Jan 23, 2025

Understanding the Role of Demographic and Psychological Factors in Users’ Susceptibility to Phishing Emails

This protocol is a draft, published without a DOI.
  • Theodore Kotsilieris¹,
  • Alexandros Kavvadias¹
  • ¹University of the Peloponnese
  • Theodore Kotsilieris: Department of Business and Organizations Administration
  • Alexandros Kavvadias: Department of Business and Organizations Administration
Protocol Citation: Theodore Kotsilieris, Alexandros Kavvadias 2025. Understanding the Role of Demographic and Psychological Factors in Users’ Susceptibility to Phishing Emails. protocols.io https://protocols.io/view/understanding-the-role-of-demographic-and-psycholo-dyd87s9w
License: This is an open access protocol distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Protocol status: In development
We are still developing and optimizing this protocol
Created: January 23, 2025
Last Modified: January 23, 2025
Protocol Integer ID: 118944
Keywords: Phishing email, Susceptibility, Phishing Simulation, Social Engineering, Semantic Deception, Demographics, Personality Traits, Awareness
Abstract
Phishing emails are malicious email messages that aim to deceive users into revealing sensitive information by imitating legitimate emails. These emails are usually among the first steps in most cyberattacks, often appearing as an urgent message, seemingly from reputable sources, in order to provoke immediate action from the recipient. Their manipulative nature leverages social engineering techniques that aim to exploit human psychological weaknesses, personality traits, and a range of cognitive, behavioral, and technical vulnerabilities. In this review, the factors that contribute to users’ susceptibility to phishing attacks were investigated. The study focuses on exploring how demographic and psychological factors influence individuals’ vulnerability to phishing emails, with the goal of identifying and categorizing the key factors that increase susceptibility. Twenty-seven studies were examined, revealing that demographic factors, behavioral tendencies, psychological traits and contextual elements play a key role in users’ susceptibility to phishing emails. The results vary according to the type of methodology used, indicating a need for further investigation and refinement in each respective procedure. Although significant work has been done in identifying the factors contributing to users’ susceptibility to phishing emails, existing studies do not fully cover the complexity of the topic. There is more to be done regarding these factors, especially in understanding their complex interactions and impacts across different contexts. Further research is essential in order to predict with higher accuracy the users’ characteristics and the factors that make someone more susceptible, and thus more vulnerable, to phishing email attacks.
Research questions
Our contribution aims to extend the existing research by challenging the provided results, exploring additional samples, and conducting phishing campaigns and surveys to gather further insights. This approach not only synthesizes the current state of research but also enhances the understanding of phishing susceptibility through empirical evidence and practical applications.
The research questions are broad in scope and valuable in order to deepen our understanding of the factors contributing to phishing susceptibility and explore potential strategies for mitigation. The primary research questions are as follows:
  1. How do demographic factors such as age, gender, educational background, and technical skills influence susceptibility to phishing attacks across different industries? (Previous research implies that demographic factors play a key role in phishing email susceptibility; this question aims to explore the multifaceted impact of various demographic factors on phishing susceptibility.)
  2. What psychological, behavioral, and contextual factors contribute to user susceptibility to phishing emails? (While various aspects of phishing have been studied, a comprehensive synthesis of these contributing factors remains unexplored).
Review Methodology
A review was conducted including studies on characteristics that can be used to predict phishing susceptibility. The search strategy and implementation of this review adhered to the PRISMA flow diagram, a well-established and widely recognized framework for conducting systematic reviews. This study adopts a rigorous and structured review approach used to synthesize existing scholarly literature on a specific topic. The objective is to examine how demographic and psychological factors influence susceptibility to phishing attacks. This methodology ensures a systematic and comprehensive analysis, aiming to map the available research without providing a conclusive summary answer to the research questions.
Eligibility Criteria
The eligibility criteria were meticulously defined to ensure the inclusion of relevant and high-quality studies. The selected papers had to meet the following criteria:
  • Publication Date: Studies published between 2015 and 2024 were considered to ensure the inclusion of the most recent research.
  • Language: Only articles published in English were included.
  • Relevance: Papers must focus on phishing emails, user susceptibility, and related psychological, behavioral, or contextual factors that affect susceptibility.
  • Type of Study: Both qualitative and quantitative studies, including experimental research, surveys, and case studies, were eligible.
  • Peer-Reviewed: Only peer-reviewed journal articles and conference papers were included to ensure the credibility and reliability of the sources.
