Associate Professor, Dept of Management
Friday, May 2, 2014
10:00am – 11:30am Speakman Hall 200
Seminar Title: Training to Mitigate the Threat of Phishing Attacks: A Mindfulness Approach
Despite significant investments in technology to combat phishing, firms lose billions of dollars each year to phishing attacks. Anti-phishing training based on behavioral modeling has reduced vulnerability to phishing attacks; however, there is some dispute about the proper level of conceptualization for such training. Researchers and practitioners have embraced concrete training approaches that prescribe a search for specific cues or adherence to discrete rules in order to avoid phishing messages. We advocate a more abstract training approach focused on the mental model individuals use to evaluate suspicious messages. The abstract approach, based on the concept of mindfulness, encourages individuals to move from mindless assessments to careful scrutiny of the actions an email asks them to take. To evaluate these competing training approaches, we developed two anti-phishing training programs using behavioral modeling: an abstract mindfulness program and a concrete situation-specific program. We tested their relative effectiveness in a field study at a US university involving 355 email users, including students, faculty and staff. To evaluate the robustness of the training, we delivered each program in one of two formats (text-only or graphics) and used both generic and customized phishing messages. The results support the abstract mindfulness approach as a more effective means of training individuals to avoid phishing attacks than the concrete situation-specific approach.