Channel: Terry Zink: Security Talk

The Psychology of Spamming, part 3 - External factors that influence our decisions


Spam, Emotion and Decision

Researchers distinguish between two types of emotions – expected emotions and immediate emotions. Expected emotions are predictions about how we will feel if certain decision outcomes occur. They are forward-looking, and their benefit is that they help us determine the optimal course of action to maximize our long-term well-being. They are functions of our neocortex.

For the purposes of spamming, it is not expected emotions that spammers (unknowingly) prey upon. Instead, it is our immediate emotions that kick in. Immediate emotions are the affect that we experience at the time of making a decision. These are heuristic judgments that we make to prioritize information and introduce important considerations that are not captured by expected emotions.

Immediate emotions save cognitive processing by triggering time-tested responses to universal experiences. For example, anger triggers aggression, and fear triggers flight. This action tendency lingers for some time if it is not discharged. For example, in one study subjects were told about a perpetrator who committed a crime. They were divided into two groups: one group was told that the offender was not punished, and the other was told that the offender was punished. Only the group that was told that the offender got away with it experienced anger and demanded harsher penalties in unrelated legal cases. In other words, their emotion persisted and was not “diffused.” In the other group, the offender was punished, and through that outlet their anger had a mechanism of release.

Immediate emotions do not guide or influence our actions completely, however. At low and moderate levels of affect, immediate emotions play more of an advisory role. Thus, in order to trigger action, more intense levels of affect must be invoked.

Probability

One thing that researchers have discovered is that affect is correlated with the intensity of the anticipated outcome, not the probability of it occurring (except in the case of zero probability of outcome). For example, one study demonstrated that when subjects were given an electric shock in response to certain outcomes, they would experience physiological responses (sweating, nervousness, tension) that increased with their perceived intensity of that shock rather than with how likely they were to receive it.

We can see how this is expressed in a phishing scam, and this analysis suggests that some phishing scams would be more effective than others. When we get a message saying that we will be locked out of our account, whether the bank might actually take that action is less relevant to us than the prospect of losing access to our finances.



Wells Fargo is constantly working to ensure security by regularly screening the accounts in our system. We recently upgraded our security services on your account, and until we can collect this information, you will be unable to access your account. We would like to restore your access as soon as possible, and we apologize for the inconvenience.

Why is my account access limited?

Your account access has been limited for the following reason(s):

October 1, 2010:
We have reason to believe that your account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive Wells Fargo account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection.

Regards,
Wells Fargo Security Department


In the above example, it is the probability of someone breaking into our account and of our access being restricted that factors into our decision to take action, not whether the bank would actually take that action.

Time

Another factor that affects immediate emotions is time. The closer something is in time, the more intensely we will experience positive or negative affect. This is independent of the probability of occurrence.

A modern example of this is the “chickening out” factor. If you ask a group of people to tell a joke in front of their peers in a week’s time, you’ll likely get several volunteers. Both groups, those who volunteered and those who did not, can change their minds at any time. As the time approaches, right before the joke is to be told, many of those who had volunteered will change their minds (a flight to safety to alleviate the fear response). However, none of those who had not volunteered will change their minds and decide to tell the joke after all.

In our phishing example, whether or not they do it intentionally, spammers who state in their messages that a user must take action within a certain time frame – a short time frame – will get greater compliance than those who give no time frame or a longer one.

Control

Yet another factor that influences our decisions is our perception of how much control we have over a situation. People who believe that they have the power to reduce or increase a stressful situation report fewer panic symptoms and less distress.

Looking over to phishing, it is important for the phishers to give their victims an “out”. The victims must act soon, otherwise they will be locked out of their accounts. Money is important to people; we need it to live, and that’s what goes through our minds. Without our money, how will we live? Yet luckily, all the victim has to do is click on the web link, fill out a few simple details and everything will be okay. The negative affect can be released with a couple of actions. Giving control to the victim helps to alleviate the negative immediate emotion – it pacifies the flight response.
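
The three factors above (intensity of the threatened outcome, time pressure, and an offered “out”) can be used as triage cues when reviewing reported mail. The sketch below is an added example, not part of the original article; the cue patterns and the names lure_profile and triage are illustrative assumptions, and the second sample message is constructed.

```python
import re

# Cue patterns are illustrative assumptions, grouped by the three factors the
# article describes: intensity of the threatened outcome, time pressure, and
# the "out" that hands control back to the reader.
CUES = {
    "intensity": [
        r"\bunable to access\b", r"\blocked out\b", r"\bsuspend(ed)?\b",
        r"\blimited\b", r"\baccessed by a third party\b",
    ],
    "time": [
        r"\bwithin \d+ (hours?|days?)\b", r"\bimmediately\b",
        r"\bas soon as possible\b", r"\bbefore [a-z]+ \d{1,2}\b",
    ],
    "control": [
        r"\bclick\b", r"\bverify your\b", r"\bconfirm your\b",
        r"\brestore your access\b", r"\bupdate your\b", r"https?://\S+",
    ],
}

def lure_profile(text):
    """Return {factor: sorted matched phrases} for one message body."""
    lowered = text.lower()
    profile = {}
    for factor, patterns in CUES.items():
        hits = set()
        for pattern in patterns:
            for match in re.finditer(pattern, lowered):
                hits.add(match.group(0))
        profile[factor] = sorted(hits)
    return profile

def triage(text):
    """'review' when a threatened loss is paired with pressure or an out."""
    profile = lure_profile(text)
    if profile["intensity"] and (profile["time"] or profile["control"]):
        return "review"
    return "pass"

# Abridged excerpt of the sample message quoted in the article.
ARTICLE_SAMPLE = (
    "We recently upgraded our security services on your account, and until "
    "we can collect this information, you will be unable to access your "
    "account. We would like to restore your access as soon as possible. "
    "We have reason to believe that your account was accessed by a third party."
)
# Constructed benign message for contrast.
BENIGN_SAMPLE = "Your monthly statement is ready. Sign in as usual to view it."
```

A genuine security notice can match the same cues, so a "review" result is a prompt to check the sender and links, not a verdict.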


Part 1 - How our brains work
Part 2 - The Limbic system, cognition and affect
Part 3 - External factors that influence our decisions
Part 4 - Why we fall for scams
Part 5 - Solutions
Part 6 - The Flynn Effect

