Advanced search
Publication Cover
Journal of Management Information Systems Volume 34, 2017 - Issue 2
Journal homepage
4,898
Views
88
CrossRef citations to date
0
Altmetric
Original Articles

Training to Mitigate Phishing Attacks Using Mindfulness Techniques

Matthew L. JensenView further author information
,
Michael DingerView further author information
,
Ryan T. WrightView further author information
&
Jason Bennett ThatcherView further author information
Pages 597-626 | Published online: 17 Aug 2017

References

  • Abbasi, A.; Zahedi, F.; Zeng, D.; Chen, Y.; Chen, H.; and Nunamaker, J.F. Enhancing predictive analytics for anti-phishing by exploiting website genre information. Journal of Management Information Systems, 31, 4 (2015), 109–157.
  • Almomani, A.; Gupta, B.; Atawneh, S.; Meulenberg, A.; and Almomani, E. A survey of phishing email filtering techniques. IEEE Communications Surveys and Tutorials, 15, 4 (2013), 2070–2090.
  • Alnajim, A., and Munro, M. An anti-phishing approach that uses training intervention for phishing websites detection. Paper presented at the Sixth International Conference on Information Technology: New Generations, 2009. ITNG ‘09, 2009, pp. 405–410.
  • Anderson, B.B.; Kirwan, C.B.; Jenkins, J.L.; Eargle, D.; Howard, S.; and Vance, A. How polymorphic warnings reduce habituation in the brain: Insights from an fMRI study. Paper presented at CHI, ACM, Seoul, Korea, 2015.
  • Anti-Phishing Working Group. Phishing activity trends report. In APWG (ed.), Anti-Phishing Working Group, 2016. Available at: docs.apwg.org/reports/apwg_trends_report_q1_2016.pdf (accessed on June 25, 2017)
  • Ashby, F.G.; Maddox, W.T.; and Bohil, C. Observational versus feedback training in rule-based and information-integration category learning. Memory and Cognition, 30, 5 (2002), 666–677.
  • Baer, R.A. Mindfulness training as a clinical intervention: A conceptual and empirical review. Clinical Psychology: Science and Practice, 10, 2 (2003), 125–143.
  • Baer, R.A.; Smith, G.T.; and Allen, K.B. Assessment of mindfulness by self-report: The Kentucky Inventory of Mindfulness Skills. Assessment, 11, 3 (2004), 191–206.
  • Brown, K.W.; Ryan, R.M.; and Creswell, J.D. Mindfulness: Theoretical foundations and evidence for its salutary effects. Psychological Inquiry, 18, 4 (2007), 211–237.
  • Butler, B.S., and Gray, P.H. Reliability, mindfulness, and information systems. MIS Quarterly, 30, 2 (2006), 211–224.
  • Cacioppo, J.T., and Petty, R.E. Effects of message repetition and position on cognitive response, recall, and persuasion. Journal of Personality and Social Psychology, 37, 1 (1979), 97–109.
  • Compeau, D.R., and Higgins, C.A. Application of social cognitive theory to training for computer skills. Information Systems Research, 6, 2 (1995), 118–143.
  • Compeau, D.R., and Higgins, C.A. Computer self-efficacy: Development of a measure and initial test. MIS Quarterly, 19, 2 (1995), 189–211.
  • Cranor, L.F. Can phishing be foiled? Scientific American, 299, 6 (2008), 104–110.
  • D’Arcy, J.; Herath, T.; and Shoss, M.K. Understanding employee responses to stressful information security requirements: A coping perspective. Journal of Management Information Systems, 31, 2 (2014), 285–318.
  • Dennis, A.R., and Carte, T.A. Using geographical information systems for decision making: Extending cognitive fit theory to map-based presentations. Information Systems Research, 9, 2 (1998), 194–203.
  • Dhamija, R.; Tygar, J.D.; and Hearst, M. Why phishing works. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. Montreal, Canada: ACM, 2006, pp. 581–590.
  • Eberth, J., and Sedlmeier, P. The effects of mindfulness meditation: A meta-analysis. Mindfulness, 3, 3 (2012), 174–189.
