Stressed for a Bit? Then Don’t Click It, Cybersecurity Experts Advise

By Tom Rickey

Published 6 July 2023

Phishing psychology study explores what makes workers vulnerable.

Workers feeling a specific form of stress are more likely than others to become the victims of a phishing attack, according to a study at the Department of Energy’s Pacific Northwest National Laboratory.

While most—if not all—of us feel stress in the workplace, scientists identified a specific form of stress that indicates who is more vulnerable to clicking on bogus content that could lead to malware and other cyber ills. The work could help workers and their employers increase their cybersecurity defenses by recognizing the warning signs when someone is about to make a risky click.

The team’s results from a study of 153 participants were published recently in the Journal of Information Warfare. The researchers noted that while the relatively small sample size limited their ability to tease out all of the relationships among more than two dozen variables they studied, the relationship between stress and response to the simulated phishing email was statistically significant.

The costs of phishing attacks are enormous. An analysis sponsored by Proofpoint and conducted by the Ponemon Institute estimates that large U.S. businesses lost, on average, $14.8 million apiece to fraudsters via phishing in 2021 alone.

Defenses include not just better technology but also improved awareness by would-be victims.

“The first step to defend ourselves is understanding the complex constellation of variables that make a person susceptible to phishing,” says PNNL psychologist Corey Fallon, a corresponding author of the study. “We need to tease out those factors that make people more or less likely to click on a dubious message.”

In their study, Fallon and colleagues found that people who reported a high level of work-related distress were significantly more likely to follow a phony phishing email’s link. Every one-point increase in self-reported distress increased the likelihood of responding to the simulated phishing email by 15 percent.

The scientists describe distress as a feeling of tension when someone on the job feels they’re in a difficult situation and unable to tackle the task at hand. Distress might stem from feeling their workload is too high, or they might be questioning whether they have adequate training or time to accomplish their work.

Fancy Phish to Explore Phishing Psychology

The 153 participants had agreed to take part in a study, but they were unaware that the phishing email sent a few weeks later was part of the planned human factors research.