IAENG International Journal of Computer Science, 38:4, IJCS 38 4 07

Online Phishing in the Eyes of Online Shoppers

Ping An Wang, Member, IAENG

Abstract – Online phishing has been a fast-growing information security risk and concern for e-commerce consumers. However, various levels of uncertainty exist in consumer knowledge and evaluation of online phishing risks. Drawing upon research in decision under risk and uncertainty, this study categorizes an online consumer's knowledge of phishing risks as falling under one of four uncertainty states: known certainty, known uncertainty, unknown uncertainty, and unknowable uncertainty. This research focuses on the effect of the uncertainty level of e-commerce consumers' knowledge of phishing risks on their online purchase intentions and decisions. A series of four group experiments was conducted with the four uncertainty knowledge states as treatments among 120 subjects. The experimental results indicate that consumer willingness to pay to avoid risks and their intention to purchase online vary systematically under different uncertainty levels of knowledge of phishing risks.

Index Terms – E-commerce, intention to purchase, phishing, uncertainties, willingness to pay

I. INTRODUCTION

Phishing has been a serious online risk related to privacy, security, and trust and is still a phenomenon of great practical significance for B2C (business-to-consumer) e-commerce. Phishers often try to lure victims into clicking a spoofed uniform resource locator (URL) pointing to a rogue Web page in order to steal sensitive personal and financial information from unsuspecting online consumers.
There has been considerable research on online risks and consumer decision making in the B2C e-commerce context [2, 23, 30]. However, existing research in this area of online risks primarily focuses on determinants of subjective probability and value and assumes that consumers judge (i) the subjective probability of a loss and (ii) the subjective magnitude of the consequences of the loss, and compute an expectation of loss. A significant problem is that neither the probability of occurrence of online risks nor the consequences of risky events are always known to consumers. For example, the likelihood and consequences of a credit card fraud resulting from an online transaction are not known for sure even to experts. Thus, the question arises as to how online consumers judge phishing risks and decide on online purchases under various uncertain knowledge conditions of the risks.

Manuscript draft was received on August 15, 2011; revised and resubmitted on August 23, 2011.

Ping An Wang, PhD, is Professor of Computer Information Technology at Allegheny County College South Campus in Pittsburgh, PA 15122, USA (Contact phone: 412-469-6320; Contact email: [email protected]).

This study argues that consumer decisions in risky online environments are made under uncertain conditions where risk probability information is imprecise, vague, or ambiguous. Based on research in decision under risk and uncertainty, this study categorizes an online consumer's knowledge of the phishing risk as falling under one of four fine-grained uncertainty states: known certainty, known uncertainty, unknown uncertainty, and unknowable uncertainty.
An online consumer's risk evaluation and purchase intention and decision are strongly affected by his or her assumption about the variant of uncertainty regarding the extent and severity of the phishing security risk involved in the online transaction.

The primary goal of this research is to investigate how varying degrees of uncertainty in online consumers' knowledge of phishing risks affect their judgment of and behavioral response to the risks. Section II below reviews relevant information systems (IS) literature on decision under risk and uncertainty. Section III discusses the research model and the proposed hypotheses. Section IV introduces the experimental method used for the study. Section V reports the data analysis and findings. Section VI concludes the paper.

II. LITERATURE REVIEW

There has been considerable IS research interest in decision under uncertainty and the impacts of online security risks. However, no systematic model and approach have been available to address the impacts of varying uncertainties of knowledge of online information security risks on consumer decision making in the B2C e-commerce context. The theoretical basis for prior research on decision under risk and uncertainty primarily falls into three categories: utility theory, attitudinal theories, and the psychometric paradigm.

A. Risk Studies Based on Utility Theory

The classical notion of risk in decision theory is primarily modeled using utility theory. Utility theory assumes that people are rational and should choose the option that maximizes expected utility, the probability-weighted payoff. Utility theory also assumes that all risk probabilities and payoffs are known to a point estimate; it does not allow for ambiguity, a variant form of uncertainty. In reality, however, uncertainty does occur when risk probabilities or payoffs are missing or unknown.
The subjective expected utility (SEU) model of utility theory proposed by Savage argues that people's subjective preferences and beliefs, rather than objective probabilities, are used in the evaluation of an uncertain

(Advance online publication: 12 November 2011)
knowledge. Slovic further suggested that the level-of-knowledge attribute seems to influence the relationship between perceived risk, perceived benefit, and risk acceptance. However, he did not distinguish different degrees of uncertainty. Also, his study did not touch upon any online security or phishing risks for e-commerce.

Nyshadham and Ugbaja used psychometric techniques to study how B2C e-commerce consumers organize novel online risks in memory. The study called for further analysis to define the risk dimensions. Using the psychometric paradigm, Gabriel and Nyshadham studied perceptions of online risks that affect online purchase intentions in the B2C e-commerce environment. The focus of the study was to develop a taxonomy of online risks and construct a cognitive map of online consumers' risk perceptions and attitudes. The results suggested that knowledge of risks is an important parameter of online risk perceptions. However, the study did not focus on the variable of knowledge and did not go into a fine-grained notion of risk probability.

Glover and Benbasat proposed a "comprehensive model of perceived risk" for e-commerce transactions, followed by a field study of online participants. Their study indicated the important role of consumer perceptions of risk in online transactions. Their model of perceived risk is driven by a marketing theory of risk and consists of three dimensions: risk of functionality inefficiency, risk of information misuse, and risk of failure to gain product benefit. Consumers' level of risk knowledge is not one of the dimensions or the focus of the study.
Although the information misuse risk dimension seems to be generically inclusive of possible misuse of personal and financial information, the study does not specifically address the online phishing risk.

This research addresses the common limitations of prior studies by focusing on the uncertainty of knowledge of online phishing risks in e-commerce decision making and adopting a fine-grained taxonomy of degrees of uncertainty. The purpose of the study is to measure the effect of knowability of risk on a person's decision making when faced with online phishing risks. Chow and Sarin defined knowability as one's assumption about the availability of information regarding the uncertainty of probability. Decision situations are usually either under certainty or under uncertainty. In contrast to known certainty, Chow and Sarin proposed and distinguished three types of uncertainty: known, unknown, and unknowable. This categorization of uncertainties of risk knowledge is the theoretical basis for this study. Accordingly, the uncertainties are broken down into four levels or degrees of conditions: known certainty, known uncertainty, unknowable uncertainty, and unknown uncertainty. Table I below defines the four degrees of uncertainty with examples.

Table I. Uncertainties of Risk Knowledge

Degree of Uncertainty | Definition | Example
Known Certainty | Information on all attributes and alternatives is available. | A vendor guarantees that none of its online transactions involves phishing, due to a strong online security mechanism.
Known Uncertainty | Risk probability is precisely and officially specified. | It is officially confirmed that 3% of online transactions with the vendor involve phishing.
Unknowable Uncertainty | Risk probability is unavailable to all. | It is impossible for anyone to know exactly what percentage of online transactions with the vendor involves phishing.
Unknown Uncertainty | Risk probability is missing to one but may be possessed by others. | The public is only told that less than 5% of online transactions with the vendor involve phishing. But the exact percentage is not disclosed.

III. RESEARCH MODEL

The research model, shown in Fig. 1 below, is used to guide this study. The model is based on the model initially proposed and updated by Wang [32, 33].

Fig. 1. Research Model. (Degrees of Uncertainties: Known Certainty, Known Uncertainty, Unknowable Uncertainty, Unknown Uncertainty -> Evaluation of Phishing Risks -> Willingness to Pay (WTP), Intention to Purchase (ITP).)
The research model is contextualized for the different degrees of uncertainty of risk knowledge. The construct of phishing risk evaluation reflects consumers' subjective beliefs and judgment of online phishing risks and protection mechanisms. Decision behaviors under risk are related to people's degrees of knowledge of the risk probabilities. Hogarth and Kunreuther found that people demonstrate different observable behaviors between situations where they do and do not have knowledge about probabilities and outcomes. Thus, this study proposes that the uncertainty level of risk knowledge affects online shoppers' risk evaluation and their intention and decision to purchase under risk.

Known certainty is obviously the ideal knowledge level for decision making. The constructs of the variant uncertainties are based on Chow and Sarin. Chow and Sarin view known uncertainty as the most comfortable uncertainty to people and preferable to vagueness in probability. Unknown uncertainty is less preferable than unknowable uncertainty, and it is the least comfortable level of uncertainty to a decision maker. Unknowable uncertainty, according to Chow and Sarin, is the intermediate comfort level of uncertainty to people and more tolerable than unknown uncertainty. Thus, the following two hypotheses are proposed for this study:

Hypothesis 1: Known uncertainty is preferable to unknowable uncertainty in consumer evaluation of online phishing risks.

Hypothesis 2: Unknowable uncertainty is preferable to unknown uncertainty in consumer evaluation of online phishing risks.

Consumers' behavioral response to online phishing risks consists of willingness to pay (WTP) to avoid the risks and their intention to purchase (ITP) online under the risks. Prior research in decision theory suggests that individuals are willing to pay a premium to avoid uncertainty of risks [6, 24]. The WTP amount is expected to grow as the consumer-perceived phishing risk increases.
In addition, according to the theory of reasoned action (TRA), attitudes and perceptions determine behavioral intentions, which are antecedents to actual behavior. Thus, this study also proposes that ITP is expected to decrease as the perceived phishing risk level increases.

IV. METHODOLOGY

An experimental study was used to test the research model. The degree of uncertainty is the key treatment variable, and WTP and ITP are the primary dependent variables. The design of the experiment and its questions were based on prior experiments developed and pilot tested by Wang.

The experiment for this study was conducted among a total of 120 undergraduate students recruited from a college in the northeastern United States. The subjects were randomly divided into four test groups, each receiving a different uncertainty treatment: known certainty (KC), known uncertainty (KU), unknowable uncertainty (UBU), and unknown uncertainty (UNU). The treatment variable was induced among subjects using hypothetical risk scenarios and vignettes of online phishing scenarios adapted from Wang. Each scenario depicts an online phishing risk corresponding to a different uncertainty degree in Table I above. Based on the vignette, subjects provided judgments on the amount they are willing to pay (WTP) to avoid the phishing risk and their intention to purchase (ITP) online under the risk. An analogy-type manipulation check question was also given to check whether the treatment variable was properly understood by the subject. Table II below shows the manipulation check used for the four experiment scenarios. Demographic data were collected from subjects at the end of the experiment.

Table II. Manipulation Checks for Experiments

Manipulation check question (asked after each vignette): If the phishing risk is compared to the chance of randomly drawing a red ball from an urn of 100 red and black balls mixed together, the scenario given resembles which of the following? Choices are: a, b, c, d.

Legend (knowability levels): KU = Known Uncertainty; UBU = Unknowable Uncertainty; UNU = Unknown Uncertainty; KC = Known Certainty.

KU treatment vignette: A published study concludes that about 3% of online transactions from sites such as E-WizWire involve phishing risks.
Expected answer: a. Out of 100 balls in the urn, 3 are red and the rest are black.

UBU treatment vignette: Research studies have concluded that, while the probability of phishing occurring due to online transactions with firms like E-WizWire is small, it is not possible to compute a reliable estimate of the rate. Thus, there seems to be no way of knowing the probability of phishing risks arising from a transaction.
Expected answer: b. Out of 100 balls in the urn, there is no way of knowing how many are red and how many are black.

UNU treatment vignette: A published summary of a study says that the estimated rate of transactions from firms like E-WizWire leading to phishing is less than 5%. The study was conducted by a coalition of online vendors and computer security firms. The study was privately funded and thus the details of the study are not made available to the public. The exact rate information may be known only to some insiders but unknown to the public.
Expected answer: c. Out of 100 balls in the urn, we only know that the number of red balls is below 5. But most people do not know exactly how many are red and how many are black.

KC treatment vignette: E-WizWire guarantees in writing and with full guarantee that none of their online transactions will involve phishing risks, due to their strong online security mechanism. Should it happen that a transaction with E-WizWire involves phishing risks, the firm will pay all costs to recover any loss at no expense to the user.
Expected answer: d. It is officially announced that there are no red balls out of the 100 balls in the urn.
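The analysis applied to the WTP and ITP responses in Section V (a one-way ANOVA across the four treatment groups, followed by Tukey HSD comparisons of every pair of group means, reported as mean differences with an asterisk for significance at the .05 level) can be reproduced without SPSS. The following is an added example written for this page, not the study's code, data or output: the WTP values, the group labels used as Python keys, the functions one_way_anova, tukey_hsd, means_follow_order and format_table, and the critical value Q_CRIT are all constructed here, and Q_CRIT is a table constant that is only valid for four groups and 16 within-group degrees of freedom.

```python
"""One-way ANOVA followed by Tukey HSD pairwise comparisons, the two
analyses the study applies to WTP and ITP across the four uncertainty
treatments. Added example on constructed data; pure standard library."""
import math
from itertools import combinations
from statistics import mean

# Constructed WTP responses (amount a subject would pay to avoid the
# phishing risk) for four small treatment groups. These are NOT the
# study's data; they are shaped so that most pairs differ but KC and KU
# do not, to show what the HSD threshold actually filters out.
WTP = {
    "KC":  [1.5, 2.5, 2.0, 3.0, 2.5],
    "KU":  [2.0, 3.0, 2.5, 3.5, 3.0],
    "UBU": [5.0, 6.0, 5.5, 5.0, 6.0],
    "UNU": [8.0, 9.0, 9.5, 8.5, 9.0],
}

# Order the hypotheses predict for WTP: the less preferred the
# uncertainty, the larger the premium to avoid it (KC < KU < UBU < UNU).
PREDICTED_ORDER = ("KC", "KU", "UBU", "UNU")

# Studentized range critical value q(alpha = .05; k = 4 groups,
# df_within = 16) from the standard q table. Assumption: this constant
# matches only the group count and degrees of freedom of the data above.
Q_CRIT = 4.05


def one_way_anova(groups):
    """Return (F, df_between, df_within, MS_within) for a dict of samples."""
    all_values = [v for sample in groups.values() for v in sample]
    grand_mean = mean(all_values)
    k, n = len(groups), len(all_values)
    # Between-group sum of squares: distance of each group mean from the
    # grand mean, weighted by group size.
    ss_between = sum(len(s) * (mean(s) - grand_mean) ** 2 for s in groups.values())
    # Within-group sum of squares: spread of subjects around their own mean.
    ss_within = sum((v - mean(s)) ** 2 for s in groups.values() for v in s)
    df_between, df_within = k - 1, n - k
    ms_between = ss_between / df_between
    ms_within = ss_within / df_within
    return ms_between / ms_within, df_between, df_within, ms_within


def tukey_hsd(groups, q_crit):
    """Pairwise mean differences (first minus second, rounded to 4 places)
    with a significance flag: |difference| must exceed
    HSD = q * sqrt(MS_within / 2 * (1/n_a + 1/n_b)).
    This Tukey-Kramer form of the standard error also handles unequal n."""
    _, _, _, ms_within = one_way_anova(groups)
    result = {}
    for a, b in combinations(groups, 2):
        n_a, n_b = len(groups[a]), len(groups[b])
        se = math.sqrt(ms_within / 2 * (1 / n_a + 1 / n_b))
        diff = mean(groups[a]) - mean(groups[b])
        result[(a, b)] = (round(diff, 4), abs(diff) > q_crit * se)
    return result


def means_follow_order(groups, order):
    """True if the group means increase strictly along the given order,
    the direction Hypotheses 1 and 2 predict for WTP."""
    ms = [mean(groups[g]) for g in order]
    return all(x < y for x, y in zip(ms, ms[1:]))


def format_table(pairs):
    """Render pairwise results in the style of the paper's Tables III/IV."""
    lines = ["Pair        Mean diff."]
    for (a, b), (diff, sig) in pairs.items():
        lines.append(f"{a:>3} - {b:<4} {diff:8.4f}{'(*)' if sig else ''}")
    lines.append("* The mean difference is significant at the .05 level.")
    return "\n".join(lines)


if __name__ == "__main__":
    f_stat, df_b, df_w, _ = one_way_anova(WTP)
    print(f"F({df_b}, {df_w}) = {f_stat:.2f}")
    print(format_table(tukey_hsd(WTP, Q_CRIT)))
    print("means increase KC<KU<UBU<UNU:", means_follow_order(WTP, PREDICTED_ORDER))
```

With the constructed data the KC and KU means differ by 0.5, below the HSD of about 1.0, so that pair is left unflagged while the other five are flagged; the study's own Tables III and IV report every pair as significant. For a p-value on the F statistic use scipy.stats.f.sf(F, df_between, df_within), and replace Q_CRIT with the table value for the actual k and df_within whenever the group sizes change.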
V. DATA ANALYSIS AND RESULTS

A total of 120 responses were received from the four group experiments. Three responses were found to have failed the manipulation check question and were excluded from data analysis.

A. Demographics

Basic data on demographics and relevant online experience were collected from the subjects. The data include age, gender, Internet usage, and experience in online purchasing and online credit card payment. The data show that over 90% of the subjects have had prior experience purchasing online and making online payments by credit card. In addition, over 80% of the subjects have used the Internet for four or more years. Over 95% of the subjects use the Internet between 1 and 10 hours per day. The age of the subjects falls between 18 and 50. The gender ratio of the subjects (56% female and 44% male) is very close to the gender ratio of the general student population at the sampled college.

B. ANOVA Results

ANOVA was performed on WTP and ITP using the uncertainty treatment level as the independent variable. The ANOVA results indicate that the subjective estimates of willingness to pay to avoid the online phishing risk and the scale of intention to purchase online are significantly different across the four treatment levels in the experiment. This shows that the uncertainty level has a significant effect on online consumer decisions.

Follow-up post hoc tests were conducted using SPSS to compare the pairwise differences among the means of WTP and ITP. Tables III and IV below display the test output. The test results indicate significant differences across the treatment conditions for both WTP and ITP. Table III suggests that consumers are willing to pay a statistically significant amount of approximately 2.50 to avoid moving from known uncertainty to unknowable uncertainty and approximately 3.50 to avoid moving from unknowable uncertainty to unknown uncertainty in judging online phishing risk scenarios.

Table III. Tukey Post Hoc Tests for WTP (Tukey HSD)
Mean differences recovered from the extracted table, as absolute values (SPSS lists each pair twice with opposite signs):
KU vs UBU: 2.4963 (*)
UBU vs UNU: 3.5135 (*)
KU vs UNU: 6.0098 (*)
KC vs UNU: 8.4601 (*)  (the column label of this Known Certainty cell did not survive extraction; UNU is inferred from its magnitude)
The remaining Known Certainty cells did not survive extraction.
* The mean difference is significant at the .05 level.

Table IV. Tukey Post Hoc Tests for ITP (Tukey HSD)
Mean differences (row minus column):
KC vs KU: 1.2667 (*)
KC vs UBU: 2.8333 (*)
KC vs UNU: 5.2471 (*)
KU vs UBU: 1.5667 (*)
KU vs UNU: 3.9805 (*)
UBU vs UNU: 2.4138 (*)
* The mean difference is significant at the .05 level.

In terms of the ITP measure, Table IV suggests that online consumers have statistically greater intentions to purchase online under reduced uncertainty conditions. Table IV shows that the average intention to purchase under the known uncertainty condition is 1.5667 greater than that under the unknowable uncertainty condition. The average ITP under unknowable uncertainty is 2.4138 greater than that under the unknown uncertainty condition.

VI. CONCLUSION

This study proposed a fine-grained approach to understanding variant degrees of uncertainty in consumer knowledge of online phishing risks. The goal of the study was to investigate the effect of varying levels of uncertainty on B2C e-commerce consumer decision making in online purchasing. The experimental results provided empirical support for the research model and the hypotheses of this study. The findings suggest that consumer judgment of online phishing risks and intention to purchase vary systematically with the uncertainty conditions of their risk knowledge. The pairwise differences for WTP and ITP indicate that consumers prefer known uncertainty over unknowable uncertainty over unknown uncertainty, in this order, in judging online phishing risks.
This study can be further extended to future studies of other online security risks involving decision under uncertainty.

A practical implication of the findings of this study is for B2C e-commerce vendors. The research suggests that online vendors may increase consumer intention to purchase by lowering uncertainty and presenting online phishing risks with more precise risk probability and outcome estimates. Such estimates must be ones the vendor can stand behind: the known-certainty vignette in Table II pairs its guarantee with full reimbursement of any loss. B2C e-commerce consumers will find this research model and its findings helpful in improving their knowledge of online phishing risks and enhancing their online purchase decision process.

There could be promising further research in this area. One valuable research topic could be to develop a more comprehensive model of how B2C e-commerce consumers view and respond to online phishing risks. This model could incorporate not only the dimension of risk knowledge but also attributes of personal characteristics and the decision task. The study by Cai and Xu found that aesthetic design qualities such as color, graphics, and the layout of an online shopping site have an important effect on consumers' online shopping value and experiences. The future model could also incorporate the variables of the online transaction environment and potentially measure and compare consumers' levels of priority among various concerns and risks in e-commerce transactions. Chan and Chen developed a driving aptitude test to predict one's performance for safe and quality driving. Similarly, an anti-phishing aptitude test could be developed to measure B2C e-commerce consumers' knowledge of online phishing risks and predict their performance in online purchase decisions.

REFERENCES

[1] A. Acquisti and J. Grossklags, "Uncertainty, Ambiguity and Privacy," Proceedings of the 4th Annual Workshop on Economics and Information Security, 2005, pp. 1-21.
[2] A. Bhatnagar, S. Misra, and H.R. Rao, "On Risk, Convenience, and Internet Shopping Behavior," Communications of the ACM, vol. 43, no. 11, 2000, pp. 98-105.
[3] I. Bose and A.C.M. Leung, "Unveiling the masks of phishing: Threats, preventive measures, and responsibilities," Communications of the Association for Information Systems, vol. 19, 2007, pp. 544-566.
[4] S. Cai and Y. Xu, "Designing Not Just for Pleasure: Effects of Web Site Aesthetics on Consumer Shopping Value," International Journal of Electronic Commerce, vol. 15, no. 4, 2011, pp. 159-187.
[5] A.H.S. Chan and K. Chen, "The Development of a Driving Aptitude Test for Personnel Decisions," Engineering Letters, vol. 19, no. 2, May 2011, pp. 112-118.
[6] C.C. Chow and R.K. Sarin, "Known, Unknown, and Unknowable Uncertainties," Theory and Decision, vol. 52, 2002, pp. 127-138.
[7] T. Dinev and Q. Hu, "The Centrality of Awareness in the Formation of User Behavioral Intention toward Protective Information Technologies," Journal of the Association for Information Systems, vol. 8, July 2007, pp. 386-408.
[8] D. Ellsberg, "Risk, Ambiguity and the Savage Axioms," Quarterly Journal of Economics, vol. 75, 1961, pp. 643-669.
[9] B. Fischhoff, P. Slovic, and S. Lichtenstein, "How Safe is Safe Enough? A Psychometric Study of Attitudes Towards Technological Risks and Benefits," Policy Sciences, vol. 9, no. 2, 1978, pp. 127-152.
[10] M. Fishbein and I. Ajzen, Belief, Attitude, Intention, and Behavior: An Introduction to Theory and Research, Reading, MA: Addison-Wesley, 1975.
[11] C.R. Fox and A. Tversky, "Ambiguity Aversion and Comparative Ignorance," The Quarterly Journal of Economics, vol. 110, no. 3, 1995, pp. 585-603.
[12] I.J. Gabriel and E. Nyshadham, "A Cognitive Map of People's Online Risk Perceptions and Attitudes: An Empirical Study," Proceedings of the 41st Annual Hawaii International Conference on System Sciences, 2008, Big Island, HI, pp. 274-283.
[13] S. Garera, N. Provos, M. Chew, and A.D. Rubin, "A framework for detection and measurement of phishing attacks," WORM'07, November 2, 2007, Alexandria, VA, pp. 1-8.
[14] I. Gilboa and D. Schmeidler, "Maxmin Expected Utility with Non-unique Prior," Journal of Mathematical Economics, vol. 18, 1989, pp. 141-153.
[15] S. Glover and I. Benbasat, "A Comprehensive Model of Perceived Risk of E-Commerce Transactions," International Jo