Litcius/Paper detail

Improving Phishing Reporting Using Security Gamification

Matthew L. Jensen, Ryan Wright, Alexandra Durcikova, Shamya Karumbaiah

2022Journal of Management Information Systems37 citationsDOI

Abstract

Phishing is an increasing threat that causes billions in losses and damage to productivity, trade secrets, and reputations each year. This work explores how security gamification techniques can improve phishing reporting. We contextualized the cognitive evaluation theory (CET) as a kernel theory and constructed a prototype phishing reporting system. With three experiments in a simulated work setting, we tested gamification elements of validation, attribution, incentives, and public presentation for improvements in experiential (e.g., motivation) and instrumental outcomes (e.g., hits and false positives) in phishing reporting. Our findings suggest public attribution with rewards and punishments best balance the competing necessities of accuracy with widespread reporting. Furthermore, our results demonstrate the unique benefits of security gamification to phishing reporting over and above other phishing mitigation techniques (e.g., training and warnings). However, we also noted that unintended consequences in false alarms might arise from shifts in motivation resulting from public display of incentives. These findings suggest that carefully calibrated external incentives (rather than intrinsic rewards) are most likely to improve the ancillary task of phishing reporting.

Topics & Concepts

PhishingIncentiveInternet privacyComputer scienceFalse positive paradoxUnintended consequencesTask (project management)Computer securityThe InternetWorld Wide WebArtificial intelligenceEngineeringEconomicsMicroeconomicsPolitical scienceLawSystems engineeringSpam and Phishing DetectionCybercrime and Law Enforcement StudiesMisinformation and Its Impacts