pith. sign in

arxiv: 2605.21246 · v1 · pith:ELU6PPQJnew · submitted 2026-05-20 · 💻 cs.CR · cs.CY

Profiling User Vulnerability to Phishing Through Psychological and Behavioral Factors

Valeria Formisano , Danilo Gentile , Gennaro Esposito Mocerino , Michela Ponticorvo , Luigi Gallo , Alessio Botta , Davide Marocco This is my paper

Pith reviewed 2026-05-21 03:51 UTC · model grok-4.3

classification 💻 cs.CR cs.CY
keywords phishinguser vulnerabilitypsychological factorsbehavioral factorsexploratory factor analysisclusteringcybersecurity awarenessdecision making
0
0 comments X

The pith

The combination of operational maturity, decision-making speed, and cognitive approach determines how well users resist phishing attacks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper studies why some people spot phishing attempts while others do not by examining data from 1,086 participants who faced a realistic detection task. It applies factor analysis to identify five underlying constructs and then clusters users according to seniority and creativity dimensions. The central result is that technical knowledge by itself does not protect against phishing; instead, how mature the user is, how quickly they decide, and how they approach problems together shape their outcomes. Most participants land in a high-risk group that decides fast and analyzes less. These patterns indicate that standard training programs overlook individual differences and would benefit from adapting to specific thinking styles.

Core claim

Exploratory factor analysis on the Spamley dataset reveals five latent constructs named Seniority, Expertise, Creativity, Stability, and Vulnerability. K-Means clustering on the Seniority and Creativity dimensions separates participants into an Aware profile, marked by greater operational maturity and slower critical evaluation, and a High-Risk profile, marked by hasty decisions and reduced critical analysis. Behavioral measures confirm that faster response times distinguish vulnerable users from resilient ones, establishing that resilience depends on the interaction of maturity, decision speed, and cognitive approach rather than expertise alone.

What carries the argument

K-Means clustering on the Seniority and Creativity factors extracted via Exploratory Factor Analysis, which produces two user profiles that explain differences in phishing detection performance.

If this is right

  • Security training must shift from uniform programs to ones that target specific cognitive biases and decision habits.
  • The majority high-risk group requires interventions focused on slowing impulsive responses and encouraging deeper analysis.
  • Technical knowledge cannot be assumed to provide adequate protection without accompanying maturity and deliberate evaluation.
  • Organizations can improve outcomes by assessing user profiles to deliver more relevant awareness efforts.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If response time remains a consistent marker, email clients could add real-time prompts for users who decide too quickly.
  • The same profiling method could extend to other social-engineering threats such as voice or text-based attacks.
  • Training that explicitly teaches users to pause before acting could be tested to see whether it reduces actual phishing success rates.
  • Repeating the analysis across cultures or age groups would show whether the high-risk majority finding applies more broadly.

Load-bearing premise

The clusters found in this sample of participants represent stable, general differences in how people handle phishing rather than patterns limited to the dataset or task.

What would settle it

A new study with different participants or a changed phishing task that fails to recover the same two profiles or shows no connection between decision speed and vulnerability would disprove the main claim.

Figures

Figures reproduced from arXiv: 2605.21246 by Alessio Botta, Danilo Gentile, Davide Marocco, Gennaro Esposito Mocerino, Luigi Gallo, Michela Ponticorvo, Valeria Formisano.

Figure 1
Figure 1. Figure 1: A possible email presented to the user during the test. Each email is composed of several fields, which are characterized by different special features in the dataset. median time spent was 4 minutes, so we filtered out from the dataset all users with attention check "3" that took less than 2 minutes, as we have observed it’s a largely insufficient time to complete the questionnaire while paying attention,… view at source ↗
Figure 2
Figure 2. Figure 2: Heatmap of questionnaire items weights relative to the 5 identified factors. Questionnaire items aggregate best in 5 factors, with seniority, expertise and creativity having the strongest loadings. senting the majority of the sample, this group exhibits the highest vulnerability to threats. It is characterized by the lowest baseline recall rate (68.8%) and faster, potentially more impulsive, average reacti… view at source ↗
Figure 3
Figure 3. Figure 3: Factors distribution of the two identified profiles. The factors that best model the profiles of resilient users and users at risk are the ones related to seniority and openness. 4 Discussion, Practical Implications and Future Works A preliminary exploration of correlations reveals that the ability to recognize phishing threats is supported by a combination of demographic and professional maturity (age, ye… view at source ↗
read the original abstract

