Limited Attention in Response to Email Scam -- A Toy Model

About one year ago or so, I started a project on consumer’s fraud protection issue, especially on how to protect consumers from falling prey to phishing emails – the emails sent by scammers to obtain senstive information such as password, credit card number. How to model consumer’s response to the scam? Natually I would assume that conusmers have limited attention. That is, paying attention is effortful and costly. More effort the consumer exerts, the more accurate information the consumer will acquire. Therefore the consumer has to make tradeoff between acquiring accurate information and exerting effort. A simple (toy) model is built as follows:

  • When a user receives an email, the prior belief that the email is unsafe and safe is \(B_{0}\) and \(1-B_{0}\), respectively.
  • The user exerts some effort \(e\) to verify whether the email is safe. Given the effort level \(e\), the user would receive a signal \(s\) which is informative about the nature of the email.
  • Based on the signal, the user updates her belief \(B_{t}\) and decides whether to neglect or comply to the content of the email.
  • If the email is safe, the user will receive \(v\) (\(v>0\)) by complying to it and incur cost \(m\) (\(m>0\)) by neglecting it. If the email is unsafe, the user will receive damage \(d\) (\(d>0\)) by complying to it and receive \(0\) by neglecting it.

We model the user’s limited attention as a process of costly information acquisition. There are two types of email: \(T=\{safe, unsafe\}=\{1, -1\}\) and \(P(T=1)=B_{0}\). The user observe a signal \(S=\{-1,1\}\) about the type of the email. The informativeness of the signal \(S\) is represented as:

\[\small g(S=s|T)=\frac{1+T\cdot s}{2}\]

From equation above, we can easily verify that \(\small g(S=1|T=1)=g(S=-1|T=-1)=1\) and \(\small g(S=-1|T=1)=g(S=1|T=-1)=0\). For simplicity, here we assume the signal is perfectly correlated with the type of the email.

The user chooses the effort level \(e\) (\(e\in [0,1]\)) to verify the email. The effort level will determine the informativeness of the signal that the user will observe. Given the effort level and the type of the email, the distribution of the signal the user receives is a mixture between an informative experiment \(g(S=s|T)\) and an uninformative signal \(h(s)=\frac{1}{2}\)

\[\small f(S=s|T,e)=e\cdot g(S=s|T)+(1-e)\cdot \frac{1}{2}\]

As a result, the signal is perfectly informative if the user exerts effort \(e=1\):

\[\small f(s=1|T=1,e=1)=f(s=-1|T=-1,e=1)=1\] \[\small f(s=-1|T=1,e=1)=f(s=1|T=-1,e=1)=0\]

The signal is completely uninformative if the user exerts effort \(e=0\): \[\small f(s=1|T=1,e=0)=f(s=-1|T=-1,e=0)=\frac{1}{2}\] \[\small f(s=-1|T=1,e=0)=f(s=1|T=-1,e=0)=\frac{1}{2}\]

Conditional on the signal and effort level, the user update her belief about the nature of the email in a Bayesian fashion:

\[\small B(T=1|S=s,e)\] \[\small =\frac{f(S=s|T=1,e)\cdot P(T=1)}{f(S=s|T=1,e)\cdot P(T=1)+f(S=s|T=-1,e)\cdot P(T=-1)}\]

Based on the updated belief, the user decides whether to neglect the email or comply to the content of the email, represented by \(A=\{n, c\}\). The expected utility of neglecting and complying are \(E[U_n]\) and \(E[U_c]\), respectively. The user would comply to the content of the email if \(E[U_c] \geq E[U_n]\). That is:

\[\small \begin{split} & B(T=1|S=s,e)\cdot v + B(T=-1|S=s,e)\cdot(-d) \\ &\quad \geq B(T=1|S=s,e)\cdot (-m) + B(T=-1|S=s,e)\cdot 0 \end{split}\]

\(\Rightarrow\) \[\small \frac{d}{v+m}\leq \frac{f(S=s|T=1,e)}{f(S=s|T=-1,e)}\]

\[\small =\frac{[e\cdot \frac{1+s}{2}+(1-e)\cdot \frac{1}{2}]\cdot B_0}{[e\cdot \frac{1-s}{2}+(1-e)\cdot \frac{1}{2}]\cdot (1-B_0)}\]

The user solves the following problem:

\[V(e, A) = arg\max_{e \in [0,1]}\Big[\sum_{T\in \Gamma}\sum_{s \in S}P(T)\cdot f(s|T,e)\Big]\Big[\max_{a\in A}\sum_{T\in \Gamma}B(T|s,e)U_a \Big]-K(e)\]

\(K(e)\) is the cost of paying attention by exerting \(e\). The first term in equation is the probability of each signal, and the second is the maximum achievable expected utility from choosing to neglect (\(a=n\)) or comply (\(a=c\)) to the email given the updated belief \(B(T|s,e)\).

To gain some basic intuition of the model, assume the user chooses only two effort level: \(e\in \{0,1\}\). If \(e=1\), then \(K(e)=k\). And we further assume \(B_0\geq \frac{d}{v+m+d}\), which implies that if the user exerts no effort \(e=0\) and hence receives uninformative signal \(\small f(s=1|T=1,0)=f(s=-1|T=1,0)=f(s=1|T=-1,0)=f(s=-1|T=-1,0)=\frac{1}{2}\), the user would comply to the email (by equation ). If the user exert \(e=1\), then the signal is completely informative (by equation above). As a result, the user will neglect the email if observing \(s=-1\) and comply to the email if observing \(s=1\).

