How users respond to phishing attacks is influenced by their perceptions of how susceptible they are to attacks (perceived susceptibility) and how severe the attack’s consequences are (perceived severity). The present study aims to examine whether users who hold different views about the people who conduct cyber-attacks, i.e. hackers, differ in how they rate the perceived susceptibility and perceived severity of phishing attacks.
Participants completed a survey in which they rated how strongly they agreed with statements that reflected each of the six hacker mental models, how susceptible they would be to a range of possible phishing attack consequences and how severe those consequences would be. The survey results were used to identify participants who endorsed a single mental model. Bootstrapped confidence intervals for perceived susceptibility and perceived severity were then computed for each participant group. Finally, those values were compared across groups.
Participants perceived themselves as moderately insusceptible to phishing attacks and perceived such attacks as moderately severe. Those perceptions were consistent across hacker mental model groups.
This was the first study to examine whether users who hold different cybersecurity-related mental models differ in how they rate perceived susceptibility and perceived severity of phishing attacks. Our results suggest that although hacker mental models differ in terms of whom and what hackers target, they do not appear to influence perceived susceptibility or perceived severity. This counter-intuitive finding suggests users’ threat perceptions may not always be influenced by related mental models. The study also offers a useful empirical baseline for future research on phishing threat perception.