Search Strategy
The search strategy for this review was comprehensive and systematic, aiming to capture a wide range of relevant literature from the Google Scholar and IEEE Xplore databases. The following search terms and keywords were used in combination with the appropriate Boolean operators (AND, OR) so as to refine and expand the search results: ("Phishing Email") AND ("Susceptibility" OR "Detection" OR "Predicting" OR "Spearphishing" OR "Demographic" OR "Psychological" OR "Behavior" OR "Factors").
Study Selection and Data Collection
The study selection process involved several stages to ensure the inclusion of relevant and high-quality studies:
  • Initial Screening: Titles and abstracts of the retrieved articles were screened to exclude irrelevant papers.
  • Full-Text Review: The full texts of the remaining articles were reviewed to confirm their relevance and adherence to the eligibility criteria.
  • Data Extraction: Data from the selected studies were systematically extracted using a predefined data extraction form. The extracted information included study characteristics (e.g., author, year, publication type), research objectives, methodologies, key findings, abstracts and conclusions. The authors independently screened the titles and abstracts, concentrating on the eligibility criteria. Any studies the authors disagreed upon were included in the review process.
In total, twenty-seven (27) studies were included in this review, providing a robust dataset for analyzing the factors contributing to user susceptibility to phishing emails.
Articles that did not include the search terms in their title, abstract, or keywords were excluded during the initial filtering process. Lastly, articles published in languages other than English were excluded from the review, as English is the primary language of most prominent journals and conferences in the field.
Literature Classification
The selected studies were classified into three categories based on their findings. It is important to note that this categorization is not rigid, as some studies may overlap and fall into more than one category. It is rather a subjective categorization that helps the reader keep track of the main findings and concepts of each study.
The categories are:
  • Demographics: Age and Gender
  • Principles of Influence and Personality Traits
  • Awareness, Training and Response to Phishing
Discussion
The results indicate that user susceptibility to phishing emails is influenced by a complex interplay of demographic, psychological, and behavioral factors. Previous research implies that these factors play a key role in phishing email susceptibility; however, they have not been investigated in depth.
  1. Our first research question asks: How do demographic factors such as age, gender, educational background, and technical skills influence susceptibility to phishing attacks across different industries? In addressing it, we aim to explore the multifaceted impact of various demographic and technical factors on phishing susceptibility. Several studies appear to address our first research question. However, important considerations remain. For instance, these studies often utilize relatively small sample sizes (ranging from 50 to 150 participants), which may limit the generalization of their findings regarding the influence of demographics and educational background on susceptibility to phishing emails. Moreover, the methods employed across studies lack consistency, including approaches such as questionnaires, phishing simulations, and phishing training platforms.
  2. Taking all of the above into consideration, we address our second research question: What psychological, behavioral, and contextual factors contribute to user susceptibility to phishing emails? While numerous aspects of phishing have been examined, a comprehensive synthesis of these contributing factors has yet to be conducted. Although the review has provided valuable insights, gaps remain in understanding how psychological, behavioral, and contextual factors interact and influence susceptibility across various contexts.
Limitations
A significant limitation is the variety in the demographic, technical, and psychological characteristics of users across the included studies. This inconsistency makes it difficult to draw firm conclusions about which factors consistently influence phishing susceptibility. Moreover, many studies rely on artificial or simulated phishing environments, which may not accurately replicate real-world scenarios. This creates challenges in understanding how users behave under genuine phishing threats. Another limitation lies in the lack of diversity in phishing campaigns analyzed. Many studies focus on a narrow range of phishing tactics, neglecting the evolving sophistication and variety of phishing strategies used in real-world phishing attacks. Additionally, most studies fail to account for long-term behavioral changes, making it unclear whether interventions or awareness programs have a lasting impact on reducing susceptibility. Finally, the studies included often lack comprehensive data on contextual factors, such as organizational culture, technical infrastructure, and training programs, which play a critical role in phishing susceptibility. The absence of such data restricts the ability to offer more holistic recommendations for mitigating phishing risks.
Recommendations for future research
The findings of this review reveal several important directions for future research on phishing susceptibility. One critical area is the need for studies with larger and more diverse sample sizes. Current research often relies on small participant pools, which limits the ability to generalize findings across different demographics, professional groups, and cultural contexts. Broader samples would help uncover variations in phishing susceptibility and provide more robust insights into user behavior.
A significant gap in the literature concerns the long-term impact of interventions and awareness programs. Many studies focus on immediate behavioral outcomes without assessing whether these changes are sustained over time. Longitudinal research is needed to determine the persistence of behavioral changes and the role of reinforcement strategies, such as periodic training or simulated phishing tests, in maintaining user vigilance.