Improving Phishing Reporting Using Security Gamification

• Published in: Journal of management information systems Vol. 39; no. 3; pp. 793 - 823
• Main Authors: Jensen, Matthew L., Wright, Ryan T., Durcikova, Alexandra, Karumbaiah, Shamya
• Format: Journal Article
• Language: English
• Published: Abingdon Routledge 03.07.2022; Taylor & Francis Ltd
• Subjects: Attribution; Cognitive evaluation theory; False alarms; Gamification; Incentives; leaderboards; Mitigation; Motivation; online gamification; Phishing; phishing reporting; Productivity; Rewards; Secrets; Security; security gamification; Trade secrets; Warnings
• ISSN: 0742-1222; 1557-928X
• DOI: 10.1080/07421222.2022.2096551

Phishing is an increasing threat that causes billions in losses and damage to productivity, trade secrets, and reputations each year. This work explores how security gamification techniques can improve phishing reporting. We contextualized the cognitive evaluation theory (CET) as a kernel theory and constructed a prototype phishing reporting system. With three experiments in a simulated work setting, we tested gamification elements of validation, attribution, incentives, and public presentation for improvements in experiential (e.g., motivation) and instrumental outcomes (e.g., hits and false positives) in phishing reporting. Our findings suggest public attribution with rewards and punishments best balance the competing necessities of accuracy with widespread reporting. Furthermore, our results demonstrate the unique benefits of security gamification to phishing reporting over and above other phishing mitigation techniques (e.g., training and warnings). However, we also noted that unintended consequences in false alarms might arise from shifts in motivation resulting from public display of incentives. These findings suggest that carefully calibrated external incentives (rather than intrinsic rewards) are most likely to improve the ancillary task of phishing reporting.