Phishing remains one of the most pervasive cybersecurity threats, shifting the focus from technological vulnerabilities to human cognitive and psychological factors. In coherence with the trend of studies on phishing to increasingly focus on human aspects and vulnerable users profiling, this study investigates the multidimensional nature of user susceptibility by analyzing data from the Spamley dataset, involving 1,086 participants evaluated through a realistic phishing detection task. Using Exploratory Factor Analysis (EFA), five latent constructs were identified, named: Seniority, Expertise, Creativity, Stability, and Vulnerability. Behavioral findings, validating self-reported impulsivity through its negative correlation with response times, demonstrate that faster decision-making significantly distinguishes vulnerable users from resilient ones. A K-Means clustering procedure, driven by the dimensions of Seniority (F1) and Creativity (F3), revealed two distinct user profiles: the Aware User and the High-Risk User. The results demonstrate that technical knowledge alone is insufficient to guarantee resilience; rather, the interaction between operational maturity, decision-making speed, and cognitive approach determines effectiveness. The findings suggest that the majority of users fall into the High-Risk category, characterized by hasty evaluation processes and lower critical analysis. These results underline the urgent need to move beyond "one-size-fits-all" training toward personalized, adaptive cybersecurity programs that actively address cognitive biases and behavioral tendencies.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The manuscript analyzes phishing susceptibility using the Spamley dataset of 1,086 participants who performed a realistic phishing detection task. Exploratory Factor Analysis identifies five latent constructs (Seniority, Expertise, Creativity, Stability, Vulnerability). K-Means clustering on the Seniority (F1) and Creativity (F3) dimensions yields two profiles: Aware User and High-Risk User. A negative correlation between self-reported impulsivity and response time is reported as behavioral validation. The central claim is that the interaction of operational maturity, decision-making speed, and cognitive approach determines resilience, with the majority of users in the High-Risk profile marked by hasty evaluation and lower critical analysis; the authors recommend personalized rather than one-size-fits-all training.

Significance. If the derived profiles prove stable and externally valid, the work would usefully advance human-factors research in cybersecurity by showing that technical knowledge alone is insufficient and that psychological and behavioral dimensions interact to shape vulnerability. The realistic task and sample size are positive features; reproducible code or factor-loading tables would further strengthen the contribution.

major comments (3)
  1. [Abstract / EFA procedure] Abstract and EFA description: no factor-retention criteria (eigenvalue threshold, scree plot, parallel analysis), rotation method, or loading cutoff are stated. Because the subsequent K-Means step uses only F1 (Seniority) and F3 (Creativity), the absence of these details makes the factor definitions and the two-profile solution load-bearing for the central claim.
  2. [Abstract / K-Means clustering] Clustering analysis (Abstract): the K-Means procedure on the two EFA dimensions reports neither elbow/silhouette metrics, bootstrap stability, split-sample replication, nor external validation against actual phishing success rates. Without these checks the assertion that the majority of users belong to the High-Risk cluster (hasty/low-critical-analysis) remains vulnerable to sample-specific artifacts.
  3. [Results] Results: the quantitative support for the 'majority High-Risk' assignment (exact cluster sizes, proportions, or statistical tests) is not supplied in the abstract or summary, weakening the empirical grounding of the profile-distribution claim.
minor comments (2)
  1. [Abstract] The abstract would be clearer if it reported at least one key quantitative result (e.g., cluster sizes or correlation coefficient) alongside the qualitative conclusions.
  2. [Abstract] Notation for the five factors (F1, F3, etc.) should be introduced consistently when first mentioned.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive comments that highlight opportunities to improve methodological transparency and the presentation of quantitative results. We address each major comment below and will revise the manuscript to incorporate the requested details.

read point-by-point responses

  1. Referee: [Abstract / EFA procedure] Abstract and EFA description: no factor-retention criteria (eigenvalue threshold, scree plot, parallel analysis), rotation method, or loading cutoff are stated. Because the subsequent K-Means step uses only F1 (Seniority) and F3 (Creativity), the absence of these details makes the factor definitions and the two-profile solution load-bearing for the central claim.

