4 research outputs found

    Improving Cybersecurity Behaviors: A Proposal for Analyzing Four Types of Phishing Training

    Phishing is an attack on organizational data that targets employees. Some technical safeguards can be put in place in advance, but ultimately employees need to be trained in how to identify and respond to phishing attacks. A number of different methods are used for employee phishing training, but are they effective? This proposal presents a plan to analyze the effectiveness of four different types of organizational phishing training in order to determine which methods actually work.

    Multiple Case Study Approach to Identify Aggravating Variables of Insider Threats in Information Systems

    Malicious insiders present a serious threat to information systems because of their privileged access, their knowledge of internal computer resources, and the potential for disgruntled employees or insiders collaborating with external cybercriminals to abuse both. Researchers have extensively studied insiders' motivation to attack from the broader perspective of deterrence theory and have explored the rationale for employees to disregard or overlook security policies from the perspective of neutralization theory. This research takes a step further: we explore the aggravating variables of insider threat using a multiple case study approach. Empirical research using black hat analysis of three insider threat case studies suggests that, while neutralization plays an important role in insider attacks, it takes a cumulative set of aggravating factors to trigger an actual data breach. By identifying and aggregating these variables, this study presents a predictive model that can guide IS managers in proactively mitigating insider threats. Given the economic and legal ramifications of insider threats, this research has implications for both academics and security practitioners.

    The Role of E-Training in Protecting Information Assets Against Deception Attacks

    CIOs and IT managers need to mitigate the risks to information and IT assets arising from deception-based attacks. Common examples of deception are social engineering and phishing, both aimed at getting people to divulge information that will enable unauthorized access to computer systems. One well-known hacker has claimed it is easier to ask people for the required information than to employ highly technical hacking techniques. Mitigating deception threats is not easy because people are not very good at detecting deception: the overall detection rate is only just over 50%, barely better than chance. However, our research has shown that training, and especially e-training, can improve people's knowledge about deception and their ability to recognize it. There are two types of deception training: tactics-based and cue-based. Tactics-based training teaches people to look for the tactics deceivers commonly use to hide the truth. However, the tactics employed are very domain specific; for example, they differ between the accounting and HR domains. Deception cues, by contrast, are not context-specific, and people can readily be taught to recognize them. The cues fall into three categories: (1) Physiological (sweating, increased heart rate); (2) Psychomotor (eye contact, gesturing); and (3) Linguistic (such as limited use of the personal pronoun). In two studies carried out a year apart with United States Air Force officers in the communication and information career field, we showed that appropriate training can improve deception detection. The studies also showed that those who used an e-training system performed better than those who participated in conventional classroom learning. One of the studies was designed to test the effectiveness of adding interactive capabilities to the e-training system. It showed that features which require students' continued engagement and interactivity (such as quizzes to reinforce the learning) are well worth the small additional investment. Four actions for CIOs and IT managers in organizations at risk of losing valuable information to deception-based attacks arise from our research: (1) Provide employees with training on what deception is and how to recognize it; (2) Focus the training on how to detect the deception cues that leak from deceivers; (3) Use a well-designed e-training system that allows trainees to go at their own pace; and (4) Enhance e-training with features such as a navigable outline, search tools, and tools that involve practice and feedback.