Authors :
Alunyo, Inemesit Isaiah; Aruwa, Benedict Mohammed
Volume/Issue :
Volume 11 - 2026, Issue 5 - May
Google Scholar :
https://tinyurl.com/3pmyruws
Scribd :
https://tinyurl.com/484p6m7x
DOI :
https://doi.org/10.38124/ijisrt/26May265
Abstract :
Current detection frameworks largely analyze emails as technical artifacts while overlooking the behavioral
evidence generated during user evaluation. This gap is consequential in settings such as Nigeria, where rapid digital
adoption and emerging data-protection obligations under the Nigeria Data Protection Act 2023 (NDPA 2023) create both
an elevated threat environment and a legal requirement for privacy-conscious security design. This paper applies design
science research (DSR) methodology following the process model of Peffers et al. (2007). It addresses problem
identification, definition of solution objectives, and artifact design, and conducts an internal ex ante evaluation covering
theoretical coherence, design requirement traceability, architectural consistency, and regulatory risk alignment. The
artifact has four components: a theory-derived behavioral feature model grounded in Human Error Theory (HET), Dual-Process Theory (DPT), and Protection Motivation Theory (PMT); a client-side pipeline producing 12 privacy-minimized
interaction indicators; a distributed federated learning (FL) architecture with participant-level differential privacy (DP)
and a formal adversarial threat model; and a governance layer aligned with NDPA 2023 obligations. Its value lies in
theory-derived behavioral feature operationalization, distributed DP with adversarial threat modeling, and an NDPA-aligned governance specification, contributing to cognitive cybersecurity, privacy-preserving machine learning, and
African digital governance research.
Keywords :
Phishing Detection; Behavioral Analytics; Human Error Theory; Federated Learning; Differential Privacy; Design Science Research; Nigeria; NDPA 2023; Cognitive Cybersecurity; Privacy-Preserving Machine Learning
References :
- A. Vishwanath, B. Harrison, and Y. J. Ng, "Suspicion, cognition, and automaticity model of phishing susceptibility," Communication Research, vol. 45, no. 8, pp. 1146-1166, 2018.
- O. K. Sahingoz, E. Buber, O. Demir, and B. Diri, "Machine learning based phishing detection from URLs," Expert Systems with Applications, vol. 117, pp. 345-357, 2019.
- Central Bank of Nigeria, Annual Report on Payment Systems Statistics 2023, CBN, 2024. [Online]. Available: https://www.cbn.gov.ng
- N. Kshetri, "Cybercrime and cybersecurity in Africa," Journal of Global Information Technology Management, vol. 22, no. 2, pp. 77-81, 2019.
- A. Vishwanath, T. Herath, R. Chen, J. Wang, and H. R. Rao, "Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model," Decision Support Systems, vol. 51, no. 3, pp. 576-586, 2011.
- Nigeria Data Protection Commission (NDPC), Nigeria Data Protection Act 2023, Federal Republic of Nigeria, 2023. [Online]. Available: https://ndpc.gov.ng/ndp-act-2023/
- A. R. Hevner, S. T. March, J. Park, and S. Ram, "Design science in information systems research," MIS Quarterly, vol. 28, no. 1, pp. 75-105, 2004.
- K. Peffers, T. Tuunanen, M. A. Rothenberger, and S. Chatterjee, "A design science research methodology for information systems research," Journal of Management Information Systems, vol. 24, no. 3, pp. 45-77, 2007.
- S. Gregor and A. R. Hevner, "Positioning and presenting design science research for maximum impact," MIS Quarterly, vol. 37, no. 2, pp. 337-355, 2013.
- J. Hong, "The state of phishing attacks," Communications of the ACM, vol. 55, no. 1, pp. 74-81, 2012.
- K. L. Chiew, K. S. C. Yong, and C. L. Tan, "A survey of phishing attacks: Their types, vectors and technical approaches," Expert Systems with Applications, vol. 106, pp. 1-20, 2018.
- T. Peng, I. Harris, and Y. Sawa, "Detecting phishing attacks using natural language processing and machine learning," in Proc. 2018 IEEE 12th International Conference on Semantic Computing (ICSC), pp. 300-301, 2018.
- C. I. Canfield, B. Fischhoff, and A. Davis, "Quantifying phishing susceptibility for detection and behavior decisions," Human Factors, vol. 58, no. 8, pp. 1158-1172, 2016.
- R. T. Wright, M. L. Jensen, J. B. Thatcher, M. Dinger, and K. Marett, "Influence techniques in phishing attacks: An examination of vulnerability and resistance," Information Systems Research, vol. 25, no. 2, pp. 385-400, 2014.
- R. B. Cialdini, Influence: The Psychology of Persuasion, Rev. ed. HarperCollins, 2007.
- D. Lain, K. Kostiainen, and S. Capkun, "Phishing in organizations: Findings from a large-scale and long-term study," in Proc. 43rd IEEE Symposium on Security and Privacy, pp. 842-859, 2022.
- D. Oliveira et al., "Dissecting spear phishing emails for older vs young adults," in Proc. 2017 CHI Conference on Human Factors in Computing Systems, pp. 6412-6424, 2017.
