John McAlaney, Bournemouth University

Prof. John McAlaney

Professor of Psychology

Bournemouth University

Cybersecurity is in the eye of the beholder

Can we use eye tracking to understand why people engage with phishing emails?

Biography

Professor John McAlaney is a Chartered Psychologist and Chartered Scientist, based within the Department of Psychology of the Faculty of Science and Technology at Bournemouth University. He completed his PhD at the University of West of Scotland, where he explored the social psychological factors associated with risky alcohol use.

He has since expanded his research to include psychological determinants of other risk behaviours including gambling, digital addiction, and cybersecurity. He has secured funding in the form of grants and several match-funded PhD studentships to further develop these research areas.

John applies this research to real-world problems through his role as a Trustee of the Gordon Moody Association, a residential service for individuals who have experienced gambling harms. His work has been used as the basis for policy documents within the British Psychological Society and he has advised industry, charity, and government bodies in the UK and internationally.

Presentation overview

Cybersecurity attacks are often dependent on some form of interaction by the target, such as a target clicking on a link contained within a phishing email. As such, it is important to understand the decision-making processes that underpin social engineering attacks and other exploits; however, a challenge in doing so is that people are not fully consciously aware of their own cognitions when they are subjected to a social engineering attack. Eye-tracking technology can address this by recording the precise eye movements of individuals whilst they are part of a cybersecurity incident, such as being the recipient of a phishing email. In an exploratory study we used a laboratory-based eye-tracker to analyse how 22 participants engaged with a series of emails, some of which contained common indicators of a phishing email: namely misspellings, financial information, a request for urgent action and the use of threatening language. As expected, we found that the trustworthiness of emails was influenced by the presence or absence of these phishing indicators; however, we also discovered unexpected results in which the eye movements of participants did not match what would be anticipated from the trustworthiness rating they had provided.

This suggests that there may be a more complex relationship between the elements of a phishing email and its effectiveness than has previously been appreciated by either cybersecurity experts or the authors of such phishing emails. With the rise of eye-tracking software that can operate through a desktop or laptop webcam, this study has implications for how eye-tracking can be utilised outside of the laboratory to improve cybersecurity in everyday settings. It also demonstrates the potential of eye-tracking technologies for better understanding social engineering techniques beyond the use of phishing emails.