  • Federal Bureau of Investigation. FBI warns of dramatic increase in business e-mail scams. 2016. Available at: http://fbi.gov/contact-us/field-offices/phoenix/news/press-releases/fbi-warns-of-dramatic-increase-in-business-e-mail-scams (accessed on June 25, 2017)
  • Finn, P., and Jakobsson, M. Designing and conducting phishing experiments. IEEE Technology and Society, 6, 2 (2008), 66–68.
  • Fornell, C., and Larcker, D.F. Evaluating structural equations models with unobservable variables and measurement error. Journal of Marketing Research, 18, 1 (1981), 39–50.
  • Fuller, C.M.; Biros, D.P.; and Imperial, M.J. Knowledge retention in information assurance computer-based training: A comparative study of two courses for network user training. In Proceedings of the Sixth Annual Security Conference, Las Vegas, NV: Virginia Commonwealth University, 2007, pp. 28-1–28-14.
  • Gefen, D.; Straub, D.W.; and Rigdon, E.E. An update and extension to SEM Guidelines for Administrative and Social Science Research. MIS Quarterly, 35, 2 (2011), iii–xiv.
  • Green, D.M., and Swets, J.A. Signal Detection Theory and Psychophysics. New York, NY: Wiley, 1966.
  • Grossman, P.; Niemann, L.; Schmidt, S.; and Walach, H. Mindfulness-based stress reduction and health benefits: A meta-analysis. Journal of Psychosomatic Research, 57, 1 (2004), 35–43.
  • Guo, K.H.; Yuan, Y.; Archer, N.P.; and Connelly, C.E. Understanding nonmalicious security violations in the workplace: A composite behavior model. Journal of Management Information Systems, 28, 2 (2011), 203–236.
  • Hair, J.F. Jr.; Anderson, R.E.; Tatham, R.L.; and Black, W.C. Multivariate Data Analysis with Readings. Englewood Cliffs, NJ: Prentice Hall, 1998.
  • Harbison, C. 10 largest data breaches of 2014; The Sony hack is not one of them! iDigital Times, Available at: http://www.idigitaltimes.com/10-largest-data-breaches-2014-sony-hack-not-one-them-403219 (accessed on June 25, 2017)
  • Heartfield, R., and Loukas, G. A Taxonomy of attacks and a survey of defence mechanisms for semantic social engineering attacks. ACM Computing Surveys (CSUR), 48, 3 (2015), 37-1–37-39.
  • Hoetker, G. The use of logit and probit models in strategic management research: Critical issues. Strategic Management Journal, 28, 4 (2007), 331–343.
  • Hong, J. The state of phishing attacks. Communications of the ACM, 55, 1 (2012), 74–81.
  • Hosmer, D.W., and Lemeshow, S. Applied Logistic Regression. New York, NY: Wiley, 2000.
  • Jackson, C.; Simon, D.; Tan, D.; and Barth, A. An evaluation of extended validation and picture-in-picture phishing attacks. In S. Dietrich and R. Dhamija (eds.), Financial Cryptography and Data Security. Berlin, Germany: Springer, 2007, pp. 281–293.
  • Jarvenpaa, S.L. The effect of task demands and graphical format on information processing strategies. Management Science, 35, 3 (1989), 285–303.
  • Jarvenpaa, S.L., and Dickson, G.W. Graphics and managerial decision making: research based guidlines. Communications of the ACM, 31, 6 (1988), 764–774.
  • Jarvenpaa, S.L.; Tractinsky, N.; and Saarinen, L. Consumer trust in an Internet store: A cross-cultural validation. Journal of Computer‐Mediated Communication, 5, 2 (1999), 1–35.
  • Jo, B. Statistical power in randomized intervention studies with noncompliance. Psychological Methods, 7, 2 (2002), 178–193.
  • Johnson, J. If 2014 was the year of the data breach, brace for more. Forbes, 2015. Available at: https://www.forbes.com/sites/danielfisher/2015/01/02/if-2014-was-the-year-of-the-data-breach-brace-for-more (accessed on June 25, 2017)
  • Kaufman, R.L. Comparing the effects of dichotomous logistic regression: A variety of standardized coefficients. Social Science Quarterly, 77, 1 (1996), 90–109.
