research-article

Ontology-Based Intelligent Interface Personalization for Protection Against Phishing Attacks

Published: 11 October 2023

Abstract

Millions of users on the Internet have fallen into phishing website traps. Detection tools are designed to warn users against such attacks, but often fail to achieve this purpose. One crucial reason behind this is that users rarely have a chance to interact and build a relationship with a detection tool that stealthily runs at the backend. A warning message on a rarely seen interface from such a tool hardly inspires users’ trust in its authenticity and accuracy. In this study, we propose an ontology-based intelligent interface personalization (OBIIP) design for the warning interfaces of phishing website detection tools. We first constructed an ontology of warning interface elements (OWIE), which is a comprehensive knowledge base for warning interface design. We then used OWIE in the design and creation of an OBIIP prototype and assessed it in a laboratory experiment and an online experiment. The results show the significant value of OBIIP in improving users’ performance in terms of self-protection against website phishing attacks and building a stronger relationship with the detection tool in terms of trust in and use of the tool.

Abstract

Millions of users on the Internet have fallen into phishing website traps. Detection tools are designed to warn users against such attacks but often fail to achieve this purpose due to usability issues. To address these issues and increase user self-protection against such attacks, we propose an ontology-based intelligent interface personalization (OBIIP) design for the warning interfaces of phishing website detection tools. Our design involves two phases: proof-of-concept and proof-of-value. The proof-of-concept phase consists of developing an ontology of warning interface elements (OWIE) based on the ontology approach in design science, expert feedback, and inputs from multiple populations through three rounds of surveys with 1,297 participants. OWIE is then used in the design and creation of an OBIIP prototype. The proof-of-value phase involves a controlled laboratory experiment (with 596 participants) to assess OBIIP’s value in terms of users’ self-protection performance as well as a post hoc online data collection (with 191 participants) and analysis to reveal the role of the design element categories in users’ trust and perceived personalization in OBIIP. The assessment results show the significant value of OBIIP in improving self-protection performance as well as the pervasive impact of OBIIP in improving users’ relationship with the security tool in terms of trust in and use of the tool. This work also identifies categories of design elements that matter in the OBIIP process.
History: Suprateek Sarker, Senior Editor; David (Jingjun) Xu, Associate Editor.
Funding: This work was partially supported by the U.S. National Science Foundation [Grant CNS-1049497].
Supplemental Material: The online appendices are available at https://doi.org/10.1287/isre.2021.0065.


Published In

Information Systems Research, Volume 35, Issue 3
September 2024
581 pages
DOI:10.1287/isre.2024.35.issue-3

Publisher

INFORMS

Linthicum, MD, United States

Publication History

Published: 11 October 2023
Accepted: 12 September 2023
Received: 30 January 2021

Author Tags

  1. ontology
  2. personalization
  3. security interface
  4. phishing website detection tools
  5. trust
  6. design science
  7. warning elements
  8. proof-of-concept
  9. proof-of-value
  10. experiment

Qualifiers

  • Research-article
