MIS Quarterly Executive


While there are various forms of computer attack, this article deals with the growing trend of hackers and insiders manipulating data they are unauthorized to see or change. As employees and managers increasingly rely on information systems to make decisions, others can influence those decisions, and even the decision makers' behavior, by manipulating the data the decision makers use. While organizations typically rely on intrusion detection systems and firewalls to protect their information assets, employees must also be made aware that data deception is possible, so that they realize the information they depend on might have been manipulated. This article describes a field experiment that analyzed the effectiveness of alternative approaches to sensitizing decision makers to the possibility of manipulated data. Once sensitized, they may either truly discover data manipulation (detection success) or falsely discover manipulation (false alarm). We found that traditional classroom training had no effect on raising the decision makers' sensitivity, while warnings of possible poor data quality did lead to higher detection of the erroneous data. Warnings combined with just-in-time training resulted in better detection success, but also in more false alarms. Even the best detectors, however, were only able to spot 25 percent of the manipulated data. Nonetheless, the study underscores the need for both strong perimeter defenses and a sensitized workforce when a data manipulation incident is suspected.