Modeling phishing susceptibility as decisions from experience
Traditional anti-phishing training is often non-personalized and does not typically account for human experiential learning. However, to personalize training, one requires accurate models and predictions of individual susceptibility to phishing emails. The present research is a step toward this goal. We propose an Instance-Based Learning model of phishing detection decision-making, constructed in the ACT-R cognitive architecture. We demonstrate the model’s ability to predict behavior in a frequency training study, and its generality by predicting behavior in another phishing detection study. The results shed additional light on human susceptibility to phishing emails and highlight the effectiveness of modeling phishing detection as decisions from experience. We discuss the implications of these results for personalized anti-phishing training.