  • Kelton, A.S.; Pennington, R.R.; and Tuttle, B.M. The effects of information presentation format on judgment and decision making: A review of the information systems research. Journal of Information Systems, 24, 2 (2010), 79–105.
  • Kirk, J. Ham-fisted phishing attack seeks LinkedIn logins. CSO Magazine, 2015. Available at: http://www.csoonline.com/article/2868889/cyber-attacks-espionage/hamfisted-phishing-attack-seeks-linkedin-logins.html (accessed on June 25, 2017)
  • Kumaraguru, P.; Cranshaw, J.; Acquisti, A.; Cranor, L.; Hong, J.; Blair, M.A.; and Pham, T. School of phish: A real-world evaluation of anti-phishing training. In SOUPS ‘09 Proceedings of the Fifth Symposium on Usable Privacy and Security. Mountain View, CA: ACM, 2009, pp. 1–12.
  • Kumaraguru, P.; Rhee, Y.; Acquisti, A.; Cranor, L.; Hong, J.; and Nunge, E. The design and evalaution of an embedded training email systems. Computer Human Interaction (CHI). San Jose, CA: ACM Press, 2007, pp. 905–914.
  • Kumaraguru, P.; Sheng, S.; Acquisti, A.; Cranor, L.F.; and Hong, J. Teaching Johnny not to fall for phish. ACM Transactions on Internet Technology (TOIT), 10, 2 (2010), 7-1–7-31.
  • Langer, E. Mindfulness in the age of complexity. Harvard Business Review, 92, 3 (2014), 68–73.
  • Langer, E.J. Mindfulness. Reading, MA: Addison-Wesley, 1989.
  • Langer, E.J. The Power of Mindful Learning. Reading, MA: Addison-Wesley 1997.
  • Langer, E.J., and Piper, A. The Prevention of Mindlessness. Journal of Personality and Social Psychology, 53 (1987), 280–287.
  • Lau, M.A.; Bishop, S.R.; Segal, Z.V.; Buis, T.; Anderson, N.D.; Carlson, L.; Shapiro, S.; Carmody, J.; Abbey, S.; and Devins, G. The Toronto mindfulness scale: Development and validation. Journal of Clinical Psychology, 62, 12 (2006), 1445–1467.
  • Leary, M.R.; Adams, C.E.; and Tate, E.B. Hypo-egoic self-regulation: Exercising self-control by diminishing the influence of the self. Journal of Personality, 74, 6 (2006), 1803–1831.
  • Lim, K.H., and Benbasat, I. The effect of multimedia on perceived equivocality and perceived usefulness of information systems. MIS Quarterly, 24, 3 (2000), 449–471.
  • Malhotra, N.K.; Kim, S.S.; and Agarwal, J. Internet users’ information privacy concerns (IUIPC): The construct, the scale, and a causal model. Information Systems Research, 15, 4 (2004), 336–355.
  • Mayer, R.E. Multimedia Learning. New York, NY: Cambridge University Press, 2001.
  • Meservy, T.O.; Jensen, M.L.; and Fadel, K. Evaluation of competing candidate solutions in electronic networks of practice. Information Systems Research, 25, 1 (2014), 15–34.
  • Mohammad, R.M.; Thabtah, F.; and McCluskey, L. Tutorial and critical analysis of phishing websites methods. Computer Science Review, August (2015), 1–24.
  • Mohebzada, J.G.; El Zarka, A.; Bhojani, A.H.; and Darwish, A. Phishing in a university community: Two large scale phishing experiments. 2012 International Conference on Innovations in Information Technology (IIT), IEEE, 2012, pp. 249–254.
  • Myers, S. Introduction to phishing. In M. Jakobsson and S. Myers (eds.), Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft. Hoboken, NJ: Wiley, 2007, pp. 1–29.
  • Ndubisi, N.O. Mindfulness, reliability, pre-emptive conflict handling, customer orientation and outcomes in Malaysia’s healthcare sector. Journal of Business Research, 65, 4 (2012), 537–546.
  • Norton, E.C.; Wang, H.; and Ai, C. Computing interaction effects and standard errors in logit and probit models. Stata Journal, 4, 2 (2004), 154–167.
  • Orlikowski, W.J., and Yates, J. Genre repertoire: The structuring of communicative practices in organizations. Administrative Science Quarterly, 39, 4 (1994), 541–574.
