The influence of individual characteristics on phishing risk: the role of situational factors and system characteristics
Original title: 个体特征对于网络钓鱼风险的影响—情境因素和系统特征的作用
Author: Cui Xinyue (崔馨月)
Advisor: Ge Yan (葛燕)
2020-06
Abstract

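With the development of the Internet economy, the risk of phishing attacks has become increasingly prominent. As a new means of intrusion in the security field, phishing poses a major threat to network security and personal privacy, and how to raise the level of network security and guard against phishing is a question of great concern to the state and to researchers. Previous studies have mostly focused on technical factors and neglected the psychological factors of people, who occupy the central place in information security. This thesis therefore takes a psychological perspective and, through four studies, systematically explores how individual characteristics, situational factors and system characteristics affect phishing risk when people are faced with email phishing.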

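Study 1 focuses on the effect of individual characteristics on phishing risk. Participants completed a role-played email identification task in a simulated scenario, in order to explore the relationships among the Big Five personality traits, knowledge and experience, cognitive processing, and phishing risk. The results show that participants with higher openness scores, richer knowledge and experience, and more evaluative processing of the emails were better at identifying phishing emails. Evaluative processing partially mediated the relationship between computer knowledge and the overall accuracy of email identification: participants with richer computer knowledge processed the emails more evaluatively, which lowered their phishing risk.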

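Study 2 used a within-subjects design to explore the effects of time urgency and recipient information on phishing risk. The results show that adding time urgency raised participants' phishing risk, reflected in more replies to phishing emails and a lower likelihood of looking up related information. After recipient information was added, participants replied to phishing emails less often and deleted them more often. There was a significant interaction between the two independent variables: emails with both time urgency and recipient information were more likely to be replied to. When personality traits were taken into account, impulsivity affected the relationship between email characteristics and phishing risk: when recipient information was present, participants with high impulsive tendencies were more likely to reply to phishing emails.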

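Study 3 focuses on the effects of individual characteristics and system characteristics on phishing risk. The independent variables were reliability level, feedback, description, propensity to trust, and impulsive tendency. The results show that participants discriminated emails better under high reliability or when feedback was added, and that participants with a high propensity to trust and high impulsive tendency had higher phishing risk. Personality affected the relationship between system characteristics and performance on the email identification task: after feedback was added, participants with a high propensity to trust had a higher hit rate, and under high reliability, participants with low non-planning impulsivity had a lower false alarm rate.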

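Study 4 sent real phishing emails to participants to explore the effect of individual characteristics on the identification of real phishing emails. The results show that participants who were younger, had lower behavioral impulsivity scores, and processed emails more evaluatively were more likely to read the phishing email; participants who were younger, had higher openness scores, had lower behavioral impulsivity scores, and performed worse on the email identification task were more likely to click the phishing link.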

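In sum, this research combines the three levels of "human-machine-environment" to systematically examine the factors that influence phishing risk. It finds that individual characteristics, situational factors and system characteristics affect phishing risk, and that individual characteristics affect the relationship between situational factors, system characteristics and phishing risk. The findings can, on the one hand, advance the understanding of phishing prevention mechanisms and, on the other hand, offer recommendations for selecting and training personnel for important posts such as data security, and provide data support for designing personalized email system protection.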

Alternative abstract

As individuals and organizations continue to increase their reliance on networks, the risk of phishing attacks is becoming increasingly severe. As a new type of intrusion in the security field, phishing causes significant damage to network security and personal privacy. How to improve the level of network security to prevent phishing is an urgent problem of great concern to researchers and the country. Most previous studies have focused on technical factors and ignored the psychological factors, which are the core of information security. From the perspective of psychology, this article focuses on how individual characteristics, email characteristics and system characteristics affect phishing risk when people face phishing. It explores this issue through four studies.

Study 1 focuses on the impact of individual characteristics on phishing risk. In a scenario-based format, subjects were asked to complete an email task under role-playing to explore the relationship between Big Five personality, knowledge and experience, cognitive processing and phishing risk. The results showed that subjects with higher openness, more knowledge and accumulated experience, and a higher level of elaboration could better identify phishing emails. The impact of computer knowledge on overall accuracy was partially mediated by the level of elaboration: subjects with more computer knowledge applied a higher level of elaboration to emails, which reduced the risk of getting phished.

Study 2 explored the impact of time urgency and recipient information on phishing risk by adopting a within-subjects design. The results showed that, under time constraints, the likelihood of replying to the phishing emails increased and the likelihood of searching for relevant information decreased. When recipient information was added to the phishing emails, the likelihood of replying to them decreased and the likelihood of deleting them increased. The interaction effect of recipient information and time pressure was also significant: phishing emails that had both time pressure and recipient information were more likely to be answered. When personality characteristics were considered, impulsivity affected the relationship between email characteristics and phishing risk: when recipient information was added, subjects with higher impulse scores had a higher likelihood of replying to the phishing emails.

Study 3 focuses on the impact of individual characteristics and system characteristics on phishing risk. The independent variables were reliability, feedback, description, trust and impulsivity. The results showed that subjects' performance improved with higher reliability or with feedback added; subjects with higher impulse scores and trust scores had higher phishing risk; and personality affected the relationship between system characteristics and email task performance. Subjects with higher trust scores had a higher hit rate after feedback was added. Under a high level of reliability, the false alarm rate of subjects with lower non-planning impulse scores was lower.

Study 4 explored the influence of individual characteristics on phishing email identification. The results showed that subjects who were younger, with higher impulse scores and a higher level of elaboration, were more likely to read the phishing email. Subjects who were younger, with higher openness, higher impulse scores and better email-task performance, were more likely to click the phishing link.

In summary, this study systematically explores the factors influencing phishing risk by combining three levels: the individual level, the email level and the system level. Email characteristics and system characteristics affect phishing risk; furthermore, the whole process is affected by individual characteristics. On the one hand, the research results can promote understanding of phishing prevention mechanisms; on the other hand, they can provide recommendations for the selection and training of personnel in important positions such as data security, and can provide data support for the design of personalized email system protection.

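Keywords: phishing; individual characteristics; situational factors; system characteristics
Degree type: Master's
Language: Chinese
Degree name: Master of Science
Degree discipline: Applied Psychology
Degree-granting institution: Institute of Psychology, Chinese Academy of Sciences
Place of conferral: Institute of Psychology, Chinese Academy of Sciences
Document type: Thesis
Item identifier: http://ir.psych.ac.cn/handle/311026/33903
Collection: Social and Engineering Psychology Laboratory (社会与工程心理学研究室)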
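Recommended citation
GB/T 7714
Cui Xinyue (崔馨月). 个体特征对于网络钓鱼风险的影响—情境因素和系统特征的作用 [D]. Institute of Psychology, Chinese Academy of Sciences. Institute of Psychology, Chinese Academy of Sciences, 2020.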
Files in this item
File name/size: 崔馨月-硕士学位论文.pdf (2503KB)
Document type: Thesis
Access type: Restricted access
License: CC BY-NC-SA

Unless otherwise stated, all content in this system is protected by copyright, and all rights are reserved.