, from