Phishing Susceptibility in Context: A Multi-level Information Processing Perspective on Deception Detection

Wright, R.T., Johnson, S.L., Kitchens, B. "Phishing Susceptibility in Context: A Multi-level Information Processing Perspective on Deception Detection" MIS Quarterly.

1 Pages Posted: 1 Jul 2020 Last revised: 1 Jun 2022

See all articles by Ryan Wright

Ryan Wright

University of Virginia - McIntire School of Commerce

Steven L. Johnson

University of Virginia - McIntire School of Commerce

Brent Kitchens

University of Virginia - McIntire School of Commerce

Date Written: May 31, 2022

Abstract

This article has been accepted for publication in MIS Quarterly on behalf of the Regents of the University of Minnesota and the MIS Research Center.

Despite widespread awareness of risks, significant investments in cybersecurity protection, and substantial economic incentives to avoid security breaches, organizations remain vulnerable to phishing attacks. Phishing research has informed effective practical interventions to address phishing susceptibility that emphasize the importance of broadly applicable IT security knowledge. Yet, employees still frequently fall victim to phishing attempts. To help understand why, we conceptualize phishing susceptibility as failure to differentiate between deceptive and legitimate information processing requests that occur within the context of an employee’s typical job responsibilities. We apply this contextual lens to identify characteristics of knowledge workers’ organizational task and social context that may enhance or diminish performance in detecting deception in phishing email attempts. To test our hypotheses, we conduct a study in which employees of the finance division of a large university encountered simulated email-based phishing attempts as part of their normal work routine. We find evidence supporting our hypotheses that an individual’s susceptibility to phishing attacks is influenced by their position in the knowledge flows of the organization and by the impact of workgroup responsibilities on their cognitive processing. We contend that phishing susceptibility is not merely a matter of IT security knowledge, but is also influenced by contextualized, multi-level influences on information processing. As phishing attacks are increasingly targeted to specific organizational settings, it is even more important to incorporate this contextualized information processing view of phishing susceptibility.

Keywords: Cybersecurity, Phishing, Phishing Susceptibility, Information Security, Contextual theory, Social Network Analysis, multi-level model

Suggested Citation

Wright, Ryan and Johnson, Steven L. and Kitchens, Brent, Phishing Susceptibility in Context: A Multi-level Information Processing Perspective on Deception Detection (May 31, 2022). Wright, R.T., Johnson, S.L., Kitchens, B. "Phishing Susceptibility in Context: A Multi-level Information Processing Perspective on Deception Detection" MIS Quarterly., Available at SSRN: https://ssrn.com/abstract=3622310 or http://dx.doi.org/10.2139/ssrn.3622310

Ryan Wright (Contact Author)

University of Virginia - McIntire School of Commerce ( email )

P.O. Box 400173
Charlottesville, VA 22904-4173
United States

Steven L. Johnson

University of Virginia - McIntire School of Commerce ( email )

P.O. Box 400173
Charlottesville, VA 22904-4173
United States

Brent Kitchens

University of Virginia - McIntire School of Commerce ( email )

P.O. Box 400173
Charlottesville, VA 22904-4173
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
375
Abstract Views
2,165
Rank
155,012
PlumX Metrics