Profiling User Vulnerability to Phishing Through Psychological and Behavioral Factors

📅 2026-05-20
🤖 AI Summary
This study investigates the influence of human cognitive and psychological factors on susceptibility to phishing attacks, moving beyond the conventional focus on technical knowledge. Drawing on the Spamley dataset, the research engaged 1,086 participants in a real-world phishing detection task and integrated exploratory factor analysis (EFA), K-means clustering, behavioral response times, and self-report measures to construct a multidimensional psychobehavioral framework. This approach identified five latent constructs and enabled the classification of distinct user risk profiles. Notably, the “high-risk” group emerged as the predominant cluster, characterized by rapid decision-making coupled with low critical analysis capacity. These findings demonstrate that phishing resilience is jointly determined by cognitive style and decision speed, offering empirical support for the development of personalized cybersecurity training interventions.
📝 Abstract
Phishing remains one of the most pervasive cybersecurity threats, shifting the focus from technological vulnerabilities to human cognitive and psychological factors. In line with the growing focus of phishing research on human aspects and the profiling of vulnerable users, this study investigates the multidimensional nature of user susceptibility by analyzing data from the Spamley dataset, involving 1,086 participants evaluated through a realistic phishing detection task. Using Exploratory Factor Analysis (EFA), five latent constructs were identified: Seniority, Expertise, Creativity, Stability, and Vulnerability. Behavioral findings, which validate self-reported impulsivity through its negative correlation with response times, demonstrate that faster decision-making significantly distinguishes vulnerable users from resilient ones. A K-Means clustering procedure, driven by the dimensions of Seniority (F1) and Creativity (F3), revealed two distinct user profiles: the Aware User and the High-Risk User. The results demonstrate that technical knowledge alone is insufficient to guarantee resilience; rather, the interaction between operational maturity, decision-making speed, and cognitive approach determines effectiveness. The findings suggest that the majority of users fall into the High-Risk category, characterized by hasty evaluation processes and lower critical analysis. These results underline the urgent need to move beyond "one-size-fits-all" training toward personalized, adaptive cybersecurity programs that actively address cognitive biases and behavioral tendencies.
Problem

Research questions and friction points this paper is trying to address.

phishing
user vulnerability
psychological factors
behavioral factors
cybersecurity
Innovation

Methods, ideas, or system contributions that make the work stand out.

phishing vulnerability
behavioral profiling
exploratory factor analysis
decision-making speed
adaptive cybersecurity training
Valeria Formisano
Department of Electrical Engineering and Information Technology, University of Naples Federico II, Naples, Italy
Danilo Gentile
Department of Electrical Engineering and Information Technology, University of Naples Federico II, Naples, Italy; Cyber Security Fibercop S.p.A., Naples, Italy
Gennaro Esposito Mocerino
Department of Electrical Engineering and Information Technology, University of Naples Federico II, Naples, Italy
Michela Ponticorvo
Department of Electrical Engineering and Information Technology, University of Naples Federico II, Naples, Italy
Luigi Gallo
PhD, Telecom Italia
Cyber Security, Human Factor in Cyber Security, Cyber Threat Intelligence, Mobile Networks
Alessio Botta
Associate Professor at University of Napoli Federico II, Italy
Computer Networks, Network Performance, Network Security
Davide Marocco
Department of Electrical Engineering and Information Technology, University of Naples Federico II, Naples, Italy