Training to Mitigate the Threat of Phishing Attacks: A ...
Training to Mitigate the Threat of Phishing Attacks: A Mindfulness ApproachAbstractDespite significant investments in technology to combat phishing, firms lose billions of dollars each year due to phishing attacks. Anti-phishing training using behavioral modeling has reduced vulnerability to phishing attacks; however, there is some dispute regarding training’s proper level of conceptualization. Researchers and practitioners have embraced concrete training approaches that prescribe a search for specific cues or adherence to discrete rules to avoid phishing messages. We advocate for a more abstract training approach which is focused on the mental model individuals use to evaluate suspicious messages. The abstract approach, based on the concept of mindfulness, encourages individuals to move from mindless assessments to carefully scrutinizing the actions called for by emails. To evaluate these completing training approaches, we developed two anti-phishing training programs using behavioral modeling: an abstract mindfulness program and a concrete situation-specific training program. We tested their relative effectiveness in a field study at a US university that involved 355 email users, including students, faculty and staff. To evaluate the robustness of the training, we delivered each training program in one of two formats (text-only or graphics) and used generic and customized phishing messages. Results provide support for the abstract mindfulness approach as a more effective means of training individuals to avoid phishing attacks than the concrete situation-specific approach.Keywords: phishing, training, spear phishing, mindfulness, mindlessness Training to Mitigate the Threat of Phishing Attacks: A Mindfulness ApproachIntroductionWe all receive them: email messages that ask us to click on a link to avoid catastrophes such as saving our bank accounts from being closed or our email accounts from imminent deletion. Some emails are readily identified as fraudulent, others might require more consideration, but a few fool even the keenest evaluators ADDIN EN.CITE <EndNote><Cite><Author>Jackson</Author><Year>2007</Year><RecNum>4684</RecNum><DisplayText>(Jackson et al. 2007)</DisplayText><record><rec-number>4684</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184946">4684</key></foreign-keys><ref-type name="Book Section">5</ref-type><contributors><authors><author>Jackson, C.</author><author>Simon, D.</author><author>Tan, D.</author><author>Barth, A.</author></authors><secondary-authors><author>Dietrich, Sven</author><author>Dhamija, Rachna</author></secondary-authors></contributors><titles><title>An evaluation of extended validation and picture-in-picture phishing attacks</title><secondary-title>Financial Cryptography and Data Security</secondary-title><tertiary-title>Lecture Notes in Computer Science</tertiary-title></titles><periodical><full-title>Financial Cryptography and Data Security</full-title></periodical><pages>281-293</pages><volume>4886</volume><keywords><keyword>Computer Science</keyword></keywords><dates><year>2007</year></dates><publisher>Springer Berlin / Heidelberg</publisher><isbn>978-3-540-77365-8</isbn><urls><related-urls><url>;(Jackson et al. 2007). These kinds of threats against individuals are increasing. Symantec’s Internet Security Threat Report ADDIN EN.CITE <EndNote><Cite ExcludeAuth="1"><Author>Symantec.</Author><Year>2014</Year><RecNum>4681</RecNum><DisplayText>(2014)</DisplayText><record><rec-number>4681</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184029">4681</key></foreign-keys><ref-type name="Web Page">12</ref-type><contributors><authors><author>Symantec.</author></authors></contributors><titles><title>Internet Security Threat Report 2014. Volume 189</title></titles><volume>2014</volume><number>April 22</number><dates><year>2014</year></dates><publisher>Symantec.