SPRITE+ Expert Fellow Spotlight – Emma Williams

This article was edited by SPRITE+ Research Associate Dmitry Dereshev, with responses and edits from Lecturer in Marketing at the University of Bristol Dr. Emma Williams.

Today the spotlight is on Emma Williams – Chartered Psychologist, Chartered Scientist, Associate Fellow of the British Psychological Society, Lecturer in Marketing at the University of Bristol, and a SPRITE+ Expert Fellow. Some of Emma's latest publications include:

• Developing a Measure of Information Seeking about Phishing (more about it in this article)
• "It wouldn't happen to me": Privacy concerns and perspectives following the Cambridge Analytica scandal
• The impact of surface features on choice of (in)secure answers by Stackoverflow readers

A bit about you and your role

How would you describe your job to a 12-year-old?

I am interested in how people behave online, how they use smartphones and social media, and how they interact with other people. Specifically, I am interested in fake news, scam emails, and how we can keep our information safe.

Could you describe what you do during a typical workday?

I am a research psychologist. My typical workday as an academic involves a mix of teaching, research, and admin. Right now it is generally online, no matter what I am doing. I read a lot of social science research, as well as research from the computer science domain.

There are also committee meetings, and research collaborations for developing grants with people from other disciplines. During research meetings we consider potential research projects and how we can interact with consumers and users to explore how they can be best educated about security. It is very interesting, but with so many things it can also be a challenge.

I also teach marketing and consumer behaviour. I am looking at how I can develop and integrate some of my research into my teaching for next year. For instance, I am hoping to teach marketing students about privacy and security. If they are going to be marketing smart home products in the future, for instance, how can they communicate with consumers better about security?

Could you describe a challenging project that you’ve recently worked on?

I have been looking at how we can engage different stakeholders with our research, so that people can understand how it applies to their lives. Traditionally, academics are focused on writing research papers – those are the things we are judged on, and that’s how we often communicate with other academics. But there is now more focus on impact.

For instance, now we might consider digital campaigns as part of the release of our research, reaching different audiences on social media, developing materials and videos to better explain our research to a wider audience. We also have to think how wider audiences can engage with our research, and even feed into it in the future.

I found it really useful to engage with our internal comms and marketing teams at the university. They are good at designing materials that people find interesting and engaging. Although I teach marketing, their expertise at the practice level is really useful. They can also measure engagement, so we have an idea of who is viewing things, who is engaging with the materials, and so on.

What training/experience did you have at the start of your career?

I did an undergraduate degree in psychology and also a PhD in psychology.

How did you get into your current role?

I spent a few years after my PhD working in the public and private sectors doing research roles. I have also worked in hospitals and in special needs education, jobs that were still related to psychology and human behaviour, but in a very different context.

I came back to academia in 2015 to take up a postdoc at the University of the West of England, then moved to University of Bath. I then took on a fellowship at Bristol University, followed by a lectureship there.

All of those experiences have been very useful. It can be a challenge to go from industry to academia, but I have gained diverse experiences of different work environments that I still use now. It feeds both into my research and my teaching practice, and it probably helped me in my job applications. It has really been a journey rather than a destination, and it has moved me around quite a lot in my career.

What was the difference for you when it comes to research roles in the different environments you’ve experienced?

When I was in industry, it was very common for things to be done straight away and decisions to be made very quickly. Academia can often move much slower in terms of getting contracts done and things like that. Part of this can be because of the peer review process, which is really important, but can take a long time.

This difference in speeds can cause tensions when you are working between the two, because industry can be used to working much faster, and they can thus be more responsive and adaptive.

On the other hand, when I worked in industry, we were probably less aware of the range of information that is out there. Academics often produce an awful lot of journal papers and visit a lot of conferences so we can end up with a really in-depth knowledge. In industry, it is quite difficult to keep up with that kind of knowledge and to even access papers when you do not have journal subscriptions, and have only the abstracts to go off of.

Being able to work across the two would be really beneficial for people, I think, because they can get more in-depth knowledge and access all of that science and understand it better. But equally, it would be nice if academia could sometimes work a bit faster, so that they can support industry in that sense, especially in terms of the institutional practices, and some of the decision-making.

What do you wish you'd known when you started your career?

What could have been useful to know was how normal rejection is in academia. Constantly having your work critiqued through peer review is a really important academic practice. But when you are new to it, I think it can be difficult to go through, and to have your manuscripts rejected, and to be faced with the comments that come alongside that.

There is now much more information on social media from senior academics saying: “I have had this many papers rejected and this many grants turned down”. I think knowing that information now is helpful, but when I was doing my PhD back in 2008, that awareness might have been useful in terms of not taking things personally and knowing that it is very normal for people to go through this.