    Authors: We agree that the abstract should explicitly state the EFA procedures to support the subsequent clustering. The full methods section describes the use of parallel analysis for factor retention, varimax rotation, and a 0.40 loading cutoff for item inclusion. We will revise the abstract to include a concise description of these criteria, the rotation method, and the loading threshold so that the definitions of F1 and F3 are transparent from the outset. revision: yes

  2. Referee: [Abstract / K-Means clustering] Clustering analysis (Abstract): the K-Means procedure on the two EFA dimensions reports neither elbow/silhouette metrics, bootstrap stability, split-sample replication, nor external validation against actual phishing success rates. Without these checks the assertion that the majority of users belong to the High-Risk cluster (hasty/low-critical-analysis) remains vulnerable to sample-specific artifacts.

    Authors: We acknowledge the value of these validation steps. In the revised manuscript we will report the elbow method and silhouette scores that supported the choice of two clusters. We will also add results from split-sample replication confirming cluster stability. The High-Risk profile is already associated with lower phishing detection accuracy in the data; we will make this external validation explicit by reporting the performance differences between clusters. revision: yes

  3. Referee: [Results] Results: the quantitative support for the 'majority High-Risk' assignment (exact cluster sizes, proportions, or statistical tests) is not supplied in the abstract or summary, weakening the empirical grounding of the profile-distribution claim.

    Authors: We agree that the abstract and summary should contain the specific numbers. We will update both to report the exact cluster sizes, the proportion of users assigned to the High-Risk profile, and the statistical tests comparing phishing task performance across profiles. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical statistical analysis on independent dataset

full rationale

The paper applies standard Exploratory Factor Analysis to extract five latent constructs from the 1,086-participant Spamley dataset responses, followed by K-Means clustering on two of those dimensions (Seniority F1 and Creativity F3) to define user profiles. These steps are data-driven procedures with no equations, self-definitional loops, fitted parameters renamed as predictions, or load-bearing self-citations that reduce the central claims to inputs by construction. The reported profiles, correlations with response times, and majority High-Risk assignment are outputs of the analysis rather than tautological restatements of the input data or prior author results. The derivation chain is self-contained against external benchmarks and does not exhibit any of the enumerated circularity patterns.

Axiom & Free-Parameter Ledger

2 free parameters · 2 axioms · 0 invented entities

The central findings rest on the assumption that self-reported and behavioral data from the phishing task accurately reflect latent psychological constructs, plus standard statistical assumptions for EFA and clustering.

free parameters (2)
  • Number of factors retained in EFA
    Set to five to define the latent constructs of Seniority, Expertise, Creativity, Stability, and Vulnerability.
  • Number of clusters in K-Means
    Set to two to separate Aware and High-Risk user profiles using Seniority and Creativity dimensions.
axioms (2)
  • domain assumption Responses in the Spamley dataset validly measure real-world phishing susceptibility and related psychological traits.
    Invoked when interpreting EFA factors and clustering results as profiles of vulnerability.
  • standard math Standard assumptions of EFA (linearity, sufficient sample size, factorability) hold for this dataset.
    Required for the validity of the five identified latent constructs.

pith-pipeline@v0.9.0 · 5784 in / 1428 out tokens · 50368 ms · 2026-05-21T03:51:14.276129+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

28 extracted references · 28 canonical work pages

  1. [1]

    Sen- sors21(21), 7301 (2021)

    Abdelhamid, N., Ayesh, A., Thabtah, F.: Prevention and mit- igation measures against phishing emails: A review. Sen- sors21(21), 7301 (2021). https://doi.org/10.3390/s21217301, https://pmc.ncbi.nlm.nih.gov/articles/PMC8478002/

    work page doi:10.3390/s21217301 2021

  2. [2]

    An extension of HybridSynchAADL and its application to collaborating au- tonomous UA Vs

    Aldaraani, N., Petrie, H., Shahandashti, S.F.: Online security attack experience and worries of young adults in the kingdom of saudi arabia. In: Furnell, S., Clarke, N. (eds.) Human Aspects of Information Security and Assurance. pp. 364–376. Springer Nature Switzerland (2023). https://doi.org/10.1007/978-3-031- 38530-8_29

    work page doi:10.1007/978-3-031- 2023

  3. [3]

    Frontiers in Computer Science3, 563060 (2021)

    Alkhalil, Z., Hewage, C., Nawaf, L., Khan, I.: Phishing attacks: A recent compre- hensive study and a new anatomy. Frontiers in Computer Science3, 563060 (2021). https://doi.org/10.3389/fcomp.2021.563060

    work page doi:10.3389/fcomp.2021.563060 2021

  4. [4]

    Comput- ers & Security (2023)

