ABSTRACT:
User susceptibility to phishing messages on social media is a growing information security concern. Contingency factors that can influence this susceptibility and the theoretical mechanisms through which they operate need more scholarly attention. To bridge this gap, we present a temptation and restraint (TR) model (a specific manifestation of the dual–system theory) of social media phishing susceptibility, which explains it as an outcome of a struggle between users’ temptation toward engaging with a social media phishing message and their cognitive and behavioral restraint against it. The balance in this struggle is a function of various situational contingencies. First, via a Delphi study, we identify four key situational contingency factors in the context of social media that can influence this balance: (1) poor sleep quality, (2) social media ostracism, (3) source likability, and (4) fear appeals. Next, via five randomized controlled experiments using an ostensible social media paradigm with social media users, we show that the TR model explains (a) why and how users engage with social media phishing messages, and (b) when users are more or less susceptible to it based on key situational contingency factors. Our findings offer a nuanced perspective on social media phishing susceptibility, elucidate the fundamental roles of situational contingencies in the genesis of social media phishing victimization, and delineate important directions for future research in this area
Key words and phrases: Online phishing, temptation and restraint, social media, phishing susceptibility, situational contingency, Dual-System Theory