  • Pavlou, P.A., and Gefen, D. Building effective online marketplaces with institution-based trust. Information Systems Research, 15, 1 (2004), 37–59.
  • Perez, E., and Prokupecz, S. How the U.S. thinks Russians hacked the White House. CNN, 2015. Available at: http://www.cnn.com/2015/04/07/politics/how-russians-hacked-the-wh (accessed on June 25, 2017)
  • Petersen, T. A comment on presenting results from logit and probit models. American Sociological Review, 50, 1 (1985), 130–131.
  • Png, I.L., and Wang, Q. Information security: Facilitating user precautions vis-à-vis enforcement against attackers. Journal of Management Information Systems, 26, 2 (2009), 97–121.
  • Polites, G.; Roberts, N.; and Thatcher, J. Conceptualizing models using multidimensional constructs: A conceptual review and guidelines for their use. European Journal of Information Systems, 21, 1 (2012), 22–48.
  • Polites, G.L., and Karahanna, E. The embeddedness of information systems habits in organizational and individual level routines: Development and disruption. MIS Quarterly, 37, 1 (2013), 221–246.
  • Puhakainen, P., and Siponen, M. Improving employees’ compliance through information systems security training: An action research study. MIS Quarterly, 34, 4 (2010), 757–778.
  • Purkait, S. Phishing counter measures and their effectiveness: Literature review. Information Management and Computer Security, 20, 5 (2012), 382–420.
  • Roberts, N.; Thatcher, J.; and Klein, R. Tying context to post-adoption behavior with information technology: A conceptual and operational definition of mindfulness. AMCIS 2007 Proceedings, Keystone, CO, 2007, pp. 1–6.
  • Savvas, A. 91% of cyberattacks begin with spear phishing email. TechWorld. TechWorld, 2012. Available at: http://www.techworld.com/news/security/91-of-cyberattacks-begin-with-spear-phishing-email-3413574/ (accessed on June 25, 2017)
  • Sedlmeier, P.; Eberth, J.; Schwarz, M.; Zimmermann, D.; Haarig, F.; Jaeger, S.; and Kunze, S. The psychological effects of meditation: A meta-analysis. Psychological Bulletin, 138, 6 (2012), 1139–1171.
  • Segars, A. Assessing the unidimensionality of measurement: A paradigm and illustration within the context of information systems research. Omega, 25, 1 (1997), 107–121.
  • Shapiro, S.L.; Schwartz, G.E.; and Bonner, G. Effects of mindfulness-based stress reduction on medical and premedical Students. Journal of Behavioral Medicine, 21, 6 (1998), 581–599.
  • Speier, C. The influence of information presentation formats on complex task decision-making performance. International Journal of Human-Computer Studies, 64, 11 (2006), 1115–1131.
  • Srikwan, S., and Jakobsson, M. Using cartoons to teach internet security. Cryptologia, 32, 2 (2008), 137–154.
  • Sun, H.; Fang, Y.; and Zhou, H. Choosing a fit technology: Understanding mindfulness in technology adoption and continuance. Journal of the Association for Information Systems, 17, 6 (2016), 377–412.
  • Symantec. Internet security threat report 2013. Mountain View, CA: Symantec Corporation, 2013. Available at: http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf (accessed on June 25, 2017)
  • Symantec. Internet security threat report 2014. Vol. 189, 2014. Available at: symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf (accessed on June 25, 2017)
  • Taylor, P.J.; Russ-Eft, D.F.; and Chan, D.W.L. A meta-analytic review of behavior modeling training. Journal of Applied Psychology, 90, 4 (2005), 692–709.
  • Teasdale, J.D.; Williams, J.M.G.; Soulsby, J.M.; Segal, Z.V.; Ridgeway, V.A.; and Lau, M.A. Prevention of relapse/recurrance in major depression by mindfulness-based cognitive therapy. Journal of Consulting and Clinical Psychology, 68, 4 (2000), 615–623.
