Security research evaluating decision-making in web phishing scenarios faces multiple complicating factors that are difficult to measure. Stress, uncertainty, technical expertise, and risk perception have all been found to be relevant factors in phishing resilience. None of these can be measured effectively in surveys or interviews. However, these factors are reflected in or indicated by eye movement, and eye movement is leveraged as an interaction mode in emerging interactions. In this work, we explore the potential of eye-tracking to detect vulnerability to phishing attacks. We report an analysis of 44 participants in a study using a standard eye-tracking laboratory. We found distinctive eye movements could be used to detect when participants were about to be deceived by a phishing website attack with accuracy as high as 89% for safe log-in and 77% for phishing attacks. We report the accuracy of different analytical approaches that leverage the existence of patterns indicating participants’ trust, certainty, and hesitation. We document eye movement behaviors under different conditions, illustrating that traits found relevant in other work (e.g., familiarity or expertise) had no significance to phishing behaviors when measured by eye movements. We conclude that eye tracking has a uniquely promising role in understanding human decision-making in computer security. The implication is that the nuanced measures possible with interactions that integrate eye tracking may be leveraged to detect and deter stress-inducing phishing attacks that have proven intractable with traditional interactions.
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5168768

In this work, we have illustrated a path forward using standard hardware to monitor and predict individuals’ susceptibility to phishing based on eye movement. We found that by focusing on the behaviors of an individual participant and a small set of critical websites, it was possible to identify likely moments of susceptibility. From simple observation of the data, we theorize that the cases where such identification was not possible were those where the participant was highly confident of their answer despite the fact that it was incorrect. When individuals are highly confident, alerts and offers of education may also be less effective; essentially, it is possible that the system could provide training only to those who are receptive. We are seeking partnerships for larger field trials to determine if this testing could facilitate timely user-centered alerts and training.