</publisher><urls><related-urls><url> </url></related-urls></urls></record></Cite></EndNote>(2014) stated that in 2013 there was a 91% increase in phishing campaigns. But not only does phishing threaten individuals, it also presents a substantial risk for organizations. Of all the phishing campaigns detected, 39% were sent to large enterprises (over 2500 employees). For example, between November 27th and December 15th in 2013, the credit and debit card information of more than 70 million people who bought goods at Target stores were stolen by cybercriminals who were able to gain access by using login information garnered during a phishing attack ADDIN EN.CITE <EndNote><Cite><Author>Bjorhus</Author><Year>2014</Year><RecNum>4679</RecNum><DisplayText>(Bjorhus 2014)</DisplayText><record><rec-number>4679</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398183875">4679</key></foreign-keys><ref-type name="Web Page">12</ref-type><contributors><authors><author>Bjorhus, Jennifer</author></authors></contributors><titles><title>Target breach started as an e-mail phishing expedition.</title></titles><volume>2014</volume><number>April 22</number><dates><year>2014</year></dates><pub-location>StarTribune</pub-location><urls><related-urls><url> </url></related-urls></urls></record></Cite></EndNote>(Bjorhus 2014). In another example in 2013, an Associated Press (AP) employee responded to a phishing attack which allowed the phishers to monitor the employee’s keystrokes and hack into AP’s official Twitter account. Using the Twitter account, the phishers posted that a bomb exploded at the Whitehouse, which caused the Standard & Poors Index to fall by $136 billion ADDIN EN.CITE <EndNote><Cite><Author>Dave</Author><Year>2013</Year><RecNum>4680</RecNum><DisplayText>(Dave 2013)</DisplayText><record><rec-number>4680</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398183955">4680</key></foreign-keys><ref-type name="Web Page">12</ref-type><contributors><authors><author>Dave, Paresh</author></authors></contributors><titles><title>Email 'phishing' attacks by hackers growing in number, intensity.</title></titles><volume>2014</volume><number>April 22</number><dates><year>2013</year></dates><pub-location>LA Times</pub-location><urls><related-urls><url>;(Dave 2013). Clearly, phishing is a significant problem to both consumers and large enterprises.Phishing is a form of social engineering in which an attacker, also known as a phisher, attempts to fraudulently retrieve another’s confidential credentials, collect private information, or install malicious software on another’s machine by imitating electronic communications from a trustworthy source ADDIN EN.CITE <EndNote><Cite><Author>Myers</Author><Year>2007</Year><RecNum>4534</RecNum><DisplayText>(Hong 2012; Myers 2007)</DisplayText><record><rec-number>4534</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1363276542">4534</key></foreign-keys><ref-type name="Book Section">5</ref-type><contributors><authors><author>Myers, S.</author></authors><secondary-authors><author>Jakobsson, M.</author><author>Myers, S.</author></secondary-authors></contributors><titles><title>Introduction to phishing</title><secondary-title>Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft</secondary-title></titles><pages>1-29</pages><dates><year>2007</year></dates><pub-location>Hoboken, NJ</pub-location><publisher>Wiley</publisher><urls></urls></record></Cite><Cite><Author>Hong</Author><Year>2012</Year><RecNum>7535</RecNum><record><rec-number>7535</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1343426670">7535</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Hong, J.</author></authors></contributors><titles><title>The state of phishing attacks</title><secondary-title>Communications of the ACM</secondary-title></titles><periodical><full-title>Communications of the ACM</full-title></periodical><pages>74-81</pages><volume>55</volume><number>1</number><dates><year>2012</year></dates><isbn>0001-0782</isbn><urls></urls></record></Cite></EndNote>(Hong 2012; Myers 2007). Phishing is typically carried out through email, although it has also been employed in text messaging and through social media ADDIN EN.CITE <EndNote><Cite><Author>Jagatic</Author><Year>2007</Year><RecNum>7539</RecNum><DisplayText>(Jagatic et al. 2007)</DisplayText><record><rec-number>7539</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1345216877">7539</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Jagatic, T. N.</author><author>Johnson, N. A.</author><author>Jakobsson, M.</author><author>Menczer, F.