And so do not give up. I think that is what I wish I knew. It is useful to think that just because other people at this point have rejected an article does not mean that it is a complete loss, or that it has nothing to offer. Other people may find it interesting and useful still.

What would you recommend to people who want to follow in your footsteps?

Constantly reflect on what you are interested in. I did not have a specific plan to end up as a lecturer, for instance, I just followed the opportunities that arose, but also made sure I followed what I was interested in.

You can start off on a journey with a particular career in mind, but then get dragged in directions that you don’t think you want to be going in long-term. Keep an eye on where your interests lie and chase those opportunities.

Also, just keep learning. That is one thing that I feel – I am constantly learning. Always learn from other disciplines. There are always other research areas, there are always other methods. What other fields might have that you have not considered? Can you collaborate with those people? Can you learn from them?

What troubles did you have progressing through your career?

Early roles in research are fixed-term, and there are difficulties with having a job that you want to do. When your current project is running out, you can end up applying for things just to fill that space. It can take you in a completely different direction. I think that is always a challenge, being able to balance that out.

I do not think it is an easy area to be in as an early career researcher, but being in a permanent role is not necessarily any easier because you get a huge other part to your role as a researcher, that you are not used to doing, like teaching, admin, and leadership roles. Although they are interesting, there is a whole other learning curve, and it feels like you are in a completely different job all over again, and have to learn it from scratch.

The amount of time it takes to learn those processes, I think, is where the difficulty lies, since you are also trying to get other things done. It depends on what kind of experiences you have, and working in different institutions does give different experiences, but I certainly would not underestimate the challenge it might be to learn processes around teaching, admin and leadership. It is a good challenge and an interesting one, but it is a challenge.

Do you see any changes to teaching now with pandemic-related restrictions in place?

We spent a lot of time learning about online teaching, and the best ways to deliver our classes. Some people had to find new ways of doing certain interactive things they would typically do in a face-to-face environment, and effectively trying to get the best teaching across, and deliver the best student experience that we can.

What one stereotype would like to dispel about your job or industry?

Some perceive academics as closed off, focused on writing research papers that are theoretical in nature. I think this stereotype should be challenged. I think academia is now much more open to engagement, we are much more interested in working with people across different sectors to develop solutions to very practical challenges.

Although I am a psychologist and a social scientist where we do have a lot of females, when you do a lot of work with engineering and computer science colleagues, I think it is important that we highlight the role that diverse knowledge and experiences can play in the technology sector, and in those technical disciplines. I find it really interesting to work with people from a lot of different disciplines.

A bit about your paper

Williams, E. J., & Joinson, A. (2020). Developing a Measure of Information Seeking about Phishing. Journal of Cybersecurity, 6(1). https://doi.org/10.1093/cybsec/tyaa001

What was the problem that you were trying to tackle?

Phishing is a big threat. Understanding how organisations can best reduce that threat is a big issue. This includes the best ways to engage employees with relevant materials, and that is something we do not really know a huge amount about. It is quite difficult to access data around that.

Phishing constantly evolves, and phishing techniques change. It is not something that you can look at once and assume that you know everything. When you receive a very sophisticated phishing email, it can look like your current communications that come from an internal source, so you do not typically expect it to be a phishing attack. We ideally want people to be motivated to actively seek out information so that they can be as up to date as possible.

How may people are affected by this problem?

Anyone who can receive an email, a text, or a call could be affected by phishing.

Phishing is still one of the prime ways to effectively start a cyber-attack: send a phishing email to someone, they click a link in it or download an attachment, and suddenly we have big things like the WannaCry ransomware attack back in 2017.

Whenever there is a new way of communicating, there is a phishing scam related to it. Recently we have seen an increase in COVID-19-related scams and phishing attempts. They come by text messages and by email. I think I got one suggesting some kind of special COVID-19 tax from HMRC. They are common.

It is quite difficult for researchers to a keep up with every new way to phish, to define what it even is, and then to get stuff out there so that the wider public can also keep up with that threat. We are constantly playing catch up, I think.

What would be a typical response to this problem? How effective is it?

There has been a lot of focus on raising awareness of the phishing threat. That is something that has been criticised on an academic level: what does awareness actually mean? Does it help? How can we most effectively reduce the threat of phishing for both organisations and consumers? The advice is constantly changing as to what is likely to be the most effective.

Different organisations have different ways of dealing with phishing. Some use phishing simulations, where organisations create a fake phishing email and send it to their employees. They will see who clicks on it, and thus become aware of the potential risk. It can also be used as a mechanism to direct people to voluntary training, so if you click on a simulated phishing email, it might say: “you've clicked on a phishing email. It might be useful for you to view this kind of training”. Those approaches are useful because people are at risk at home as well as at work. Anything that makes them a little bit more educated about what phishing is, I think, is useful.

