
Abstract

Phishing attacks are at a record high and are causing billions of dollars in losses. To mitigate phishing’s impact, organizations often use rule-based training to teach individuals to identify certain cues or apply a set of rules to avoid phishing attacks. The rule-based approach has improved organizational defenses against phishing; however, regular repetition of rule-based training may not yield increasing resistance to attacks. To expand the toolkit available to combat phishing attacks, we used mindfulness theory to develop a novel training approach that can be performed after individuals are familiar with rule-based training. The mindfulness approach teaches individuals to dynamically allocate attention during message evaluation, increase awareness of context, and forestall judgment of suspicious messages—techniques that are critical to detecting phishing attacks in organizational settings, but are unaddressed in rule-based instruction. To evaluate the efficacy of our approach, we compared rule-based and mindfulness training programs in a field study at a U.S. university that involved 355 students, faculty, and staff who were familiar with phishing attacks and received regular rule-based guidance. To evaluate the robustness of the training, we delivered each program in text-only or text-plus-graphics formats. Ten days later, we conducted a phishing attack on participants that used both generic and customized phishing messages. We found that participants who received mindfulness training were better able to avoid the phishing attack. In particular, improvement was observed for participants who were already confident in their detection ability and those who reported low e-mail mindfulness and low perceptions of Internet risk. This work introduces and provides evidence supporting a new approach that may be used to develop anti-phishing training.

Acknowledgments

The authors gratefully acknowledge the assistance of three anonymous reviewers. We also acknowledge participants in research presentations at the University of Oklahoma, Colorado State University, University of British Columbia, University of Dayton, University of Georgia, HEC Montreal, and Temple University.

Supplemental File

Supplemental data for this article can be found on the publisher’s website at 10.1080/07421222.2017.1334499

Notes

2. The university username and password grant access to university e-mail and university resources (e.g., central IT resources, human resource records, academic records).

3. We piloted the instruments using student participants at a different university and found the scales in the survey valid and reliable (see [23]).

7. The identification practice and knowledge test were scored out of four. The item about the training helpfulness was “This training helped me learn how to identify phishing messages,” and was scored on a five-point scale with Strongly Disagree and Strongly Agree as endpoints.

Additional information

Notes on contributors

Matthew L. Jensen

Matthew L. Jensen (corresponding author) is an associate professor of management information systems and a co-director of the Center for Applied Social Research at the University of Oklahoma. His interests include computer-aided decision making, human-computer interaction, and computer-mediated communication. He studies how people attribute credibility in mediated interactions and how people filter and evaluate information they find online. His research has been published in Information Systems Research, Journal of Management Information Systems, MIS Quarterly, and other journals. He has been primary investigator or co-primary investigator on externally funded research projects totaling more than $8 million.

Michael Dinger

Michael Dinger is an assistant professor of management in the Johnson College of Business and Economics at the University of South Carolina Upstate. He received a Ph.D. in management information systems from Clemson University. His research interests include IT workforce management, information security, and absorptive capacity. His work appears in MIS Quarterly, Information Systems Research, and Journal of the Association for Information Systems.

Ryan T. Wright

Ryan T. Wright is an associate professor in the McIntire School of Commerce at the University of Virginia. He holds a Ph.D. from Washington State University and a BS and MBA from the University of Montana. His research interests include IT security and privacy, diffusion of innovations, and digital commerce. His research on cybersecurity has been funded by the State of Massachusetts and the National Science Foundation.

Jason Bennett Thatcher

Jason Bennett Thatcher is a professor of information systems at Clemson University. He also holds a faculty appointment at the Information Technology University-Copenhagen. His research examines the influence of individual beliefs and characteristics on information technology use. He also studies strategic and human resource management issues related to the application of information technologies in organizations. His work appears in MIS Quarterly, Journal of Applied Psychology, and other journals. He serves as a senior editor at MIS Quarterly as well as president of the Association for Information Systems.