</author></authors></contributors><titles><title>Social Phishing</title><secondary-title>Communications of the ACM</secondary-title></titles><periodical><full-title>Communications of the ACM</full-title></periodical><pages>94-100</pages><volume>50</volume><number>10</number><keywords><keyword>PHISHING</keyword><keyword>ACCESS to information</keyword><keyword>COMPUTER crimes</keyword><keyword>E-mail</keyword><keyword>WEBSITES</keyword><keyword>ONLINE social networks</keyword><keyword>BLOGS</keyword><keyword>CORRUPT practices</keyword><keyword>INDIANA University at Indianapolis</keyword></keywords><dates><year>2007</year></dates><publisher>Association for Computing Machinery</publisher><isbn>00010782</isbn><accession-num>26803437</accession-num><urls><related-urls><url>;(Jagatic et al. 2007). A common phishing attack consists of an unsolicited email sent to an Internet user which requests personal or private information (e.g., login credentials, banking information). The email may appear to be from a legitimate source and it directs users to a fraudulent website which appears to represent a legitimate organization. If the user supplies the requested information, the phisher may then sell the information to other criminals or use the information to assume the user’s identity, commit financial fraud, or steal other private information. Monetary damages from phishing attacks have been estimated to total several billion dollars annually ADDIN EN.CITE <EndNote><Cite><Author>Hong</Author><Year>2012</Year><RecNum>7535</RecNum><DisplayText>(Gartner Group 2007; Hong 2012)</DisplayText><record><rec-number>7535</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1343426670">7535</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Hong, J.</author></authors></contributors><titles><title>The state of phishing attacks</title><secondary-title>Communications of the ACM</secondary-title></titles><periodical><full-title>Communications of the ACM</full-title></periodical><pages>74-81</pages><volume>55</volume><number>1</number><dates><year>2012</year></dates><isbn>0001-0782</isbn><urls></urls></record></Cite><Cite><Author>Gartner Group</Author><Year>2007</Year><RecNum>4</RecNum><record><rec-number>4</rec-number><foreign-keys><key app="EN" db-id="2epwwvtr1ffvzeeaxsaxftrxsaze5fvpdpx5">4</key></foreign-keys><ref-type name="Web Page">12</ref-type><contributors><authors><author>Gartner Group,</author></authors></contributors><titles><title>Gartner Survey Shows phishing attacks escalated in 2007; More than $3 billion lost to these attacks</title></titles><dates><year>2007</year><pub-dates><date>August 2012</date></pub-dates></dates><publisher>;(Gartner Group 2007; Hong 2012). But the potential damage to organizations spreads beyond financial losses to include theft of corporate secrets ADDIN EN.CITE <EndNote><Cite><Author>Markoff</Author><Year>2008</Year><RecNum>4685</RecNum><Prefix>e.g.`, </Prefix><DisplayText>(e.g., Markoff 2008)</DisplayText><record><rec-number>4685</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184946">4685</key></foreign-keys><ref-type name="Web Page">12</ref-type><contributors><authors><author>Markoff, J.</author></authors></contributors><titles><title>Larger prey are targets of phishing</title><secondary-title>New York Times</secondary-title></titles><dates><year>2008</year><pub-dates><date>April 16, 2008</date></pub-dates></dates><pub-location>New York, NY</pub-location><publisher>;(e.g., Markoff 2008), stealing classified information ADDIN EN.CITE <EndNote><Cite><Author>Hesseldahl</Author><Year>2011</Year><RecNum>9</RecNum><Prefix>e.g.`, </Prefix><DisplayText>(e.g., Hesseldahl 2011)</DisplayText><record><rec-number>9</rec-number><foreign-keys><key app="EN" db-id="2epwwvtr1ffvzeeaxsaxftrxsaze5fvpdpx5">9</key></foreign-keys><ref-type name="Web Page">12</ref-type><contributors><authors><author>Hesseldahl, A</author></authors></contributors><titles><title>Lockheed Martin confirms it came under attack</title></titles><dates><year>2011</year><pub-dates><date>August 28, 2012</date></pub-dates></dates><publisher>;(e.g., Hesseldahl 2011), and espionage ADDIN EN.CITE <EndNote><Cite><Author>Grow</Author><Year>2008</Year><RecNum>4686</RecNum><Prefix>e.g.`, </Prefix><DisplayText>(e.g., Grow et al. 2008)</DisplayText><record><rec-number>4686</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184946">4686</key></foreign-keys><ref-type name="Web Page">12</ref-type><contributors><authors><author>Grow, B.