- A. Vishwanath, "Examining the distinct antecedents of e-mail habits and its influence on the outcomes of a phishing attack," Journal of Computer-Mediated Communication, vol. 20, no. 5, pp. 570-584, 2015.
- L. Gallo, D. Gentile, S. Ruggiero, A. Botta, and G. Ventre, "The human factor in phishing: Collecting and analyzing user behavior when reading emails," Computers & Security, vol. 139, 103671, 2024.
- H. B. McMahan, E. Moore, D. Ramage, S. Hampson, and B. Aguera y Arcas, "Communication-efficient learning of deep networks from decentralized data," in Proc. 20th International Conference on Artificial Intelligence and Statistics (AISTATS 2017), PMLR 54, pp. 1273-1282, 2017.
- P. Kairouz et al., "Advances and open problems in federated learning," Foundations and Trends in Machine Learning, vol. 14, no. 1-2, pp. 1-210, 2021.
- C. Dwork and A. Roth, "The algorithmic foundations of differential privacy," Foundations and Trends in Theoretical Computer Science, vol. 9, no. 3-4, pp. 211-407, 2014.
- M. Abadi et al., "Deep learning with differential privacy," in Proc. 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 308-318, 2016.
- R. C. Geyer, T. Klein, and M. Nabi, "Differentially private federated learning: A client level perspective," arXiv preprint arXiv:1712.07557, 2017.
- L. Zhu, Z. Liu, and S. Han, "Deep leakage from gradients," in Advances in Neural Information Processing Systems 32 (NeurIPS 2019), pp. 14774-14784, 2019.
- M. Nasr, R. Shokri, and A. Houmansadr, "Comprehensive privacy analysis of deep learning," in Proc. 2019 IEEE Symposium on Security and Privacy, pp. 739-753, 2019.
- M. Jagielski, A. Oprea, B. Biggio, C. Liu, C. Nita-Rotaru, and B. Li, "Manipulating machine learning: Poisoning attacks and countermeasures for regression learning," in Proc. 2018 IEEE Symposium on Security and Privacy, pp. 19-35, 2018.
- K. Bonawitz et al., "Practical secure aggregation for privacy-preserving machine learning," in Proc. 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1175-1191, 2017.
- E. Bagdasaryan, A. Veit, Y. Hua, D. Estrin, and V. Shmatikov, "How to backdoor federated learning," in Proc. 23rd International Conference on Artificial Intelligence and Statistics (AISTATS 2020), PMLR 108, pp. 2938-2948, 2020.
- P. Blanchard, E. M. El Mhamdi, R. Guerraoui, and J. Stainer, "Machine learning with adversaries: Byzantine tolerant gradient descent," in Proc. 31st Conference on Neural Information Processing Systems (NeurIPS 2017), pp. 119-129, 2017.
- D. Yin, Y. Chen, R. Kannan, and P. Bartlett, "Byzantine-robust distributed learning: Towards optimal statistical rates," in Proc. 35th International Conference on Machine Learning (ICML 2018), PMLR 80, pp. 5650-5659, 2018.
- Nigerian Communications Commission (NCC), Annual Report on Telecommunications Statistics 2023, NCC, 2023. [Online]. Available: https://www.ncc.gov.ng
- U. J. Orji, "Cybersecurity law and regulation in Nigeria," Journal of Cybersecurity and Privacy, vol. 1, no. 1, pp. 1-14, 2018. [Source requires author verification]
- J. Reason, Human Error, Cambridge University Press, 1990.
- D. Kahneman, Thinking, Fast and Slow, Farrar, Straus and Giroux, 2011.
- R. W. Rogers, "A protection motivation theory of fear appeals and attitude change," Journal of Psychology, vol. 91, no. 1, pp. 93-114, 1975.
- T. Herath and H. R. Rao, "Protection motivation and deterrence: A framework for security policy compliance in organisations," European Journal of Information Systems, vol. 18, no. 2, pp. 106-125, 2009.
- T. Li, A. K. Sahu, M. Zaheer, M. Sanjabi, A. Smola, and V. Smith, "Federated optimization in heterogeneous networks," in Proc. Machine Learning and Systems 2020 (MLSys 2020), vol. 2, pp. 429-450, 2020.
- L. Bourtoule et al., "Machine unlearning," in Proc. 2021 IEEE Symposium on Security and Privacy, pp. 141-159, 2021.
- A. P. Felt, R. W. Reeder, E. Ha, and N. Malkin, "Improving SSL warnings: Comprehension and adherence," in Proc. 33rd Annual ACM Conference on Human Factors in Computing Systems (CHI 2015), pp. 2893-2902, 2015.
- F. Faul, E. Erdfelder, A.-G. Lang, and A. Buchner, "G*Power 3: A flexible statistical power analysis program for the social, behavioral, and biomedical sciences," Behavior Research Methods, vol. 39, no. 2, pp. 175-191, 2007.
- S. M. Lundberg and S.-I. Lee, "A unified approach to interpreting model predictions," in Proc. 31st Conference on Neural Information Processing Systems (NeurIPS 2017), pp. 4765-4774, 2017.
- L. F. Cranor, "A framework for reasoning about the human in the loop," in Proc. 1st Conference on Usability, Psychology, and Security (UPSEC 2008), USENIX, 2008.