Combating Phishing Attacks: A Knowledge Management Approach

This paper explores how an organization can utilize its employees to combat phishing attacks collectively through coordinating their activities to create a human firewall. We utilize knowledge management research on knowledge sharing to guide the design of an experiment that explores a central reporting and dissemination platform for phishing attacks. The 2x2 experiment tests the effects of public attribution (to the first person reporting a phishing message) and validation (by the security team) of phishing messages on reporting motivation and accuracy. Results demonstrate that knowledge management techniques are transferable to organizational security and that knowledge management can benefit from insights gained from combating phishing. Specifically, we highlight the need to both publicly acknowledge the contribution to a knowledge management system and provide validation of the contribution. As we saw in our experiment, doing only one or the other does not improve outcomes for correct phishing reports (hits).
