Email load and stress impact on susceptibility to phishing and scam emails - Emils Rozentals
Email load and stress impact on
susceptibility to phishing and scam emails
Emils Rozentals
Information Security, master's level (120 credits)
2021
Luleå University of Technology
Department of Computer Science, Electrical and Space Engineering

ABSTRACT

Research Question: How does the email load and stress affect the susceptibility to phishing and scam emails?

Methodology: The study was conducted with a qualitative research approach. Semi-structured interviews were selected for the data gathering. Thematic analysis was used to analyze the empirical data.

Theoretical Framework: This research studied whether a high email load affects the likelihood of falling victim to phishing and scam attacks. The research was studied through a theoretical lens of stress, since a high email load is subjective for each individual and the stress rate can show better how people perceive their email load.

Conclusions: Findings suggest that, for the majority of people in this study, a high email load does increase the susceptibility to phishing and scam emails. Furthermore, those people with a higher email load who process their emails heuristically rated their stress higher than those with a high email load who process their emails systematically. Therefore, the results indicate that there is a relation between high email load, stress and susceptibility to phishing and scam emails. In this study, the majority of respondents described high stress as a factor that played a role in their susceptibility to falling victim to phishing and scam emails.

Keywords: Phishing, scam, email load, stress, workload, COVID-19

ABBREVIATIONS
CEO - Chief Executive Officer
CTO - Chief Technical Officer
ISP - Internet Service Provider
SSL - Secure Socket Layer
TLS - Transport Layer Security
SCAM framework - Suspicion, Cognition, Automaticity Model
GCS - Generalized Communicative Suspicion
NIST - National Institute of Standards and Technology
ISO - International Organization for Standardization
IP address - Internet Protocol address
COVID-19 - Corona Virus Disease 2019 caused by SARS-CoV-2
TABLE OF CONTENTS
CHAPTER 1: INTRODUCTION 5
1.1 Background of the Study 5
1.2 Research Problem 6
1.3 Scope of the research 7
1.4 Structure of the Study 8
CHAPTER 2: THEORETICAL BACKGROUND 10
2.1 Concepts of phishing 10
2.2 Tools used to test employees 12
2.3 Related work 14
2.3.1 Stress 17
2.3.2 Stress caused by email load, isolation and remote work 18
CHAPTER 3: METHODOLOGY 21
3.1 Qualitative Research Approach 21
3.2 Selecting interviewees 22
3.2.1 Gophish Environment 23
3.2.2 Ethical consideration 24
3.2.3 Phishing campaigns 25
3.2.3.1 iPhone 12 Pro campaign 25
3.2.3.2 LinkedIn campaign 25
3.2.3.3 Password reset campaign for internal systems 26
3.3 Primary data collection - Interview Method 27
3.3.1 Interview process 29
3.3.2 Transcribing interviews 30
3.3.3 Thematic Analysis 30
CHAPTER 4: ANALYSIS OF EMPIRICAL DATA 34
4.1 Email load that increases stress directly and indirectly 34
4.2 Tight deadlines that require more meetings, putting people under pressure 37
4.3 Various personal issues that increase stress 39
CHAPTER 5: DISCUSSION 42
CHAPTER 6: CONCLUSION 47
6.1 Empirical Findings 47
6.2 Theoretical Contribution 47
6.3 Research Limitations 48
6.4 Future Research 49
BIBLIOGRAPHY 51
APPENDICES 57
Appendix A - Statement of ethics 57
Appendix B - Semi-Structured Interview Guide 59
CHAPTER 1: INTRODUCTION
1.1 Background of the Study
Studies such as Aldawood, Skinner and Alashoor (2020) and Bullee and
Junger (2020) agree that one of the biggest threats for companies nowadays is
social engineering attacks, more specifically, phishing and scam attacks. Therefore,
employees are thought to be the first line of defense or, on the contrary, the weakest link in the
security chain (Alharthi and Regan, 2020; Jain et al., 2016). In other words, people are
the greatest threat for companies nowadays (Al-Mohannadi et al., 2018). The success
rates of phishing and spear-phishing attacks have increased over the years (Bhardwaj
et al., 2020), and therefore it is important to have well-educated employees with a high
level of risk awareness (Alharthi and Regan, 2020).
Because cybercriminals are constantly coming up with new, creative ways to
fool people (Vayansky and Kumar, 2018), the question has been raised of how to
better protect sensitive information in companies, their employees and their networks. For
this reason, several studies have been carried out to determine why people actually
fall for phishing and scam attacks, to better understand the characteristics and reasons
behind this. Researchers have identified many factors that play a role in
susceptibility to phishing, for example, gender (Halevi, Memon and Nov, 2015; Sun et
al., 2016; Abdelhamid, 2020), age (Oliveira et al., 2017), and different personal traits like
risk tolerance (Chen, YeckehZaare and Zhang, 2018) and information processing style
(Vishwanath et al., 2018). Yet there are other factors that have not been fully studied,
for instance, email load (Sommestad and Karlzén, 2019).
Email has been the main communication tool in companies for years,
meaning the amount of received, read and sent messages is growing every year (Stich et
al., 2019), and it has grown even more during the global pandemic of COVID-
19 that started in 2020 (Teevan et al., 2021). Email load in general has been found to
increase the stress levels people experience (Stich et al., 2019; Akbar et al., 2019;
Mark, Voida and Cardello, 2012). Moreover, the pandemic has also left
its footprint on the information security field. People are mandated to isolate and work
from home, likely from a network environment that is less secure than the office
(Ramadan et al., 2021). This oppressive situation, in which people cannot meet their
relatives, travel for a vacation or simply hang out with friends, has also left an impact
on their mental state (Shah et al., 2021). A study by Shah et al. (2021) shows that
approximately 58% of people have increased indications of high stress during the
pandemic.
It is not fully understood whether email load increases susceptibility to phishing
and scam emails (Sommestad and Karlzén, 2019), nor how stress, driven by
increased email load and other side effects, impacts the likelihood of falling
victim to such attacks. This study tries to fill this gap in knowledge.
1.2 Research Problem
Studies such as Tiwari (2020) have found that authority and urgency in
malicious emails, as well as different personal traits, have a significant impact on
susceptibility to phishing and scam emails. That study was based on a survey; therefore, the
future research proposal by the author was to conduct a simulated phishing attack
(Tiwari, 2020). The meta-analysis by Sommestad and Karlzén (2019), which looked into
different reasons that increase the risk of falling victim to phishing and scam emails,
found that few studies analyze how email load influences
susceptibility to phishing. To address this lack of empirical studies on the influence of
email load (Sommestad and Karlzén, 2019), phishing could be simulated as
proposed by Tiwari (2020) but followed up with interview questions around email load,
to better understand how and if it influences susceptibility to phishing attacks
(Sommestad and Karlzén, 2019). To measure high email load and understand why
people may click on malicious links, the research could be expanded and addressed through
the perspective of stress, since email load is subjective: looking only at the number of
emails would not give an accurate representation, whereas how people
perceive their email load would. As such, the research question for this thesis is as follows: “How
does the email load and stress affect the susceptibility to phishing and scam
emails?”
1.3 Scope of the research
The research was conducted in a controlled environment, namely, in a company
with approximately 130 employees. Physical location of the company is Zurich,
Switzerland. Company employs people from different countries in Europe, Asia and
America. The majority of employees are in the age group from 30 to 45. The main purpose
of this study was to understand if and how email load and stress affect the
likelihood of falling victim to phishing and scam emails. The data gathered through the
interviews were analyzed through the theoretical lens of stress, as defined by Kyriacou
(2001) - the experience of unpleasant, negative emotions, such as anger, anxiety,
tension, frustration or depression.
1.4 Structure of the Study
The research report consists of six chapters that are described in this section.
Chapter 1 - Introduction, covers the background of the study to better understand
why this research was important. It also briefly highlights the ongoing
challenges that the field is facing. Furthermore, it argues why this research was
important and relevant, and gives the scope of the research made.
Chapter 2 - Theoretical background, covers theory part of the research.
Concepts of social engineering, more specifically, phishing, spear phishing and scam
are explained. Next, a small overview of tools that can be used to mimic phishing
attacks are presented to better understand how they work and how they can help.
Chapter continues with the gathered literature overview of different aspects and
characteristics of users who are more likely to fall victims of phishing and scam emails.
Lastly, this chapter defines what stress means in this research and covers the previous
studies about causes of work stress.
Chapter 3 - Methodology, describes a research process and methodology used
to conduct the study. It also argues the reasons why the selected method is used. Chapter
starts with an overview of Qualitative research approach and continues with the
description of technique used to select interviewees. Next, it describes the interviewee
selection phase and environment more in detail. It also highlights the ethical concerns
and actions made when the study began. Chapter ends with a detailed description of the
interview and transcript process as well as the Thematic Analysis of gathered empirical
data used to answer the research question.
Chapter 4 - Analysis of Empirical data, represents several themes discovered
from interviews with respondents whilst doing thematic analysis. After interviews were
transcribed and coded, different common themes were identified. In this chapter
answers from interviewees that belong to the recognized themes are shown.
Chapter 5 - Discussion, contains a discussion of the Empirical findings
presented in Chapter 4. Chapter starts with a brief recap of the whole study and then
moves to a more detailed discussion of Empirical data analysis, comparing results with
the existing literature presented in Chapter 2.
Chapter 6 - Conclusion, contains a summary of empirical findings and
theoretical contributions. It also points out several limitations of the research as well as
suggestions for the possible future research are made.
CHAPTER 2: THEORETICAL BACKGROUND
This chapter outlines the theoretical part of the study to fully understand the
upcoming method used. It starts with the general overview of phishing concepts. Next,
it presents and explains different tools that can be used to mimic phishing attacks.
Further, it outlines a gathered literature of studies made on reasons why people are
failing to recognize phishing and scam emails. Lastly, the chapter concludes with the
definition of stress, what it means in this study, and theory on how the email load is
affecting the stress levels for people.
2.1 Concepts of phishing
Attacks in which cybercriminals target people using psychological
manipulation techniques are known as social engineering (Jain et al., 2016). The Oxford
English Dictionary defines social engineering as: “The use of deception to manipulate
individuals into divulging confidential or personal information that may be used for
fraudulent purposes” (Oxford Dictionary on Lexico.com). Because social engineering
takes advantage of human behavior and emotions, detection and mitigation of
social engineering attacks is difficult (Kaushalya, Randeniya and Liyanage, 2018).
It is thought that networks and computer systems over the years have improved
and security measures have become relatively reliable (Aldawood and Skinner, 2018).
Therefore, to compromise such systems, it has become a more technical and complex
task. For this reason cybercriminals are often making use of social engineering to
bypass technical controls by exploiting vulnerable users (Alharthi and Regan, 2020) or
the “weak link in information security” (Mouton et al., 2014) in order to break into the
company's network and steal classified information or even launch a greater attack.
Studies such as Al-Mohannadi et al. (2018), Mouton et al. (2014) and Kaushalya,
Randeniya and Liyanage (2018) agree that the biggest threat for companies nowadays
is internal users, i.e. employees themselves, who are likely to infect systems
unconsciously by browsing a sketchy webpage, downloading infected files or
giving away their credentials. There are several subtypes of social engineering, namely,
baiting, pretexting, tailgating, quid pro quo and phishing (Kaushalya, Randeniya and
Liyanage, 2018). This research focuses specifically on phishing attacks.
Phishing in general is an email based attack where criminals are using several
techniques to trick users into believing that the email comes from a legitimate source,
for example, a bank, social networking company or a colleague from a company where
the person is employed (Bhardwaj et al., 2020). By definition of Oxford English
Dictionary it is: “The fraudulent practice of sending emails purporting to be from
reputable companies in order to induce individuals to reveal personal information, such
as passwords and credit card numbers.” (Oxford Dictionary on Lexico.com). When
using phishing attacks, cybercriminals usually are trying to retrieve from targets
information such as usernames and passwords, home addresses, credit card details and
other sensitive information (Bhardwaj et al., 2020). Nowadays, the complexity of
phishing attacks has risen since criminals are using more sophisticated techniques to
trick the user by completely spoofing legitimate websites (Vayansky and Kumar, 2018).
As mentioned, phishing happens through email. A phishing email delivered to
the end user can contain logos and graphics from legitimate companies, convincing the
user that the email is real (Vayansky and Kumar, 2018). The concept of phishing is
fairly simple: a phishing email is delivered to a victim, containing some sort of weblink,
which is usually in the form of a button; when the link is clicked, the victim is taken to a
spoofed malicious website that looks identical to the real one; the victim is asked to
provide personal information, for example, credit card details, username and password;
once submitted, the information is stored on the cybercriminal's server (Vayansky and Kumar,
2018). Furthermore, spear-phishing is more tailored to specific groups of people.
The principles of spear-phishing are the same as regular phishing; however, cybercriminals
usually do some deeper research about potential victims before the attack,
gathering publicly available information on the internet, such as their workplace, bank,
or websites they visit (Vayansky and Kumar, 2018).
In general, the success rates of phishing and spear-phishing attacks have been
increasing over the years (Bhardwaj et al., 2020), especially during the COVID-19
pandemic, when phishing attacks peaked (Chokhonelidze, Basilaia and Kantaria, 2020).
Because cybercriminals are implementing new and creative approaches to phishing
attacks, making them of higher quality, it is becoming more difficult to distinguish them
from real emails (Vayansky and Kumar, 2018).
2.2 Tools used to test employees
Social engineering is one of the biggest threats to companies at the present (Luse
and Burkman, 2020). Moreover, phishing attacks are becoming more sophisticated
every year (Kanhere et al., 2020). Therefore, it is vital for the companies to educate
their employees about threats and increase their security awareness level. One approach
is to have regular security awareness trainings that can help to refresh knowledge about
threats and techniques that cybercriminals are using (Vayansky and Kumar, 2018).
Another approach, which usually complements security awareness trainings, is
simulated phishing attacks made by the company's IT department. Through simulated
attacks, companies can test and see how well prepared their employees are for such
attacks (Särökaari, 2020). It also helps to tailor security trainings that fit the
specific company, or even separate groups of people, better.
There are several open-source and paid solutions that are available for
companies to test their workers. Among the more popular open-source penetration
frameworks there are Gophish, King Phisher and Phishing Frenzy (Pirocca, Allodi and
Zannone, 2020). There are also more advanced social engineering frameworks that
require license, for example, Lucy and Phishing Box.
All of the above-mentioned phishing frameworks have similar
objectives in general: simulate a phishing attack to see how employees respond. All of
them support features like phishing email creation and modification, statistics gathering and
attack scheduling. Still, each framework has its own limitations, and companies should
choose the one that fits them best. Usually these testing frameworks can be installed
on a local, on-premises server as well as on a cloud-based server. Furthermore, landing
pages, where a victim is taken once the link is clicked, can be equipped with a
purchased domain name and an SSL/TLS certificate (Kanhere et al., 2020).
Tools like these are useful to see the real situation in the company and prepare
its employees even better for social engineering attacks.
For this study the Gophish framework was used because the research author was
already familiar with this tool and it suited well for the set research objectives - to select
participants for the interviews.
2.3 Related work
User security awareness training in companies is gaining popularity. On one
hand, those companies that want to comply with security standards, like ISO 27001
series, NIST 800-53 are mandated to have such user awareness training on a regular
basis (ISO - ISO/IEC 27001 — Information security management, 2021; Joint Task
Force Interagency Working Group, 2020). On the other hand, studies are showing that
more often the biggest threat for the companies are their own employees (Aldawood,
Skinner and Alashoor, 2020). This can be explained by the fact that the success rates
of social engineering attacks are rising every year and have gone up even more during
the global pandemic in 2020 when cybercriminals took an advantage of spreading
misleading and malicious emails about COVID-19 and vaccination (Chokhonelidze,
Basilaia and Kantaria, 2020). To ensure that the employees are well aware of risks,
some firms even have gone one step further and have integrated gamification in their
training process to make the whole experience more interesting and more memorable
(Corradini, 2020). Organizations have also improved their security policies in order to
secure their business continuity to fight against social engineering threats (Aldawood
and Skinner, 2018).
Presenting the basics of how to recognize malicious emails is one thing; however,
it is more important to understand exactly what motivates employees to click on the
links in phishing and scam emails. Over time, several studies have been made
to determine characteristics like age (Oliveira et al., 2017), gender (Halevi, Memon and
Nov, 2015; Sun et al., 2016; Abdelhamid, 2020), human behavior like risk tolerance
(Chen, YeckehZaare and Zhang, 2018) and information processing style (Vishwanath
et al., 2018) of the vulnerable user when it comes to taking such security risks.
However, there are many unknown and even changing factors that stand in the way of
giving a concrete answer on which group of people is the most vulnerable, so
that companies could pay more attention to them, for example, by giving them more detailed
educational courses or restricting their access to some parts of the network (Sommestad
and Karlzén, 2019).
In 2018 Vishwanath et al. created a framework called SCAM (Suspicion,
Cognition, and Automaticity Model). In order to be able to explain the reasons why
people are falling for phishing attacks, SCAM framework proposes two separate
aspects - habitual email use and cognitive information processing. The first part of
SCAM framework is referring to habitual email use, where Vishwanath et al. (2018)
analyzed one group of people that is processing their emails systematically and other,
heuristically. This is a habit that develops over the time. It was found that people with
the developed systematic email processing habits are less likely to fall victims to
phishing emails, whilst those who review their emails heuristically are in a higher risk
group (Vishwanath et al., 2018). This concept is also correlating with user beliefs of
their cyber risks. For example, the group of people which tends to think their cyber
actions are relatively risky are more often processing their emails systematically
(Vishwanath et al., 2018). On the other hand, those in denial who think their cyber
actions are relatively safe, are more likely to process their emails heuristically, hence,
more often becoming victims of phishing attacks (Vishwanath et al., 2018). The second
part of the SCAM framework is about cognitive mediation and how it influences the
habitual use of emails. It was concluded that habitual email use is related to the person's
capabilities to control their behavior, and the cognitive processing is highly influenced
by person’s cyber-risk beliefs (Vishwanath et al., 2018), meaning, habits of email use
are more often taking over the cognitive processing abilities. Similar results were found
in an earlier study by Halevi, Memon and Nov (2015). Those who felt more secure were
more likely to fall victim to phishing and scam attacks (Halevi, Memon and Nov,
2015).
In 2016 Harrison, Vishwanath and Rao study found that Generalized
Communicative Suspicion (GCS) has a correlation with susceptibility to phishing. GCS
is a phenomenon that describes a state in which a person believes to be able to recognize
a deception in face-to-face conversations (Harrison, Vishwanath and Rao, 2016).
During the study, GCS was not only found to be correlating with the susceptibility to
phishing but also to the way how people are processing online information like emails
- either systematically or heuristically (Harrison, Vishwanath and Rao, 2016). It was
concluded that people with higher levels of GCS are suffering from uncertainty and
trust issues and they are processing online information systematically (Harrison,
Vishwanath and Rao, 2016). On the other hand, people with lower GCS levels are
processing online information heuristically and therefore are more likely to fall for
phishing and scam attacks (Harrison, Vishwanath and Rao, 2016).
Many researchers agree that gender is also playing a role towards susceptibility
to phishing (Halevi, Memon and Nov, 2015; Sun et al., 2016; Abdelhamid, 2020).
Study conducted by Halevi, Memon and Nov (2015) looked into different aspects of
why people are falling for phishing. One of the findings was that female participants
were more vulnerable to phishing than their male counterparts (Halevi, Memon and
Nov, 2015). Male participants were able to recognize malicious emails better and their
security awareness level scored greater overall (Halevi, Memon and Nov, 2015).
Similar findings were discovered by Sun et al. (2016) study where research objectives
were to test anti-phishing self-efficacy, internet self-efficacy and anti-phishing
behavior between male and female participants. Furthermore, a more recent study
conducted in a healthcare context by Abdelhamid (2020) showed the same
results: the female participants were more likely to fall for phishing attacks than their
male counterparts.
Another aspect that is associated with susceptibility to phishing is age group.
During the research made by Oliveira et al. (2017), it was found that older people are
more likely to become victims of phishing attacks, specifically older women. These
findings project similar results found in Halevi, Memon and Nov research made in
2015. Another more recent study concluded that younger adults are more careful and
suspicious when it comes to recognizing malicious emails (Chen, YeckehZaare and
Zhang, 2018). The same study also demonstrated that different characteristics of
personality and cyber-risk beliefs have an impact on likelihood of falling victim. False-
positive and false-negative decisions were tested and results indicated that people who
are intolerant to risky actions are more likely to identify legitimate email as malicious,
contrary to those who are more tolerant to risks (Chen, YeckehZaare and Zhang, 2018).
To sum up, there are many factors that determine whether a person is susceptible
to phishing and scam emails and there might be even aspects that people have not yet
thought of.
2.3.1 Stress
High email load is subjective for each individual. For one person a high email
load can be 20 messages per day and for another 100 messages per day. One natural way
to look at email load is through stress, because high email load has been proven to
increase stress levels (Stich et al., 2019; Akbar et al., 2019; Mark, Voida and Cardello,
2012), and therefore it is a relevant part of understanding how email load is perceived.
Stress, as defined by Kyriacou (2001), is the experience of unpleasant, negative
emotions, such as anger, anxiety, tension, frustration or depression. A similar definition
is offered by Skaalvik and Skaalvik (2016). It has also been found that stress has a
negative impact on a person's self-esteem (Galanakis et al., 2020). Stress can be caused
by several factors, such as tight deadlines, heavy workload, high demands, personal
issues and others (Chen and Miller, 1997). In simple words, stress is the reflection of
cognitive processes leaving an impact on how people respond to ordinary as well
as extraordinary conditions in their life (Robinson, 2018). It is an individual's
psychological state of mind that changes their perception of the environment they are in and
their emotional experience of it (Cox, 2007). In order to understand how people perceive
the world, Cox (2007) suggests focusing on individuals' emotional responses.
2.3.2 Stress caused by email load, isolation and remote work
Since this study examines the research through the theoretical lens of stress as
defined by Kyriacou (2001), it is important to understand how stress correlates with the
email load and what are the side effects that can increase stress.
Nowadays when the majority of a company's workflow, job delegation, contract
negotiation and communication with partners and clients relies on emails, the load of
received, read and sent emails is growing every year (Stich et al., 2019). Especially
during the ongoing pandemic situation in the world when even those people who did
not use email that much are now mandated to work from home and use email as their
daily communication channel with their colleagues (Teevan et al., 2021).
Many studies show that increased email load, and nowadays even overload,
has a strong impact on the stress levels people experience (Stich et al., 2019;
Akbar et al., 2019; Mark, Voida and Cardello, 2012). It has been found that high email
load increases psychological strain as well as the development of negative emotions.
Furthermore, it has an impact on employees' performance in work-related tasks, which
can further turn into anxiety (Stich et al., 2019).
Several studies have found a clear relation between stress levels and email
amount. For instance, a study by Mano and Mesch (2010) found that fewer emails per day
decrease the stress level employees experience. Another study revealed that
dismissing emails for five days and focusing purely on the work tasks lowered the
overwhelming feelings of stress (Mark, Voida and Cardello, 2012), suggesting that
emails in general increase stress for employees. The study by Stich et al. conducted
in 2019 found similar results as well.
Still, there are other aspects that influence people's stress level when it comes to
emails, for example, the time spent answering messages. A study by Akbar et al. (2019) found
that people have lower stress if they answer emails slowly. Hence, demand for
quicker communication increases measures of stress.
Another finding related to email load is that interruptions during ongoing
work increase stress levels. The study tested two techniques for processing emails: regular
or instant response, and batching, where emails are checked all at once several
times per day. During this research a thermal camera was used to measure the stress
level. It was concluded that if the batching technique is not used, there are more
interruptions, which lead to higher stress levels (Akbar et al., 2019). The authors also
found that stress can additionally be caused by high demand and commitments at work,
deadlines or tension at home (Akbar et al., 2019). Even multitasking, a common work
style these days, increases stress levels.
Based on the discussions found in previous studies, it seems that there is a
correlation between high email load that leads to greater demands, multitasking and
higher stress level.
Isolation during the global pandemic of COVID-19 has also left an impact on
human behavior (Shah et al., 2021). Lack of social interaction with colleagues was
found to correlate with stress levels people are facing. During Shah et al. (2021)
research, 57.4% of participants had clear signs of high stress levels. Seemingly a simple
conversation during a coffee break or a quick talk before a face-to-face meeting makes
people feel more comfortable and less tense. As during the global pandemic of COVID-
19 these activities are not possible, stress and the feeling of being isolated have certainly
increased for the majority of people (Teevan et al., 2021). Furthermore, people who do not
feel the support from their managers, for instance, by having a face-to-face
conversation, more often experience negative emotion development that leaves an
impact on their physical and mental state (Teevan et al., 2021). In short, currently with
the ongoing global pandemic of COVID-19 situation people are feeling more stressed
than ever. This is caused not only by the increased email load but also from the lack of
social interaction with their colleagues and isolation.
CHAPTER 3: METHODOLOGY
In this chapter a research process and methodology used to conduct the study
is described. It also argues the reasons why exactly this specific method was used.
Chapter starts with an overview of Qualitative research approach. It continues with the
description of the process of how the respondents for the interviews were selected. Next
it describes more in detail the selection phase and environment used. It also highlights
the ethical concerns and actions made when the study began. Chapter ends with a
detailed description of the interview and transcript process as well as the Thematic
Analysis of gathered empirical data used to answer the research question.
3.1 Qualitative Research Approach
A qualitative research approach in general is used to study some phenomenon,
typically focusing on people's behavior and experience (Basias and Pollalis, 2018). A
qualitative approach does not cover numerical, mathematical or statistical studies,
contrary to the quantitative research approach, which looks into the frequency of a specific
phenomenon. It can also be described as a series of interpretive techniques that usually
try to find an answer to a research question through decoding and translating the
theory of a particular phenomenon (Basias and Pollalis, 2018). Moreover, qualitative
research questions are formulated as How, What, Where and When types of questions
(Hennink, Hutter and Bailey, 2020). Therefore, because the question of this study is
“How does the email load and stress affect the susceptibility to phishing and scam
emails?”, it was decided that a qualitative approach is the most suitable and should be
used to conduct this research through semi-structured interviews.
3.2 Selecting interviewees
Sampling or participant selection in qualitative research is usually small and
focused, hence non-random and purposeful (Merriam, 2009). In order to select
participants for the interviews in this research, the Quota Sampling method was used.
Inspiration for this part of the research was taken from a suggestion for future research
by Tiwari (2020), where the author proposed conducting a real-life simulated phishing
attack in a company.
According to Dudovskiy (2018), the Quota Sampling method can be used to
gather data from a specific group of people that represents definite characteristics in the
population. In this study the characteristic is a susceptibility to phishing attacks.
The research author selected a company with approximately 130 employees
where the study was conducted. For security reasons the name of the company is
not disclosed. In this paper the company is called “X” to hide and protect its identity.
In order to find respondents for the interviews, several simulated phishing and
scam attacks, also known as phishing campaigns, were launched in agreement with the
company (see section 3.2.2). Attacks were carried out with the Gophish framework, a
tool that allows one to generate and send out phishing emails with landing pages, register
information about users who opened the email or clicked on the malicious link, and
collect any submitted information. This part of the research took approximately one
month. Three different types of phishing attacks were launched within the company
“X”. Each of the phishing campaigns was active for one and a half weeks, which was
enough time considering that some people might be on vacation. Attacks were launched
between the 3rd of February and the 12th of March, 2021.
As previously stated, the goal of these phishing campaigns was to select people
for the interviews. Those who did fall for the simulated attacks were asked to participate in
the interview process of this study.
3.2.1 Gophish Environment
In order to simulate real-life phishing and scam attacks, a platform called
Gophish was used. Gophish is a well-known open-source tool that is utilized by
various companies to test their employees' behavior when phishing or scam events
occur (Särökaari, 2020). In this particular case Gophish was installed and configured
on a Linux Ubuntu 18.04 LTS virtual machine. To make the phishing and scam emails,
also known as campaigns, look legitimate, three domains were purchased for the
purpose of hiding the IP address of the Gophish host machine.
In order to cover different scenarios of phishing and scam attacks, three
different campaigns were used, expecting that this would increase the success rate of the
campaigns. The first campaign tried to lure users into registering for a lottery with a
new iPhone 12 Pro as the prize. This campaign used the domain register.win-prize.de.
The second campaign targeted users to expose their login credentials for the social media
portal LinkedIn.com. For this campaign the domain name linkedin.account-verification.de
was used. The last campaign aimed to expose users' corporate account login
credentials. Therefore, a domain similar to the real one was purchased. Instead
of using “.com”, the phishing domain ended with “.co”. For security reasons, this
domain name is not outlined in this paper, because it might expose the real name of the
company.
To make this experiment safe for all employees in the company “X” and
additionally gain their trust, all landing pages where users were expected to submit their
credentials were equipped with an SSL/TLS certificate to encrypt traffic upon
submission of information. As cybercriminals use more sophisticated phishing
techniques, attacks are also becoming more dangerous, since the pages linked from phishing
emails are more often equipped with SSL/TLS certificates, giving the impression of a
legitimate website (Särökaari, 2020). One of the reasons is that “Let's Encrypt” is
offering a free SSL/TLS certificate valid for 90 days (Särökaari, 2020). In this study
the same free SSL/TLS certificate from “Let's Encrypt” was used.
In addition, a Google Workspace suite was subscribed to so that the senders' email
addresses could be set up under the registered domains.
3.2.2 Ethical consideration
Before launching phishing attacks at the employees of the company “X”, some
ethical aspects of this research had to be addressed, since it might lead to legal issues
(Hennink, Hutter and Bailey, 2020). To perform this research a “Statement of Ethics”
(shown in Appendix A) was issued, where the step-by-step actions were described. This
statement of ethics was approved by the CEO and CTO of the company “X”.
Furthermore, because the actual phishing server was hosted on the network of the
company “X” and had a public IP address owned by the company, in order to allow
the phishing server to be reached from outside the corporate network, the Internet
Service Provider (ISP) was informed about this educational experiment. This was done
in order to prevent IP address blacklisting, because people might report the sender as a
spreader of malicious content with the intent of phishing.
After all simulated phishing attacks were finished and the selection of interviewees
was done, all employees of the company “X” were informed about the ongoing study.
Anonymity was guaranteed for those who did fall victim.
3.2.3 Phishing campaigns
3.2.3.1 iPhone 12 Pro campaign
The very first phishing campaign or simulated attack in the company “X” was
made with the intention of making users click on the malicious link. In some attack
scenarios, simply clicking on the link might already be dangerous, because it could
launch an infected script, installing malicious software without any notice. In this
particular case, an email claiming to be from a lottery company was sent. In the email
it was mentioned that 1000 new iPhone 12 Pro devices were the giveaway prize.
All a user had to do to enter the lottery was to click on the button and
provide their first name, last name, email address and home address.
This email was sent out to 132 people. Only 1 person clicked on the link that
redirected to the landing (submission) page. However, this user did not submit any
details.
3.2.3.2 LinkedIn campaign
The second phishing attack was sent out claiming to be from the social media portal
called “LinkedIn”. In this campaign it was mentioned that “LinkedIn” had recognized
some suspicious actions from the user's profile; therefore, a security notice was pushed and
their account was blocked. Users were asked to verify their accounts within 24 hours
before the account would be completely suspended from this social media portal. It was
believed that the urgency factor in the email would increase the success rate of phishing,
as suggested by Tiwari (2020). Once the “Verify account” button was clicked, the user was
redirected to a phishing landing page that looked the same as the regular login web page of
LinkedIn. Users were asked to provide their email address and password in order to
verify their account.
As in the previous campaign, this phishing email was sent out to 132
people. The click rate on the malicious link, however, was higher than in the iPhone
12 Pro campaign. Of all delivered messages, 4 people clicked on the link.
Furthermore, 1 person also submitted the credentials of his “LinkedIn” account.
3.2.3.3 Password reset campaign for internal systems
The last campaign claimed to be from the IT department of the company “X”.
This campaign covered a scenario in which someone's emails have been stolen; hence, in the
phishing email users were able to see previous messages about a server upgrade. It was
thought that this would increase the employees' trust that the email
was indeed legitimate (Tiwari, 2020). The campaign claimed that, for security
reasons, the IT department had decided that everyone has to change their password
after the server was upgraded. The email provided a seemingly legitimate link that
is usually used for resetting internal system passwords in the company “X”; however,
once clicked, it redirected users to the phishing landing page, which again looked
exactly the same as the original web page.
From the very beginning this phishing campaign was expected to have the
highest success rate, since it was related to the internal systems. Because of previous
experience with unplanned “whistleblowers” who announced publicly in the
corporate chat channel that they had received a phishing email, it was decided to
exclude these people from the receivers list to increase the potential success rate even more.
In this case, the final number of sent emails was 110. In total 7 people clicked on the
malicious link and 6 users submitted their credentials.
The results of all phishing campaigns are gathered in Table 1 below.
Name of the campaign                 People clicked on the link   People submitted data
iPhone 12 Pro                        1                            0
LinkedIn                             4                            1
Password reset for internal systems  7                            6
Table 1 - Summary of phishing campaign results
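As an added defender-side example (not part of the thesis and not Gophish code), the following Python flags the kinds of deceptive links used across the three campaigns above: a brand name placed in a subdomain of an unrelated registrable domain (linkedin.account-verification.de), a top-level-domain swap (“.co” for “.com”), and link text that shows a different host than the actual href, as in the password reset lure. The allow-list, the placeholder example.com standing in for the undisclosed company domain, and the sample email body are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation treats as legitimate.
# "example.com" is a placeholder for the company's real domain, which the
# thesis does not disclose.
LEGITIMATE_DOMAINS = {"linkedin.com", "example.com"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. 'account-verification.de'.
    Assumption: single-label public suffixes (.de, .com, .co); multi-part
    suffixes such as co.uk would require a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str, legit=LEGITIMATE_DOMAINS) -> str:
    """Return 'legitimate', 'brand-in-subdomain', 'tld-swap' or 'unknown'."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in legit:
        return "legitimate"
    reg_name, _, reg_tld = reg.partition(".")
    sub_labels = host.split(".")[:-2]          # labels left of the registrable domain
    for good in legit:
        good_name, _, good_tld = good.partition(".")
        # brand label used as a subdomain of an unrelated domain,
        # as in linkedin.account-verification.de
        if good_name in sub_labels:
            return "brand-in-subdomain"
        # same name, different top-level domain, as in the ".co" campaign domain
        if reg_name == good_name and reg_tld != good_tld:
            return "tld-swap"
    return "unknown"


def scan_email(body: str) -> list:
    """Return (url, verdict) pairs for every link found in an HTML email body."""
    findings = []
    for href, text in ANCHOR_RE.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        verdict = classify_host(href_host)
        shown = URL_RE.search(text)
        # visible link text names one host while the href points elsewhere:
        # the trick behind the password reset campaign's seemingly legitimate link
        if shown and (urlparse(shown.group(0)).hostname or "").lower() != href_host:
            verdict = "href-text-mismatch"
        findings.append((href, verdict))
    for url in URL_RE.findall(ANCHOR_RE.sub("", body)):   # bare URLs outside anchors
        findings.append((url, classify_host(urlparse(url).hostname or "")))
    return findings


# Constructed sample email body modelled on the three campaign lures.
SAMPLE_EMAIL = """
<p>LinkedIn has detected suspicious activity. Verify your account within 24 hours:</p>
<a href="https://linkedin.account-verification.de/login">Verify account</a>
<p>Win one of 1000 iPhone 12 Pro: https://register.win-prize.de/enter</p>
<p>IT department: reset your password after the server upgrade:</p>
<a href="https://example.co/reset">https://example.com/reset</a>
<a href="https://www.linkedin.com/help">LinkedIn Help</a>
"""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:20} {url}")
```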
3.3 Primary data collection - Interview Method
Once the selection of potential interview participants was done, it was time to
conduct the actual interviews. Interviews are one of the primary tools used to collect
data in Qualitative research (Merriam, 2009). The questions used in the interviews were
semi-structured and open-ended in order to collect empirical material. According to
Khan (2014), face-to-face interviews are suitable for analyzing sensitive topics
like employees' perception and human behavior, in order to extract more detailed, yet
sensitive information about some phenomenon. In this study, falling victim to a
phishing attack is indeed a sensitive topic, since failing to recognize an attack and
giving away a user's credentials can cause financial and reputational damage to the
company (Ekandjo, Jazri and Peters, 2018). Therefore, interviews had to be conducted
face-to-face and at the same time stay anonymous in order not to damage the employees'
reputation.
Of the 7 people who were identified as victims, one person was removed from the
list of potential interviewees because, although he did fall for the phishing, he did so with the
intention of investigating the malicious content and not because he had actually fallen victim
to the phishing email. All other 6 people who did fall for the simulated phishing attacks
were asked to participate in the interview process through an official email. Full
anonymity within the company and also in this research document was guaranteed as part
of the ethical considerations (Dudovskiy, 2018). Since it is not possible to force people to
take part in an interview, two people decided that they did not wish to participate in this study
and declined the invitation. Due to the restrictive conditions of
COVID-19, the interviews with the other four participants were conducted remotely, outside
office hours, over the digital collaboration platform “Zoom”. A suitable time slot
for the interview was agreed through email. Interviews lasted from 26
minutes up to 45 minutes, depending on the answers given by the respondents. Interviews
were conducted from the 15th till the 20th of April, 2021. Before the interview began,
each respondent was informed about the aims of the research and was asked for consent to
record the interview for further analysis. As stated before, for security
reasons, the name and job title of each respondent is not presented in this paper. The list of
conducted interviews, respondents' pseudonyms, gender of the respondents, and length and
date of the interviews is presented in Table 2.
Respondent   Gender   Length of the Interview   Date
A            Male     26 Minutes                15.04.21
B            Male     22 Minutes                15.04.21
C            Female   24 Minutes                16.04.21
D            Male     45 Minutes                20.04.21
Table 2 - List of conducted interviews
3.3.1 Interview process
Once a suitable time slot was agreed on, each respondent received an invitation link
for an online meeting in the digital collaboration platform “Zoom”. Right at the
beginning of the meeting, each respondent was asked for consent to record the meeting
for the purpose of further analysis, i.e., transcription and coding. All respondents gave
their permission to record the interview. This was beneficial, because it allowed the
interviewer to focus more on the interview itself, without taking additional notes
(Halcomb and Davidson, 2006). Respondents were once again informed about the aims
and objectives of the study. Furthermore, it was stated that their identity would not be
disclosed in the research report, nor within the company “X”. The questions asked were
mainly open-ended, with the intention of creating a discussion to understand the given
answers in more depth as well as to avoid leading questions (Dudovskiy, 2018). An interview
guide (shown in Appendix B) was prepared beforehand, and the questions were
developed based on the theory around susceptibility, email load and stress discussed
in Chapter 2. Questions were asked in sequence, following the interview guide;
however, if needed, jumping between questions was not forbidden, since it allowed a
smoother flow of the interview as well as a deeper understanding of the answers. At the
end of each interview, respondents were asked to do a “self-evaluation” to estimate their
own perceived level of stress in comparison with the answers they gave, to get a fairer
picture of the situation. The stress level evaluation scale was from 0 to 5, where 0 is
no stress at all and 5 is extremely high stress. Before the interview was finished,
respondents were asked if they wanted to give any final comments about their answers.
3.3.2 Transcribing interviews
Interviews were transcribed verbatim, which allowed the research author to get
closer to the gathered data for further analysis (Halcomb and Davidson, 2006). Sounds
that were not relevant, such as “mmm”, “uh”, “aam”, were skipped to improve the textual
sentence formatting. The transcription was completed right after each
conducted interview. This helped to identify any quality issues with the
gathered data or interview questions and correct them before the upcoming interviews
(Hennink, Hutter and Bailey, 2020). To transcribe the interviews, an online tool called
“oTranscribe” was used, which offered functions such as speed adjustment of the audio
recording as well as jumping back and forward to a specific time stamp.
3.3.3 Thematic Analysis
Thematic Analysis was chosen as the best fit for the gathered empirical data
because of its flexibility during the analysis process (Terry et al., 2017). Thematic
Analysis was conducted following the six phases suggested by Terry et al. (2017), which
include Familiarisation with the data, Coding, Theme Development, Theme Reviewing,
Defining Themes and finally Producing the Report. All six phases are described in more
detail in this chapter.
1. Familiarisation
Familiarisation phase is the entry point of the whole analysis. It is necessary to
engage and grasp insights of the gathered information to fully understand the
meaning of the data (Terry et al., 2017). Whilst going through the whole dataset,
the research author noted down some comments, interesting ideas and patterns
in each interview that helped to develop codes later on. The Familiarisation was
done in several cycles to make sure important information was not missed.
2. Coding
During the next phase of Thematic Analysis, information that is relevant to the
research question was coded using an inductive approach. Based on the
comments, noted ideas and patterns from the previous phase, the research author
assigned meaningful codes to those segments of data that can help to answer the
research question. Codes were developed using the definition of stress (see
section 2.3.1) to help interpret the answers received. Furthermore, if the
same code name was relevant to data segments in different parts
of the interview, it was used to tag and link those data segments to find more
insights in the information.
3. Theme Development
Once the coding was done, all the codes were written out and it was time to try
to find similarities between them by clustering several codes into one topic.
To avoid overly fine-grained themes and instead make them deeper, one
central concept was identified that helped to determine what the theme's idea is
about. It also helped to evaluate whether one or another code belongs to this central
concept. After several codes were clustered, a candidate or provisional
theme name was given to each cluster.
4. Theme Reviewing
Throughout the Theme Reviewing phase, provisional themes were checked to
verify if the selected data sets that belong to each candidate theme are
meaningful to the central concept (Terry et al., 2017). If some of the linked
codes or parts of the data set were identified to be applicable for more than one
theme, the provisional theme was revisited once more and the transcript of the
interview was checked to verify validity. Moreover, it was important to check
if each of the candidate themes is distinctive, yet linked with each other in order
to help tell the story to answer the research question (Terry et al., 2017).
5. Defining Themes
Once the review and refining of the potential themes was completed, three main
themes were chosen to be used for the report phase of the analysis. Each of
the themes was once again verified by writing a short abstract that helped to
see if the theme is not too thin (Terry et al., 2017). Next, for each theme, a name
or a title was defined that gives an idea of the content found within the theme.
The final theme map is presented in Figure 1.
Figure 1 - Final theme map
6. Producing the Report
The final phase of Thematic Analysis was to produce the report. It can be found
in the next section of this document, “Chapter 4: Analysis of empirical data”. It
is divided into three sub-sections, one for each selected theme. Under each
of those sub-sections, the answers given by respondents help to come to a
resolution of the research question presented.
CHAPTER 4: ANALYSIS OF EMPIRICAL
DATA
This chapter presents several themes discovered from the interviews with respondents
whilst doing Thematic Analysis. After the interviews were transcribed and coded, several
codes were merged and a theme name was given. In total three main themes were
identified. They are based on topics like email load and stress; workload and meetings;
and additional factors from private life that increase stress.
4.1 Email load that increases stress directly and indirectly
All interviewees agreed that email load has increased lately, mainly because of
government rules for working from home; however, not all respondents thought that it
comes with higher stress. Some respondents admitted that they see it rather as an
indirect factor for stress, and one respondent mentioned that email load is not bothering
him.
Respondent “A” admitted that email load has increased because of the current
situation with remote work. He estimated that on average there are approximately 50
new emails every day in his inbox, stating that he used to have more at his previous
company; therefore, he is used to a high load of emails. However, he explained that not
only are remote meeting requests a big part of his inbox, but also regular emails have
become much quicker, meaning they are used more like a chat service that requires a fast
response, and this increases the stress:
I think there is a trend to write what you think right away and use it kind of like
a chat service. [...] It would usually be an immediate response. From this point
of view you really have to keep up the pressure so that you do not lose time on
communication.
Respondent “A” evaluated his stress level at 4 on a scale from 0 to 5 (where 0 is no
stress and 5 is extremely high stress).
The second respondent, “B”, has also noticed an increase in email load, but he thinks that
it is more likely to come from the fact that his professional position was changed and
now he is required to engage more in new projects. The respondent estimated that he
receives approximately 100 new emails per day, stating that it is a lot; however, he felt
that it does not affect his stress level much:
Between my work and private account I receive probably a hundred, hundred
plus emails per day. It is more than before when I was in my previous position.
Then I was getting probably like 30-40 emails. Now it has definitely increased
by factor two or more. [...] It is annoying. Maybe it is stress, but sort of a low
level stress.
Later on during the interview he elaborated that a big part of his emails are irrelevant
messages that come from the scientific and academic community. He felt that the
volume of emails plays an indirect role in his stress level:
I noticed as I became more integrated in the scientific and academic community
I started to get a lot of irrelevant emails from conferences and journals. Like
lots of noise. And I get more and more of this noise. It is annoying. It is for sure
quite distracting during the day. [...] I would not say that emails themselves
make me feel under pressure, but I do feel pressure to achieve goals of the
projects that I am currently working on and, absolutely, dealing with the volume
of emails that I receive is a huge time sink and a distraction. Therefore it
indirectly increases the stress.
Respondent “B” evaluated his stress level at 3.5 on a scale from 0 to 5 (where 0 is no
stress and 5 is extremely high stress).
Similarly, respondent “C” also noticed that email load has increased, with lots of
irrelevant emails. However, this is not increasing her stress level, because she is not
worried about having an empty inbox:
I have perhaps noticed an increase in the number of emails from large
businesses, for example, booking.com with offers for special deals, and small
businesses, like my optician, urging me to make an appointment to have my
contact lenses checked, hoping to drum up business. [...] I am not one to worry
too much about having an empty inbox.
The same respondent admitted that the load of emails usually makes her do multiple
things at once and therefore she can be easily distracted. For the stress level evaluation
question, the respondent said that she does not feel stressed, giving herself a mark of 1 on
a scale from 0 to 5 (where 0 is no stress and 5 is extremely high stress).
Respondent “D” mentioned that email load has increased a lot because of the
nature of his work. He used to have several face-to-face meetings per day, and now the
majority of these conversations are handled through email because of the global
pandemic. Furthermore, he said that the time at which emails are delivered has also changed,
which puts him under pressure:
The email load has increased a lot! I receive emails very late in the evening or
early hours. So a lot has changed during the pandemic with the respect to the
email. Not only the load has increased but also the time when the rate peaks.
It might be in the evening instead during the day. [...] I am always stressed
when I have emails in my inbox, and I do not archive them to my local folders.
Furthermore, he elaborated that due to the switch from face-to-face meetings to email
conversations, he has noticed that the style of emails in some cases has changed to have
less structure, which makes him feel nervous and anxious:
Young people are a bit confused between different digital means of
communication. They write their emails like they are on messaging apps. [...]
They are ignorant of code of practices. I do not like when I have to look for
more details. I get nervous and anxious and sometimes angry that I have to
look for the purpose of the email.
When asked about the stress level evaluation, respondent “D” answered that currently
he is experiencing level 5 stress on a scale from 0 to 5 (where 0 is no stress and 5 is
extremely high stress).