The Gullibility Scale and susceptibility to phishing

Back in 2015, American journalist and New York Times columnist Frank Bruni wrote a passionate piece on the world of anti-vaxxers, the role the internet may be playing in our collective intelligence and humanity’s propensity to believe everything within indexing reach of a search engine:

Although the Internet could be making all of us smarter, it makes many of us stupider, because it’s not just a magnet for the curious. It’s a sinkhole for the gullible. It renders everyone an instant expert. You have a degree? Well, I did a Google search!

I’m fairly sure there has always been a proportion of our species more trusting of others, the good-hearted, happy to put faith in bold assertions, those now dubbed gullible and open to exploitation. Whether or not the internet can be shown to be making many of us ‘stupider’, it has certainly changed the playing field for the criminally minded.

The late-1970s ‘crime triangle’ offers an easy way to visualise and understand crime problems – three things must exist in order to have a crime: an offender, a victim, and a location. Traditional crime prevention efforts looked to remove one or more aspects of the triangle to decrease the potential for harm – don’t walk through that rough neighbourhood at night and your likelihood of meeting an offender and becoming a victim is reduced. What the internet has done is turn the high-risk rough neighbourhood from a known geographic location with visual warning signs into a far larger area with fewer clues to detect danger and take early evasive action.

If location is harder to address, why not look to identify and assist potential victims? That has been the intent behind the Security Quotient research and it’s great to see a similar strategic effort underway at Macquarie University in Sydney to identify susceptibility to scams.

‘Gotcha! Behavioural validation of the Gullibility Scale’ looks to develop a similar psychometric scale to test and identify those who may fall victim to online harms.

The scoring construct – using HEXACO personality factors, Need for Cognition, Need for Closure, Sense of Self, and the Gullibility Scale – has some potential symmetry to other international efforts including the researchers at the Universities of Cambridge and Helsinki who have developed the ‘Susceptibility to Persuasion II (StP-II)’ test that can be used to predict who may be more likely to become a victim of cybercrime.

In short, research on 219 undergraduate students found:

  • Participants scored as gullible were more likely to engage with scam emails by clicking on links.
  • Gullibility was also associated with emotionality and a poor sense of self.

Examining emotionality more closely, “people who are naturally inclined to be more emotionally reactive are consequently more likely to be persuaded by scam material.”

This emotional reactivity can be linked to feelings of stress, anger or pain and may lead to impulsive behaviour with potential poor outcomes – the archetypal decision made in the heat of the moment. Chris Hadnagy, my favourite social engineer, has talked at length about phishers using ‘amygdala hijacking’ to trigger physiological and psychological responses before the brain has time to kick in.

Could reading your emails in a heightened ‘fight-or-flight’ state lead to poor outcomes? There are certainly links to the UK’s Take Five fraud prevention campaign, which highlights the need to stop, think and challenge your initial emotional response to email- and phone-based deception offences.

It will be interesting to follow the work of the team in Australia and see how their Gullibility Scale develops.

Applying the Security Quotient score: Identifying high-risk individuals who may be predisposed to falling victim to cybercrime

Over the course of undertaking this research, it has become clear that there is significant potential to use ‘cyber psychology’, in the form of the Security Quotient scale, to identify high-risk individuals who may be predisposed to fall victim to common socio-technical attacks like phishing and internet scams.

A simple psychometric test that also allows for demographic, health and lifestyle factors and how they may shape risk appetite and risk perception could be used to target cybercrime prevention and intervention efforts to a subset of individuals at the greatest risk of victimisation. Such efforts could deliver real harm reduction across both social and financial domains of wellbeing.

Second stage methods utilised both the psychometric scales and demographic survey response data and identified the following preliminary findings:

  • SeBIS, CFC-F and DOSPERT-R scale scores were used to identify 11 Very High Risk individuals from 103 validated survey responses.
  • 36% of those identified had previously suffered a financial loss due to cybercrime; all bar one had experienced a security incident.
  • More than half did not exercise and the remainder did significantly less than the study average (2hrs 5 mins).
  • Individuals who had suffered the highest number of incidents were more likely to smoke, take less exercise and not be saving towards their future.
  • They were also significantly younger than the survey median age at 33.8 (Millennials).
  • 55% of smokers and 42% of those who did not invest in their future via Kiwisaver or other channels had suffered a financial loss, compared with a survey average of 21%.
  • 50% of those unemployed and looking for work had been a victim of cybercrime and had suffered a financial loss.

Data analysis identified two groups of note – 22 ‘Victors’ and 20 ‘Victims’ – based on self-reported answers to the second survey:

Victors: those who reported suffering no incidents or losses were older, predominantly female, less likely to smoke, keen investors and avid exercisers. They scored 4% better at online safety and security practices (SeBIS) than the study average, were slightly more future focused (CFC-F), and had a 9% lower risk appetite than the study average (DOSPERT-R).

Victims: those who had lost money were more likely to be smokers, not actively investing, and risk takers by nature. They were less confident at online safety and security practices than the study average, scoring 10% below the Victors (SeBIS), and their risk appetite was 16% higher than the Victors.

In summary, the first two scales offer good ‘predictive’ insights into security knowledge and ability and future focused behaviour – Very High Risk (VHR) individuals are ‘correctly’ identified to some extent as victims of cybercrime. For DOSPERT-R, there appears to be a sweet spot at the start of the High Risk band; VHR recreational risk takers identified by the DOSPERT-R scale appear to be resilient ‘Victors’. Combining the three scale scores via weighting or other means is required to produce a final Security Quotient metric.
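As an added illustration of the combining step described above (not the study’s own code, and not its final weighting, which the text says is still to be decided), the following Python sketch shows one way three scale scores could be folded into a single risk metric and band: each scale is z-scored against the sample, signed so that a higher value always means higher risk (SeBIS and CFC-F protective, DOSPERT-R risk-raising), weighted equally, then cut into bands. The participant rows, the equal weights and the band cut-offs are all constructed assumptions.

```python
"""Composite risk banding from three psychometric scale scores.

Illustrative only: the sample rows, equal weights, score directions and band
cut-offs are assumptions, not the study's published Security Quotient model.
"""
from statistics import mean, pstdev

# Constructed sample: (participant_id, SeBIS, CFC-F, DOSPERT-R). Not study data.
SAMPLE = [
    ("p01", 4.2, 4.0, 2.1),
    ("p02", 3.1, 3.2, 3.9),
    ("p03", 3.8, 3.6, 2.8),
    ("p04", 2.6, 2.9, 4.4),
    ("p05", 4.0, 4.1, 3.3),
    ("p06", 3.4, 3.0, 3.5),
]

# direction: -1 = higher score is protective, +1 = higher score raises risk.
# Equal weights are an assumed starting point; the study's weighting is open.
SCALES = {
    "sebis": {"direction": -1, "weight": 1 / 3},
    "cfc_f": {"direction": -1, "weight": 1 / 3},
    "dospert_r": {"direction": +1, "weight": 1 / 3},
}

# Assumed band cut-offs on the composite (in sample standard deviations).
BANDS = [(1.0, "Very High Risk"), (0.5, "High Risk"), (-0.5, "Medium Risk")]


def zscores(values):
    """Standardise a column against the sample; a constant column maps to zeros."""
    mu, sd = mean(values), pstdev(values)
    if sd == 0:
        return [0.0 for _ in values]
    return [(v - mu) / sd for v in values]


def composite_scores(rows):
    """Signed, weighted sum of per-scale z-scores, keyed by participant id."""
    columns = {
        "sebis": [r[1] for r in rows],
        "cfc_f": [r[2] for r in rows],
        "dospert_r": [r[3] for r in rows],
    }
    z = {name: zscores(vals) for name, vals in columns.items()}
    scores = {}
    for i, row in enumerate(rows):
        scores[row[0]] = sum(
            SCALES[n]["direction"] * SCALES[n]["weight"] * z[n][i] for n in SCALES
        )
    return scores


def band(score):
    """Map a composite score onto a risk band; anything below the last cut-off is Low Risk."""
    for cutoff, label in BANDS:
        if score >= cutoff:
            return label
    return "Low Risk"


def triage(rows):
    """Return {participant_id: (composite_score, band)} for a set of responses."""
    return {pid: (round(s, 3), band(s)) for pid, s in composite_scores(rows).items()}


if __name__ == "__main__":
    for pid, (score, label) in sorted(triage(SAMPLE).items(), key=lambda kv: -kv[1][0]):
        print(f"{pid}: {score:+.3f}  {label}")
```

A monotone weighting like this cannot express the DOSPERT-R ‘sweet spot’ noted above, where very high recreational risk takers appear resilient; capturing that would need a non-linear term or a separate rule for that band rather than a larger weight.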

Further statistical analysis will help validate these preliminary findings (potential linear, logistic or multinomial regression). The small sample size for the second stage survey makes it difficult to prove that the Security Quotient model is both valid and repeatable. A larger survey dataset is necessary to validate the concept, and two large employers have now provided a further pool of responses to analyse. A larger dataset (1000+) could also allow nationality to be assessed, to evaluate whether Hofstede’s cultural ‘Individualism’ dimension is a protective or risk factor.

The full report to InternetNZ was published in May 2019 as part of the funding proposal; analysis of third stage surveying of 700 participants from two major NZ employers is now underway to validate the Security Quotient model.

Next steps

If the Security Quotient model can be fully validated through final analysis of the third stage survey responses and found to be repeatable, there is the possibility that the approach could be used to target cybercrime prevention and intervention efforts to the subset of individuals at the greatest risk of victimisation.

Future work can also draw on other risk-based modelling approaches, in particular research developed predominantly for commercial underwriting gains in the US personal, life and auto insurance markets, and on known links to other behavioural risks such as financial lending.

The advanced US lending and insurance markets have increasingly targeted indicative aspects of psychometric and behavioural relationships with claims histories and credit scores. Recent research has shown that both outcomes are influenced by sensation-seeking and self-control theories that map onto OCEAN personality traits, which can be measured using the CFC-F and DOSPERT-R scales.

Psycho-social (personality) and biochemical (biological and inheritable trait) links have increasingly been shown to predict risk-taking behaviour, and risk-taking in one realm also maps to risk-taking in others. In our increasingly data-rich environments, insurers in the US are looking to leverage such data as predictors of loss propensity and so evolve the insurance marketplace.