Paper ID
2216
Paper Type
short
Description
Phishing e-mails are a costly problem for organizations that automated phishing detection systems have been unable to stop. Accordingly, most organizations train their members to detect and safely respond to phishing e-mails. Most phishing training takes a rules-based or behavioral approach. Rules-based approaches provide simple heuristics for employees to follow, but have been criticized for their lack of flexibility. Behavioral approaches, including mindfulness-based training, improve attentiveness, but have been criticized for being misapplied. In a multi-study research program, we evaluate phishing training methods to determine which is the most successful for improving phishing detection. We also uncover the mechanisms through which these training programs improve phishing detection and offer a new integrated phishing training method. Our empirical results indicate that an integrated training program that combines mindfulness concepts and targets specific linguistic identifiers of phishing provides the greatest improvements to phishing detection rates.
Recommended Citation
Harrison, Andrew; Samuel, Binny; Shan, Zhe; Cook, Michael; Zu, Tianhai; and Dawani, Diksha, "Learning to See the Hook: Comparing Phishing Training Approaches" (2019). ICIS 2019 Proceedings. 23.
https://aisel.aisnet.org/icis2019/cyber_security_privacy_ethics_IS/cyber_security_privacy/23