Building the Human Firewall: Combating Phishing through Collective Action of Individuals Using Leaderboards

40 Pages Posted: 1 Jul 2020

See all articles by Matthew L. Jensen

Matthew L. Jensen

University of Oklahoma - Michael F. Price College of Business

Ryan Wright

University of Virginia - McIntire School of Commerce

Alexandra Durcikova

University of Oklahoma - Division of Management Information Systems (MIS)

Shamya Karumbaiah

University of Pennsylvania - Department of Computer and Information Science

Date Written: July 1, 2020

Abstract

Phishing is an increasing organizational threat that causes billions in losses and damage to productivity, trade secrets, and reputation each year. This work explores how organizations can use gamification techniques to improve phishing detection efforts by individuals to create a human firewall. We build on cognitive evaluation theory to begin a new area of inquiry in gamification of IT security. With three experiments in a mock work setting, we test leaderboard components of validation, attribution, incentives, and public presentation for improvements in experiential (e.g., motivation) and instrumental outcomes (e.g., hits and false positives) in phishing reporting. Our findings suggest public attribution with rewards and punishments best balance the competing necessities of accuracy with widespread reporting. Further, our results demonstrate leaderboards’ unique benefits to phishing reporting over and above other phishing mitigation techniques (training and warnings). However, we noted that unintended consequences in false alarms may arise from shifts in motivation resulting from public display of incentives.

Keywords: Phishing, reporting, leaderboards, cognitive evaluation theory, gamification, gamification elements, groups, motivation, validation, attribution, incentives, public display, accuracy, hits, false positives, work disruption

Suggested Citation

Jensen, Matthew L. and Wright, Ryan and Durcikova, Alexandra and Karumbaiah, Shamya, Building the Human Firewall: Combating Phishing through Collective Action of Individuals Using Leaderboards (July 1, 2020). Available at SSRN: https://ssrn.com/abstract=3622322 or http://dx.doi.org/10.2139/ssrn.3622322

Matthew L. Jensen (Contact Author)

University of Oklahoma - Michael F. Price College of Business ( email )

307 West Brooks
Norman, OK 73019-4004
United States

Ryan Wright

University of Virginia - McIntire School of Commerce ( email )

P.O. Box 400173
Charlottesville, VA 22904-4173
United States

Alexandra Durcikova

University of Oklahoma - Division of Management Information Systems (MIS) ( email )

307 W. Brooks, Suite 307E
Norman, OK 73019
United States

Shamya Karumbaiah

University of Pennsylvania - Department of Computer and Information Science ( email )

3330 Walnut Street
Philadelphia, PA 19104
United States

Do you have negative results from your research you’d like to share?

Paper statistics

Downloads
321
Abstract Views
1,438
Rank
172,280
PlumX Metrics