author photo
By Clare O’Gara
Thu | May 14, 2020 | 5:30 AM PDT

The latest risk for increased phishing attacks?

According to research from New York University, it's hubris.

Security awareness study: how do end-users view cyber risks?

Humans are notorious for dangerous levels of overconfidence.

And according to an investigation by Emily Balcetis, an associate professor at NYU, this overconfidence bleeds into our digital lives:

"This study shows people 'self-enhance' when assessing risk, believing they are less likely than others to engage in actions that pose a threat to their cyber security—a perception that, in fact, may make us more susceptible to online attacks because it creates a false sense of security."

How did the experiment work? Researchers used computers, subjects, and, oddly enough, eye-tracking technology.

First, they showed subjects email phishing scams. They also told the subjects that the emails were examples of phishing.

Afterward, they asked some particular questions:

"Half of the subjects were asked how likely they were to take the requested action while the other half was asked how likely another, specifically, 'someone like them,' would do so.

Next, they provided the subjects with a statistic about phishing risk: something like, "37.3% of undergraduate students at a large American university clicked on a link to sign an illegal movie downloading pledge because they thought they must in order to register for classes."

And this part is where the eye-tracking comes in:

"Using eye-tracking technology, they could determine when the subjects actually read the provided information when reporting their own likelihood of falling for phishing attempts and when reporting the likelihood of others doing the same."

What did the research find?

"The subjects thought they were less likely than are others to fall for phishing scams—evidence of 'self-enhancement.' But the researchers also discovered that the subjects were less likely to rely on 'base rate information' when answering the question about their own behavior yet more likely to use it when answering the question about how others would act."

Essentially, we don't think the statistics apply to us.

But this logic can actually make us more vulnerable.

Increasing cybersecurity risks associated with COVID-19

According to the NYU researchers, this is particularly important information to have now.

As the world continues to rely on a remote workforce, the cybersecurity risks facing individuals and organizations is only increasing:

"COVID-19 has had a devastating impact on the physical and mental health of people around the globe. Now, with so many more working online during the pandemic, the virus threatens to wreak havoc on the world's cyber health," the researchers note.

And this is an impact we're already seeing. SecureWorld covered these new risks recently:

"One of the biggest challenges is that huge numbers of employees are working from home for the first time due to the coronavirus.

They may be unaware of best practices which road warriors know well, like always using a VPN on public networks or how to handle challenges connecting to the corporate database where sensitive data should be stored.

That can generate significant organizational risk." 

Speaking of risk, according to the latest New York University research, we can reduce risk by helping employees realize they may be overconfident in their ability to spot a phishing email.

Check out more information on the NYU study here.