Research Article

Learning not to take the bait: a longitudinal examination of digital training methods and overlearning on phishing susceptibility

Pages 238-262 | Received 24 Aug 2019, Accepted 10 May 2021, Published online: 20 Jun 2021

