Security Risk Scale: A Case of Email Phishing Detection using Text Mining

The rise of cybersecurity defense has led to threat actors needing to deploy more resources to break into systems. However, the human factor remains the weakest link for system penetration through social engineering techniques, especially when phishing is used. While cybersecurity and risk management go hand in hand, a measure of the risk posed by the threats in our environment is a crucial control factor. In this study, an experimental test was conducted on 327 simulated phishing tests with probable responses of mail users. Our goal was to determine the emotion that triggers interaction when a false email is used to trick victims into unintentionally submitting data, providing unauthorized access to the mail server. Four major causes of successful phishing attacks where emotions are triggered were found to be the manipulation of curiosity, fear, authority, and empathy. For enhancing phishing detection, we proposed a framework that dynamically scales the security risks resulting from the social engineering attack through the content of the phishing email received in real time. Although the technical controls have proven to be far more effective in securing systems, the framework provides administrative techniques with risk scales that organizations with mail servers can use to train their staff and resolve the ever-growing security problem of social engineering attacks through phishing emails.