    Alsharnouby, M., et al.: A comprehensive examination of email spoofing: Issues and prospects for email security. Comput- ers & Security (2023). https://doi.org/10.1016/j.cose.2023.103235, https://www.sciencedirect.com/science/article/pii/S0167404823005102

    work page doi:10.1016/j.cose.2023.103235 2023

  5. [5]

    Cialdini, R.B., Cialdini, R.B.: Influence: The psychology of persuasion, vol. 55. Collins New York (2007)

    work page 2007

  6. [6]

    Computers & Security94, 101862 (2020)

    Frauenstein, E.D., Flowerday, S.: Susceptibility to phishing on social network sites: A personality information processing model. Computers & Security94, 101862 (2020). https://doi.org/10.1016/j.cose.2020.101862

    work page doi:10.1016/j.cose.2020.101862 2020

  7. [7]

    Computers & Security139, 103671 (2024)

    Gallo, L., Gentile, D., Ruggiero, S., Botta, A., Ventre, G.: The human factor in phishing: Collecting and analyzing user behavior when reading emails. Computers & Security139, 103671 (2024)

    work page 2024

  8. [8]

    Applied Ergonomics 97, 103526 (2021)

    Ge, Y., Lu, L., Cui, X., Chen, Z., Qu, W.: How personal characteristics impact phishing susceptibility: The mediating role of mail processing. Applied Ergonomics 97, 103526 (2021). https://doi.org/10.1016/j.apergo.2021.103526

    work page doi:10.1016/j.apergo.2021.103526 2021

  9. [9]

    International Journal of Human Resource Development: Practice, Policy and Research8(2), 100–113 (2024)

    Gordon, A., Russ-Eft, D.: How the big five psychological factors affect phish- ing: A literature review. International Journal of Human Resource Development: Practice, Policy and Research8(2), 100–113 (2024). https://doi.org/10.2478/ijhrd- 2024-0007

    work page doi:10.2478/ijhrd- 2024

  10. [10]

    Heliyon3(7), e00346 14 Formisano et al

    Hadlington, L.: Human factors in cybersecurity; examining the link between internet addiction, impulsivity, attitudes towards cyber- security, and risky cybersecurity behaviours. Heliyon3(7), e00346 14 Formisano et al. (2017). https://doi.org/https://doi.org/10.1016/j.heliyon.2017.e00346, https://www.sciencedirect.com/science/article/pii/S2405844017309982

    work page doi:10.1016/j.heliyon.2017.e00346 2017

  11. [11]

    In: Proceedings of the 22nd international conference on world wide web

    Halevi, T., Lewis, J., Memon, N.: A pilot study of cyber security and privacy related behavior and personality traits. In: Proceedings of the 22nd international conference on world wide web. pp. 737–744 (2013)

    work page 2013

  12. [12]

    The Journals of Gerontology: Series B79(11), gbae151 (2024)

    Heemskerk, A., Lin, T., Pehlivanoglu, D., et al.: Interoceptive accuracy enhances deception detection in older adults. The Journals of Gerontology: Series B79(11), gbae151 (2024). https://doi.org/10.1093/geronb/gbae151

    work page doi:10.1093/geronb/gbae151 2024

  13. [13]

    Farrar, Straus and Giroux (2011)

    Kahneman, D.: Thinking, fast and slow. Farrar, Straus and Giroux (2011)

    work page 2011

  14. [15]

    https://doi.org/10.3390/app15042236

    Kavvadias, A., Kotsilieris, T.: Understanding the role of demographic and psycho- logicalfactorsinusers’susceptibilitytophishingemails:Areview.AppliedSciences 15, 2236 (02 2025). https://doi.org/10.3390/app15042236

    work page doi:10.3390/app15042236 2025

  15. [16]

    Proceedings of SECURWARE 2025 (2025)

    Lawall, A.: Quantifying persuasion–a comparative analysis of cialdini’s principles in phishing attacks. Proceedings of SECURWARE 2025 (2025)

    work page 2025

  16. [17]

    Applied Ergonomics86, 103084 (2020)

    Lawson, P., Pearson, C.J., Crowson, A., Mayhorn, C.B.: Email phishing and signal detection: How persuasion principles and personality influence response patterns and accuracy. Applied Ergonomics86, 103084 (2020). https://doi.org/10.1016/j.apergo.2020.103084

    work page doi:10.1016/j.apergo.2020.103084 2020

  17. [18]

    In: 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)

