NISTIR 8194

Exploratory Lens Model of Decision-Making in a Potential Phishing Attack Scenario

Franklin P. Tamborello, II
Cogscent, LLC

Kristen K. Greene
Information Access Division
Information Technology Laboratory

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8194

October 2017

U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary

National Institute of Standards and Technology
Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology

Abstract

Phishing, the transmission of a message spoofing a legitimate sender about a legitimate subject with intent to perform malicious activity, causes a tremendous and rapidly-increasing amount of damage to information systems and users annually. This project implements an exploratory computational model of user decision making in a potential phishing attack scenario. The model demonstrates how contextual factors, such as message subject matter match to current work concerns, and personality factors, such as conscientiousness, contribute to users’ decisions to comply with or ignore message requests.

Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology nor does it imply that the products mentioned are necessarily the best available for the purpose.
The Rise of Information Systems and Information Theft

Beginning in the 1950s, information processing systems have held increasingly important economic roles at organizations. As that technology has improved, its economic importance has accelerated such that now information services themselves form a substantial proportion of the American economy (Gartner, 2013). As the amount of commerce we transact by computerized information system increases, the valuable information processed and contained within these systems has also become an increasingly tempting target for malicious actors intent on stealing information or performing other malicious acts (Anti-Phishing Working Group, 2016; Kaspersky, 2016; Phishlabs, 2016).

One way to gain unauthorized access to an information system is to attack the information systems’ users, rather than attacking the information system itself. Attackers may attempt to lure users into a trap designed to steal authentication credentials such as user account names and passwords. “Phishing” is a set of malicious attack strategies designed around contacting users and persuading them to do something, much as “spam” is unsolicited advertising attempting to persuade users to click on unwanted ads. However, phishing tends to be a means to more sinister ends, such as to obtain information that may be itself valuable, such as credit card account information, or information that may lead to something else of value, such as information system account credentials.

Phishing attacks often take the form of messages directed to the user and transmitted through some computerized communication system that users use, such as email, Short Message Service (SMS), or social network services such as Facebook or Twitter. Like
