Ryan T. Wright

The Influence of Experiential and Dispositional Factors in Phishing: An Empirical Investigation of the Deceived

Phishing has been a major problem for information systems managers and users for several years now. In 2008, it was estimated that phishing resulted in close to

Training to Mitigate Phishing Attacks Using Mindfulness Techniques

50 billion in damages to U.S. consumers and businesses. Even so, research has yet to explore many of the reasons why Internet users continue to be exploited. The goal of this paper is to better understand the behavioral factors that may increase ones susceptibility for complying with a phishers request for personal information. Using past research on deception detection, a research model was developed to help explain compliant phishing responses. The model was tested using a field study in which each participant received a phishing e-mail asking for sensitive information. It was found that four behavioral factors were influential as to whether the phishing e-mails were answered with sensitive information. The paper concludes by suggesting that the behavioral aspect of susceptible users be integrated into the current tools and materials used in antiphishing efforts.

Combating Phishing Attacks: A Knowledge Management Approach

Abstract Phishing attacks are at a record high and are causing billions of dollars in losses. To mitigate phishing’s impact, organizations often use rule-based training to teach individuals to identify certain cues or apply a set of rules to avoid phishing attacks. The rule-based approach has improved organizational defenses against phishing; however, regular repetition of rule-based training may not yield increasing resistance to attacks. To expand the toolkit available to combat phishing attacks, we used mindfulness theory to develop a novel training approach that can be performed after individuals are familiar with rule-based training. The mindfulness approach teaches individuals to dynamically allocate attention during message evaluation, increase awareness of context, and forestall judgment of suspicious messages—techniques that are critical to detecting phishing attacks in organizational settings, but are unaddressed in rule-based instruction. To evaluate the efficacy of our approach, we compared rule-based and mindfulness training programs in a field study at a U.S. university that involved 355 students, faculty, and staff who were familiar with phishing attacks and received regular rule-based guidance. To evaluate the robustness of the training, we delivered each program in text-only or text-plus-graphics formats. Ten days later, we conducted a phishing attack on participants that used both generic and customized phishing messages. We found that participants who received mindfulness training were better able to avoid the phishing attack. In particular, improvement was observed for participants who were already confident in their detection ability and those who reported low e-mail mindfulness and low perceptions of Internet risk. This work introduces and provides evidence supporting a new approach that may be used to develop anti-phishing training.

Introduction to Human-Computer Interaction (HCI) Minitrack

This paper explores how an organization can utilize its employees to combat phishing attacks collectively through coordinating their activities to create a human firewall. We utilize knowledge management research on knowledge sharing to guide the design of an experiment that explores a central reporting and dissemination platform for phishing attacks. The 2x2 experiment tests the effects of public attribution (to the first person reporting a phishing message) and validation (by the security team) of phishing messages on reporting motivation and accuracy. Results demonstrate that knowledge management techniques are transferable to organizational security and that knowledge management can benefit from insights gained from combating phishing. Specifically, we highlight the need to both publicly acknowledge the contribution to a knowledge management system and provide validation of the contribution. As we saw in our experiment, doing only one or the other does not improve outcomes for correct phishing reports (hits).

Curriculum Guidelines for Undergraduate Degree Programs in Information Systems

The Human-Computer Interaction (HCI) minitrack provides a forum for HCI researchers to exchange a broad and comprehensive range of issues related to the design, development, and assessment of humancomputer interaction. Papers selected for the HCI minitrack draw on a broad range of research methodologies including developmental, conceptualization, theorization, and experimentation to name a few. Given the fast pace of change within the HCI arena (e.g., new applications, new types of users, new types of devices, and so on), it is our hope that the papers presented in this minitrack will prove interesting and relevant to both the academic and practitioner communities.