</author><author>Epstein, K.</author><author>Tschang, C.</author></authors></contributors><titles><title>The New E-spionage Threat</title></titles><dates><year>2008</year><pub-dates><date>August 26, 2012</date></pub-dates></dates><publisher>;(e.g., Grow et al. 2008).A typical phishing attack consists of blanketing a large number of email users with messages soliciting information. As information about individuals becomes publically available, phishers have increasingly turned from sending generic messages to sending customized messages to specific organizations, groups within an organization (e.g., executives), or even targeted individuals ADDIN EN.CITE <EndNote><Cite><Author>Federal Bureau of Investigation</Author><Year>2009</Year><RecNum>4687</RecNum><DisplayText>(Federal Bureau of Investigation 2009)</DisplayText><record><rec-number>4687</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184947">4687</key></foreign-keys><ref-type name="Online Multimedia">48</ref-type><contributors><authors><author>Federal Bureau of Investigation, </author></authors></contributors><titles><title>Spear phishers: Angling to steal your financial info</title></titles><dates><year>2009</year><pub-dates><date>August 28, 2012</date></pub-dates></dates><urls><related-urls><url>;(Federal Bureau of Investigation 2009). For example, using stolen user information, phishers assumed LinkedIn’s identity to attempt to elicit information from LinkedIn customers ADDIN EN.CITE <EndNote><Cite><Author>Perlroth</Author><Year>2012</Year><RecNum>4688</RecNum><DisplayText>(Perlroth 2012)</DisplayText><record><rec-number>4688</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184947">4688</key></foreign-keys><ref-type name="Online Multimedia">48</ref-type><contributors><authors><author>Perlroth, N. </author></authors></contributors><titles><title>That was fast: Criminals exploit linkedIn breach for phishing attacks</title></titles><dates><year>2012</year><pub-dates><date>August 28, 2012</date></pub-dates></dates><urls><related-urls><url>;(Perlroth 2012). Customized attacks are effective because they draw on existing pools of trust and knowledge to elicit information from potential victims. Such customized attacks, sometimes called spear phishing, have even resulted in serious security breaches. For example, an attachment in an email to a senior executive at the defense contractor Booz Allen Hamilton, ostensibly containing a request from the Pentagon, actually contained malware that stole sensitive information ADDIN EN.CITE <EndNote><Cite><Author>Grow</Author><Year>2008</Year><RecNum>4686</RecNum><Prefix>e.g.`, </Prefix><DisplayText>(e.g., Grow et al. 2008)</DisplayText><record><rec-number>4686</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184946">4686</key></foreign-keys><ref-type name="Web Page">12</ref-type><contributors><authors><author>Grow, B.</author><author>Epstein, K.</author><author>Tschang, C.</author></authors></contributors><titles><title>The New E-spionage Threat</title></titles><dates><year>2008</year><pub-dates><date>August 26, 2012</date></pub-dates></dates><publisher>;(e.g., Grow et al. 2008). To mitigate the danger posed by generic and customized phishing attacks, three primary techniques have been advanced: 1) automated prevention whereby phishing emails and websites are automatically discovered and quarantined or removed; 2) better warning mechanisms for when users encounter potential phishing attacks (e.g., within an Internet browser or email software); and 3) user training where users are taught to identify and avoid phishing emails and phishing websites ADDIN EN.CITE <EndNote><Cite><Author>Hong</Author><Year>2012</Year><RecNum>7535</RecNum><DisplayText>(Hong 2012)</DisplayText><record><rec-number>7535</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1343426670">7535</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Hong, J.</author></authors></contributors><titles><title>The state of phishing attacks</title><secondary-title>Communications of the ACM</secondary-title></titles><periodical><full-title>Communications of the ACM</full-title></periodical><pages>74-81</pages><volume>55</volume><number>1</number><dates><year>2012</year></dates><isbn>0001-0782</isbn><urls></urls></record></Cite></EndNote>(Hong 2012). Although technical solutions (e.g., techniques 1 and 2) have been widely investigated ADDIN EN.CITE <EndNote><Cite><Author>Kumaraguru</Author><Year>2010</Year><RecNum>7497</RecNum><Prefix>see </Prefix><DisplayText>(see Kumaraguru et al. 2010)</DisplayText><record><rec-number>7497</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1329863914">7497</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Kumaraguru, P.