EXPLORING USER STRATEGIES IN DETERMINING TRUSTWORTHINESS OF WEBSITES

Abstract

Phishing attacks and breaches in online security are increasing at a high rate, irrespective of current security indicators which aim to warn users against those attacks. We conducted a user study to explore and understand different strategies that users of both technical and non-technical groups follow to determine the legitimacy of websites and emails on their own laptops. We showed websites to all the participants and e-mails to half of them and asked them to determine their legitimacy. This observation session was screen and video recorded. A post-observation questionnaire and semi-structured interview gave us a better understanding of the knowledge and reasons of participants for looking at security cues while making decisions. Based on our results, 67.3% of the phishing websites were correctly identified by our participants on an average (79.2% technical, 55.4% non-technical). While our results were mostly in line with prior research, our use of participants’ laptops uncovered a strategy not previously reported. We found that some participants check to see if they are logged in to the website or not to determine its legitimacy, which they can only see while using their own laptops. During our observation, we also identified some differences in the strategies applied by technical and non-technical participants. 50% of our participants who visited websites through emails decided about their legitimacy based on the trustworthiness of e-mail. Based on our findings, we provide recommendations that might improve the design of security cues and thus help users in identifying phishing websites more effectively.