Training to Mitigate Phishing Attacks Using Mindfulness Techniques
Publication type:
Article
Authors:
Jensen, Matthew L.; Dinger, Michael; Wright, Ryan T.; Thatcher, Jason Bennett
Affiliations:
University of Oklahoma System; University of Oklahoma - Norman; University of Oklahoma System; University of Oklahoma - Norman; University of Virginia; Clemson University; University of Copenhagen
Journal:
JOURNAL OF MANAGEMENT INFORMATION SYSTEMS
ISSN/ISBN:
0742-1222
DOI:
10.1080/07421222.2017.1334499
Publication date:
2017
Pages:
597-626
Keywords:
information-systems
decision-making
STRESS REDUCTION
cognitive fit
models
vulnerability
intervention
reliability
prevention
people
Abstract:
Phishing attacks are at a record high and are causing billions of dollars in losses. To mitigate phishing's impact, organizations often use rule-based training to teach individuals to identify certain cues or apply a set of rules to avoid phishing attacks. The rule-based approach has improved organizational defenses against phishing; however, regular repetition of rule-based training may not yield increasing resistance to attacks. To expand the toolkit available to combat phishing attacks, we used mindfulness theory to develop a novel training approach that can be performed after individuals are familiar with rule-based training. The mindfulness approach teaches individuals to dynamically allocate attention during message evaluation, increase awareness of context, and forestall judgment of suspicious messages; these techniques are critical to detecting phishing attacks in organizational settings, but are unaddressed in rule-based instruction. To evaluate the efficacy of our approach, we compared rule-based and mindfulness training programs in a field study at a U.S. university that involved 355 students, faculty, and staff who were familiar with phishing attacks and received regular rule-based guidance. To evaluate the robustness of the training, we delivered each program in text-only or text-plus-graphics formats. Ten days later, we conducted a phishing attack on participants that used both generic and customized phishing messages. We found that participants who received mindfulness training were better able to avoid the phishing attack. In particular, improvement was observed for participants who were already confident in their detection ability and those who reported low e-mail mindfulness and low perceptions of Internet risk. This work introduces and provides evidence supporting a new approach that may be used to develop anti-phishing training.