
Decision Support Systems 45 (2008) 897-912

Contents lists available at ScienceDirect

Decision Support Systems

journal homepage: www.elsevier.com/locate/dss

Assessing anti-phishing preparedness: A study of online banks in Hong Kong


Indranil Bose, Alvin Chung Man Leung
Room 730 Meng Wah Complex, School of Business, The University of Hong Kong, Pokfulam Road, Hong Kong

Article info

Article history: Received 4 August 2007; Received in revised form 24 January 2008; Accepted 5 March 2008; Available online 13 March 2008

Keywords: Accessibility; Anti-phishing; Anti-phishing preparedness; Assessment; Banking industry; Hong Kong; Information content; Usability; Web site analysis

Abstract

Phishing has enormous impacts on the financial industry. This research aims to investigate the anti-phishing preparedness of banks in Hong Kong. Web sites of registered Hong Kong banks are analyzed. Information related to phishing and anti-phishing measures adopted by banks is gathered, and scores are assigned to banks according to a model measuring accessibility, usability, and information content. A combined score is computed for each bank by measuring the average performance of the bank's Web site in all three aspects. The analysis revealed that banks in Hong Kong were generally prepared for countering phishing attacks, and separated out into three clusters that differed in terms of accessibility. The research identified that phishing information was easier to access and was richer in content and coverage compared to information related to anti-phishing measures. Although banks attached importance to information related to anti-phishing measures, they needed to improve the accessibility of such information on their Web sites and needed to provide information on anti-phishing measures corresponding to all possible types of phishing attacks, including malware and phishing e-mail.

© 2008 Elsevier B.V. All rights reserved.

1. Introduction

Phishing is an identity fraud with a short history of 12 years [38] but a tremendous growth rate of 74.0% from September 2006 to September 2007 [4]. It is defined as a form of social engineering in which an attacker, also known as a phisher, attempts to fraudulently retrieve legitimate users' confidential and sensitive credentials by mimicking electronic communications from a trustworthy or public organization in an automated fashion [37]. It is known that 5% of recipients of phishing e-mails have fallen into the trap [55]. The financial sector is the most popular target of phishing, with 91.3% of phishing scams targeted at this industry in September 2007 [4]. The financial loss to the entire business sector has been huge, with a direct financial loss of US$1.2 billion [52,53]. With the increasing popularity of electronic commerce, which is expected to exceed US$1 trillion globally [41], phishing is becoming more and more prevalent.

* Corresponding author. Tel.: +852 2241 5845; fax: +852 2858 5614. E-mail addresses: bose@business.hku.hk (I. Bose), alvincm@gmail.com (A.C.M. Leung).
0167-9236/$ - see front matter © 2008 Elsevier B.V. All rights reserved. doi:10.1016/j.dss.2008.03.001

Online security, privacy, and confidentiality are often listed as key concerns of customers in many surveys conducted in the field of e-commerce [21,35]. In a survey conducted by the European Electronic Messaging Association, 79% of interviewees indicated that security was their top concern [68], while 91% of online account holders expected stronger online authentication mechanisms from their service providers in a survey conducted by RSA [66]. The results showed that people were becoming more and more conscious about the safety of online transactions. It is believed that service providers who fail to address security concerns might shatter the trust of their customers. The banking industry is chosen as the target for this study. Banks generally perceive interruption, interception, modification, and fabrication as serious online threats [42]. Hong Kong is a major international hub of the financial sector and the headquarters of various financial institutions. With the increasing use of broadband connections and Internet banking, Hong Kong has witnessed a growing trend in e-mail related frauds, especially during the holiday season [63]. Several phishing incidents that have occurred in Hong Kong have drawn the attention of the global financial sector [10,67]. 12 people were arrested in Hong Kong for stealing HK$600,000 in a phishing scam targeted at HSBC in 2004 [67], and 14 suspects were apprehended by the Dutch police for hosting a phishing Web site similar to that of ABN AMRO Hong Kong in 2007 [50]. According to RSA's Monthly Online Fraud Report, Hong Kong moved from the third to the second position by hosting 15% of the reported phishing attacks related to US brands in April 2007. This was a significant increase over a figure of hosting only 2% of phishing attacks in February 2007 [8]. In this research, we investigate the preparedness of banks in Hong Kong in the face of potential phishing attacks. We study the variety of information related to phishing and anti-phishing measures provided by the banks on their official Web sites and provide judgment on the quality of the Web sites containing that information. The establishment and maintenance of trust is critical for businesses, especially online businesses, where customers cannot verify the quality of products in advance [11,30,40]. Failure to establish trust may discourage customers from engaging in online transactions that risk disclosure of personal information [7,34,39]. Therefore, phishing is a major enemy of e-commerce service providers. Better preventive mechanisms against phishing are essential for all online service providers. The primary objective of this research is to assess the anti-phishing preparedness of banks in Hong Kong based on the security information available on their official Web sites. We sought to answer the following three questions: (1) How well do banks present the different types of anti-phishing information, which can be categorized into phishing information and anti-phishing measures? (2) How do banks perform in terms of accessibility, usability, and content of this information? (3) What is the status of the overall anti-phishing preparedness of banks?

2. Review of literature

This research addresses the assessment of phishing preparedness of banks based on information available on their Web sites. In this section the literature related to this research is discussed under three headings. The various mechanisms of phishing attacks and the plethora of methods that are used to counter these attacks are discussed first. Next, we review the literature that established the criteria to be used for assessing Web sites. The last part justifies the choice of metrics for assessment of anti-phishing preparedness, namely, accessibility, usability, and information content.

2.1. Phishing and anti-phishing

Phishing consists of several stages. The Financial Services Technology Consortium (FSTC) decomposed the phishing lifecycle into six stages, namely, Planning, Setup, Attack, Collection, Fraud, and Post-Attack [74], while McAfee summarized it into e-mail retrieval, fraudulent e-mail generation, and harvesting personal information via malicious attachments, forms, or Web site visits [71]. Phishing attacks can be categorized into malware, phishing e-mail, bogus Web sites, and identity theft. Malware is defined as programs that are designed to perform intentional unauthorized actions [45]. Malware, including viruses, Trojans, and JavaScript code that performs cross-site scripting attacks [31], is commonly used in phishing by attaching it to e-mails or embedding it in phishing sites to steal victims' private information surreptitiously. Anti-virus, anti-Trojan, and anti-keylogger tools are useful against them. Phishing e-mail is another common channel for the proliferation of phishing messages. Phishers pretend to be a trusted third party, send mass e-mail to the public, and ask recipients to reply with confidential information or click on an attached hyperlink leading to a phishing Web site. Gartner estimated that 2 million people had been enticed to release their sensitive information [61]. Another emerging trend is phishing attacks via Internet Relay Chat [47]. In order to deter such phishing attacks, one effective method is to adopt authentication of incoming e-mails [6], for instance, digitally signed e-mail for verification of company identity [25]. Many companies such as Cisco Systems, Microsoft, and Yahoo advocate mechanisms to authenticate the source of incoming e-mails [49]. Mechanisms like Sender Policy Framework, DomainKeys, and SenderID have been suggested for providing authentication [73]. Making use of alias e-mail addresses is also useful for minimizing the consequences [44]. The third channel of phishing attacks is via bogus Web sites. Phishers first build a Web site which looks very similar to that of a trusted third party and then invite the general public to log onto the bogus site by giving away confidential information for verification. In order to combat this attack, it is important to ensure that a digital server certificate exists for the site that is being visited. Measures such as trusted-path-ensured browsers are also useful to deter such phishing attacks [16]. After obtaining users' confidential information such as user name and password from an online banking Web site, phishers commit identity theft by impersonating the victim at the Web site of the bank they mimic. Two-factor authentication, in the form of hardware security tokens, one-time passwords, and digital certificates, and zero-knowledge proofs are effective in deterring identity theft. Table 1 provides a summary of the four types of phishing attacks and the possible anti-phishing measures that are adopted to counter them. To better prevent phishing, both customers and companies have responsibilities to protect their own assets. Van der Merwe and Bekker outlined five anti-phishing strategies for service providers, namely, education, preparation, avoidance, intervention, and treatment [72]. Anti-phishing measures such as technology based tools (as listed in Table 1) and corporate

Table 1. Summary of phishing attacks and possible anti-phishing measures

Phishing attack | Possible anti-phishing measures
Malware | Firewall; Anti-virus; Anti-keylogger; Anti-Trojan
Phishing e-mail | Alias e-mail address; Digitally signed e-mail
Bogus Web sites | Digital server certificate; Trusted path ensured browser
Identity theft | Two-factor authentication (Hardware security box; One time password; Personal certificate); Zero knowledge proof


policies dealing with online transactions are effective measures to deter phishing in the latter four strategies. Apart from them, companies should impart knowledge about these measures to customers. It has been suggested in some research studies that disclosing security and privacy policies, technologies, and refund or replacement policies can boost trust and retain the confidence of customers [14,46]. Among the five strategies suggested by van der Merwe and Bekker, education is the most important. In a survey, it was found that less than 70% of respondents from the UK and Australia were familiar with the term phishing [66]. This showed the need for companies to alert customers about phishing and to educate them on ways to handle such attacks.

2.2. Assessment of commercial Web sites

Commercial Web sites are the major channel of communication between companies and customers. Web sites support five main objectives of marketing, namely, brand image, corporate philosophy, direct response, retail sale, and index of samples [17]. Perception of Web sites is also found to be an antecedent factor of e-trust and affective reactions [36]. As customers' perception of Web sites is critically important for companies [51], many studies have been conducted to determine what factors make a Web site successful. It is well known that user satisfaction is an important criterion of Web site success apart from technology utilization [26,29]. Furthermore, Eighmey found that playfulness, clarity of purpose, timeliness, and the approach to presenting information are Web site success factors [18], whereas according to Palmer speed of access, navigation, content, interactivity, and responsiveness are the most influential factors [64]. In the context of e-commerce, Liu and Arnett stated that apart from being secure, a successful Web site should be attractive, trustworthy, dependable, reliable, and capable of generating customer satisfaction [54]. In the domain of Internet banking, it was found that perceived usefulness, perceived Web security, and perceived ease of use are determinant factors for use of Internet banking [9]. In fact, there is more than one measure of Web site success. However, the common theme of the existing research is that satisfying customers' needs is a prime criterion of success. D'Ambra and Rice found that intrinsic purposes such as fun and hobbies and extrinsic purposes such as finding information, avoiding shopping costs, and finding hard-to-locate information usually had positive impacts on the overall Web site experience [13]. Therefore, to evaluate the success of a Web site, we need to consider whether the Web site possesses features that satisfy both intrinsic and extrinsic purposes of customers. To assess commercial Web sites, many frameworks have been proposed by researchers. Ho analyzed values of commercial Web sites using a framework that included criteria like timeliness, custom, logistics, and seasonal factors [33]. Elliot et al. also proposed a model to evaluate Web content such as company information, product/service promotion, transaction processing, and customer service [20]. Olsina et al. proposed a Web site Quality Evaluation Method (QEM) based on functionality, usability, efficiency, and site reliability [62]. The quantitative Web Assessment Index (WAI) proposed by Gonzalez and Palacios was similar to QEM and was based on criteria such as accessibility, speed, navigation, and content [27]. Findings from the literature indicate that assessment of a Web site should separate information content and system quality as determinants of satisfaction [15]. Keeping this in mind, McKinney et al. proposed a model which separated Web site quality into information quality, to be determined on the basis of relevance, timeliness, reliability, scope, and perceived usefulness, and system quality, to be determined by usability, navigation, and interactivity [57]. Prior research on evaluation of commercial Web sites provides us with a strong foundation for analyzing Web sites. However, assessment metrics in the context of anti-phishing preparedness were not available in the literature.

2.3. Criteria for assessment of anti-phishing preparedness

There are many articles related to assessment of commercial Web sites. We aggregated measures from various studies into our model for assessment of phishing related preparedness. Web information quality and Web system quality are both essential factors in analyzing information available on the Web [57]. Web information quality is measured by content-specific factors such as relevance, timeliness, reliability, scope, and perceived usefulness, whereas Web system quality is determined by factors such as accessibility, usability, navigation, and interactivity [57]. Based on the metrics of Web information quality, we derived the assessment criterion of information content. From the metrics of Web system quality and from the Web usage and design assessment models developed by Cox and Dale [12] and Van der Merwe and Bekker [72], we developed the assessment criteria for accessibility and usability. Table 2 shows the extraction process of the three criteria from the available literature. Below is a more detailed description of the main components of the assessment framework.

Table 2. Metrics of security information assessment

Supporting studies | Accessibility | Usability | Information content
Aladwani and Palvia [1] | Ease of navigation, and search facilities | Proper use of fonts and graphics, graphics-text balance, and style consistency | Usefulness of content, and completeness of content
Delone and McLean [15] | Convenience of access | Readability, clarity, format, and appearance | Understandability
Goodhue [28] | Accessibility, and locatability | Compatibility, presentation, and lack of confusion | Reliability, and level of detail
McKinney et al. [57] | Speed of access, and availability of Web sites | Visual appearance, ease of use, and navigation | Relevance, timeliness, reliability, scope, and perceived usefulness
Strong et al. [69] | Ease of access | Accuracy, objectivity, interpretability, and ease of understanding | Relevancy, completeness, concise representation, and consistent representation


2.4. Accessibility

Accessibility refers to the ease of obtaining a piece of information. For a Web site, accessibility of information may be determined by the number of clicks needed to retrieve it. High accessibility of information of interest to visitors enhances the quality of the Web site [27]. We counted the number of clicks required to reach each piece of information available on the bank's Web site. This indirectly evaluated the perceived importance of each piece of anti-phishing information from the bank's point of view.

2.5. Usability

Usability refers to user-friendliness in accessing Web pages containing different pieces of security information. Apart from product-related information, this is considered to be an important criterion of Web site success [19,60,70]. Good usability may induce trust among customers, while poor usability may dissuade potential customers from using the service provided by the companies and hurt brand image [3,19,58]. Usability is composed of clarity of purpose, interface and design, communication, and navigation. Clarity of purpose, which allows visitors to find out the gist of a Web page, is thought to deliver the greatest benefit to a commercial Web site [18]. Interface and design refer to the overall appearance of Web sites. They are important elements of usability because interface and design flaws such as wrong spelling, inconsistent style, crooked columns, and conflicting colors upset visitors of Web sites [23,59]. When visitors encounter poor interface and design, they consider the company to be careless and incompetent [2,32,39]. Effective communication between customers and company can nurture trust between the parties and facilitate e-commerce [5]. Navigation is an important feature that smooths the process of browsing and locating relevant information on a Web site [22,56]. A usage-oriented hierarchy of navigation structure is found to be of higher usability in knowledge acquisition tasks than a subject-oriented hierarchy [24]. Forrester Research also found that poor navigability of commercial Web sites could result in a 50% loss in potential sales and a 40% loss in repeat visits [27]. In order to measure the different criteria of usability quantitatively, Cox and Dale identified several factors that are suitable for assessment of clarity of purpose, interface and design, and communication [12], whereas van der Merwe and Bekker determined the criteria groups for Interface, Navigation, and Content [72]. By adapting these assessment metrics, we came up with new assessment measures that are useful for evaluation of Web pages containing phishing related information. These are listed in Table 3.

2.6. Information content

Information content includes the materials that are used to present anti-phishing information on the banks' Web sites. Palmer stated that amount of information, variety of information, word count, and content quality are important indicators of information content [64]. In the context of e-commerce, quality of information and method of delivery of information are found to be extremely important [43]. However, Pitt et al. found that the former was more significant for Web usage satisfaction [65]. In the assessment of information content, we devised two measures, namely, information breadth and information depth. We defined information breadth as the variety of anti-phishing information against different phishing attacks (i.e. phishing information and anti-phishing measures) and information depth as the variety of content presentation or presentation methods that facilitated understanding

Table 3. List of criteria for assessment of usability (adapted from [12,72])

Criteria | Essential components

Clarity of purpose: Clear from the start that adequate security measures have been adopted for the company's online banking system, from the official homepage or login page of the company; Security information is clearly structured on the homepage

Interface and design
Links: Correctly described; Change color once used
Consistency: Page layout is similar for each page
Menu: Navigation bars exist; Button to main security page exists on every page
Screens: Does not open new screens
Search: Site map/table of contents exists; Search toolbar exists; Drop-down lists exist; Few and relevant results on one page
Graphic design principles: Web page is concise and clear; Effective use of white space; Effective and consistent use of color; Effective and consistent use of backgrounds; Effective graphics/typeface/color combinations
Graphics and media: Icon is easy to understand; Not excessively used; Size of media has no impact on loading time
Style and text: Consistent style of page; Consistent and easy-to-read typeface; Correct spelling and grammar; Concise and relevant text; Purpose of each Web page made clear from the very beginning

Communication
Text: No endless scrolling pages (i.e. important content can be seen easily from the page without scrolling down too much)
Flexibility and compatibility: Pages sized to fit browser windows; Web content is viewable in different browsers; Web content is not distorted in any browser; Printable version of certain pages available; Text-only version of certain pages available; Foreign language support available; Accommodation made for disabled users (i.e. font size enlarge and minimize button is available)

Navigation
Search engine and help function: Search engine accurate; Good description of search engine findings; No search engine errors; Help function exists
Navigational necessity: No broken links; No under-construction pages; Clear label of current position on site


Fig. 1. Assessment model of anti-phishing preparedness.

of security information (e.g. graphs, charts, tables, and demonstrations).

3. Research framework

In order to achieve our primary objective of assessing the anti-phishing preparedness of banks, we developed a component assessment model of anti-phishing preparedness. The objective of the model was to determine how well an individual bank's Web site presented materials related to security information in the context of anti-phishing. We believe our framework will have a high impact on banking practices by revealing the strengths and deficiencies in the anti-phishing preparedness of banks from the three different perspectives of accessibility, usability, and information content. Individual banks will be able to understand from this framework what qualities they lack in anti-phishing preparedness in comparison to their peers. This may lead to re-design of their Web sites in future so as to make their customers better prepared against the threat of phishing. Based on our preliminary study, the security materials can be categorized into two groups, namely, phishing information and anti-phishing measures. Phishing information is defined as customer-oriented security information in the context of anti-phishing. Such information can be categorized into security alerts, security tips, and jargon glossary. Security alerts refer to precautionary messages listed by companies that enhance the awareness of end users. Security tips refer to advice given to end users with regard to anti-phishing so that they can protect themselves against potential phishing attacks. Jargon glossary refers to simple explanations of security terminology so that it can be understood by novice users. Anti-phishing measures refer to policies, strategies, or tools that have been implemented by banks to deter phishing. They vary from company to company. Examples include digital server certificates and two-factor authentication tools. The research framework is shown in Fig. 1.

3.1. Accessibility

This takes into consideration the number of clicks from a bank's homepage to other pages containing phishing information and information related to anti-phishing measures. Paths leading to the corresponding pages were recorded, and the average number of clicks leading to pages containing the two types of information was computed. The lower the average number of clicks, the less effort is required by customers to locate relevant information on the bank's Web site, and the better the bank's Web site is in terms of accessibility. Accessibility only focused on the ease of reaching different anti-phishing information, and so if a Web site did not contain a particular type of anti-phishing information, that type was not considered in the computation of the final accessibility score.

3.2. Usability

This represents the user-friendliness of each bank's Web site. We split Web pages into groups containing phishing information and anti-phishing measures and assigned scores to individual groups following the usability assessment models of Cox and Dale [12] and Van der Merwe and Bekker [72]. We

Table 6. Assessment criteria of information depth

Measures of information depth
Use of pictures
Use of tables
Use of external links for more detail
Use of animation in demo
Use of questions in FAQ
Use of hyperlinks leading to a section in the same page (for non-FAQ pages)
Use of hyperlinks leading to another page containing security information
Use of white papers/user manuals

Table 4. Assessment criteria of information breadth of phishing information

Types of phishing attacks | Phishing information
Malware | Security tips; Security alerts; Jargon glossary
Phishing e-mail | Security tips; Security alerts; Jargon glossary
Bogus Web sites | Security tips; Security alerts; Jargon glossary
Identity theft | Security tips; Security alerts; Jargon glossary

evaluated the design of the Web page from the perspectives of clarity of purpose, interface and design, communication, and navigation, as shown in Table 3. A score of 1 was assigned if a Web site containing a particular type of anti-phishing security information met the criterion outlined in each category; otherwise a score of 0 was assigned. A binary score rather than a continuous score was used so as to avoid ambiguities related to subjective rating of the extent to which a criterion was met. The average of all criteria scores was computed as the category score, and the average of all category scores was computed as the score for phishing information and for anti-phishing measures. The total usability score was derived by averaging the scores for the two types of information. The assessment criteria contained both objective and subjective measures. Assessment of the subjective measures was based on the authors' personal judgment.

3.3. Information content

Information content was determined by measuring the variety of information (information breadth), based on the categorization of various phishing attacks, and the variety of ways of presenting this information (information depth). For the category of phishing information, we assessed information breadth as shown in Table 4. We measured the variety of information based on the different types of phishing attacks, namely, malware, phishing e-mail, bogus Web sites, and identity theft. For each type of phishing attack, we categorized the information provided by banks into three items, namely, security tips, security alerts, and jargon glossary. A score of 1 was assigned to a sub-category for the presence of information and 0 for its absence. For the category of anti-phishing measures, we assessed information breadth using the criteria listed in Table 5. We measured information depth using the criteria listed in Table 6. For computing the overall score of phishing information, we determined the average of the scores obtained from information breadth and information depth. In the same way we obtained the overall score for anti-phishing measures. For the overall score of information content, we computed the average of a bank's scores for phishing information and anti-phishing measures.

4. Research methodology

The key steps of the research methodology are listed in Fig. 2.

4.1. Step 1: identification of Hong Kong banks

Our research targets were local banks of Hong Kong with Web sites offering retail banking services to local customers. We classified registered banks of Hong Kong into banks with online banking services and banks without online banking services. According to the Hong Kong Banking Authority, there were 133 licensed banks as of August 2006. Among them, 44 had branch offices in Hong Kong while the others had a principal place of business. Among those 44 banks, only 36 had official Web sites. These 36 banks were the subject of the study.

4.2. Step 2: information retrieval and assessment of anti-phishing preparedness

Security information on the banks' Web pages was categorized into phishing information and anti-phishing measures. Based on the two categories, relevant information was retrieved and analyzed from October 2005 to September 2006. Paths leading to the corresponding Web pages were recorded for the assessment of accessibility. The usability features of the Web pages, as outlined in Table 3, were determined. Information content was analyzed as outlined in Tables 4 and 5 under the heading of information breadth. Presentation methods were recorded for the assessment of information depth

Table 5. Assessment criteria of information breadth of anti-phishing measures

Types of phishing attacks | Anti-phishing measures
Malware | Firewall; Anti-virus; Anti-keylogger; Intrusion detection system; Online screen keyboard
Phishing e-mail | Alias e-mail; Digitally signed e-mail; Bank e-mail
Bogus Web sites | Trusted path browser; Customer service/security incident hotline; Digital server certificate
Identity theft | Hardware device; SMS-based one time password; Personal digital certificate; Random session key; Zero knowledge proof; Auto-logoff; Auto-suspension; Last logon time stamp; Security socket 128-bit encryption; Security team; No simultaneous login


Fig. 2. Schematic diagram of research methodology.

as shown in Table 6. The assessment of security information was conducted by the authors. We made the assessment criteria as objective as possible so that the use of subjective judgment was minimal. Furthermore, special domain expertise was not necessary in the assessment process, as we only measured the presence or absence of features on the Web sites. The overall phishing preparedness scores (OP) of individual banks were computed using the three assessment criteria. The details of the process for calculation of the scores are provided below.

$OP_i = (A_i + U_i + IC_i)/3$

where $OP_i$ is the overall phishing preparedness score of bank $i$, and $A_i$, $U_i$, and $IC_i$ are the average scores obtained by bank $i$ in the categories of accessibility, usability, and information content respectively.

$A_i = (PIA_i + AMA_i)/2$
$U_i = (PIU_i + AMU_i)/2$
$IC_i = (PIIC_i + AMIC_i)/2$

where $PIK_i$ and $AMK_i$ ($K = A, U, IC$) are the average phishing information score and the average anti-phishing measures score in the areas of accessibility, usability, and information content for bank $i$ respectively.

$PIA_i = (MA_i + PA_i + BA_i + IA_i)/4$

where $MA_i$, $PA_i$, $BA_i$, and $IA_i$ are the average sub-scores of accessibility of phishing information in the context of malware, phishing e-mail, bogus Web sites, and identity theft for bank $i$ respectively.

$PIU_i = (CPU_i + IDU_i + CMU_i + NVU_i)/4$

where $CPU_i$, $IDU_i$, $CMU_i$, and $NVU_i$ are the average sub-scores of usability for clarity of purpose, interface and design, communication, and navigation for bank $i$ respectively.

$PIIC_i = (IBIC_i + IDIC_i)/2$

where $IBIC_i$ and $IDIC_i$ are the average scores of information breadth and information depth for bank $i$ respectively.

$IBIC_i = (MIB_i + PIB_i + BIB_i + IIB_i)/4$
$IDIC_i = (MID_i + PID_i + BID_i + IID_i)/4$
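The scoring chain above, computed bottom-up for one bank, as an added example that is not the authors' code: all bank data are constructed, and because the excerpt does not say how the click-count accessibility score is rescaled before it is averaged with the 0-1 usability and content scores, the final formula is applied literally to whatever accessibility values are supplied (an assumption).

```python
"""Bottom-up computation of the paper's anti-phishing preparedness score.
Added example, not the authors' code: binary criteria -> category means ->
phishing-information (PI) and anti-phishing-measures (AM) scores -> OP_i."""
from statistics import mean
from typing import Dict, List, Optional

ATTACK_TYPES = ["malware", "phishing_email", "bogus_web_sites", "identity_theft"]
USABILITY_CATEGORIES = ["clarity_of_purpose", "interface_and_design",
                        "communication", "navigation"]        # Table 3
BREADTH_ITEMS = 3   # security tips, security alerts, jargon glossary (Table 4)
DEPTH_ITEMS = 8     # the eight presentation methods of Table 6


def check_binary(values: List[int], what: str) -> None:
    """Only 0/1 scores are allowed, mirroring the paper's binary rating."""
    if any(v not in (0, 1) for v in values):
        raise ValueError(f"{what}: scores must be 0 or 1")


def accessibility_score(clicks: Dict[str, Optional[int]]) -> float:
    """PIA_i (or AMA_i): mean clicks from the homepage over the attack types.
    A type the site does not cover at all (None) is left out of the mean, as
    Section 3.1 prescribes, instead of being counted as zero clicks."""
    present = [clicks[a] for a in ATTACK_TYPES if clicks.get(a) is not None]
    if not present:
        raise ValueError("site carries no information of this kind")
    return mean(present)


def usability_score(criteria: Dict[str, List[int]]) -> float:
    """PIU_i = (CPU_i + IDU_i + CMU_i + NVU_i) / 4: each Table 3 category is
    the mean of its binary criteria, then the four categories are averaged."""
    for cat in USABILITY_CATEGORIES:
        check_binary(criteria[cat], cat)
    return mean(mean(criteria[cat]) for cat in USABILITY_CATEGORIES)


def grid_score(grid: Dict[str, List[int]], items: int, what: str) -> float:
    """IBIC_i = (MIB_i + PIB_i + BIB_i + IIB_i) / 4, and IDIC_i likewise:
    per attack type the mean presence of `items` binary sub-criteria,
    then the mean over the four attack types."""
    for a in ATTACK_TYPES:
        if len(grid[a]) != items:
            raise ValueError(f"{what}/{a}: expected {items} entries")
        check_binary(grid[a], f"{what}/{a}")
    return mean(mean(grid[a]) for a in ATTACK_TYPES)


def information_content_score(breadth: Dict[str, List[int]],
                              depth: Dict[str, List[int]]) -> float:
    """PIIC_i = (IBIC_i + IDIC_i) / 2."""
    return (grid_score(breadth, BREADTH_ITEMS, "breadth")
            + grid_score(depth, DEPTH_ITEMS, "depth")) / 2


def overall_preparedness(pi: Dict[str, float],
                         am: Dict[str, float]) -> Dict[str, float]:
    """A_i, U_i and IC_i average the PI and AM scores of each criterion;
    OP_i = (A_i + U_i + IC_i) / 3. Assumption: the excerpt does not say how
    the click-count A_i is put on the 0-1 scale of U_i and IC_i, so the
    formula is applied to whatever A values the caller supplies."""
    a = (pi["A"] + am["A"]) / 2
    u = (pi["U"] + am["U"]) / 2
    ic = (pi["IC"] + am["IC"]) / 2
    return {"A": a, "U": u, "IC": ic, "OP": (a + u + ic) / 3}


# Constructed phishing-information data for one hypothetical bank (not
# measurements from the paper).
SAMPLE_CLICKS = {"malware": 2, "phishing_email": 2,
                 "bogus_web_sites": 3, "identity_theft": None}
SAMPLE_USABILITY = {"clarity_of_purpose": [1, 1],
                    "interface_and_design": [1, 0, 1, 0],
                    "communication": [1, 0],
                    "navigation": [1, 1, 0, 0]}
SAMPLE_BREADTH = {"malware": [1, 1, 0], "phishing_email": [1, 1, 1],
                  "bogus_web_sites": [1, 0, 0], "identity_theft": [0, 0, 0]}
SAMPLE_DEPTH = {"malware": [1, 1, 0, 0, 1, 0, 0, 1],
                "phishing_email": [1, 1, 1, 0, 1, 0, 0, 0],
                "bogus_web_sites": [1, 0, 0, 0, 0, 0, 0, 1],
                "identity_theft": [0, 0, 0, 0, 0, 0, 0, 0]}
# Constructed anti-phishing-measures side scores for the same bank.
SAMPLE_AM = {"A": 3.0, "U": 0.5, "IC": 0.25}


def score_sample_bank() -> Dict[str, float]:
    """Runs the whole chain for the constructed bank; returns A, U, IC, OP."""
    pi = {"A": accessibility_score(SAMPLE_CLICKS),
          "U": usability_score(SAMPLE_USABILITY),
          "IC": information_content_score(SAMPLE_BREADTH, SAMPLE_DEPTH)}
    return overall_preparedness(pi, SAMPLE_AM)


if __name__ == "__main__":
    for name, value in score_sample_bank().items():
        print(f"{name:>2} = {value:.4f}")
```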

Table 7. List of banks in Hong Kong

Bank ID | Name of bank | Year of establishment in Hong Kong (a) | Total asset 2006 (in million) (b) | Net income 2006 (in million) (b) | No. of employees worldwide in 2007
1 | ABN AMRO Bank N.V. | 1984 | 987,064 Euro | 4,461 Euro | 106,999
2 | American Express Bank Limited | 1984 | 127,853 USD | 3,707 USD | 65,800
3 | Bank of America (Asia) Limited | 1993 | 1,459,737 USD | 21,133 USD | 203,425
4 | Bank of China (Hong Kong) Limited | 1964 | 928,953 HKD | 14,284 HKD | 230,649
5 | Bank of Communications Company Limited | 1948 | 1,719,483 RMB | 12,274 RMB | 67,467
6 | Bank of East Asia Limited | 1918 | 294,202 HKD | 3,486 HKD | 8,653
7 | BNP Paribas | 1984 | 1,440,343 Euro | 7,300 Euro | 141,911
8 | China Merchants Bank Company Limited | 1992 | 934,102 RMB | 6,794 RMB | 23,202
9 | Chiyu Banking Corporation Limited | 1947 | 33,986 HKD | 494 HKD | N/A
10 | Citibank (Hong Kong) Limited | 1965 | 1,500,000 USD (c) | 24,589 USD (c) | N/A
11 | CITIC Ka Wah Bank Limited | 1924 | 102,142 HKD | 1,128 HKD | N/A
12 | Dah Sing Bank Limited | 1947 | 102,037 HKD (d) | 1,201 HKD (d) | 1,701 (c)
13 | DBS Bank (Hong Kong) Limited | 2003 | 44,868 USD | 626 USD | 12,907
14 | First Commercial Bank Limited | 1994 | 48,209 USD | 334 USD | N/A
15 | Fubon Bank (Hong Kong) Limited | 1970 | 53,347 HKD | 327 HKD | 900
16 | Hang Seng Bank Limited | 1952 | 669,064 HKD | 12,346 HKD | 8,625
17 | Hongkong and Shanghai Banking Corporation Limited | 1929 | 3,150,840 HKD | 377,709 HKD | 312,000
18 | Hua Nan Commercial Bank Limited | 1993 | 48,690 USD | 275 USD | N/A
19 | Industrial and Commercial Bank of China (Asia) Limited | 1981 | 146,392 HKD | 1,246 HKD | 346,094
20 | JPMorgan Chase Bank, National Association | 1984 | 1,351,520 USD | 14,444 USD | 179,847
21 | KBC Bank N.V. | 1998 | 132,400 Euro (e) | 3,430 Euro (e) | 50,000 (e)
22 | Liu Chong Hing Bank Limited | 1955 | 63,030 HKD | 503 HKD | N/A
23 | Mevas Bank Limited | 1931 | 102,037 HKD (d) | 1,201 HKD (d) | 1,701 (c)
24 | Nanyang Commercial Bank Limited | 1948 | 97,944 HKD | 1,692 HKD | N/A
25 | Public Bank (Hong Kong) Limited (formerly known as Asia Commercial Bank Limited) | 1995 | 17,233 HKD | 146 HKD | N/A
26 | Shanghai Commercial Bank Limited | 1950 | 93,760 HKD | 1,663 HKD | N/A
27 | Standard Chartered Bank (Hong Kong) Limited | 2003 | 391,042 HKD | 295 HKD | 59,205
28 | United Overseas Bank Limited | 1965 | 161,312 SGD | 2,570 SGD | 21,209
29 | Wing Hang Bank Limited | 1960 | 122,151 HKD | 1,662 HKD | 2,436
30 | Wing Lung Bank Limited | 1956 | 84,981 HKD | 1,606 HKD | 1,520

N/A: Not available.
(a) Data from Hong Kong Company Registry.
(b) Data retrieved from annual report of banks.
(c) Data in 2005 retrieved from Wikipedia.
(d) Data of Dah Sing Banking Group Limited, which consists of one securities trading company, one offshore joint venture, and two subsidiary banks, namely, Dah Sing Bank and Mevas Bank.
(e) Data of KBC Group NV, which is the parent company of KBC Bank.

where $MIB_i$, $PIB_i$, $BIB_i$, and $IIB_i$ are the average sub-scores of information breadth and $MID_i$, $PID_i$, $BID_i$, and $IID_i$ are the average sub-scores of information depth in the context of malware, phishing e-mail, bogus Web sites, and identity theft for bank i respectively. All sub-scores are obtained by dividing the number of features in that category that are present for bank i (presence of each feature generates a score of 1 and absence generates a score of 0) by the total number of features in that category that are considered for bank i. A similar calculation scheme as detailed above is also used for obtaining the scores and sub-scores for $AMA_i$, $AMU_i$, and $AMIC_i$ respectively. It was found that six banks did not possess any information related to phishing or anti-phishing measures and therefore did not have any scores. After removal of those banks, our target research banks were as shown in Table 7.

4.3. Step 3: interpretation and evaluation

When assessment using all three categories was completed, average scores were obtained. Performance of the banks was evaluated by comparing individual scores with the average category score. Based on the score obtained by banks

from the perspectives of accessibility, usability, and information content, some guidelines were listed for bank operators.

5. Results

As shown in Table 8, most banks without online banking did not contain any anti-phishing information at all, with only

Table 8. Profile of banks in Hong Kong

Categories of banks | Number of banks
Banks with Web sites | 36
Banks with online banking | 29
(a) Banks showing both types of information | 25
(b) Banks showing phishing information only | 0
(c) Banks showing anti-phishing measures only | 4
(d) Banks showing no relevant information | 0
Banks without online banking | 7
(a) Banks showing both types of information | 0
(b) Banks showing phishing information only | 1
(c) Banks showing anti-phishing measures only | 0
(d) Banks showing no relevant information | 6


Fig. 3. a. Scatter plot of accessibility. b. Decomposition of phishing information score of accessibility. c. Decomposition of anti-phishing measures score of accessibility.

Table 9. Average scores for assessment of accessibility (number of clicks)

 | Phishing information | Anti-phishing measures | Overall security information
Malware | 2.28 | 2.56 | 2.34
Phishing e-mail | 1.96 | N/A | 1.96
Bogus Web sites | 2.25 | 2.11 | 2.12
Identity theft | 2.17 | 2.44 | 2.31
Overall accessibility | 2.13 | 2.32 | 2.15

one bank displaying phishing information. Among banks with online banking, though the majority showed both types of information, 13.8% exhibited information related to anti-phishing measures only. This showed that, of the two types of anti-phishing information, banks allocated more resources to the anti-phishing measures they had adopted than to phishing information, so as to convince their customers that their online banking systems were safe.

In this section, scores of banks containing relevant anti-phishing information were determined. Banks which did not display any type of anti-phishing information were removed from further consideration. As shown in Fig. 3a, the majority of banks required 2–3 clicks for both types of information. However, phishing information was easier to access than anti-phishing measures in general: the former required 2.13 clicks on average while the latter required 2.32 clicks, as shown in Table 9. Fig. 3b showed that among the four types of phishing information, phishing e-mail related information generally required fewer clicks to access. Fig. 3c showed that, for anti-phishing measures, phishing e-mail was absent and information related to bogus Web sites was the easiest to access. This led to a surprising conclusion: although banks considered information related to phishing e-mail to be very important, they felt that the relevant anti-phishing measures in this sub-category were not effective and hence did not discuss them on their Web sites.

Fig. 4a represented a straight line with slope approximately equal to 1, which implied that phishing information and anti-phishing measures had similar scores in terms of usability for Hong Kong banks. The similarity of scores was mainly due to the fact that the layout of the Web pages containing the needed information was quite similar. From Fig. 4b and c, it could be seen that the category of interface and design scored the highest, followed by communication, navigation, and clarity of purpose, for both phishing information and anti-phishing measures. As shown in Table 10, the considerable difference in scores between interface and design and the other categories illustrated that banks emphasized the overall design of Web pages the most.

Fig. 5a showed a positive relationship between the scores for phishing information and anti-phishing measures. As shown in Fig. 5b and c, the scores for information depth were consistently higher than those for information breadth in both categories. Table 11 showed that the average score of information depth was the same for phishing information and anti-phishing measures, which implied that banks in general had a consistent style of presentation for both types of information. FAQs and demonstrations were the common methods of presentation. In the category of phishing information, banks usually provided customers with security tips covering all possible phishing attacks. For anti-phishing measures, banks in general did not cover as many areas. The main coverage of anti-phishing measures was in the sub-categories of bogus Web sites and identity theft, with very little coverage of malware and no coverage of phishing e-mail.

The above assessment models evaluated the performance of banks' Web sites from different user perspectives. As the units of the raw scores differed, a transformation was necessary to establish a common ground for comparison of scores across the various categories and sub-categories. For accessibility, the transformed score is computed using the formula (max − x)/(max − min), where x is the raw score obtained by the individual bank, and max and min are the maximum and minimum scores obtained by any bank in that category respectively. For the other categories, the formula used is (x − min)/(max − min). After transformation, the score is restricted to between 0 and 1; the higher the transformed score, the better the performance of the bank. Fig. 6a showed that Hong Kong banks can be clustered into three groups in terms of overall anti-phishing preparedness. The clusters were clearly different from each other in terms of accessibility. Comparing Fig. 6b and c, we observe that though usability remained similar, accessibility and information content obtained higher scores for phishing information than for anti-phishing measures.

6. Discussion

The results of this research have led to interesting findings related to the overall anti-phishing preparedness of Hong Kong banks. Specific findings are discussed below.

6.1. Difference in accessibility between phishing information and anti-phishing measures

For Hong Kong banks, phishing information was easier to access than anti-phishing measures. This showed that banks considered this type of information to be more important. However, the ranking of the various components was quite different between the two types of information. In the category of phishing information, phishing e-mail was the easiest to access, with fewer than 2 clicks on average. For anti-phishing measures, however, it was absent for all banks: banks were unable to implement any effective measures to prevent phishing e-mail. On the other hand, malware was the least easy to access for both types of anti-phishing information. This showed that banks perceived information in this category as commonplace among the public and did not make any special effort to make it easier to access.

6.2. Similarity in usability for both types of information

In terms of usability, phishing information and anti-phishing measures displayed similar features. This was


Fig. 4. a. Scatter plot of usability. b. Decomposition of phishing information score of usability. c. Decomposition of anti-phishing measures score of usability.

Table 10. Average scores for assessment of usability

 | Phishing information | Anti-phishing measures | Overall security information
Clarity of purpose | 0.35 | 0.38 | 0.33
Interface and design | 0.75 | 0.75 | 0.69
Communication | 0.51 | 0.49 | 0.46
Navigation | 0.46 | 0.43 | 0.41
Overall usability | 0.37 | 0.41 | 0.39

mainly due to the consistent Web page design containing the different types of anti-phishing measures. Among the four categories of usability, interface and design was the one with the highest usability score for both types of information. This showed that banks were attentive to interface and design and thus always possessed the essential usability features of Web design. However, in terms of clarity of purpose, most banks performed poorly in presenting both types of information. It is therefore recommended that banks add some explanation on their Web pages so that the presented information is more meaningful.

6.3. Information content better for phishing information

Information depth of the various types of anti-phishing information was quite similar. This indicated that banks in general had a consistent style of presentation of information. However, in terms of information breadth, the discrepancy between the two types of information was large. For phishing information, banks in general had a more balanced coverage of all types of phishing attacks. For anti-phishing measures, however, categories such as malware and phishing e-mail received little coverage; the latter was absent from the Web pages of all banks. This led to the impression that banks stressed phishing information more, in terms of information content, than anti-phishing measures. The key findings of this research are summarized in Table 12.

7. Managerial implications

The findings of this study can provide bank owners with insights about designing Web pages to effectively disseminate anti-phishing information to customers. It can be concluded that Hong Kong banks should have a more balanced accessibility for both phishing information and anti-phishing measures. Currently, anti-phishing measures were less easily accessible when compared with phishing information. In terms of usability, banks in general performed well in the sub-category of interface and design. However, much improvement was needed in the area of clarity of purpose. In terms of information content, banks needed to provide a more balanced coverage of the different categories of phishing attacks. For anti-phishing measures, the imbalance was even more obvious: most banks had wider coverage of malware, bogus Web sites, and identity theft, with no information related to phishing e-mail. A wider coverage could provide customers better protection against various types of phishing attacks. Apart from suggesting areas of improvement to bank operators, the research results could be used as a benchmark for further studies on anti-phishing preparedness. Electronic service providers other than banks that face the threat of phishing might be able to assess their anti-phishing preparedness using the same framework because of its objective and general nature and because it does not include any industry-specific requirements.

8. Academician implications

To the best of the authors' knowledge, this is the first study related to assessment of phishing preparedness based on security information available from the Web sites of banks. We filled the gap in the literature related to assessment of phishing preparedness by proposing a new scoring framework, which incorporated criteria such as accessibility, usability, and content of security information. This laid down the foundation for future research in the area of assessment of information security. Furthermore, we illustrated how our framework could be used for assessment of the preparedness of 30 banks in Hong Kong. This research would encourage other researchers to search for new criteria that could be used in determining efficient and effective phishing preparedness of corporations other than banks that conduct electronic financial transactions on the Web. It could also lead to novel country-specific studies related to assessment of phishing preparedness.

9. Limitations

Some limitations exist in this research. Firstly, we assumed that most of the anti-phishing information is available on the Web and that banks did not publish extra information using methods other than the Web to communicate with customers. In reality, this might not be the case since banks communicate with customers using electronic newsletters, mails, and leaflets. In fact, a research study found that e-mail was more frequently used by people than Web sites as a means of communication between two parties [48]. Also, our assessment model assumed that accessibility, usability, and information content share equal weights in determining preparedness. Ranking of the overall anti-phishing preparedness of banks was based on the average scores of the three assessment schemes. However, in reality, the effectiveness of delivery of anti-phishing information might not be the same for all three evaluation criteria. Further investigation might be required in order to determine suitable weights for the three schemes.

10. Future research areas

Firstly, we might consider information released by banks in addition to that available on their Web sites. Other channels of communication might include e-mails, newsletters and


Fig. 5. a. Scatter plot of information content. b. Decomposition of phishing information score of information content. c. Decomposition of anti-phishing measures score of information content.


Table 11. Average scores for assessment of information content

 | Phishing information | Anti-phishing measures | Overall security information
Information breadth | 0.49 | 0.26 | 0.28
Information depth | 0.50 | 0.50 | 0.38
Overall information content | 0.43 | 0.37 | 0.40

leaflets. Detailed interviews with bank management teams should help us understand the anti-phishing strategies implemented by banks. Secondly, the research could be extended to other industries as well as geographical regions. We believe some regional and industry-specific factors might have significant influence on the various anti-phishing strategies implemented by companies. Thirdly, some experiments might be conducted with human subjects in order to find out whether their knowledge about phishing is enhanced after they are exposed to the phishing related information available from the Web sites of the various banks. Finally, our proposed assessment framework might be further enhanced by using additional assessment criteria of anti-phishing preparedness other than accessibility, usability, and information content. More assessment criteria or use of a different weighting scheme might help make the assessment of anti-phishing preparedness of banks even better.

References

[1] A.M. Aladwani, P.C. Palvia, Developing and validating an instrument for measuring user-perceived web quality, Information & Management 39 (6) (2002) 467–476.
[2] J. Alba, J. Lynch, B. Weitz, C. Janiszewski, R. Lutz, A. Sawyer, S. Wood, Interactive home shopping: consumer, retailer, and manufacturer incentives to participate in electronic marketplaces, Journal of Marketing 61 (3) (1997) 38–53.
[3] S. Alsop, How I judge if a website deserves my business, Fortune 140 (4) (1999) 167–168.
[4] APWG, Phishing activity trends report for the month of September, 2007, Anti-Phishing Working Group, 2007, http://www.antiphishing.org/reports/apwg_report_sept_2007.pdf.
[5] A. Armstrong, J. Hagel, The real value of online communities, Harvard Business Review (1996) 134–141.
[6] S.M. Bellovin, Spamming, phishing, authentication, and privacy, Communications of the ACM 47 (12) (2004) 144.
[7] J. Cassell, T. Bickmore, External manifestations of trustworthiness in the interface, Communications of the ACM 43 (12) (2000) 50–56.
[8] M. Chapman, US brands milked for phishing emails, Vnunet.com, US, 2007, http://www.vnunet.com/vnunet/news/2189751/brands-milkedphishing-emails.
[9] T.C.E. Cheng, D.Y.C. Lam, A.C.L. Yeung, Adoption of internet banking: an empirical study in Hong Kong, Decision Support Systems 42 (3) (2006) 1558–1572.
[10] T. Chui, Citibank pledges to stay ahead of cyber criminals, The Standard, Hong Kong, 2007, http://www.thestandard.com.hk/news_detail.asp?pp_cat=11&art_id=37234&sid=11976247&con_type=1.
[11] C.L. Corritore, B. Kracher, S. Wiedenbeck, On-line trust: concepts, evolving themes, a model, International Journal of Human–Computer Studies 58 (6) (2003) 737–758.
[12] J. Cox, B.G. Dale, Key quality factors in Web site design and use: an examination, International Journal of Quality and Reliability Management 19 (6/7) (2002) 862–888.
[13] J. D'Ambra, R.E. Rice, Emerging factors in user evaluation of the World Wide Web, Information & Management 38 (6) (2001) 373–384.
[14] K. De Ruyter, M. Wetzels, M. Kleijnen, Customer adoption of e-service: an experimental study, International Journal of Service Industry Management 12 (2) (2001) 184–207.
[15] W. DeLone, E. McLean, Information systems success: the quest for the independent variable, Information Systems Research 3 (1) (1992) 60–95.
[16] R. Dhamija, J.D. Tygar, The battle against phishing: Dynamic Security Skins, Proceedings of the 2005 Symposium on Usable Privacy and Security, ACM Press, Pittsburgh, Pennsylvania, 2005, pp. 77–88.
[17] U.M. Dholakia, L.L. Rego, What makes commercial Web pages popular? An empirical investigation of Web page effectiveness, European Journal of Marketing 32 (7/8) (1998) 724–736.
[18] J. Eighmey, Profiling user responses to commercial Web sites, Journal of Advertising Research 37 (3) (1997) 59–66.
[19] S. Elliot, S. Fowell, Expectations versus reality: a snapshot of consumer experiences with Internet retailing, International Journal of Information Management 20 (5) (2000) 323–336.
[20] S.R. Elliot, A.S. Morup-Petersen, N. Bjon-Andersen, Towards a framework for evaluation of commercial Web sites, Proceedings of the Thirteenth International Bled Electronic Commerce Conference, Bled, Slovenia, 2000, pp. 69–86.
[21] Ernst & Young, E-commerce: 1999 special report technology in financial services, Ernst & Young, 1999.
[22] J.R. Evans, V.E. King, Business-to-business marketing and the World Wide Web: Planning, managing and assessing Web sites, Industrial Marketing Management 28 (4) (1999) 343–358.
[23] A. Everard, D.F. Galletta, How presentation flaws affect perceived site quality, trust, and intention to purchase from an online store, Journal of Management Information Systems 22 (3) (2005) 55–95.
[24] X. Fang, C.W. Holsapple, An empirical study of web site navigation structures' impacts on web site usability, Decision Support Systems 43 (2) (2007) 476–491.
[25] S.L. Garfinkel, D. Margrave, J.I. Schiller, E. Nordlander, R.C. Miller, How to make secure email easier to use, Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, ACM Press, Portland, Oregon, USA, 2005, pp. 701–710.
[26] M. Gelderman, The relation between user satisfaction, usage of information systems and performance, Information & Management 34 (1) (1998) 11–18.
[27] F.J.M. Gonzalez, T.M.B. Palacios, Quantitative evaluation of commercial web sites: an empirical study of Spanish firms, International Journal of Information Management 24 (4) (2004) 313–328.
[28] D.L. Goodhue, Understanding user evaluations of information systems, Management Science 41 (12) (1995) 1827.
[29] D.L. Goodhue, B.D. Klein, S.T. March, User evaluations of IS as surrogates for objective performance, Information & Management 38 (2) (2000) 87–101.
[30] S. Grabner-Krauter, E.A. Kaluscha, Empirical research in on-line trust: a review and critical assessment, International Journal of Human–Computer Studies 58 (6) (2003) 783–812.
[31] O. Hallaraker, G. Vigna, Detecting malicious JavaScript code in Mozilla, Proceedings of the Tenth IEEE International Conference on Engineering of Complex Computer Systems, 2005, pp. 85–94.
[32] J.T. Hancock, P.J. Dunham, Impression formation in computer-mediated communication revisited: an analysis of the breadth and intensity of impressions, Communication Research 28 (3) (2001) 325–347.
[33] J. Ho, Evaluating the World Wide Web: a global study of commercial sites, Journal of Computer-Mediated Communication 3 (1) (1997), http://jcmc.huji.ac.il/vol3/issue1/ho.html.
[34] D.L. Hoffman, T.P. Novak, M. Peralta, Building consumer trust online, Communications of the ACM 42 (4) (1999) 80–85.
[35] D. Hutchinson, M. Warren, Security for Internet banking: a framework, Logistics Information Management 16 (1) (2003) 64–73.
[36] Y. Hwang, D.J. Kim, Customer self-service systems: the effects of perceived Web quality with service contents on enjoyment, anxiety, and e-trust, Decision Support Systems 43 (3) (2007) 746–760.
[37] M. Jakobsson, S. Myers, Phishing and countermeasures: understanding the increasing problem of electronic identity theft, Wiley-Interscience, Hoboken, N.J., 2007.
[38] L. James, Phishing exposed, Syngress, Rockland, Mass., 2005.
[39] S.L. Jarvenpaa, N. Tractinsky, Consumer trust in an internet store: a cross-cultural validation, Journal of Computer-Mediated Communication 5 (2) (1999), http://jcmc.indiana.edu/vol5/issue2/jarvenpaa.html.
[40] A. Josang, R. Ismail, C. Boyd, A survey of trust and reputation systems for online service provision, Decision Support Systems 43 (2) (2007) 618–644.


Fig. 6. a. 3D scatter plot of overall scores of Hong Kong banks. b. Decomposition of overall phishing information score. c. Decomposition of overall anti-phishing measures score.

Table 12. Summary of key findings

 | Phishing information | Anti-phishing measures | Finding
Accessibility | Phishing e-mail was the easiest to access while malware was the most difficult | Bogus Web sites was the easiest to access while malware was the most difficult. Phishing e-mail was absent for all banks | Phishing information was easier to access than anti-phishing measures
Usability | Interface and design achieved the highest score while clarity of purpose scored the lowest | Interface and design achieved the highest score while clarity of purpose scored the lowest | Both types of information exhibited similar scores although scores for anti-phishing measures were slightly higher
Information content | Information breadth and information depth attained almost similar scores | The score for information breadth was half that of information depth | Phishing information performed better than anti-phishing measures with a much higher score for information breadth

Overall finding: Phishing information was better in terms of accessibility and information content and anti-phishing measures information was better in terms of usability. On the whole, Hong Kong banks attached more importance to anti-phishing measures information.

[41] J.B.D. Joshi, W.G. Aref, A. Ghafoor, E.H. Spafford, Security models for Web-based applications, Communications of the ACM 44 (2) (2001) 38–44.
[42] B. Jung, I. Han, S. Lee, Security threats to Internet: a Korean multi-industry investigation, Information & Management 38 (8) (2001) 487–498.
[43] P. Katerattanakul, K. Siau, Measuring information quality of Web sites: development of an instrument, Proceedings of the Twentieth International Conference on Information Systems, Association for Information Systems, Charlotte, North Carolina, United States, 1999, pp. 279–285.
[44] M. Kawashima, T. Abe, S. Minamoto, T. Nakagawa, Cryptographic alias e-mail addresses for privacy enforcement in business outsourcing, Proceedings of the 2005 Workshop on Digital Identity Management, ACM Press, Fairfax, VA, USA, 2005, pp. 46–53.
[45] D.M. Kienzle, M.C. Elder, Recent worms: a survey and trends, Proceedings of the 2003 ACM Workshop on Rapid Malcode, ACM Press, Washington, DC, USA, 2003, pp. 1–10.
[46] K.K. Kim, B. Prabhakar, Initial trust and the adoption of B2C e-commerce: the case of Internet banking, Database for Advances in Information Systems 35 (2) (2004) 50.
[47] E. Kirda, C. Kruegel, Protecting users against phishing attacks, The Computer Journal 49 (5) (2006) 554–561.
[48] R. Kraut, V. Lundmark, S. Kiesler, T. Mukhopadhyay, W. Scherlis, Why people use the Internet, HomeNet Project, 1997, http://homenet.hcii.cs.cmu.edu/progress/purpose.html.
[49] G. Lawton, E-mail authentication is here, but has it arrived yet? IEEE Computer 38 (11) (2005) 17–19.
[50] J. Libbenga, Dutch arrest 14 mules in ABN AMRO scam, The Register, UK, 2007, http://www.channelregister.co.uk/2007/12/20/arrests_in_money_mules_scam/.
[51] K. Lindroos, Use quality and the World Wide Web, Information and Software Technology 39 (12) (1997) 827–836.
[52] R. Lininger, R.D. Vines, Phishing: cutting the identity theft line, Wiley, Indianapolis, Ind., 2005.
[53] A. Litan, Phishing attack victims likely targets for identity theft, Gartner Research, 2004.
[54] C. Liu, K.P. Arnett, Exploring the factors associated with Web site success in the context of electronic commerce, Information & Management 38 (1) (2000) 23–33.
[55] S. Loftesness, Responding to phishing attacks, Glenbrook Partners, 2004, http://www.glenbrook.com/opinions/phishing.htm.
[56] S. Machlis, Quick study: cookies are a marketer's dream, but do they watch too closely? Computerworld 32 (28) (1998) 25.
[57] V. McKinney, K. Yoon, F. Zahedi, The measurement of Web-customer satisfaction: an expectation and disconfirmation approach, Information Systems Research 13 (3) (2002) 296–316.
[58] D.H. McKnight, V. Choudhury, C. Kacmar, Developing and validating trust measures for e-commerce: an integrative typology, Information Systems Research 13 (3) (2002) 334–359.
[59] R. Molich, J. Nielsen, Improving a human–computer dialogue, Communications of the ACM 33 (3) (1990) 338–348.
[60] M. Murray, Evaluating Web impact – the death of the highway metaphor, Direct Marketing 59 (9) (1997) 36–39.
[61] G. Ollman, The phishing guide – understanding and preventing, Next Generation Security Software Ltd., 2004, http://www.technicalinfo.net/papers/Phishing.html.
[62] L. Olsina, D. Godoy, G.J. Lafuente, G. Rossi, Specifying quality characteristics and attributes for websites, First ICSE Workshop on Web Engineering, Los Angeles, USA, 1999.
[63] C. Ong, Filter service to block phishing, South China Morning Post, Hong Kong, 2004.
[64] J.W. Palmer, Web site usability, design, and performance metrics, Information Systems Research 13 (2) (2002) 151–167.
[65] L.F. Pitt, R.T. Watson, C.B. Kavan, Service quality: a measure of information systems effectiveness, MIS Quarterly 19 (2) (1995) 173–187.
[66] P. Pradhan, Survey shows online banking needs changes, Tech2.com India, 2007, http://www.tech2.com/india/news/general/survey-showsonline-banking-needs-changes/3987/0.
[67] T. Richardson, 12 arrested in HK phishing scam, The Register, 2004, http://www.theregister.co.uk/2004/10/18/hk_phishing/.
[68] B. Shankar, Electronic commerce will be a big business, Telecommunications 30 (7) (1996) 24.
[69] D.M. Strong, Y.W. Lee, R.Y. Wang, Data quality in context, Communications of the ACM 40 (5) (1997) 103–110.
[70] D.M. Szymanski, D.H. Henard, Customer satisfaction: a meta-analysis of the empirical evidence, Journal of the Academy of Marketing Science 29 (1) (2001) 16–35.
[71] G. Tally, R. Thomas, T.V. Vleck, Anti-phishing: best practices for institutions and consumers, McAfee Research, 2004, http://www.mcafee.com/us/local_content/white_papers/wp_anti_phishing.pdf.
[72] R. Van der Merwe, J. Bekker, A framework and methodology for evaluating e-commerce Web sites, Internet Research 13 (5) (2003) 330–341.
[73] A. Weiss, Trends for 2005, Networker 8 (4) (2004) 20–27.
[74] R. Wetzel, Tackling phishing, Business Communications Review 35 (2) (2005) 46.

Indranil Bose is an associate professor of Information Systems at the School of Business, The University of Hong Kong. He holds a B. Tech. from the Indian Institute of Technology, MS from the University of Iowa, MS and Ph.D. from Purdue University. His research interests are in telecommunications, information security, data mining, and supply chain management. His publications have appeared in Communications of the ACM, Communications of AIS, Computers and Operations Research, Decision Support Systems, Ergonomics, European Journal of Operational Research, Information & Management, and Operations Research Letters. He is listed in the International Who's Who of Professionals 2005–2006, Marquis Who's Who in the World 2006, Marquis Who's Who in Asia 2007, Marquis Who's Who in Science and Engineering 2007, and Marquis Who's Who of Emerging Leaders 2007.

Alvin Chung Man Leung is pursuing an MPhil in Information Systems at the School of Business, the University of Hong Kong. He obtained a BBA (Information Systems) in 2005 and a BEng (Software Engineering) in 2006 from the University of Hong Kong. His research interests are in the areas of information security and financial data mining. His research has appeared in Communications of AIS, Communications of the ACM and proceedings of international conferences.
