What Kind of Interventions Can Help Users from Falling for Phishing Attempts: A Research Proposal for Examining Stage-Appropriate Interventions

Because successful phishing attacks are expensive to society, it is imperative to understand how to promote protective behavior among IS end-users. Our research program in progress will extend IS Security research by empirically testing a theoretical hybrid continuum-stage model of the protective behavior of IS end-users. The results of the first step of our research program confirmed that users progress over time through stages of preventive behavior, from a denial stage (Stage 0), through an awareness stage (Stage 1), to, finally, a coping and planning stage (Stage 2). Thus, there is a need to understand how we can design and empirically test stage-appropriate interventions that move users from one stage to the next. Informed by the literature on health behavior change models, this proposed second phase of our research program will longitudinally monitor the effects of both simulated phishing attempts and stage-appropriate interventions in a field experiment.
