
Commerce Professor Ryan Wright Talks Better Resistance to Phishing in HBR

In a September-October 2020 article for Harvard Business Review, Professor Ryan Wright and colleague Matthew Jensen offer several ways to make employee security training more effective against phishing attacks.


Phishing accounts for 90% of all data breaches, yet despite organizations' best efforts to educate their employees, 30% of phishing emails are still opened. A successful attack costs the exploited firm $3.8 million on average. How can organizations better prepare their employees to stay vigilant and avoid taking the bait of phishing scams?

Detailing findings from their research, Commerce Professor Ryan Wright and Matthew Jensen of the University of Oklahoma suggest that practicing mindfulness, building strong team dynamics, and instituting gamified training can help mitigate the risk and reinforce sound security habits.

In the September-October 2020 Harvard Business Review article “Boost Your Resistance to Phishing Attacks,” Wright and Jensen explain that requiring employees to complete training modules once or twice a year is useful for raising awareness and setting guidelines, but that repeating the same rules can become counterproductive.

“Rather than ask people to memorize a laundry list of constantly changing cues, organizations can take a more holistic tack,” Wright says. Adding mindfulness instruction may help employees slow down and examine a suspicious message more deliberately before acting on it.

The research (some of it conducted in a working paper with fellow McIntire Professors Steven Johnson and Brent Kitchens) suggests that strong group dynamics reduce vulnerability to attacks: employees who were more connected to one another were duped less often by phishing schemes. Sharing security information among teammates, formally or informally, may also help managers hold groups accountable for staying attentive to required training.

The HBR article also explores a way to make the most of group dynamics through gamification, adding a competitive angle to reinforce secure behavior. In one example, a leaderboard awarded employees points for correctly reporting phishing messages and deducted points for false alarms; openly comparing participants' performance proved an effective motivator for producing useful phishing reports.

Fannie Mae Chief Information Security Officer and Commerce Alum Christopher Porter’s Take

In an HBR companion article, “Making the Lessons Personal Means They’re More Likely to Stick,” Fannie Mae Chief Information Security Officer and McIntire alum Christopher Porter (A&S ’98, M.S. in MIT ’10) explains how he defends the mortgage lending giant from phishing. Porter describes how stressing the human element, practicing mindfulness, and injecting an element of fun produce effective results for Fannie Mae’s nearly 7,500 employees and thousands of contractors and consultants.

By supplementing monthly mock phishing exercises with weekly security awareness campaigns, Porter keeps Fannie Mae's approach proactive and continually reinforces the actions employees are expected to take when they encounter a phishing message. The mock exercises are built around three common lures: a threatened loss if the recipient does not respond, a false promise for clicking a link, and emotional bait that exploits curiosity.

Porter also delves into the link between mindfulness exercises and the ability to detect a scam, and he shows employees how protecting their own information at home (personal finances, family privacy) makes the lessons personal and improves vigilance in the office.

Read the full article at Harvard Business Review.
