Phishing Susceptibility in Context: A Multi-level Information Processing Perspective on Deception Detection
Wright, R.T., Johnson, S.L., Kitchens, B. "Phishing Susceptibility in Context: A Multi-level Information Processing Perspective on Deception Detection" MIS Quarterly.
1 Pages Posted: 1 Jul 2020 Last revised: 1 Jun 2022
Date Written: May 31, 2022
Abstract
This article has been accepted for publication in MIS Quarterly on behalf of the Regents of the University of Minnesota and the MIS Research Center.
Despite widespread awareness of risks, significant investments in cybersecurity protection, and substantial economic incentives to avoid security breaches, organizations remain vulnerable to phishing attacks. Phishing research has informed effective practical interventions to address phishing susceptibility that emphasize the importance of broadly applicable IT security knowledge. Yet, employees still frequently fall victim to phishing attempts. To help understand why, we conceptualize phishing susceptibility as failure to differentiate between deceptive and legitimate information processing requests that occur within the context of an employee’s typical job responsibilities. We apply this contextual lens to identify characteristics of knowledge workers’ organizational task and social context that may enhance or diminish performance in detecting deception in phishing email attempts. To test our hypotheses, we conduct a study in which employees of the finance division of a large university encountered simulated email-based phishing attempts as part of their normal work routine. We find evidence supporting our hypotheses that an individual’s susceptibility to phishing attacks is influenced by their position in the knowledge flows of the organization and by the impact of workgroup responsibilities on their cognitive processing. We contend that phishing susceptibility is not merely a matter of IT security knowledge, but is also influenced by contextualized, multi-level influences on information processing. As phishing attacks are increasingly targeted to specific organizational settings, it is even more important to incorporate this contextualized information processing view of phishing susceptibility.
Keywords: Cybersecurity, Phishing, Phishing Susceptibility, Information Security, Contextual theory, Social Network Analysis, multi-level model
Suggested Citation: Suggested Citation