MIS Quarterly Executive


CIOs and IT managers need to mitigate the risks to information and IT assets arising from deception-based attacks. Common examples of deception are social engineering and phishing, both aimed at getting people to divulge information that will enable unauthorized access to computer systems. One well-known hacker has claimed it is easier to ask people for the required information than to employ highly technical hacking techniques.Mitigating deception threats is not easy because people are not very good at detecting deception, the overall success rate is only just over 50%. However, our research has shown that training and especially e-training can improve people's knowledge about deception and their ability to recognize it. There are two types of deception training: tactics-based and cue-based. Tactics-based training teaches people to look for the tactics deceivers commonly use to hide the truth. However, the tactics employed are very domain specific, for example, they will be different in the accounting and HR domains.Deception cues are not context-specific and people can easily be taught how to recognize them. The cues fall into three categories: (1) Physiological (sweating, increased heart rate); (2) Psychomotor (eye contact, gesturing); and (3) Linguistic (such as limited use of the personal pronoun). In two studies carried out a year apart with United States Air Force officers in the communication and information career field, we showed that appropriate training can improve deception detection. The studies also showed that those who used an e-training system performed better than those who participated in conventional classroom learning. One of the studies was designed to test the effectiveness of adding additional interactive capabilities to the e-training system. It showed that including features that require students' continued engagement and interactivity (such as quizzes to reinforce the learning) are well worth the small additional investment.Four actions for CIOs and IT managers in organizations at risk of losing valuable information from deception-based attacks arise from our research: (1) Provide employees with training on what deception is and how to recognize it; (2) Focus the training on how to detect the deception cues that leak from deceivers; (3) Use a well-designed e-training system that allows trainees to go at their own pace; and (4) Enhance e-training with features such as a navigable outline, search tools, and tools that involve practice and feedback.