    Mocerino, G.E., Velotti, C., Gentile, D., Gallo, L., Botta, A., Ventre, G.: Work in progress: Implicit association tests for understanding human factor in phishing beyond awareness. In: 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). pp. 519–526. IEEE (2024)

    work page 2024

  18. [19]

    Frontiers in Psychology12, 561011 (2021)

    Moustafa, A.A., Bello, A., Maurushat, A.: The role of user behaviour in im- proving cyber security management. Frontiers in Psychology12, 561011 (2021). https://doi.org/10.3389/fpsyg.2021.561011

    work page doi:10.3389/fpsyg.2021.561011 2021

  19. [20]

    PNAS Nexus3(8), pgae296 (2024)

    Pehlivanoglu, D., Shoenfelt, A., Hakim, Z., et al.: Phishing vulnerability com- pounded by older age, apolipoprotein e e4 genotype, and lower cognition. PNAS Nexus3(8), pgae296 (2024). https://doi.org/10.1093/pnasnexus/pgae296

    work page doi:10.1093/pnasnexus/pgae296 2024

  20. [21]

    In: 2024 Silicon Valley Cybersecurity Conference (SVCC)

    Pietrantonio, F., Botta, A., Zinno, S., Ventre, G., Gallo, L., Mancuso, L., Presta, R.: A gaze-based analysis of human detection of email phishing. In: 2024 Silicon Valley Cybersecurity Conference (SVCC). pp. 1–8. IEEE (2024)

    work page 2024

  21. [22]

    https://spamley.comics.unina.it, ac- cessed 20 April 2026

    Spamley Project: Spamley web application. https://spamley.comics.unina.it, ac- cessed 20 April 2026

    work page 2026

  22. [23]

    Computers in Human Behavior Reports19, 100694 (2025)

    Stylianou, I., Bountakas, P., Zarras, A., Xenakis, C.: Suspicious minds: Psycho- logical techniques correlated with online phishing attacks. Computers in Human Behavior Reports19, 100694 (2025). https://doi.org/10.1016/j.chbr.2025.100694

    work page doi:10.1016/j.chbr.2025.100694 2025

  23. [24]

    https://doi.org/10.5114/cipp/204034

    Takiguchi, Y., Kikutani, M.: Examination of the role of dispositional and state suspicionindeceptiveratingsandveracityjudgments.CurrentIssuesinPersonality Psychology (2025). https://doi.org/10.5114/cipp/204034

    work page doi:10.5114/cipp/204034 2025

  24. [25]

    In: Proceedings of the Human Fac- tors and Ergonomics Society Annual Meeting

    Tornblad, M.K., Jones, K.S., Namin, A.S., Choi, J.: Characteristics that pre- dict phishing susceptibility: A review. In: Proceedings of the Human Fac- tors and Ergonomics Society Annual Meeting. vol. 65, pp. 938–942 (2021). https://doi.org/10.1177/1071181321651330

    work page doi:10.1177/1071181321651330 2021

  25. [26]

    Communication Research45(8), 1146–1166 (2018)

    Vishwanath, A., Harrison, B., Ng, Y.J.: Suspicion, cognition, and automatic- ity model of phishing susceptibility. Communication Research45(8), 1146–1166 (2018). https://doi.org/10.1177/0093650215627483 Title Suppressed Due to Excessive Length 15

    work page doi:10.1177/0093650215627483 2018

  26. [27]

    In: ICISSP (2)

    Wafik, P., Botta, A., Gallo, L., Mocerino, G.E., Herbert, C., Annicchiarico, I., El Bolock, A., Abdennadher, S.: Enhanced predictive clustering of user profiles: A model for classifying individuals based on email interaction and behavioral pat- terns. In: ICISSP (2). pp. 363–374 (2025)

    work page 2025

  27. [28]

    phisher-men

    Welk, A., Hong, K.W., Zielinska, O., Tembe, R., Murphy-Hill, E., Mayhorn, C.: Will the “phisher-men” reel you in? International Jour- nal of Cyber Behavior, Psychology and Learning5, 1–17 (10 2015). https://doi.org/10.4018/IJCBPL.2015100101

    work page doi:10.4018/ijcbpl.2015100101 2015

  28. [29]

    Frontiers in Psychology16, 1637935 (2025)

    Xu, F., Liu, A., Li, X.: Victimization mechanisms and countermeasures in telecom network fraud: A dual-system theoretical perspective. Frontiers in Psychology16, 1637935 (2025). https://doi.org/10.3389/fpsyg.2025.1637935

    work page doi:10.3389/fpsyg.2025.1637935 2025