Information Security and Privacy (SIG SEC)

Paper Type

Complete

Paper Number

1360

Description

Organizations invest heavily in technology solutions to enhance their cybersecurity, yet it is often human factors, like an employee clicking on a phishing link, that can derail even the most sophisticated security systems. Applying dual-process theories of cognition, we argue that a brief mindfulness practice may prevent habitual responding to phishing attempts by enhancing rational decision making and hence detecting phishing cues. To empirically investigate this idea, we manipulated mindfulness between two groups of participants in an experiment, and measured the ability to detect phishing cues that are easy or difficult to notice in emails from familiar or unfamiliar sources. Our findings suggest that mindfulness helps to detect more phishing cues when emails are difficult and from familiar sources, but not in any of the other experimental conditions. Subsequently, we draw theoretical implications for the role of human factors in cybersecurity behavior, and offer practical suggestions for security training.

Aug 9th, 12:00 AM

Mindfulness and Cybersecurity Behavior: A comparative analysis of rational and intuitive cybersecurity decisions