  • Thatcher, J.B.; Wright, R.T.; Sun, H.; Klein, R.; and Zagenczyk, T. Mindfulness in information technology use: A conceptual and operational definition. MIS Quarterly, forthcoming.
  • van der Merwe, A.; Loock, M.; and Dabrowski, M. Characteristics and responsibilities involved in a phishing attack. In Proceedings of the Fourth International Symposium on Information and Communication Technologies. Cape Town, South Africa: Trinity College Dublin, 2005, pp. 249–254.
  • Vance, A.; Elie-Dit-Cosaque, C.; and Straub, D.W. Examining trust in information technology artifacts: The effects of system quality and culture. Journal of Management Information Systems, 24, 4 (2008), 73–100.
  • Vessey, I., and Galletta, D. Cognitive fit: An empirical study of information acquisition. Information Systems Research, 2, 1 (1991), 63–84.
  • Vishwanath, A. Mobile device affordance: Explicating how smartphones influence the outcome of phishing attacks. Computers in Human Behavior, 63 (2016), 198–207.
  • Vishwanath, A.; Herath, T.; Chen, R.; Wang, J.; and Rao, H.R. Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model. Decision Support Systems, 51, 3 (2011), 576–586.
  • Vrij, A. Nonverbal communication and deception. In V. Manusov and M.L. Patterson (eds.), The Sage Handbook of Nonverbal Communication. Thousand Oaks, CA: Sage, 2006, pp. 341–359.
  • Werts, C.E.; Linn, R.L.; and Joreskog, K. Interclass reliability estimates: Testing structural assumptions. Educational and Psychological Measurement, 34, 1 (1974), 25–33.
  • Wright, R.T.; Campbell, D.E.; Thatcher, J.B.; and Roberts, N. Operationalizing multidimensional constructs in structural equation modeling: Recommendations for IS research. Communications of the Association for Information Systems, 40 (2012), 367–412.
  • Wright, R.T.; Chakraborty, S.; Basoglu, A.; and Marett, K. Where did they go right? Understanding the deception in phishing communications. Group Decision and Negotiation, 19, 4 (2010), 391–416.
  • Wright, R.T.; Jensen, M.L.; Thatcher, J.; Dinger, M.; and Marett, K. Influence techniques in phishing attacks: An examination of vulnerability and resistance. Information Systems Research, 25, 2 (2014), 385–400.
  • Wright, R.T., and Marett, K. The influence of experiential and dispositional factors in phishing: An empirical investigation of the deceived. Journal of Management Information Systems, 27, 1 (2010), 273–303.
  • Yi, M.Y., and Davis, F.D. Improving computer training effectiveness for decision technologies: Behavior modeling and retention enhancement. Decision Sciences, 32, 3 (2001), 521–544.

Reprints and Corporate Permissions

Please note: Selecting permissions does not provide access to the full text of the article, please see our help page How do I view content?

To request a reprint or corporate permissions for this article, please click on the relevant link below:

Order Reprints Request Corporate Permissions

Academic Permissions

Please note: Selecting permissions does not provide access to the full text of the article, please see our help page How do I view content?

Obtain permissions instantly via Rightslink by clicking on the button below:

Request Academic Permissions

If you are unable to obtain permissions via Rightslink, please complete and submit this Permissions form. For more information, please visit our Permissions help page.

Related research

People also read lists articles that other readers of this article have read.

Recommended articles lists articles that we recommend and is powered by our AI driven recommendation engine.

Cited by lists all citing articles based on Crossref citations.
Articles with the Crossref icon will open in a new tab.