NISTIR 8194
Exploratory Lens Model of Decision-Making in a Potential Phishing Attack Scenario
Franklin P. Tamborello, II
Kristen K. Greene
This publication is available free of charge from:
https://doi.org/10.6028/NIST.IR.8194
Franklin P. Tamborello, II
Cogscent, LLC
Kristen K. Greene
Information Access Division
Information Technology Laboratory
October 2017
U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary
National Institute of Standards and Technology
Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology
Abstract
Phishing, the transmission of a message spoofing a legitimate sender about a legitimate
subject with intent to perform malicious activity, causes a tremendous and rapidly-increasing
amount of damage to information systems and users annually. This project implements an exploratory computational model of user decision making in a potential phishing attack
scenario. The model demonstrates how contextual factors, such as message subject matter
match to current work concerns, and personality factors, such as conscientiousness,
contribute to users’ decisions to comply with or ignore message requests.
Disclaimer
Any mention of commercial products or reference to commercial organizations is for
information only; it does not imply recommendation or endorsement by the National Institute
of Standards and Technology nor does it imply that the products mentioned are necessarily
the best available for the purpose.
The Rise of Information Systems and Information Theft
Since the 1950s, information processing systems have held increasingly
important economic roles at organizations. As that technology has improved, its
economic importance has accelerated such that information services themselves now form a substantial proportion of the American economy (Gartner, 2013). As the amount of commerce we transact through computerized information systems increases, the valuable information processed and contained within these systems has also become an
increasingly tempting target for malicious actors intent on stealing information or performing other malicious acts (Anti-Phishing Working Group, 2016; Kaspersky, 2016; Phishlabs, 2016).
One way to gain unauthorized access to an information system is to attack the
information system’s users, rather than attacking the information system itself. Attackers may attempt to lure users into a trap designed to steal authentication credentials such as
user account names and passwords. “Phishing” is a set of malicious attack strategies
designed around contacting users and persuading them to do something, much as “spam” is unsolicited advertising attempting to persuade users to click on unwanted ads. However, phishing tends to be a means to more sinister ends: obtaining information that may itself be valuable, such as credit card account information, or information that may lead to something else of value, such as information system account
credentials.
Phishing attacks often take the form of messages directed to the user and transmitted
through some computerized communication system that users use, such as email, Short Message Service (SMS), or social network services such as Facebook or Twitter. Like