If the user exerts \(e=0\), then:

\[\small \begin{split} & B_0 \Big\{ f(s=1|T=1,0)[B(T=1|s=1,0)\cdot v + B(T=-1|s=1,0)\cdot (-d)] \\ &\quad +f(s=-1|T=1,0)[B(T=1|s=-1,0)\cdot v + B(T=-1|s=-1,0)\cdot (-d)]\Big\} \\ &\quad (1-B_0) \Big\{ f(s=1|T=-1,0)[B(T=1|s=1,0)\cdot v + B(T=-1|s=1,0)\cdot (-d)] \\ &\quad +f(s=-1|T=-1,0)[B(T=1|s=-1,0)\cdot v + B(T=-1|s=-1,0)\cdot (-d)]\Big\} \\ &\quad = B_0 \cdot v + (1-B_0)\cdot (-d) \end{split}\]

If the user exerts \(e=1\), then:

\[\small \begin{split} & B_0 \Big\{ f(s=1|T=1,1)[B(T=1|s=1,1)\cdot v + B(T=-1|s=1,1 )\cdot (-d)] \\ &\quad +f(s=-1|T=1,0)[B(T=1|s=-1,0)\cdot (-m) + B(T=-1|s=-1,0)\cdot 0]\Big\} \\ &\quad (1-B_0) \Big\{ f(s=1|T=-1,0)[B(T=1|s=1,0)\cdot v + B(T=-1|s=1,0)\cdot (-d)] \\ &\quad +f(s=-1|T=-1,0)[B(T=1|s=-1,0)\cdot (-m) + B(T=-1|s=-1,0)\cdot 0]\Big\} -k \\ &\quad = B_0\cdot v-k \end{split}\]

From equations above, \(V(1,A)\geq V(0,A)\) if \(B_0\leq \frac{d-k}{d}\). Together with early assumption that \(B_0\geq \frac{d}{v+m+d}\), we have the observation that if \(\frac{d}{v+m+d}\leq B_0 \leq \frac{d-k}{d}\) (suppose \(k\leq \frac{d(v+m)}{v+m+d}\)), then the user will exert \(e=1\).

On the other hand, suppose \(B_0\leq \frac{d}{v+m+d}\), and then the user will choose to neglect the email conditional on a completely uninformative signal. If the user exerts \(e=0\), then:

\[\small \begin{split} & B_0 \Big\{ f(s=1|T=1,0)[B(T=1|s=1,0)\cdot (-m) + B(T=-1|s=1,0)\cdot 0] \\ &\quad +f(s=-1|T=1,0)[B(T=1|s=-1,0)\cdot (-m) + B(T=-1|s=-1,0)\cdot 0]\Big\} \\ &\quad (1-B_0) \Big\{ f(s=1|T=-1,0)[B(T=1|s=1,0)\cdot (-m) + B(T=-1|s=1,0)\cdot 0] \\ &\quad +f(s=-1|T=-1,0)[B(T=1|s=-1,0)\cdot (-m) + B(T=-1|s=-1,0)\cdot 0]\Big\} \\ &\quad = B_0 \cdot (-m) \end{split}\]

If the user exerts \(e=1\), then:

\[\small \begin{split} & B_0 \Big\{ f(s=1|T=1,1)[B(T=1|s=1,1)\cdot v + B(T=-1|s=1,1 )\cdot (-d)] \\ &\quad +f(s=-1|T=1,0)[B(T=1|s=-1,0)\cdot (-m) + B(T=-1|s=-1,0)\cdot 0]\Big\} \\ &\quad (1-B_0) \Big\{ f(s=1|T=-1,0)[B(T=1|s=1,0)\cdot v + B(T=-1|s=1,0)\cdot (-d)] \\ &\quad +f(s=-1|T=-1,0)[B(T=1|s=-1,0)\cdot (-m) + B(T=-1|s=-1,0)\cdot 0]\Big\} -k \\ &\quad = B_0\cdot v-k \end{split}\]

In such case, the user will exert \(e=1\) if \(\frac{k}{v+m}\leq B_0 \leq \frac{d}{v+m+d}\).

As can be seen, if \(B_0\leq \frac{k}{v+m}\) which implies that the prior of receiving a safe email is low, exerting effort is not cost-effective, and the user will exert zero effort and neglect the email irrespective of the signals. If \(B_0\geq \frac{d-k}{d}\), implying that the prior of receiving a safe email is high, exerting effort is not cost-effective either, and the user will exert zero effort and comply to the email irrespective of the signals. The user will exert \(e=1\) only when \(\frac{k}{v+m} \leq B_0 \leq \frac{d-k}{d}\). User’s prior \(B_0\) and corresponding action is presented in Figure 2.

Observations: From the analysis above, we obtained the following observations:

  • Impact of attention cost: If the cost of paying attention is decreasing, i.e., \(k\) goes smaller, the region that \(e=1\) becomes larger. When \(k=0\), the user will always exert effort.
  • Impact of value of complying: As the value of complying to a safe email \(v\) or the cost of neglecting a safe email \(m\) increases, the region that \(e=1\) becomes larger.
  • Impact of cost of complying: As the cost of complying to a unsafe email \(d\) increase, the region that \(e=1\) becomes larger.
  • Impact of cost of complying: Suppose the user cannot exert \(e=1\) (which may be resulted from fatigue), the user will choose \(\{e=0, comply\}\) if \(B_0\geq \frac{d}{v+m+d}\) and choose \(\{e=0, neglect\}\) if \(B_0<\frac{d}{v+m+d}\) (see Figure 3).