Objective: To determine if there are age-related differences in phishing vulnerability and if those differences exist under various task conditions (e.g., framing and time pressure).
Background: Previous research suggests that older adults may be a vulnerable population to phishing attacks. Most research exploring age differences has used limiting designs, including retrospective self-report measures and restricted email sets.
Method: The present studies explored how older and younger adults classify a diverse sample of 100 legitimate and phishing emails. In Experiment 1, participants rated the emails as either spam or not spam. Experiment 2 explored how framing would alter the results when participants rated emails as safe or not safe. In Experiment 3, participants performed the same task as Experiment 1, but were put under time pressure.
Results: No age differences were observed in overall classification accuracy across the three experiments, rather all participants exhibited poor performance (20%-30% errors). Older adults took significantly longer to make classifications and were more liberal in classifying emails as spam or not safe. Time pressure seemed to remove this bias but did not influence overall accuracy.
Conclusion: Older adults appear to be more cautious when classifying emails. However, being extra careful may come at the cost of classification speed and does not seem to improve accuracy.
Application: Age demographics should be considered in the implementation of a cyber-training methodology. Younger adults may be less vigilant against cyber threats than initially predicted; older adults might be less prone to deception when given unlimited time to respond.
Keywords: age; cybersecurity; decision making; designing for the elderly; signal-detection theory.