What we do not have is any actual data that suggests that it definitively reduces the risk. In fact, phishing simulations might actually damage the relationship you have with your employees, depending on how they are done. So, it remains an open question as to whether that's an effective thing to do.

Sometimes, banks will run big social media campaigns reminding their clients about phishing threat, and scams more generally. It is very difficult to know how effective any of these things are. That is something we just do not have data on.

How was your approach different?

We were interested in developing a validated survey measure to do further research in this area. Instead of looking at what makes people more susceptible to phishing email, we considered it in relation to what motivates people to engage with protective information in the first place.

We have used Protection Motivation Theory which comes from the health domain, which considers how people protect themselves from threats, such as stopping smoking. We have applied that to our information-seeking context. The questions were: how do people view threats from phishing? How do they view information about phishing? Do they feel they are able to keep up to date with the phishing techniques? Do they feel that information about phishing will actually reduce the threat? How might that influence their intentions to keep engaging with that material in the future?

Because information-seeking has not been commonly looked at, it was mainly done to spark more research in the area, to move some parts of the debate away from susceptibility, and towards how we can engage people. I think that is an important area that I feel we are struggling with: what techniques might we be able to build in the future to maximise engagement?

What did you find out?

It was about people feeling able to access the protective information, and feeling that knowing that information will actually help them. Both of those concepts are emerging as key to people’s intentions to keep up to date with phishing techniques and engage with those materials in the future. We also found that those who consider phishing to be a more severe threat tend to have greater future intentions to keep up to date with phishing techniques.

However, if you feel like the phishing threat is severe, but you do not have confidence in finding relevant information or you think that phishing awareness info is useless, you could end up using what we call maladaptive coping, which is more denial and avoidance of the issues.

Our study suggests that we really need to consider what we mean by education and awareness. Awareness of the information alone does not actually translate into you being less susceptible to the phishing emails. People’s claims that they were keeping up to date with these things were not reflected in them being less susceptible to a phishing quiz. The ability to spot a phish may be related to self-reported technical knowledge, but our findings are not conclusive on that.

We don’t want maladaptive coping strategies like avoidance and denial, and we don’t want overconfidence that then leads to people assuming that they will be able to spot a phish, and not even considering that they could click on a phishing link and end up a victim.

What impact on practice do you hope your results will achieve?

To provoke both researchers and organisations to consider education more, I suppose. To consider information seeking as an area of study. To explore how effective or not effective different interventions might be. And to open up a dialogue with consumers and employees regarding how they want to be engaged with.

We are pushing information out there, but we do not necessarily have a dialogue with consumers about what they want to know, how they want to know it, and what would be most useful to them. There is a lot of information out there about threats related to everything we do, so there is competition for people’s time, focus and energy.

I am hoping that the paper stimulates more work around engagement with protective information, with cybersecurity more generally, and phishing and online scams specifically. Whenever we talk to employees, they always want to understand the problem more, to know what they can do. People want to protect themselves at home and at work, but they struggle to spend the time, or understand where they should be looking, so we need a better understanding of what people want.

A bit about your involvement with SPRITE+

How would you describe your research or business interest in relation to SPRITE+?

I am a social scientist, focused on cybersecurity and privacy. I previously focused on things like phishing and scams, and people’s susceptibility to them, and how to reduce that. I am now considering consumer engagement with smart devices, and secure cyber-behaviours in relation to that.

I focus on privacy and security, but I am also interested in aspects like trust at a more interdisciplinary level – that is what I teach in marketing, which relates to trust in organisations, trust in technologies, and adoption of those technologies.

How do you hope to benefit from working with SPRITE+ network?

I would like to use it to expand my network, to link with more people in the area, particularly those working in other disciplines, where I have not collaborated before. Digital TIPS is an area that is growing, and there are lots of disciplines now working on it.

I also enjoy engagement with organisations that are working with some of these challenges. I am using SPRITE+ network as a catalyst to identify where there may be problems in areas I can contribute to, and how I can work more effectively across those divides.

Which of the SPRITE+ Challenge Themes can you relate to from the job that you do? How does it impact your role?

I am particularly interested in Digital Vulnerabilities – understanding how emerging technologies and online services are viewed from a consumer perspective, and how digital vulnerabilities emerge in relation to that; how that might relate to different groups of consumers; how we can identify these harms before they actually emerge, so that we can better protect consumers; and the decisions and choices that they make.

This overlaps a lot with Digital Technologies and Change, because I am interested in emerging harms which would depend on the changes in digital technologies, particularly around choices that people make in using these technologies. I am very interested in adoption of technology and how people view security risks when they purchase things, keep using them, and adopt new technology.

From a marketing perspective, I am interested in ethics related to some of these technological changes. We have seen smart devices that have subsequently been removed from the market because of security risks. How can we inform people about security risks of products, so that they can make informed decisions?

All the themes are fascinating, to be honest, but those are the ones I work in.