Why don't people report phishing emails? Finding the reasons, improving motivations, and securing cyberspace

摘要

Antiphishing training efforts are effective to the extent to which individuals are able to correctly identify phishing emails. Even for individuals with advanced knowledge in cyber security, however, it is hardly possible that individuals detect all types of phishing emails. Failure of detecting phishing emails can result in falling for phishing attacks. In this daunting situation, a plain reporting phishing emails can bring about a breakthrough into antiphishing efforts. However, the reporting rate of phishing emails is so far very low, and has been little studied in the social sciences. The current study aims to uncover motivational processes of engaging in reporting phishing emails using the Social Cognitive Theory with two antecedents---awareness of reporting phishing emails and cyber risk beliefs. Three models are examined, which are the social cognitive model of intent to report phishing emails as a baseline model, the baseline model with awareness of reporting phishing emails, and the baseline model with cyber risk beliefs, are tested individually using structural equation analysis of data from 386 college students at a large northeastern university in the United States. Interestingly enough, the concerted efforts of examining the three models reveal that intent to report phishing emails is driven by a proactive approach to cyber security which involves causal relationships among perceived antiphishing self-efficacy, concern for mishandling of reports, and self-reaction of meticulous attention to cyber security behaviors, which also indicate a doubtful mode of cognition and action. The similar results are found in the tests for the second and third model. In addition, the second model uncovers that awareness of reporting phishing emails has the strongest direct effect on intent to report phishing emails; the third model reemphasizes that intent to report phishing emails is driven by a doubtful mode of cognition and action. An unexpected finding reveals that a motivational process of intent not to report phishing emails is driven by a causal path among perceived antiphishing self-efficacy, positive intangible outcomes, and compliance with cyber security behavioral tips, which is called an avoidance/passive approach to cyber security. Implications for future research on the behavior of reporting phishing emails are discussed.