Chaotischer Catalysator Stipendium

"Experiences and challenges with phishing of people with intellectual disabilities"

Title: Experiences and challenges with phishing of people with intellectual disabilities
Subtitle:
University: Gottfried Wilhelm Leibniz Universität Hannover
Faculty: Faculty of Electrical Engineering and Computer Science
Degree programme: Institute of IT-Security – Usable Security and Privacy Section
Written by: Stina Schäfer

Full thesis available as a PDF download

Abstract

More and more activities take place online nowadays. Therefore, access to online services is crucial to participate in modern society. People with disabilities are frequently excluded from full digital participation because digital devices and software do not consider accessibility to a sufficient level [1, 2]. In order to give everyone the same possibilities for digital participation, a rethinking is needed in all areas of information technology. With regard to cybersecurity, this means taking the accessibility of security systems more into account. This can be done by providing accessible options for accomplishing security-related tasks like authentication, but also by broadening the view for threats and attack scenarios related to specific characteristics and needs of marginalised groups [3, 4]. One of the most common cyber attacks is phishing [5, 6], a form of social engineering attack which "electronically deceives a user to conform to some action, subsequently, divulging sensitive information" [7]. To offer all members of society the highest possible degree of safety from phishing attacks, it is necessary to include the perspectives of marginalised groups in defense strategies.

This thesis examines the experiences and challenges of people with intellectual disabilities with phishing. To this end, interviews with twelve participants with intellectual disabilities were conducted, which involved an e-mail assessment task with three example e-mails. The interviews were analysed using content structuring qualitative content analysis. The data shows that phishing attacks are a relevant issue for people with intellectual disabilities and that experiences with phishing attacks are common in this population. The results further show that the capability to detect malicious e-mails varies strongly between individuals. The awareness of risks and privacy issues also differs among the participants: some expressed awareness of possible risks while others reported problematic behavior with regard to e-mail attacks. The assessment strategies of the participants mainly focused on the content of an e-mail instead of technical, more reliable clues. The study identifies missing knowledge about attacks and defense strategies as having a negative impact on the capability of people with intellectual disabilities to detect phishing. Furthermore, difficulties with reading and understanding text are found to be impeding in this context. Getting support from others, mainly family and professional caregivers, is determined as a prominent strategy of people with intellectual disabilities to assess and handle suspicious e-mails. Concerns because of the immanent privacy issues of this strategy were not brought up by any of the participants. The results of this study indicate that educational interventions using easy-to-read language and text alternatives are a promising approach to support people with intellectual disabilities in detecting malicious e-mails. The role of caregivers and relatives of people with intellectual disabilities should also be considered in such interventions.

References

[1] D. Lussier-Desrochers, C. L. Normand, A. Romero-Torres, Y. Lachapelle, V. Godin-Tremblay, M.-È. Dupont, J. Roux, L. Pépin-Beauchesne, and P. Bilodeau, “Bridging the digital divide for people with intellectual disability”, Cyberpsychology: Journal of Psychosocial Research on Cyberspace, vol. 11, no. 1, May 2017. doi: 10.5817/CP2017-1-1.

[2] S. J. Macdonald and J. Clayton, “Back to the future, disability and the digital divide”, Disability & Society, vol. 28, no. 5, pp. 702–718, 2013. doi: 10.1080/09687599.2012.732538.

[3] K. Renaud and L. Coles-Kemp, “Accessible and inclusive cyber security: A nuanced and complex challenge”, SN Computer Science, vol. 3, no. 5, p. 346, Jun. 2022. doi: 10.1007/s42979-022-01239-1.

[4] Y. Wang, “The third wave? inclusive privacy and security”, in Proceedings of the 2017 New Security Paradigms Workshop, ser. NSPW ’17, Santa Cruz, CA, USA: Association for Computing Machinery, 2017, pp. 122–130. doi: 10.1145/3171533.3171538.

[5] European Union Agency for Cybersecurity, “ENISA threat landscape 2023: July 2022 to June 2023”, 2023, [Online]. Available: https://www.enisa.europa.eu/publications/enisa-threatlandscape-2023.

[6] Federal Bureau of Investigation, “Internet crime report 2023”, 2023, [Online]. Available: https://www.ic3.gov/media/PDF/AnnualReport/2023_IC3Report.pdf.

[7] K. Jansson and R. von Solms, “Phishing for phishing awareness”, Behaviour & Information Technology, vol. 32, no. 6, pp. 584–593, 2013. doi: 10.1080/0144929X.2011.632650.