Saved in:
Bibliographic Details
Main Authors: Formisano, Valeria, Gentile, Danilo, Mocerino, Gennaro Esposito, Ponticorvo, Michela, Gallo, Luigi, Botta, Alessio, Marocco, Davide
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2605.21246
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866917516687704064
author Formisano, Valeria
Gentile, Danilo
Mocerino, Gennaro Esposito
Ponticorvo, Michela
Gallo, Luigi
Botta, Alessio
Marocco, Davide
author_facet Formisano, Valeria
Gentile, Danilo
Mocerino, Gennaro Esposito
Ponticorvo, Michela
Gallo, Luigi
Botta, Alessio
Marocco, Davide
contents Phishing remains one of the most pervasive cybersecurity threats, shifting the focus from technological vulnerabilities to human cognitive and psychological factors. In coherence with the trend of studies on phishing to increasingly focus on human aspects and vulnerable users profiling, this study investigates the multidimensional nature of user susceptibility by analyzing data from the Spamley dataset, involving 1,086 participants evaluated through a realistic phishing detection task. Using Exploratory Factor Analysis (EFA), five latent constructs were identified, named: Seniority, Expertise, Creativity, Stability, and Vulnerability. Behavioral findings, validating self-reported impulsivity through its negative correlation with response times, demonstrate that faster decision-making significantly distinguishes vulnerable users from resilient ones. A K-Means clustering procedure, driven by the dimensions of Seniority (F1) and Creativity (F3), revealed two distinct user profiles: the Aware User and the High-Risk User. The results demonstrate that technical knowledge alone is insufficient to guarantee resilience; rather, the interaction between operational maturity, decision-making speed, and cognitive approach determines effectiveness. The findings suggest that the majority of users fall into the High-Risk category, characterized by hasty evaluation processes and lower critical analysis. These results underline the urgent need to move beyond "one-size-fits-all" training toward personalized, adaptive cybersecurity programs that actively address cognitive biases and behavioral tendencies.
format Preprint
id arxiv_https___arxiv_org_abs_2605_21246
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Profiling User Vulnerability to Phishing Through Psychological and Behavioral Factors
Formisano, Valeria
Gentile, Danilo
Mocerino, Gennaro Esposito
Ponticorvo, Michela
Gallo, Luigi
Botta, Alessio
Marocco, Davide
Cryptography and Security
Computers and Society
Phishing remains one of the most pervasive cybersecurity threats, shifting the focus from technological vulnerabilities to human cognitive and psychological factors. In coherence with the trend of studies on phishing to increasingly focus on human aspects and vulnerable users profiling, this study investigates the multidimensional nature of user susceptibility by analyzing data from the Spamley dataset, involving 1,086 participants evaluated through a realistic phishing detection task. Using Exploratory Factor Analysis (EFA), five latent constructs were identified, named: Seniority, Expertise, Creativity, Stability, and Vulnerability. Behavioral findings, validating self-reported impulsivity through its negative correlation with response times, demonstrate that faster decision-making significantly distinguishes vulnerable users from resilient ones. A K-Means clustering procedure, driven by the dimensions of Seniority (F1) and Creativity (F3), revealed two distinct user profiles: the Aware User and the High-Risk User. The results demonstrate that technical knowledge alone is insufficient to guarantee resilience; rather, the interaction between operational maturity, decision-making speed, and cognitive approach determines effectiveness. The findings suggest that the majority of users fall into the High-Risk category, characterized by hasty evaluation processes and lower critical analysis. These results underline the urgent need to move beyond "one-size-fits-all" training toward personalized, adaptive cybersecurity programs that actively address cognitive biases and behavioral tendencies.
title Profiling User Vulnerability to Phishing Through Psychological and Behavioral Factors
topic Cryptography and Security
Computers and Society
url https://arxiv.org/abs/2605.21246