The Millennial Cybersecurity Project

The Millennial Cybersecurity Project
Improving Awareness of and Modifying Risky Behavior in Cyberspace
29 September 2012
Authors
Noel P. Greis, Center for Logistics and Digital Strategy
Monica L. Nogueira, Center for Logistics and Digital Strategy
Susan Kellogg, Information Technology Department
Kenan-Flagler Business School
The University of North Carolina at Chapel Hill
Prepared for:
U.S. Department of Homeland Security
Washington, D.C. 20528
www.dhs.gov
Contract No. 4-312-0202782
Prepared by:
RTI International–Institute for Homeland Security Solutions
Research Triangle Park, North Carolina
This document is in the public domain and may be used and reprinted without special
permission. Citation of the source is appreciated.
None of the investigators have any affiliations or financial involvement that conflicts with the
material presented in this report.
Suggested citation: Greis, N.P.; Nogueira, M.L.; and Kellogg, S. The Millennial Cybersecurity
Project: Improving Awareness of and Modifying Risky Behavior in Cyberspace. Final Report.
Institute for Homeland Security Solutions, 29 September 2012.
(Prepared by RTI International–Institute for Homeland Security Solutions under contract
4-312-0202782)
This report is based on research conducted under the Institute for Homeland Security
Solutions (IHSS) under contract to the Department of Homeland Security, Washington, DC.
(Contract 4-312-0202782). The findings and conclusions in this document are those of the
author(s), who are responsible for its contents; the findings and conclusions do not
necessarily represent the views of the Department of Homeland Security. Therefore, no
statement in this article should be construed as an official position of the Department of
Homeland Security.
Table of Contents
Executive Summary .................................................................................................................................... 1
Statement of Problem ................................................................................................................................. 3
Background ................................................................................................................................................. 3
1. Lack of Awareness of Organizational Cybersecurity Policies ..................................................... 4
2. Limited Adherence to Organizational Cybersecurity Policies ..................................................... 4
3. Need for New Approaches that Build Awareness of Risky Cyber Behaviors ............................. 4
Conceptual Approach ................................................................................................................................. 5
1. Avatars and Digital (Self) Representations ................................................................................. 6
2. Digital Messaging......................................................................................................................... 6
3. Real-Time Performance Feedback............................................................................................. 7
Methods and Results .................................................................................................................................. 8
Experiment 1: Understanding Millennial Attitudes about Cybersecurity .............................................. 8
Policies Regarding Firewalls, Antivirus, and OS Updates ........................................................ 11
Password Behaviors .................................................................................................................. 11
Problems Due to Risky Behaviors ............................................................................................. 11
Experiment 2: Determining Baseline Risky Behaviors in Millennials ................................................. 11
Phishing Email Behaviors .......................................................................................................... 11
Password Generation Behaviors ............................................................................................... 11
Experiment 3: Modifying Risky Behavior in Millennials ...................................................................... 11
Modifying Risky Behavior in Phishing Emails ........................................................................... 11
Modifying Risky Behaviors in Password Creation and Use ...................................................... 27
Recommendations .................................................................................................................................... 38
Conclusions and Future Directions........................................................................................................... 39
References ................................................................................................................................................ 40
List of Figures
Figure 1. Millennial Cybersecurity Project Conceptual Model ................................................................... 6
Figure 5. Distribution of Clues Selected by Millennials for Phishing Email Decision .............................. 15
Figure 6. Distribution of Baseline Password Length Behavior ................................................................. 17
Figure 7. Distribution of Baseline Password Complexity Behavior .......................................................... 18
Figure 8. Example of Avatar-Based Phishing Email Strategy Email ....................................................... 19
Figure 9. Example of Avatar “Positive” Reinforcement Email.................................................................. 21
Figure 10. Experimental Results of Intervention for Phishing Email Behavior ........................................ 24
Figure 11. Performance Feedback for Intervention 1 .............................................................................. 29
Figure 12. Intervention Feedback for Intervention 2 ................................................................................ 30
Figure 13. Example of Password Strategy “Messaging” with Avatar....................................................... 31
Figure 14. Example of Animated Strategy “Messaging” .......................................................................... 32
Figure 15. Post-Intervention Password Length Improvement by Group ................................................. 35
Figure 16. Post-Intervention Password Complexity Improvement by Group........................................... 35
Figure 17. Distribution of Individual Password Complexity Score Improvement ..................................... 36
Figure 18. Distribution of Password Complexity Score Improvement ..................................................... 37
Figure 19. Comparison of Pre-Intervention and Post-Intervention Password Complexity Scores by Group ..... 37
List of Tables
Table 1. UNC Cybersecurity Policies ......................................................................................................... 8
Table 2. Experimental Design for Phishing Email Experiment ................................................................ 12
Table 3. Lists of Clues for identifying Phishing Emails ............................................................................ 13
Table 4. Results of Phishing Email Experiment Stratified by Sender Type ............................................. 13
Table 5. Results of Phishing Email Experiment Stratified by Gender and Sender Type ........................ 14
Table 6. Results of Phishing Email Experiment Stratified by Sender Type (Millennials) ........................ 15
Table 7. Experimental Design for Phishing Email Experiment ................................................................ 22
Table 8. Results of Phishing Email Experiment (First 24 Hours after Delivery) ...................................... 23
Table 9. Risky vs. Best Practices for Password Creation and Use ......................................................... 28
Table 10. Overview of Experimental Design for Password Experiment .................................................. 33
Table 11. Distribution of Repeated Password Behavior by Group .......................................................... 38
Executive Summary
Millennials are the first “always connected” generation, ensconced within an ecosystem of
digital devices from iPhones and iPads to tablets and laptops. They bring these devices and
behaviors into the places where they study and work, which can expose organizations to
security vulnerabilities. Millennials are reported to lack awareness of, and demonstrate limited
adherence to, organizational security policies, which highlights the need for new approaches
that build awareness of risky behaviors in cyberspace. The goal of the Millennial Cybersecurity
Project is to improve our understanding of millennials’ awareness of cybersecurity threats, to
identify risky behaviors that put organizations at risk, and to explore new digitally-mediated
tools to modify risky behaviors in cyberspace.
The underlying premise of the Millennial Cybersecurity Project is that the best way to
communicate with millennials is through the language of technology. Most organizations today
employ communications strategies that are better suited to previous generations. Instead of
more traditional text-based materials and face-to-face interactions, this project demonstrates
that risky behaviors can be reduced by moving from more traditional approaches to
digitally-mediated and interactive online approaches that are more aligned with millennial familiarity
and comfort with “messaging” that is short and simple—and supported by graphics and
symbols for fast and easy comprehension. In particular, we demonstrate the effectiveness of 1)
the use of real-time feedback of (lack of) conformance with security best practices, 2) the
online reinforcement of best practices by encoding them in a “strategy” that is delivered
digitally, and 3) the use of avatars or other digital (self) representations to personalize the
messaging.
While stereotypes portray millennials as risk-seeking and blithely unaware of threats to
and policies regarding cybersecurity, our results reveal a broad range of attitudes from highly
aware and competent to completely uninformed and dangerous. These behavioral categories
tend to transcend traditional boundaries of gender and age. Survey results of millennial
business students and staff at the Kenan-Flagler Business School revealed that among the
more vulnerable behaviors are password creation and use, and ability to recognize and
respond properly to phishing emails. Self-reported risky password and phishing behaviors by
millennials were confirmed by experiment.
The Millennial Cybersecurity Project demonstrated that digitally-mediated interventions
can both reinforce positive identification of phishing emails and reduce associated risky
behaviors. Phishing emails are increasingly difficult to spot as senders get better at portraying
themselves as legitimate. Further, while millennials rely on a number of standard clues to
catch phishing emails, they often overlook clues if the sender appears to come from a trusted
source. In online experiments, only 68% of millennials correctly identified phishing emails as
fraudulent, while 32% incorrectly identified phishing emails as legitimate. The presence of a
trustworthy sender and a realistic corporate logo were most useful in identifying legitimate
emails, while suspicious links and unknown senders clued millennials as to fraudulent emails.
Millennials that experienced real-time feedback about their skill at identifying phishing emails
and who received best practice phishing “strategies” from avatars improved their ability to
identify suspicious emails from low- and medium-trust senders. Millennials, however,
consistently overlooked standard clues in phishing emails from high-trust senders.
Risky behaviors regarding password creation and use were also reduced after online
interventions. Two types of interventions were tested. The first intervention provided real-time
feedback about password “strength” while the second intervention supplemented feedback
about password strength with a password “strategy” that encoded best practices for password
creation—both delivered by a personalized avatar. The strategy offered guidelines for creating
passwords that are long and complex and that repeat patterns in a memorable way for use
on different devices. The password is a “front door” into an organization’s accumulated
confidential and competitive information. However, self-reported and observed password
behaviors confirmed that millennials fail to use best practices in managing their passwords,
thereby putting the organizations where they work and study at risk. Both interventions
achieved reductions in risky behaviors related to password strength, suggesting that
awareness and behavioral training programs that integrate real-time, online interactions with
students about their cyber behaviors are worth further experimentation and development.
Statement of Problem
Millennials are reported to prize freedom and innovation over security and stability and,
thus, may expose businesses to cyber vulnerabilities—especially small and medium-sized
enterprises that do not have the resources to adequately protect against unsafe technology
use by millennials. The workplace attitudes and behaviors of the millennials have been the
focus of several high-profile surveys in the last several years. These surveys, combined with
anecdotes, have reinforced stereotypes of risky behavior in a number of domains including
cyberspace. The Millennial Cybersecurity Project¹ conducted a set of experiments to
determine the effectiveness of interventions such as the use of avatars and other digital (self)
representations for message personalization, real-time digital feedback about observed risky
behaviors, and messaging of policies and best practices in formats and language that are
more aligned with how millennials communicate with others and experience the world. The
project’s underlying premise is that cybersecurity awareness initiatives for millennials might be
improved when messaging is accomplished digitally and in formats consistent with digital
devices such as personal computers, cell phones, and mobile devices rather than more
traditional media such as paper handouts and face-to-face communications and lectures. To
test this premise the Millennial Cybersecurity Project conducted three studies to determine: 1)
millennial awareness of and self-reported behavior regarding policies and best practices of
cyber behavior; 2) millennial baseline performance regarding risky behaviors in cyberspace
related to organizational policy; and 3) post-intervention reductions in risky behaviors after
technology-mediated interventions that raise awareness about observed specific risky
behaviors and inform about best practices. The goal of the Millennial Cybersecurity Project is
to provide insights into millennial behaviors and possible tools for behavior modification so as
to better inform awareness training practices, improve millennial adherence to cybersecurity
policies, and reduce risky behaviors in cyberspace.
Background
Born after 1980 and the first generation to come of age in the new millennium, millennials
are the first “always connected” generation [1, 2, 22]. Growing up in the age of digital
technology and social media, they treat their multi-tasking hand-held gadgets like a body part.
For millennials, technology provides a new ecosystem for their social lives that increasingly
merges with their work lives. Technology-mediated messaging—from emails to product
advertisements—is becoming the dominant mode of communication with this generation. At
the same time millennials have a greater degree of trust in the virtual world that is not shared
by older generations—especially the baby boomers. For many millennials, this increasing trust
of technology and feelings of security in the virtual world have led to a dissolution of
conventional boundaries between private and public and a tendency to overlook risks
associated with technology use [10, 11].
¹ The URL address for the website is: http://cybersafe.unc.edu
New cyber threats resulting from risky behaviors by millennials are the result of the
convergence of three trends. First, the millennials’ workplace is no longer defined by the four
walls of their organization. Rather millennials make less of a distinction between work and
play—working on the road, at home, and even on vacation. Second, technology has moved
from hard-wired systems to wireless mobile technologies including smartphones, notebooks,
and iPads (among others) for work-related tasks. In addition, collaboration is the dominant
mode of work and play using social networking, online chats, and other technologies. These
factors, combined with millennials’ indiscriminate use of these technologies, expose
businesses to new and greater vulnerabilities. Several points can be made:
1. Lack of Awareness of Organizational Cybersecurity Policies
In a 2010 survey of millennials by Accenture, only 40 percent reported that their employers
have published detailed policies related to posting work or client information on public web sites.
Further, only 34 percent of millennials said they were aware of their company's cybersecurity
policy. Approximately 31 percent of millennials said they don’t know if their company has such
a policy, 17 percent said their employer hasn’t published such a policy, 6 percent said that
whatever policy their company has published is too complex to understand, and 6 percent said
they will post work or client information on public sites regardless of any policy, at least when
communicating with colleagues [2].
2. Limited Adherence to Organizational Cybersecurity Policies
Studies have also shown that millennials routinely bypass corporate approvals and policies
when using various devices and technologies. Similar proportions of millennials report that they
have accessed online collaborative tools (75 percent) and online applications (71 percent) from
free public websites when those technologies were not available at work or did not meet their
expectations. Approximately 45 percent of millennials use social networking web sites at work,
regardless of whether their organization or company prohibits their use [20].
3. Need for New Approaches that Build Awareness of Risky Cyber Behaviors
Organizations from the White House² and large multinationals to SMEs and non-profit
organizations are searching for strategies to accommodate millennial attitudes toward
technology and cybersecurity, and to reconcile these attitudes with need for enterprise security,
data privacy, and regulatory compliance [4, 6, 12, 13, 16, 21, 27]. The university, and in
particular the Kenan-Flagler Business School, offers an excellent microcosm of the millennial
generation. Kenan-Flagler students will become employers and managers in a range of
companies and industries. These students can be expected to be aware of organizational
perspectives towards cybersecurity, yet many of them demonstrate the risky generational
behaviors that create vulnerabilities in an organization’s cyber environment.
² In October 2011, the White House held many events and activities along with federal, state, and local
government, the private sector, and international partners as part of National Cybersecurity Month.
Risky behavior permeates almost all human activity. When asked to compare the level of
risk between various alternatives, evidence shows that people’s choices are based on their
knowledge of the threat and how they feel about it, i.e. their level of anxiety, concern, or fear.
Risk assessment by experts is based on objective information about a threat to a given
subject, knowledge of the level of exposure of the subject, and estimation of the probability that
the subject will be impacted by the adverse outcome of the threat. To calculate risk, experts
utilize measurable norms vetted by other professionals and their representative associations.
General public perceptions are commonly subjective and may not match experts’ views, being
guided by personal experiences, circumstances and, like experts, highly influenced by the
standards of their groups of peers. Studies have shown that millennials are “risk seekers,” e.g.
enjoying extreme sports, while older people tend to be risk averse.
The challenge for organizations is to turn millennial affinity for technology into new tools to
build awareness of cybersecurity vulnerabilities and to modify behavior so as to reduce those
vulnerabilities [27]. The contributions of this project are multiple. First, the results of this study
confirmed that millennials engage in risky cyber behaviors in the workplace (i.e. university),
thereby validating previously self-reported survey results. Further technology-mediated
interventions were shown by experiment to be effective in reducing risky behaviors, suggesting
opportunities for new tools for behavior modification in cyberspace. Based on the results of
the Millennial Cybersecurity Project, employment screening could be tailored to include
measures of risky behavior that eliminate inappropriate employment candidates, or to select
candidates whose behaviors are more easily modified within the workplace.
Conceptual Approach
The Millennial Cybersecurity Project explores the premise that the best way to
communicate with millennials is to use the language of technology [8, 20, 23, 25]. We address
the broad question as to whether digitally encoded and delivered interventions that target risky
behaviors by millennials are more effective in reducing risky behavior than traditional classroom
approaches that include printed informational materials and even traditional emails. These
questions are important since cybersecurity policies today tend to be delivered by
“baby-boomer” managers and professors using methods that may not be as effective communication
vehicles for millennials.
Our conceptual model is provided in Figure 1. The model suggests that each millennial
can be associated with a baseline level of awareness of and adherence to organizational
policies about cybersecurity, and that this awareness is associated with a set of baseline
behaviors. Our premise is that an intervention, delivered digitally and in real time, can raise the
awareness of and adherence to best practice policies regarding cyber behavior and thereby
reduce future risky behaviors in cyberspace concerning password generation and phishing
emails.
Figure 1. Millennial Cybersecurity Project Conceptual Model
We explore three specific modes of technology-mediated interaction with millennials to
reduce risky behavior. These interactions are combined to create customized “interventions”
associated with password and phishing email behavior. The three digital interactions are:
1) Avatars and Digital (Self) Representations. The effectiveness of avatars and other
digital (self) representation technologies has been the focus of a new stream of
research to modify personal behavior [5, 18]. In virtual environments an avatar is
defined as “a perceptible digital representation whose behaviors reflect those executed,
typically in real time, by a specific human being” [3]. The theory is that in the anonymity
of the online environment, people are de-individuated and will adhere to a new identity
that is inferred from avatars, in many cases from their own avatars. The phenomenon
in which people infer their expected behaviors and attitudes from observing their
avatar’s appearance is known as the Proteus Effect after the Greek god who could
change shape. This phenomenon, first described by researchers at Stanford University,
occurs when a subject transfers expectations or understanding of their avatar’s
behavior to their own real-world behavior [29] and has been documented in
experiments elsewhere [7, 14, 19, 26, 29, 30].
2) Digital Messaging. The emergence of the digital environment and new technologies
for interpersonal interactions within that environment has changed how people
communicate with one another—not only the way they shape information into
“messages” but also the frequency of communications and the mode of communication
according to device. We refer to digital “messaging” as a (usually) short communication
transmitted by words, signals, or other graphical means from one person or group to
another in a digital format that can include graphical representations of concepts and
ideas. The digital messaging trend among millennials is towards shorter, more
frequent, and more interactive communications where the messages can be parsed
quickly and easily. In the digital world, an emphasis on “short” and “simple” is
increasingly dictated by the device—long texts are reduced to phrases and graphics to
convey both factual information and emotion. Tweets, for example, cannot exceed 140
characters. And millennials are frequent users of emoticons—the abbreviated smiley
and other faces by which they alert a responder to the tenor or temper of a statement.
3) Real-Time Performance Feedback. Modification of personal behavior through
feedback of performance is well-documented in the academic literature and, while there
are exceptions, most studies confirm a positive relationship between feedback and
improved performance. In the typical classroom, for example, personal feedback from
the teacher or professor has been shown to reduce disruptive behavior in elementary
school children and to improve academic performance. New digital
technologies have broadened the potential for online feedback as a tool for enhanced
learning and real-time feedback of performance has been explored in a number of
domains from athletics [15] to business [17] to medicine [24].
The Millennial Cybersecurity Project addresses three research questions, each of which is
discussed in the pages which follow:
1) Our model suggests that each millennial can be associated with a baseline level of
awareness of and adherence to an organization’s policies about cybersecurity.
Specifically, how aware are millennials at the Kenan-Flagler Business School of
university policies regarding cybersecurity and what is their self-reported level of
behavior regarding these policies?
2) While there have been many studies of millennials as to their behaviors and attitudes
toward cybersecurity [1, 2, 22], there have been few that validate these self-reports with
empirical evidence of risky behaviors. Specifically, what are the baseline cybersecurity
behaviors of Kenan-Flagler millennials regarding password generation and phishing
emails and do they align with self-reported behaviors?
3) The success of approaches to modify risky behavior in cyberspace depends on how
and whether the information is encoded and delivered (i.e. “messaged”) in a digital
format that is more aligned with how millennials consume and create information.
Specifically, can risky behavior regarding password generation and phishing emails by
Kenan-Flagler millennials be reduced by interventions that are delivered online and in
real time—and that include one or more of the above technology-mediated digital
interactions?
Methods and Results
Experiment 1: Understanding Millennial Attitudes about Cybersecurity
To establish the level of awareness about cybersecurity threats and behaviors of UNC’s
Kenan-Flagler millennial students, a baseline survey was used to gather data about students’
attitudes toward UNC’s Information Security Policies and cybersecurity in general. The
surveys collected three categories of questions: 1) descriptive information about the
respondent; 2) self-reported conformance with seven UNC cybersecurity policies shown in
Table 1; and 3) self-reported problems resulting from potentially risky behavior in cyberspace.
Surveys were collected during three different student events in August 2011 shown below:
Kenan-Flagler BSBA Orientation. Full day orientation event for incoming BSBA junior students
to the Kenan-Flagler Business School on August 20, 2011.
Kenan-Flagler MBA Welcome Reception. Welcome Reception for incoming MBA students
and Master of Accounting students to the Kenan-Flagler Business School on August 23, 2011.
Kenan-Flagler ITS Laptop Cleanup Day. Bimonthly event on August 25, 2011 where all
Kenan-Flagler students learn about cybersecurity.
Table 1. UNC Cybersecurity Policies³
Collection Method    UNC Policy
Email                Phishing links/attachment
Email                Phishing for personal info
Online               Social Engineering
Online               Password generation
Daemon               OS critical updates
Daemon               Antivirus updates
Daemon               Firewall status
A total of 189 anonymous surveys were collected, of which 134 were from millennials and
49 from non-millennial students and staff.⁴ The baseline survey showed that UNC millennials:
1) lack a comprehensive and consistent methodology for password usage; 2) have difficulty
identifying emails with social engineering attacks such as phishing and scam emails; and 3)
show a general lack of awareness of certain best practices necessary to assure a safe
experience in cyberspace. Figure 2 shows the reported frequency by gender and age group of
selected risky behaviors and behaviors related to password usage. Figure 3 illustrates the
distribution by gender of 1) self-reported cybersecurity behaviors related to UNC policies, and
2) self-reported negative experiences related to risky behaviors.
³ The initial project scope included all seven policies. However, based on limitations at UNC regarding privacy
and the loading of daemon software on students’ laptops, the revised scope includes only the first four policy
categories (phishing emails and password generation/social engineering).
⁴ Six participants did not provide their age group and were excluded from the sample.
Figure 2. Distribution of Some Risky Cyber Behaviors by Age Group and Gender
Figure 3. Cybersecurity Behaviors and Experiences Self-Reported on Surveys
Specific observations include:
Policies Regarding Firewalls, Antivirus, and OS Updates. Survey results indicate that a
majority of millennials comply with UNC policies regarding Firewalls, Antivirus, and OS
Updates, but that there are some differences between genders for some behaviors:
a) Majority report use of antivirus and automatic updates (86% for males and 76% for
females);
b) Majority report automatic update of operating system (81% for males and 71% for
females). Approximately 40% of males reported also performing manual updates
versus only 19% of females.
c) Majority report active firewall in use (74% for males and 57% for females); however,
35% of females didn’t know if their computer had a firewall compared with only 15% of
males.
Password Behaviors. Millennials reported inconsistent behavior regarding password use—
specifically the use of the same password for some computers or systems and different
passwords for others. These conflicting behaviors suggest that students may lack awareness
of best practices regarding password use across technologies/systems. Females, in particular,
may engage in more risky behavior than males when choosing passwords due to lack of
awareness of best practices:
a) Approximately 76% of males reported using the same password on some of their
computer systems and different passwords on other computers compared with 89%
for females;
b) Approximately 36% of males reported using the same password on all their systems
compared with 30% reported by females.
c) Approximately 60% of males and females report the use of different passwords in all
their systems/technologies.
d) Given the above variability of behaviors regarding password usage, it is not
inconsistent that a majority of millennials reported forgetting passwords. Males
showed a higher incidence of forgetfulness (62%), compared with only 38% for
women.
Problems Due to Risky Behaviors. An unexpectedly large fraction of millennials reported
experiencing problems with their computers after engaging in certain online behaviors.
Differences were observed between males and females. However, it is not clear whether
these differences are due to riskier male behavior—or whether males are more knowledgeable
than females on this particular issue.
a) Approximately 32% of both males and females experienced problems after visits to
unsecure web sites;
b) Approximately 32% of males reported experiencing problems with computer virus
attacks versus 24% of females.
c) Approximately 28% of males and only 10% of women reported attacks by spyware
and malware. These results suggest that millennials may lack a clear understanding
of the difference between spyware and malware attacks, since almost exactly the
same answers were provided for the questions targeting these two problems.
d) A small number of students reported problems with social engineering websites after
providing personal information (9% of males and 6% of females). Even though these
are small numbers, they may have significant impact on an organization’s vulnerability
since a network is only as strong as its weakest link.
e) Approximately equal numbers of males and females reported problems after receiving
illegitimate emails, i.e. phishing email or email scam (21% for females and 17% for
males).
The results of the baseline survey indicate that millennials are aware of best practices
about how to protect one’s system through the use of firewall, antivirus and operating system
updates. However, results suggest that millennials are not as knowledgeable regarding the
dangers of inadequate password usage or risky practices in cyberspace that can create
vulnerabilities, for example phishing emails. Reported behaviors suggest that male millennials
are somewhat more knowledgeable than female millennials. However, males also appear to
experience more problems due, perhaps, to higher engagement in riskier online behaviors
than their female counterparts.
Experiment 2: Determining Baseline Risky Behaviors in Millennials
In Experiment 2 we investigated baseline cybersecurity behaviors regarding phishing
emails and password generation, and explored whether these results confirm the self-reported
behaviors discussed in the last section.
Studies have shown that young people, including millennials, tend to be inaccurate when
self-reporting behavior. In addition, this inaccuracy may be exacerbated when there is a
negative connotation associated with the behavior reported, as is the case with risky cyber
behaviors.
Phishing Email Behaviors
Description. This experiment compared the ability of millennials and non-millennials to
identify phishing emails as fraudulent or legitimate based on the level of sophistication of the
phishing technique and the purported sender of the email—and explored which clues were
considered in the decision-making process. We explore, first, the premise that observed
behavior regarding phishing emails is determined by how skilled millennials are in identifying
clues that determine fraudulence. Second, we explore whether the level of ascribed trust in an
email sender is directly related to the likelihood that a millennial will open a phishing email.
Millennials may perceive potentially fraudulent emails from people and organizations to which
they have strong social connections such as Facebook and LinkedIn as more trustworthy than
similar emails from “arms-length” organizations. That is, millennials will tend to overlook clues
of fraudulence and ascribe more trust to an email when it is believed to come from a source
such as Facebook or LinkedIn.
Experimental Design. A web-based experiment was designed, developed,[5] and
implemented for a sample of more than 100 millennial (undergraduate and MBA) students and
staff at the Kenan-Flagler Business School. The purpose of the experiment was to compare
the observed behaviors of millennials and non-millennials regarding phishing emails (opening
the emails, clicking on links and attachments, forwarding to others, and sharing of personal
information). The experiment was conducted during the Kenan-Flagler Security Day on
February 23, 2012. The usable sample was comprised of 56 millennials and 44 non-millennials (52 females and 48 males).
Study participants were shown a sequence of three screens. On the first screen,
participants were shown one of eight emails and asked to indicate whether it was fraudulent or
legitimate. Once a participant had indicated whether the email was fraudulent or legitimate, he or
she was provided with a list of clues representing commonly accepted best practices for
identifying legitimate and fraudulent emails. The participant was then asked to indicate
which of those clues, if any, helped in the decision process. The lists of clues are provided in
Table 3 below. The third screen asked participants for their millennial status (i.e. 17 or under,
18 to 31, older than 31) and gender. Each email was characterized by one of two levels of
trust (financial organization versus social network) and degree of phishing sophistication
(obvious clues versus subtle clues).
The 2-way experimental design is shown in Table 2 below.
Table 2. Experimental Design for Phishing Email Experiment
Trust Level | Email Sender | Obvious Clues | Subtle Clues
LOW TRUST (Financial Organizations) | BANK OF AMERICA | Misspellings, Incorrect Grammar, etc. | Erroneous links, Out-of-date forms, Multiple Recipients, etc.
LOW TRUST (Financial Organizations) | PAYPAL | Misspellings, Incorrect Grammar, etc. | Erroneous links, Out-of-date forms, Multiple Recipients, etc.
HIGH TRUST (Social Networks) | LINKEDIN | Misspellings, Incorrect Grammar, etc. | Erroneous links, Out-of-date forms, Multiple Recipients, etc.
HIGH TRUST (Social Networks) | FACEBOOK | Misspellings, Incorrect Grammar, etc. | Erroneous links, Out-of-date forms, Multiple Recipients, etc.
[5] Survey instruments designed and implemented using Qualtrics.
Table 3. Lists of Clues for Identifying Phishing Emails
Clues of Legitimate Email | Clues of Phishing Email
Trustworthy sender | Unknown sender
Addressed directly to me | Never dealt with this company
Presence of corporate logo | List of recipients indicates mass email
Presence of security certification padlock | List of recipients seems suspicious
Recognize embedded link addresses | Contains suspicious link
[Correct language][6] | Too many grammatical/misspelling errors
[Plausible contents][7] | Suspicious contents resemble known email scams
Results. We first comment on results for the entire sample of millennials and non-millennials based on the results in Table 4. A broad inability to identify phishing emails was
observed. Only 68% of the sample correctly identified phishing emails, versus 32% who
incorrectly indicated that phishing emails were legitimate. Emails from financial organizations were
correctly identified with slightly more skill (52%) than emails from social networks (48%).
Table 4. Results of Phishing Email Experiment Stratified by Sender Type
Trust Level | Sender | Correct Answers (%) | Incorrect Answers (%) | Total
LOW TRUST (Financial Organizations) | BANK OF AMERICA | 20 | 6 | 26
LOW TRUST (Financial Organizations) | PAYPAL | 17 | 9 | 26
HIGH TRUST (Social Networks) | FACEBOOK | 18 | 7 | 25
HIGH TRUST (Social Networks) | LINKEDIN | 13 | 10 | 23
TOTAL | | 68 | 32 | 100
The stratification of the results by gender and sender type, shown in Table 5, indicates
that of those participants correctly identifying phishing emails, females (62%) were moderately
better than males (38%) if the sender was a financial organization. Since the Kenan-Flagler
staff is mostly female—and they work on administrative tasks related to financial
documentation—these results may be skewed by their knowledge of standard norms for
financial communications. Males did comparatively better discerning social networking
phishing emails (58%) than females (42%).
[6] While noticeably incorrect language can serve as a good indicator of a phishing email, correct language is not
particularly helpful in determining the legitimacy of a message. Thus, this clue did not appear on the list of clues
presented to participants after their decision on the test email's legitimacy.
[7] Similarly, while suspicious contents should raise concerns about an email's legitimacy, plausible contents per se are
not a clear sign of an email's authenticity. For this reason, this clue was omitted from the list shown to participants.
Table 5. Results of Phishing Email Experiment Stratified by Gender and Sender Type
Gender | Sender Type | Correct Answers (%) | Incorrect Answers (%) | Totals
FEMALE | Financial Organization | 23 | 9 | 32
FEMALE | Social Network | 13 | 7 | 20
MALE | Financial Organization | 14 | 6 | 20
MALE | Social Network | 18 | 10 | 28
TOTAL | | 68 | 32 | 100
Participants relied on a range of clues to correctly identify phishing emails as fraudulent
or legitimate as shown in Figure 4. Overall, 158 clues, or reasons, were selected by
participants from the lists in Table 3 above. Interestingly, the top two reasons cited in deciding
that an email was a fake were related to recognition and/or trust of the sender and any
embedded links. This seems to indicate that if people are better trained in recognizing unsafe
links and learn to trust messages from unknown sources less, then their ability to identify
phishing emails may improve significantly.
Figure 4. Distribution of Clues Selected By Participants For Phishing Email Decision
When only millennials were included in the sample, the results were similar to the results
for the sample as a whole (i.e. both millennials and non-millennials). As shown in Table 6, for
the 66 millennials in the sample, nearly 70% correctly identified phishing emails as either
legitimate or fraudulent. The identity of the sender—financial organization or social
networking site—did not appear to affect the ability of millennials to identify phishing emails.
Table 6. Results of Phishing Email Experiment Stratified by Sender Type (Millennials)
Sender Type | Sender | Correct Answers (%) | Incorrect Answers (%) | Totals (%)
LOW TRUST (Financial Organization) | BANK OF AMERICA | 17% | 6% | 23%
LOW TRUST (Financial Organization) | PAYPAL | 17% | 11% | 27%
HIGH TRUST (Social Network) | FACEBOOK | 21% | 6% | 27%
HIGH TRUST (Social Network) | LINKEDIN | 14% | 9% | 23%
TOTAL | | 69% | 31% | 100%
Participants relied on a range of clues to correctly identify phishing emails. The results
shown in Figure 5 indicate that, while the overall range of reasons cited for correctly identifying
phishing emails is comparable to that of the entire sample, the most frequently cited reason for
incorrectly identifying a phishing email as legitimate does not follow the same pattern. For
millennials, the presence of the corporate logo on the email was the most frequently cited
reason (29%) that millennials incorrectly identified an email as legitimate; “trustworthy sender” was
the second most cited reason (26%). This choice should not come as a surprise since the
millennials participating in this study are all business students and staff from UNC's Kenan-Flagler Business School. This finding reinforces that “trust” is a crucial factor governing
people's judgment in cyberspace and indicates that behavior modification based on “trust”
should be differentiated based on the target group profile.
Figure 5. Distribution of Clues Selected By Millennials For Phishing Email Decision
Password Generation Behaviors
Description. A second online experiment was designed, developed,[8] and implemented to
determine a baseline of observed behaviors regarding password generation (password length,
complexity, memorability, customization, and re-use on different systems). The experiment
assessed participants' ability to create new passwords during “online” visits to two websites—
one a UNC web site and the other a retail website. This password generation baseline
experiment consisted of 112 millennial (undergraduate, MBA, and MAC) students and non-millennial staff at the Kenan-Flagler Business School.
Results. Results were analyzed with respect to password length, complexity, and
repeated use of same “string” in both passwords—including entering the same password
twice.
a. Password Length Results
The mandatory minimal password length for all users of the Kenan-Flagler computer
network is 8 characters. Therefore, it was expected that, due to habit, the millennials would
have passwords 8 or more characters long. Thus, it was not surprising that the mean length
computed for both Password 1 and Password 2 was 10 characters. Figure 6 provides the
distribution of the length of Password 1 and Password 2 which serves as the baseline for our
subsequent experiment on modification of risky password behavior. Note that a few outliers
appear in this distribution, i.e. passwords more than 15 characters long. Although very long
passwords are useful for high security systems, i.e. common practice for routers’ passwords is
26 characters long, it is not clear why a student would use such a long password for this
experiment, except for “beating the system” and to receive the maximum score.
b. Password Complexity Results
Besides mandating passwords at least 8 characters long, Kenan-Flagler passwords must
meet the standard minimum requirements for “traditional” passwords and contain at least one
of each of these sets of characters: lowercase letters, uppercase letters, digits, and special
symbols. The strength of a password can be measured based on the combination of use of
these characters by a password meter algorithm. A password meter takes into account not
only which types of characters are used to form a password, but also the sequence in which
they appear and the length of the password to compute a password complexity score—a
measure of the password's strength. Following the minimum guidelines does not provide a
guarantee that the password generated will have a high complexity score but ensures a certain
level of protection. It was interesting to verify whether participants' password complexity
behavior would be influenced by the practices mandated by UNC, as it had happened for the
password length behavior—and whether these practices would help them generate passwords
with high complexity scores.
[8] Customized software and website were developed in-house using Java and PHP technologies.
Figure 6. Distribution of Baseline Password Length Behavior (histogram of frequency count versus password length, 6 to 31 characters, for Password 1 and Password 2)
The distribution of the complexity scores for the baseline Password 1 and Password 2 is
presented in Figure 7. The mean computed for the password complexity scores obtained in
this experiment was 60, which serves as the breakpoint between a “good” and “strong”
password on the password meter program used in this experiment. Overall, the baseline
distribution shows that password complexity behavior for a large number of Kenan-Flagler
millennials is acceptable.
c. Password Repeated Use Results
To better protect an individual's multiple computer accounts and to avoid compromising
all accounts simultaneously, security experts recommend that users generate different
passwords for different systems. This is one of the UNC information security policies
considered in this study. Risky behavior associated with repeated use of a single password in
more than one system was tested by comparing Password 1 and Password 2. We found that
36 students, or 32% of the sample, entered the same password for the two different websites
they were shown. All those who did not repeat the password were millennials, of which two-thirds were males and one-third were female. Regarding affiliation, 61% of those who
repeated passwords were MBA students, 19% BSBA students, 6% MAC students, 8%
indicated no affiliation to Kenan-Flagler, and 6% were staff.
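To make the checks in sections b and c concrete, the following added example (not the study's in-house Java/PHP software) enforces the stated Kenan-Flagler minimum policy, scores a password with a hypothetical meter that weighs character classes, their arrangement and length, and flags repeated use between the two passwords a participant entered. The scoring weights, the use of 60 as the rating cut, and the six-character shared-string threshold are assumptions for illustration, not the meter the report used.

```python
"""Password policy check, illustrative complexity meter, and repeated-use check.

Added example; not the in-house Java/PHP software used in the study. The
minimum policy is the Kenan-Flagler requirement the report states (8+
characters, one each of lowercase, uppercase, digit, special symbol). The
scoring scheme is a HYPOTHETICAL meter of the kind the report describes
(character classes, their sequence, and length), not the program the
authors used; 60 is borrowed as the good/strong breakpoint only so that
results read against the report's scale.
"""
import string

MIN_LENGTH = 8
GOOD_STRONG_BREAKPOINT = 60  # the report's breakpoint between "good" and "strong"

CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(password: str) -> set:
    """Names of the mandated character classes that appear in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def meets_minimum_policy(password: str) -> bool:
    """True when the stated minimum (length >= 8 and all four classes) is met."""
    return len(password) >= MIN_LENGTH and len(classes_used(password)) == 4


def _run_penalty(password: str) -> int:
    """5 points per window of three repeated (aaa) or consecutive (abc, 321) chars."""
    penalty = 0
    for i in range(2, len(password)):
        a, b, c = (ord(ch) for ch in password[i - 2:i + 1])
        if a == b == c or (b - a == 1 and c - b == 1) or (a - b == 1 and b - c == 1):
            penalty += 5
    return penalty


def _trailing_class_penalty(password: str) -> int:
    """10 points when every digit and symbol is tacked on at the end ("Password1!"),
    the predictable arrangement that satisfies a class rule without adding much."""
    non_alpha = [i for i, ch in enumerate(password) if not ch.isalpha()]
    trailing = list(range(len(password) - len(non_alpha), len(password)))
    return 10 if 0 < len(non_alpha) < len(password) and non_alpha == trailing else 0


def complexity_score(password: str) -> int:
    """Hypothetical 0-100 score: 3 per character, 10 per extra class, minus penalties."""
    score = 3 * len(password) + 10 * max(0, len(classes_used(password)) - 1)
    score -= _run_penalty(password) + _trailing_class_penalty(password)
    return max(0, min(100, score))


def longest_common_substring(a: str, b: str) -> str:
    """Longest run of characters shared by two passwords (dynamic programming)."""
    best_end = best_len = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def reuses_password(password1: str, password2: str, min_shared: int = 6) -> bool:
    """Repeated use: identical passwords, or a shared string of min_shared+ characters
    (the threshold is an assumption; the report does not state one)."""
    if password1 == password2:
        return True
    return len(longest_common_substring(password1, password2)) >= min_shared


def evaluate_pair(password1: str, password2: str) -> dict:
    """Assess the two passwords a participant entered for the two websites."""
    report = {}
    for label, pw in (("password1", password1), ("password2", password2)):
        score = complexity_score(pw)
        report[label] = {
            "meets_policy": meets_minimum_policy(pw),
            "score": score,
            "rating": "strong" if score >= GOOD_STRONG_BREAKPOINT else "good or weaker",
        }
    report["repeated_use"] = reuses_password(password1, password2)
    return report


if __name__ == "__main__":
    # Constructed sample pairs, not participant data from the study.
    samples = [
        ("Password1!", "Password1!"),             # policy-compliant yet weak, reused verbatim
        ("abc12345", "Tarheel2012#"),             # fails the policy; unrelated second password
        ("x7#Kfbs-Chapel!Hill", "Tarheel2012!"),  # strong first password, varied second
    ]
    for p1, p2 in samples:
        print(p1, "/", p2, "->", evaluate_pair(p1, p2))
```

The first sample pair shows the report's point that a policy-compliant password can still score below the good/strong breakpoint, and that a verbatim repeat is caught even when each password passes the policy.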
Figure 7. Distribution of Baseline Password Complexity Behavior (histogram of frequency count by password complexity score, in bins of 10 from 0 to 100, for Password 1 and Password 2)
Experiment 3: Modifying Risky Behavior in Millennials
In Experiment 3 we explore the effectiveness of digitally-mediated interventions in
modifying risky behavior by millennials regarding password generation and phishing emails.
For each behavior an “intervention” was designed that fuses digital messaging of a
“strategy”—to include the use of an avatar for personalized delivery as appropriate—and
feedback to the millennial about the riskiness of his or her observed behaviors.
Modifying Risky Behavior in Phishing Emails
Description. An intervention experiment was designed, developed,[9] and implemented to
test millennials' ability to recognize phishing emails and to improve their behavior appropriately
(do not open the email, do not open any attachments, do not send any personal information). The
goal of the intervention was to modify risky behavior by reinforcing a “safe” strategy for
recognizing and handling phishing emails from suspicious sources. As shown in Figure 8, the
phishing strategy is comprised of a set of features or clues and appropriate actions to take if
the email is suspected to be phishing—accompanied by an avatar to personalize the
messaging.
[9] Surveys were developed in Qualtrics.
Figure 8. Example of Avatar-Based Phishing Email Strategy Email
Actions correspond to accepted best practices. For example, some clues (fishy
subject, suspicious sender, etc.) should be examined before opening an email; others can be
examined only after opening it (suspicious links, etc.). The intervention consists of a
personalized reinforcement for correct responses and personalized remedial reinforcement for
incorrect responses—in each case the intervention is accompanied by a “messaging” of the
phishing strategy.
Reinforcement emails are personalized according to the behavior of the millennial. For
example, if the millennial did not open the phishing email, a positive reinforcement for “correct”
behavior was sent; if the millennial opened the phishing email and clicked on a bad link, a
reinforcement email for “incorrect” behavior was sent alerting the millennial that he or she had
been observed opening a phishing email and clicking on a suspicious link. Examples of
reinforcement emails for correct and incorrect behavior are provided in Figure 9. The
reinforcement email at the top of Figure 9 was sent to a millennial who incorrectly opened a
phishing email and clicked on a link; the reinforcement email in the middle was sent to a
millennial who opened the phishing email but did not click on the bad link; the reinforcement
email at the bottom was sent to a millennial who neither opened nor clicked.
Experimental Design. This 2-way experiment explored whether millennials are more
likely to open phishing emails from senders with a higher trust level and whether they can
discern a sophisticated phishing email with subtle clues such as erroneous links, out-of-date
forms, and suspicious attachments from phishing emails with obvious clues such as
misspellings, requests for personal information, multiple recipients, and incorrect grammar.
We were also interested in knowing whether millennials are more inclined to overlook clues if
the source of the email “appears” to come from a “high-trust” sender. For example, a low-trust
sender would be an organization that does not have any personal connection to the millennial
and may not even be an organization that is familiar to the individual. Examples might be a
recognized scam-type email from a source in Nigeria or some other source of dubious
heritage. A high-trust email would “appear” to come from a sender with whom the recipient is
familiar or with whom the recipient has exchanged emails in the past. Examples might be
Facebook, LinkedIn, or even UNC.
Table 7 provides an overview of the experimental design and the types of emails
according to trust level. Over the course of three weeks, students were sent a series of six
phishing emails, two for each of three levels of trust. Emails contained several types of clues
as to whether they were indeed phishing emails, as described above. In addition, to test
response to “social engineering” attacks some emails requested that students provide personal
information in return for a service, reward, information, etc. Sample emails for low, medium
and high trust are provided in Appendix A to this document.
Figure 9. Example of Avatar “Positive” Reinforcement Email
Table 7. Experimental Design for Phishing Email Experiment
Trust Level | Delivery Order | Email Sender and Description | Intervention Group | Control Group
LOW TRUST | 1 | NACHA – The Electronic Payments Association | Intervention and Reinforcement | No Email
LOW TRUST | 2 | American Bankers Association (ABA) | Intervention and Reinforcement | No Email
MEDIUM TRUST | 3 | NC QUICK PASS | Intervention and Reinforcement | No Email
MEDIUM TRUST | 4 | Free Tickets from Chapel Hill Cinema Grill | Intervention and Reinforcement | No Email
HIGH TRUST | 5 | Triangle Carolina Mornings | No Email | No Email
HIGH TRUST | 6 | Free Tickets from UNC Athletics Association | No Email | No Email
The experiment included a control group and an intervention group. The control group
received a text email describing the standard policies regarding acceptable online behavior
from the Kenan-Flagler IT department, but did not receive any “messaging” of the phishing
strategy or any personalized avatar-based reinforcement interventions in response to their
behavior. The intervention group received reinforcement interventions as described above and
shown in Figure 9, as well as an avatar-delivered strategy “message” as shown in Figure
8. The reinforcement email was personalized to their observed level of performance. People
that did not open a phishing email were given positive reinforcement congratulating them on
correct behavior, while people who opened a phishing email were alerted to their incorrect
behavior.
Results. Table 8 summarizes the results of intervention on observed phishing behavior
during the first 24 hours after the test phishing emails were sent. Student responses were
automatically tracked through subscription to a third-party email tracking service. For each
phishing email, Table 8 reports several metrics (i.e. number of times the email was read,
whether it was forwarded to others, whether links or attachments were clicked, and whether
unsolicited and solicited replies were sent from students). A total of 63 millennials participated
in this experiment divided between the “intervention” group that received interventions and the
“control” group that received no intervention.
Table 8. Results of Phishing Email Experiment (First 24 Hours after Delivery)
FIRST EXPERIMENT (LOW TRUST): NACHA – The Electronic Payments Association
Type | Intervention Group | Control Group | Tracking Statistics
Read email | 78.6% | 67.3% | #Email read: 120
Forwarded | 28.6% | 28.6% | #Forwarded: 22
Clicked link1 | 50.0% | 34.7% | #Links clicked: 71
Clicked link2 | 28.6% | 12.2% |
Unsolicited email | 7.1% | 4.1% | #Unsolicited email: 4
SECOND EXPERIMENT (LOW TRUST): American Bankers Association (ABA)
Type | Intervention Group | Control Group | Tracking Statistics
Read email | 50% | 38.8% | #Email read: 33
Forwarded | 0% | 6.1% | #Forwarded: 3
Clicked link1 | 0% | 0% | #Links clicked: 0
Clicked link2 | 0% | 0% |
Solicited email back | 0% | 0% | #Emailed back: 0
THIRD EXPERIMENT (MEDIUM TRUST): NC QUICK PASS
Type | Intervention Group | Control Group | Tracking Statistics
Read email | 28.6% | 61.2% | #Email read: 61
Forwarded | 0% | 12.2% | #Forwarded: 6
Clicked link1 | 0% | 0% | #Links clicked: 3
Clicked link2 | 0% | 6.1% |
Clicked attachment | 0% | 20.4% | #Clicked attachment: 10
Unsolicited email | 0% | 0% | #Unsolicited email: 0
FOURTH EXPERIMENT (MEDIUM TRUST): Chapel Hill Cinema Grill
Type | Intervention Group | Control Group | Tracking Statistics
Read email | 28.6% | 55.1% | #Email read: 46
Forwarded | 7.1% | 6.1% | #Forwarded: 4
Solicited email back | 0% | 2.0% | #Solicited email back: 1
FIFTH EXPERIMENT (HIGH TRUST): Triangle Carolina Mornings
Type | Intervention Group | Control Group | Tracking Statistics
Read email | 57.1% | 51.0% | #Email read: 60
Forwarded | 14.3% | 2.0% | #Forwarded: 3
Clicked link1 | 7.1% | 0% | #Links clicked: 6
Clicked link2 | 7.1% | 4.1% |
Clicked attachment | 14.3% | 0% | #Clicked attachment: 2
Unsolicited email | 7.1% | 0% | #Unsolicited email: 1
SIXTH EXPERIMENT (HIGH TRUST): UNC Athletics Department
Type | Intervention Group | Control Group | Tracking Statistics
Read email | 78.6% | 75.5% | #Email read: 107
Forwarded | 28.6% | 16.3% | #Forwarded: 12
Clicked link | 0% | 6.1% | #Links clicked: 5
Clicked attachment | 0% | 10.2% | #Clicked attachment: 5
Solicited email back | 0% | 6.1% | #Emailed back: 3
Initial inspection of the results suggests that the intervention had a quantitative and
positive effect in modifying millennials’ behavior upon receiving phishing emails. The rate at
which each of the phishing emails was opened for both the intervention and control groups is
shown in Figure 10. The read rate is computed as the number of times the phishing email
was opened/read by each group during the first 24 hours after each email was delivered. To
better understand the observed behaviors, we focus on three behaviors corresponding to low,
medium and high trust behavior indicated by the arrows in Figure 10:
Figure 10. Experimental Results of Intervention for Phishing Email Behavior
a. Low-Trust Phishing Emails
An overwhelmingly large—and worrisome—fraction of both the intervention (80%) and
control groups (70%) opened and read the first phishing email from NACHA—The Electronic
Payments Association—a presumably unknown sender.[10] The email, which reported a
problem with a recent payment, contained a number of clues that should have alerted
millennials that it was a fake. Once opened, millennials recognized the email as phishing when
they repeatedly received a “SERVER NOT FOUND” error message after clicking on links
embedded in the email. Many millennials contacted Kenan-Flagler IT HelpDesk staff with
questions about phishing and virus infection, and requests for computer “clean-up”. The large
response to the email was unanticipated, as was the response in alerting IT. The IT staff was
instructed to “play along” and not to disclose that this email was part of an experiment. They
provided feedback to students' enquiries following standard departmental procedures. Several
millennials replied to the phishing email asking for further information regarding their “rejected
transaction”. Although the Millennial Cybersecurity Project was heavily publicized to Kenan-Flagler students, staff, and faculty during the campaign to solicit volunteers, among all 63
participants of this experiment only one millennial speculated that this first phishing email was
part of the study and contacted IT Helpdesk to confirm this hypothesis.
[10] We assume that the sender is not well known by millennials because, although NACHA is a real organization, it
is fairly obscure to the general public.
An intervention consisting of a reinforcement email encoding the “safe” phishing strategy
and a personalized message was sent to the intervention group 24 hours after the phishing
email was delivered and before the delivery of the second phishing email from the American
Bankers Association (ABA). Although no intervention was sent to the control group, we
observed a pronounced reduction (almost 30% for both groups) in the number of instances in
which the second phishing email was opened and read, as well as a sharp drop in other risky
behaviors. We hypothesize that more than one factor may have contributed to this observation.
First, the control group may have reduced their risky behavior due to the fact that this email
repeated the “financial” theme of the first email. This may have increased the suspicions of
millennials, who then decided not to open or explore the email further. Second, as can be
seen in the example emails provided in Appendix A, this phishing email is distinguished from
the first email in that it contains a request for personal information from the recipient—a well
known “give away” of email scams. Third, members of the control group who contacted IT Help
Desk after the first phishing email were reminded of best practices and may have acted more
cautiously immediately afterward.
b. Medium-Trust Phishing Emails
The positive impact of the intervention in reducing risky behavior can be discerned more
clearly for the medium-trust emails. The third phishing email is from NC Quick Pass, a pre-paid account used for all (unmanned) electronic toll collection in North Carolina. The service is
fairly new, having started only last year. A strong state-wide advertisement campaign was
launched to inform the public about the program and the required procedures for enrollment. All
registered drivers in the state, which include a large number of millennials in this study, can
therefore be assumed to have some knowledge of and interest in learning which roads are now
subject to toll fee collection. Thus, the response to this phishing email was expected to be
higher than that to the low-trust emails for the control group. If the intervention was effective,
we would expect the intervention group to exhibit less risky behavior. This expectation
was confirmed by the data: the increase in risky behavior occurred for the control group but not
for the intervention group. Specifically, the number of emails read by the control group
increased from 39% for the ABA email to 61% for the NC Quick Pass one, while the number of
emails read by the intervention group decreased from 50% for the ABA email to 29% for the
NC Quick Pass email. These opposing trends are seen as positive support that intervention
and reinforcement feedback are able to modify risky phishing behavior through raised
awareness of best practices. While some millennials in the intervention group still opened the
phishing email, none clicked on the embedded link or attachment. Besides opening the email,
20% of the control group still missed the clues and clicked on the “invoice” attached, while 6%
clicked on a (suspicious) link to access the NC Quick Pass website.
Low read rates persisted when the two groups were sent the fourth email from Chapel Hill
Cinema Grill. This email tried to persuade millennials to provide personal information—
promising free movie tickets to a (fictitious) local theater. A company logo was also added to
the message since results from Experiment 2 suggested that logos strengthen millennials’
level of trust and appeal to their preference for visually appealing symbols. Results showed
the same trend as the previous email. The intervention group read only 29% of emails while
the control group read 55% of the emails. One millennial from the control group provided the
sender with the requested personal information (mailing address and UNC class) in order to
receive the promised free tickets.
c. High-Trust Phishing Emails.
The high-trust emails were designed to further test whether interventions are effective in
reducing risky behaviors for emails from high-trust senders. The fifth email from fictitious
sender Triangle Carolina Mornings was designed to elicit high trust among millennial students
at UNC because it described a Kenan-Flagler student club. Recall that, in Experiment 2 we
observed that millennials were inclined to overlook usual clues when they receive an email
from a high-trust sender. Consistent with the previous four emails, the intervention group
received a reinforcement email and phishing strategy “message” 24 hours after the initial
delivery of the phishing email and prior to the delivery of the fifth phishing email.
Results indicated that intervention was only partially successful in preventing millennials
from opening the phishing email. Among the intervention group, especially, the clues with
which millennials had identified phishing emails in previous tests were overlooked. The number
of students from the intervention group who opened the email increased from 29% on the
Cinema Grill email to 57%, while the no intervention group slipped from 55% to 51%. These
results are attributed to the high level of trust associated with this phishing email (as shown in
the example provided in Appendix A, the phishing email’s subject line read Kenan-Flagler
Networking Event, which appealed to new students who had just arrived at the Business
School for the summer session). Again, one millennial sent an unsolicited reply to the sender
reporting an error when trying to open the “attached” Meeting Agenda and requesting a new
copy.
The sixth and last high-trust email was sent to millennials without any prior reinforcement.
The phishing email from UNC Athletics Department included the possibility of receiving free
tickets to UNC games—a credible and highly desired situation by millennials. We anticipated
that this email would present millennials with an irresistible offer and attract a large number of
participants into opening the email and providing the personal information requested. Of the
intervention group, the number opening the email increased from 57% to 79%. Of the control
group, the number opening the email also increased from 51% to 76%. The results obtained
were not surprising, given the attractiveness of the email, but still interesting. In addition, 6%
of the control group attempted to click on embedded links, 10% attempted to click on the
attachment, and 6% emailed back for tickets, while the intervention group presented none of
these risky behaviors. Three millennials in the control group replied to the request for personal
information while none replied in the intervention group.
We draw the following preliminary conclusions from the results observed on the risky
phishing behavior illustrated by Figure 7:
1) The level of trust of the sender of the email, as evident from the sender’s email
address and the subject of the email, is a determining factor in millennials’ decision to
open a phishing email;
2) There appears to be a limit on the effectiveness of the intervention (reinforcement and
messaging of strategy with avatars) in modifying risky cybersecurity behaviors;
3) Although limited, the results show that the combined use of a strategy and avatars
had a positive impact which seemed to have some persistent results;
4) The results are sufficiently positive to warrant a larger study aimed at verifying
whether the intervention can be improved and whether it would be as effective with
other millennials, i.e. non-business students.
Modifying Risky Behaviors in Password Creation and Use
Description. An online experiment was designed, developed and implemented to
compare the effectiveness of different interventions in modifying behaviors relative to the
creation of passwords and their use by millennials. UNC millennials know the basics of
generating a complex password but the large majority do not know strategies for creating
passwords that are easy to remember and strong (i.e. difficult to “crack”), and that can be
customized for multiple sites. This leads to risky behaviors such as writing down the
passwords on paper or choosing simple passwords and/or using the same password for
multiple sites. The goal of the experiment was to test millennials’ ability to generate passwords
that are difficult to “crack” and to develop a strategy for creating multiple passwords for multiple
uses that are both easy to remember and difficult to “crack.”
There are best practice standards for password length and complexity, but use pattern
and memorability are intertwined parameters that are more difficult to standardize. Experts
agree that using the same password everywhere is risky because, even if it is a very strong
password (long and complex), once it is ‘cracked’ the information it guards will be exposed on all
systems at once. On the other hand, using different passwords everywhere that are lengthy
and complex may produce less memorable passwords and lead to the adoption of risky
behaviors, such as writing them down to avoid forgetting them. Table 9 summarizes risky versus best
practice standards for the four parameters that are key elements of creating a strong
password.
Table 9. Risky vs. Best Practices Behaviors for Password Creation and Use
Password Cyber Behaviors
PARAMETER       RISKY PRACTICES                            BEST PRACTICES
Memorability    Lack of customization (hard to remember)   Customized (easy to remember)
Length          Short (<8 characters)                      Long (>=8 characters)
Complexity      Simple, easy to crack (<60 score)          Complex, hard to crack (>=60 score)
Use Pattern     Same everywhere                            Different everywhere
In this experiment, we develop two interventions: 1) messaging of a “safe” password
strategy; and 2) providing real-time feedback about password generation performance, as
described below:
a) Intervention 1: Real-Time Feedback. Intervention 1 comprises reinforcement
messaging that contains real-time feedback about the millennial’s password
generation performance. Millennials are provided with the complexity scores for the
passwords they generated in a tabular format. These scores are not accompanied by
a reinforcement message from an avatar. No information about password strategy is
provided. Millennials try to improve their scores without clear guideli nes as to best
practices. An example of Intervention 1 is provided in Figure 11.
b) Intervention 2: Real-Time Feedback + Password Strategy “Messaging” + Avatar.
Intervention 2 comprises a message that contains real-time performance feedback
and a “strategy” for improving password skill. This performance feedback is
accompanied by a reinforcement message from an avatar of a hacker. An example of
performance feedback message for Intervention 2 is provided in Figure 12. A
strategy is based on the concept of a “paraphrase” which has the quality of being
easier to remember than traditional (random) passwords. A paraphrase consists of the
first letter of each word in a phrase, song, poem, or sentence. When choosing a
paraphrase a person should make sure to select some phrase that can be easily
remembered but not easily associated with them by other people. For example, one
should not select as their paraphrase their favorite saying which hangs on a plaque
above their desk. Paraphrases should still meet the requirements for traditional
passwords, including being 8 to 26 characters in length and including at least one
character from at least three of the following sets: lowercase letters: a-z, uppercase
letters: A-Z, digits: 0-9, and special symbols: ? . , _ - % + = $ !. As shown in Figure 13,
the strategy developed for this experiment entails the following four “steps”: 1) choose
a password base (c.f. the first line of a memorable song); 2) make it longer (c.f. add
the next line or repeat); 3) make it more complex (c.f. add numbers and special
characters); and 4) customize for different sites. This strategy is delivered by an
avatar. The use of the cyberwoman and hacker avatars attempts to convey to
millennials the subliminal message of “good behavior” and “bad/risky behavior” by
associating the cyberwoman with the password strategy that conforms with the best
practices for password creation, while linking the hacker with the feedback message about
how risky it is to use weak passwords, as the hacker is actively seeking to find easy
passwords to “crack”. The strategy is delivered in real-time using a sequence of
animated screens corresponding to each strategy step. Figure 14 illustrates the
animated strategy messaging.
Figure 11. Performance Feedback for Intervention 1
Figure 12. Intervention Feedback for Intervention 2
Figure 13. Example of Password Strategy “Messaging” with Avatar
Figure 14. Example of Animated Strategy “Messaging”
Experimental Design. The high-level experimental design is provided on Table 10. The
sample included 112 millennials; 54 received Intervention 1 and 58 received Intervention 2.
Millennials log on to an experimental web site comprised of a series of screens. The first
screen requests demographic information such as age (i.e. 17 or under, 18 to 31, older than
31) and gender. The next two screens ask millennials to provide passwords for each of the
web sites shown in Table 10. After creating passwords for the first two websites to determine
baseline performance, students are shown an intervention. Password experiments are online
so the intervention can be provided “on the fly”, or instantaneously as the person goes through
the experiment. The different groups receive different reinforcement messages. One half of
the group received Intervention 1 or real-time performance feedback of complexity scores; the
other half received Intervention 2 or real-time reporting of scores delivered by an avatar
followed by the strategy messaging.
Table 10. Overview of Experimental Design for Password Experiment
                               TYPE OF EXPERIMENT
PHASE                          INTERVENTION 1                    INTERVENTION 2
DEMOGRAPHICS ASSESSMENT        Log-On                            Log-On
                               Personal Demographics             Personal Demographics
BASELINE PASSWORD ASSESSMENT   First Website:                    First Website:
                               UNC Alumni Association            UNC Alumni Association
                               Second Website:                   Second Website:
                               ASDA Online Shopping Site         ASDA Online Shopping Site
                               Real-Time Performance Feedback    Real-Time Performance Feedback
                                                                 With Strategy+Avatar
PASSWORD STRATEGY FOR          Third Website:                    Third Website:
MULTIPLE SITES                 Great Southern Travel Site        Great Southern Travel Site
                               Fourth Website:                   Fourth Website:
                               Netflix Movie Site                Netflix Movie Site
                               Final Reporting of Scores         Final Reporting of Scores
The Intervention 1 group is shown only the complexity scores computed for their passwords.
Besides their complexity scores, the Intervention 2 group receives a customized feedback message
delivered by a “hacker avatar” to motivate the student to make a greater effort to create
stronger passwords, as well as the scores for the passwords they submitted. The following
several screens deliver the password strategy. After the scores are shown, the password
strategy “message” provides instructions to create a stronger password. The millennials are
then asked to provide two more passwords, at the completion of which they are again shown
their scores and any improvements are noted. As each password is entered, it is automatically
recorded by the system for subsequent analysis according to the dimensions of the strategy
(i.e. length, complexity, repetition of strings). A sample sequence of screen shots as seen by
the millennials is provided in Appendix B.
Results. Results with respect to password length, complexity, and repeated use of same
password during the experiment are analyzed next.
a. Password Length
Both types of intervention improved millennials’ password length, with the strategy+avatar
intervention resulting in significantly more students with improved scores. A straightforward
way to measure password length improvement is to compare the average length of
pre-intervention passwords 1 and 2 against the average length of post-intervention passwords 3
and 4. Using this approach, a student is considered to have improved his/her behavior
performance with respect to password length, after being shown the intervention, if the average
length of passwords 3 and 4 is greater than the average length of passwords 1 and 2. We
found that 75% of the students in the Intervention 2 group—those whose feedback/
reinforcement message contained the strategy with avatars—improved their password
length, against only 46% of the students in the Intervention 1 group—those who only received
password complexity scoring. By the same token, a student’s behavior performance regarding
password length is considered worse if the average length of the post-intervention passwords
3 and 4 is smaller than the average length of the pre-intervention passwords 1 and 2. We
found that only 17% of students in the Intervention 2 group showed worse behavior, against 33%
of the Intervention 1 group. Some millennials recorded no change: in the Intervention 1 group, 21% of
the students fall under this category, versus only 8% of students in the Intervention 2 group.
Overall, the Intervention 2 group showed a moderate improvement regarding password length
when compared to the Intervention 1 group, as shown in Figure 15.
b. Password Complexity
Both types of intervention improved millennials’ complexity scores. A student’s
performance is defined as having improved with respect to password complexity if the average
of the complexity scores of post-intervention passwords 3 and 4 is greater than the average of
the complexity scores for pre-intervention passwords 1 and 2. Post-reinforcement
improvement for password complexity computed for the Intervention 2 group was 59% while
that of the Intervention 1 group was 54%. The password complexity behavior of 39% of the
students in the Intervention 1 group worsened, compared with 34% of students in the Intervention 2
group. No behavioral change was registered for 7% of the students in either group. These
findings are summarized in Figure 16.
Figure 15. Post-Intervention Password Length Improvement By Group
Figure 16. Post-Intervention Password Complexity Improvement By Group
Both interventions were equally successful in improving password complexity scores. In
this case, the addition of the password strategy and avatar plus score reporting did not
significantly outperform simple feedback of complexity scores. Students from both groups
received a numerical, and the equivalent categorical, score (as computed by a password
meter) and we hypothesize that given the highly competitive nature of Kenan-Flagler students,
the password complexity score was a larger motivating factor in creating a more complex
password. This millennial competitive behavior was registered in the data collected, when
some students, after being shown their scores for the pre-reinforcement passwords they
created, went back to these previous screens and entered new passwords. Unbeknownst to
them, the software program saved all passwords entered. When we examined the data and
noticed this anomaly we decided to use for analysis purposes only their first attempt for each
password and to eliminate the secondary input attempts. Results suggest that providing a
numerical score may be enough to influence students to modify their password creation
behavior with respect to complexity.
In a deeper analysis of the data, we eliminate those millennials whose average baseline
password scores were greater than 60 which is the breakpoint between “good” and “strong”
password ability based on the algorithm. In this way, we focus only on the less-aware
students—those whose poor baseline behavior indicates they have something to learn from
the intervention. A score of 60 was also the mean for the complete sample. The distribution of
the password complexity behavior improvement in Figure 17 shows the frequency counts of
pre- and post-intervention password scores for the complete sample and the reduced sample
with scores less than 60. The arrows in the figure highlight the positive (rightward) shift in the
complexity score frequencies post-intervention, meaning that the intervention positively
affected, i.e. positively modified, students’ password complexity behavior. The effects are
considerably greater for the reduced sample reflecting the relatively larger improvement in
performance of that group.
Figure 17. Distribution of Individual Password Complexity Score Improvement
We also computed the improvement gain in individual password complexity scores after
the intervention by subtracting, for each individual student, the average of the pre-intervention
passwords 1 and 2 from the average of post-intervention passwords 3 and 4. The results,
depicted in Figure 18, show the improvement gains achieved by the reduced sample—
students who had a pre-intervention password average of less than 60—versus the
improvement obtained by the complete sample. The gain can be seen in the rightward shift
of the most frequently observed improvement gains.
Figure 18. Distribution of Password Complexity Score Improvement
[Figure 18 plot: Frequency Count (0 to 20) against Password Complexity Improvement; series: Reduced Sample, Whole Sample]
A comparison of the distribution of pre-intervention versus post-intervention password
complexity scores by intervention group is shown in Figure 19. Overall, improvement results
for each intervention group were positive but show different effects. There was a pronounced
positive shift in password complexity score behavior for Intervention 1 which peaked at 65, a
little above the sample mean of 60. The peak for Intervention 2 occurs at 77 suggesting that
Intervention 2 (with the strategy and avatars) had a more positive effect in the modification of
password complexity behavior.
Figure 19. Comparison of Pre-Intervention and Post-Intervention Password
Complexity Scores By Group
c. Password Repeated Use Results
Approximately one-third of the sample or 36 students used the same password for the
two websites 1 and 2. After the intervention, only 19%, or 21 students repeated their
passwords for websites 3 and 4. Thus, there was a 42% improvement with respect to this
behavior. Regarding gender, 50% of females improved their behavior by using different
passwords for websites 3 and 4, compared with only 38% of males. Comparing this behavior
for the two intervention groups we found that they had a very similar outcome as summarized
in Table 11. The groups exhibit the same level of improvement after intervention, more
specifically 13% of intervention group 1 and 15% of intervention 2 group created different
passwords for websites 3 and 4.
Table 11. Distribution of Repeated Password Behavior By Group
Website                     Intervention 1 Group (%)   Intervention 2 Group (%)   Total (%)
Password 1 and Password 2   30                         33                         63
Password 3 and Password 4   18                         19                         37
TOTAL                       48                         52                         100
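As an added example (not the study's own analysis code), the per-participant comparison described in the Results above, applied to a constructed set of six records: pre-intervention passwords 1 and 2 are averaged against post-intervention passwords 3 and 4 for length and complexity, repeated use is flagged per phase, and the reduced sample keeps only participants with a baseline complexity average below 60. The passwords and complexity scores are invented sample values, since the report does not describe its password meter.

```python
"""Per-participant classification the report uses for its three result
dimensions (length, complexity, repeated use), run over constructed sample
records (added example; not the study's data or code)."""
from collections import Counter
from statistics import mean

THRESHOLD = 60  # the report's breakpoint between "good" and "strong" scores
CATEGORIES = ("improved", "worse", "no change")

# Constructed records: intervention group, the four passwords entered for
# websites 1-4, and the complexity score each would have received.  The scores
# are invented because the report does not describe its password meter.
PARTICIPANTS = [
    {"id": 1, "group": 1, "scores": [35, 35, 70, 66],
     "passwords": ["tarheel1", "tarheel1", "Tarheel!2012", "Go2Heels!"]},
    {"id": 2, "group": 1, "scores": [62, 62, 20, 62],
     "passwords": ["Summer2011!", "Summer2011!", "summer", "Summer2011!"]},
    {"id": 3, "group": 1, "scores": [30, 40, 30, 40],
     "passwords": ["pass1234", "Pass1234", "pass1234", "Pass1234"]},
    {"id": 4, "group": 2, "scores": [15, 15, 72, 80],
     "passwords": ["ramblin", "ramblin", "Rmcsotbs!8", "Rmcsotbs!8nflx"]},
    {"id": 5, "group": 2, "scores": [65, 65, 65, 65],
     "passwords": ["Blue_Sky99", "Blue_Sky99", "Blue_Sky99", "Blue_Sky99"]},
    {"id": 6, "group": 2, "scores": [10, 10, 48, 48],
     "passwords": ["qwerty", "qwerty", "Qwerty1!", "Qwerty1!"]},
]


def values(participant, dimension):
    """The four per-password values for 'length' or 'complexity'."""
    if dimension == "length":
        return [len(p) for p in participant["passwords"]]
    if dimension == "complexity":
        return list(participant["scores"])
    raise ValueError(f"unknown dimension {dimension!r}")


def classify(participant, dimension):
    """Compare the pre-intervention average (passwords 1 and 2) with the
    post-intervention average (passwords 3 and 4), as the report does."""
    v = values(participant, dimension)
    pre, post = mean(v[:2]), mean(v[2:])
    if post > pre:
        return "improved"
    if post < pre:
        return "worse"
    return "no change"


def summarize(participants, dimension):
    """Percentage of each group in each category, rounded to one decimal."""
    by_group = {}
    for p in participants:
        by_group.setdefault(p["group"], Counter())[classify(p, dimension)] += 1
    return {g: {c: round(100 * ctr[c] / sum(ctr.values()), 1) for c in CATEGORIES}
            for g, ctr in sorted(by_group.items())}


def repeated(participant, phase):
    """True when the same password was entered for both sites of a phase."""
    i, j = (0, 1) if phase == "pre" else (2, 3)
    pws = participant["passwords"]
    return pws[i] == pws[j]


def repeat_reduction(participants):
    """Repeaters before and after, and the relative reduction between them
    (the report's 36 -> 21 students is quoted as a 42% improvement)."""
    pre = sum(repeated(p, "pre") for p in participants)
    post = sum(repeated(p, "post") for p in participants)
    reduction = round(100 * (pre - post) / pre, 1) if pre else 0.0
    return {"pre": pre, "post": post, "reduction_pct": reduction}


def reduced_sample(participants):
    """The 'less-aware' subset: baseline complexity average below the threshold."""
    return [p for p in participants if mean(p["scores"][:2]) < THRESHOLD]


def gain(participant):
    """Individual complexity gain: post-intervention average minus baseline."""
    s = participant["scores"]
    return mean(s[2:]) - mean(s[:2])


def mean_gain(participants):
    """Average individual gain over a sample, rounded to one decimal."""
    return round(mean(gain(p) for p in participants), 1)


if __name__ == "__main__":
    for dim in ("length", "complexity"):
        print(dim, summarize(PARTICIPANTS, dim))
    print("repeated use:", repeat_reduction(PARTICIPANTS))
    print("mean gain, whole sample:", mean_gain(PARTICIPANTS))
    print("mean gain, reduced sample:", mean_gain(reduced_sample(PARTICIPANTS)))
```

With these constructed records the reduced sample shows a larger mean gain than the whole sample, which is the pattern the report describes for Figure 18.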
Recommendations
Insights gained from millennial self-reported risky cybersecurity behavior and observed
experiments conducted by the Millennial Cybersecurity Project research team serve as the
basis for the following recommendations, herein offered as guidelines for better methods to
communicate cybersecurity best practices to millennials in order to increase awareness of and
modification of risky behavior in cyber space.
1) Explore, employ and exploit digital messaging that is short in length, iconic, and
actionable. Millennials grew up with browsers and hyperlinks, email and online
gaming to the detriment of other practices common to previous generations. Some
compelling evidence of these trends is the sharp decline in the volume of mail
delivered by the U.S. Postal Service and a report from May 2012 by Funcom—the
online game company—that 1 million users had registered ahead of time to test the
beta version of its new online game “The Secret World”. Millennials are continually
exploring beyond Twitter and Facebook, as Pinterest’s—the virtual message board—
more than 11.7 million unique users demonstrate (footnote 11). One striking similarity between
sites that, like Pinterest, have millions of followers is the reduced amount of text in
benefit of visual graphics, photography, and the ability to share the contents with
whomever you select.
2) Personalize communications based on the audience’s profile. Insights gained from
this study suggest that UNC millennials fit four different awareness-based categories
of technology users: 1) expert; 2) trained; 3) confused; and 4) uninitiated. Trying to
communicate cybersecurity best practices to these different users with the same level
of information content may end up having limited reach, as it may be too simplistic and
fail to interest the expert or trained millennial, not specific enough to dissipate the
misconceptions of the confused millennial, and not simple and targeted enough for
helping the uninitiated. Overlaying self-digital representation, i.e. avatars, with
feedback and behavioral reinforcement messaging in our experiments led to
improvements in risky behavior on both phishing email and password use.
3) Develop cybersecurity tools that are technology-mediated, more interactive and
capable of providing a user experience of high value. In our experience opportunities
for raising cybersecurity awareness can be brought into the organization environment
with great success. During Security Day, promoted by Kenan-Flagler IT Department
every year, millennials wait in line to play fair games and win small prizes while
“chatting” with IT experts who answer questions and provide information about best
practices. Our observed phishing email experiment was conducted during Security
Day and attracted a large crowd. Mobile apps can be another vehicle for delivering
cybersecurity information to all individuals of an organization.
Conclusions and Future Directions
The Millennial Cybersecurity Project conducted a set of experiments to determine the
effectiveness of interventions such as the use of avatars and other digital (self) representations
for message personalization, real-time digital feedback about observed risky behaviors, and
messaging of policies and best practices in formats and language that are more aligned with
how millennials communicate with others and experience the world. The project’s underlying
premise is that cybersecurity awareness initiatives for millennials might be improved when
messaging is accomplished digitally and in formats consistent with digital devices such as
personal computers, cell phones, and mobile devices.
Footnote 11: We are presuming that the vast majority of Pinterest users are millennials, although access to data to support
this claim is not available to us at this time.
Specific conclusions from these experiments are:
Understanding Millennial Attitudes about and Behaviors in Cybersecurity. Favorable
results indicate that UNC millennials are aware of best practices about how to protect one’s
system and adhere to UNC information security policies for use of firewall, and antivirus and
operating system automatic updates. However, results also suggest that millennials are not as
knowledgeable regarding the dangers of inadequate password usage or risky practices in
cyberspace that can create vulnerabilities, for example phishing emails. Reported behaviors
suggest that male millennials are somewhat more knowledgeable than female millennials.
Nonetheless, males also appear to experience more problems due, perhaps, to higher
engagement in riskier online behaviors than their female counterparts.
Modifying Risky Behavior in Millennials. Overall, improvement results in password
creation and use for the two intervention groups were positive for all three categories: length,
complexity, and repeated use; but show different effects. Regarding password complexity, the
intervention presenting participants with only password scores led to an improvement that
shifted participants with lower scores to slightly higher scores positioned above the sample
mean and the threshold for a strong password. The improvement obtained with the
intervention containing the strategy and avatars had a more positive effect in the modification
of password complexity behavior, translated into higher scores for a similar number of participants.
Contact Information
Project Contact Name: Noel P. Greis and Monica L. Nogueira
Mailing Address: Center for Logistics and Digital Strategy
Kenan Institute of Private Enterprise, CB# 3440 Kenan Center
University of North Carolina, Chapel Hill, NC 27599-3440.
Phone: 919-962-8201
Email: noel_greis@unc.edu; monica_nogueira@unc.edu
Appendix A
Screenshots of Phishing Experiment Emails
Example of “Low Trust” Phishing Email Sent to Students
Example of “Low Trust” Phishing Email Sent to Students
Example of “Medium Trust” Phishing Email Sent to Students
Example of “Medium Trust” Phishing Email Sent to Students
Example of “High Trust” Phishing Email Sent to Students
Example of “High Trust” Phishing Email Sent to Students
Appendix B
Screenshots of Password Experiment Websites
Example of Logon Screen for Password Experiment
Example of Website for Creating First Password
Example of Website for Creating Second Password
Example of Website for Creating Third Password
Example of Website for Creating Fourth Password