Those findings come from "Keeping Up With the Joneses: Assessing Phishing Susceptibility in an E-mail Task," a research paper that's due to be presented at the International Human Factors and Ergonomics Society Annual Meeting next month. The study, which was authored by five researchers at North Carolina State University (NC State), is part of a phishing-defense research project funded by the National Security Agency.
For the study, the NC State researchers combined personality assessments with tests of students' ability to correctly classify emails as either legitimate or suspicious and targeted for deletion. They also assessed people's ability to mark as "important" emails that required responses or follow-on actions.
"The results showed a disconnect between confidence and actual skill, as the majority of participants were not only susceptible to attacks but also overconfident in their ability to protect themselves," said Kyung Wha Hong, the lead author of the paper, in a statement. Notably, 89% of the study participants said they were skilled at recognizing malicious emails, but researchers saw 92% of participants misclassify at least some phishing emails. Furthermore, 52% of participants misclassified over half of the phishing emails, and half of participants deleted at least one legitimate email, believing it to be malicious. All told, only 2% of participants managed to not mishandle either phishing or legitimate communications.
Thus the "Joneses" research paper's conclusion: "gender, dispositional trust, and personality appear to be associated with the ability to correctly categorize emails as either legitimate or phishing."
Paper co-author Christopher B. Mayhorn, an NC State psychology professor, said the dispositional trust finding -- which refers to people's self-assessment of their own expertise -- wasn't a surprise, but that the personality results were. He said the verdict's still out on whether women are more likely phishing victims than men, because the groups of students involved hailed only from the university's psychology and computer science (CS) departments.