How do we assess user confidence in handling phishing?