Training to Mitigate Phishing Attacks Using Mindfulness Techniques. Issue 2 (3rd April 2017)
- Record Type:
- Journal Article
- Title:
- Training to Mitigate Phishing Attacks Using Mindfulness Techniques. Issue 2 (3rd April 2017)
- Main Title:
- Training to Mitigate Phishing Attacks Using Mindfulness Techniques
- Authors:
- Jensen, Matthew L.
Dinger, Michael
Wright, Ryan T.
Thatcher, Jason Bennett
- Abstract:
- Phishing attacks are at a record high and are causing billions of dollars in losses. To mitigate phishing's impact, organizations often use rule-based training to teach individuals to identify certain cues or apply a set of rules to avoid phishing attacks. The rule-based approach has improved organizational defenses against phishing; however, regular repetition of rule-based training may not yield increasing resistance to attacks. To expand the toolkit available to combat phishing attacks, we used mindfulness theory to develop a novel training approach that can be performed after individuals are familiar with rule-based training. The mindfulness approach teaches individuals to dynamically allocate attention during message evaluation, increase awareness of context, and forestall judgment of suspicious messages—techniques that are critical to detecting phishing attacks in organizational settings, but are unaddressed in rule-based instruction. To evaluate the efficacy of our approach, we compared rule-based and mindfulness training programs in a field study at a U.S. university that involved 355 students, faculty, and staff who were familiar with phishing attacks and received regular rule-based guidance. To evaluate the robustness of the training, we delivered each program in text-only or text-plus-graphics formats. Ten days later, we conducted a phishing attack on participants that used both generic and customized phishing messages. We found that participants who received mindfulness training were better able to avoid the phishing attack. In particular, improvement was observed for participants who were already confident in their detection ability and those who reported low e-mail mindfulness and low perceptions of Internet risk. This work introduces and provides evidence supporting a new approach that may be used to develop anti-phishing training.
- Is Part Of:
- Journal of management information systems. Volume 34:Issue 2(2017)
- Journal:
- Journal of management information systems
- Issue:
- Volume 34:Issue 2(2017)
- Issue Display:
- Volume 34, Issue 2 (2017)
- Year:
- 2017
- Volume:
- 34
- Issue:
- 2
- Issue Sort Value:
- 2017-0034-0002-0000
- Page Start:
- 597
- Page End:
- 626
- Publication Date:
- 2017-04-03
- Subjects:
- information security -- mindfulness -- mindlessness -- phishing -- security training -- signal detection
Management information systems -- Periodicals
Management information systems
Periodicals
658.4038011
- Journal URLs:
- http://www.tandfonline.com/loi/mmis20#.V2kZarn2bcs
http://www.jstor.org/journals/07421222.html
http://www.tandfonline.com/
http://firstsearch.oclc.org/journal=0742-1222;screen=info;ECOIP
- DOI:
- 10.1080/07421222.2017.1334499
- Languages:
- English
- ISSNs:
- 0742-1222
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 5011.350000
British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital Store
- Ingest File:
- 4424.xml