ABSTRACT
Phishing is an increasing threat that causes billions in losses and damage to productivity, trade secrets, and reputations each year. This work explores how security gamification techniques can improve phishing reporting. We contextualized the cognitive evaluation theory (CET) as a kernel theory and constructed a prototype phishing reporting system. With three experiments in a simulated work setting, we tested gamification elements of validation, attribution, incentives, and public presentation for improvements in experiential (e.g., motivation) and instrumental outcomes (e.g., hits and false positives) in phishing reporting. Our findings suggest public attribution with rewards and punishments best balances the competing necessities of accuracy and widespread reporting. Furthermore, our results demonstrate the unique benefits of security gamification to phishing reporting over and above other phishing mitigation techniques (e.g., training and warnings). However, we also noted that unintended consequences in false alarms might arise from shifts in motivation resulting from public display of incentives. These findings suggest that carefully calibrated external incentives (rather than intrinsic rewards) are most likely to improve the ancillary task of phishing reporting.
Acknowledgment
This research was supported by a grant from the National Science Foundation, Social and Economic Division, Project# 1421580.
Disclosure statement
No potential conflict of interest was reported by the author(s).
Supplemental data
Supplemental data for this article can be accessed online at https://doi.org/10.1080/07421222.2022.2096551.
Notes
i The punishment-only condition is analogous to public shaming actions of regulators (e.g., HIPAA data breach wall of shame; https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf) and companies (e.g., Wall of shame for those who fall for phishing attacks; [89]) that try to improve security behavior through threat of punishment. A 2020 survey of UK businesses suggested that 15 percent of respondents name and shame employees for failing mock phishing training (https://www.helpnetsecurity.com/2020/08/05/4-in-10-organizations-punish-staff-for-cybersecurity-errors/). In the context of phishing reporting, there are no rewards for correct reports, just punishment for incorrect reports.
ii The training video, developed in part for use in this study, received an honorable mention award from the ACM Special Interest Group on University and College Computing Services, which held an international competition for Short Promotional Videos; see: https://siguccs.hosting.acm.org/Conference/2016/index.php/awards/
Additional information
Notes on contributors
Matthew L. Jensen
Matthew L. Jensen ([email protected]; corresponding author) is Associate Professor of Management Information Systems and a co-director of the Center for Applied Social Research at the University of Oklahoma. His interests include computer-aided decision making, human-computer interaction, and computer-mediated communication. Dr. Jensen studies how people attribute credibility in mediated interactions and how people filter and evaluate information they find online. His research has been published in Journal of Management Information Systems, Information Systems Research, MIS Quarterly, and other journals. He has been the primary investigator or co-primary investigator on externally funded research projects totaling more than $8 million.
Ryan T. Wright
Ryan Wright ([email protected]) is the C. Coleman McGehee Professor and the Senior Associate Dean of Faculty and Research at the McIntire School of Commerce at the University of Virginia. Dr. Wright’s research interests include IT security and privacy, and the diffusion of IT innovations. He has over 70 peer-reviewed publications and has garnered funding from the National Science Foundation, the State of Massachusetts, and the State of Virginia. His research has been featured in the Harvard Business Review, The Washington Post, Forbes, USA Today, and many other outlets. He has presented his research at such events as TEDx, Salesforce, Personifest, and the Association for Finance and Technology.
Alexandra Durcikova
Alexandra Durcikova ([email protected]) is an Associate Professor of MIS and Mertes Presidential Professor at the Price College of Business, University of Oklahoma. She holds a Ph.D. from the University of Pittsburgh. Dr. Durcikova’s research focuses on knowledge repositories, knowledge sharing, end-user security, and phishing attack detection. The National Science Foundation funded her research on phishing attack detection. Her publications have appeared in leading journals, including Information Systems Research, Journal of Management Information Systems, MIS Quarterly, European Journal of Information Systems, Information Systems Journal, and in the proceedings of numerous international conferences. She has received multiple awards for her teaching.
Shamya Karumbaiah
Shamya Karumbaiah ([email protected]) is a postdoctoral fellow in the Human-Computer Interaction Institute at Carnegie Mellon University. She earned her Ph.D. from the University of Pennsylvania, working as a research fellow at the Penn Center for Learning Analytics. She will be joining the University of Wisconsin-Madison as an assistant professor in Spring 2023. Dr. Karumbaiah’s research focuses on promoting student engagement and learning in adaptive learning environments in a fair and equitable manner. Her work has been published in leading journals on affective computing and educational artificial intelligence, with four of her first-authored articles nominated for best research paper awards. For her work on bias, she was selected in the 2021 cohort of EECS Rising Stars by the Massachusetts Institute of Technology (MIT).