</author><author>Sheng, S.</author><author>Acquisti, A.</author><author>Cranor, L.F.</author><author>Hong, J.</author></authors></contributors><titles><title>Teaching johnny not to fall for phish</title><secondary-title>ACM Transactions on Internet Technology (TOIT)</secondary-title></titles><periodical><full-title>ACM Transactions on Internet Technology (TOIT)</full-title></periodical><pages>7</pages><volume>10</volume><number>2</number><dates><year>2010</year></dates><isbn>1533-5399</isbn><urls></urls></record></Cite></EndNote>(see Kumaraguru et al. 2010) and have improved defenses against attacks ADDIN EN.CITE <EndNote><Cite><Author>Almomani</Author><Year>2013</Year><RecNum>4682</RecNum><DisplayText>(Almomani et al. 2013)</DisplayText><record><rec-number>4682</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184400">4682</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Almomani, Ammar</author><author>Gupta, B</author><author>Atawneh, Samer</author><author>Meulenberg, A</author><author>Almomani, Eman</author></authors></contributors><titles><title>A Survey of Phishing Email Filtering Techniques</title><secondary-title>IEEE Communications Surveys & Tutorials</secondary-title></titles><periodical><full-title>IEEE Communications Surveys & Tutorials</full-title></periodical><pages>2070-2090</pages><volume>15</volume><number>4</number><dates><year>2013</year></dates><isbn>1553-877X</isbn><urls></urls></record></Cite></EndNote>(Almomani et al. 2013), phishers continue to draw in victims each year. In part, this is because technical solutions lack the ability to detect each new permutation of phishing attacks ADDIN EN.CITE <EndNote><Cite><Author>Liu</Author><Year>2006</Year><RecNum>724</RecNum><DisplayText>(Liu et al. 2006)</DisplayText><record><rec-number>724</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1271097092">724</key><key app="ENWeb" db-id="UBLLiQrtqggAADvUvSc">436</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Liu, W.</author><author>Deng, X.</author><author>Huang, G.</author><author>Fu, A.Y.</author></authors></contributors><titles><title>An antiphishing strategy based on visual similarity assessment</title><secondary-title>IEEE Internet Computing</secondary-title></titles><periodical><full-title>IEEE Internet Computing</full-title></periodical><pages>58-65</pages><volume>10</volume><number>2</number><dates><year>2006</year></dates><isbn>1089-7801 </isbn><urls></urls></record></Cite></EndNote>(Liu et al. 2006). In addition, Internet protocols (e.g., SMTP) and services (e.g., DNS) require substantial change if they are to be used to effectively identify phishing attempts ADDIN EN.CITE <EndNote><Cite><Author>Webber</Author><Year>2012</Year><RecNum>4689</RecNum><DisplayText>(Webber et al. 2012)</DisplayText><record><rec-number>4689</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184947">4689</key></foreign-keys><ref-type name="Book Section">5</ref-type><contributors><authors><author>Webber, Carine</author><author>Lima, Maria de Fátima W. do Prado</author><author>Hepp, Felipe</author></authors><secondary-authors><author>Sambath, Sabo</author><author>Zhu, Egui</author></secondary-authors></contributors><titles><title>Testing phishing detection criteria and methods </title><secondary-title>Frontiers in Computer Education</secondary-title><tertiary-title>Advances in Intelligent and Soft Computing</tertiary-title></titles><pages>853-858</pages><volume>133</volume><keywords><keyword>Engineering</keyword></keywords><dates><year>2012</year></dates><publisher>Springer Berlin / Heidelberg</publisher><isbn>978-3-642-27551-7</isbn><urls><related-urls><url>;(Webber et al. 2012). Our focus on the user is important because, if technical solutions fail to detect phishing e-mails, it is ultimately the user who decides whether to respond to a phisher’s request for information. Even though users constitute the final defense against phishing e-mails, scant academic attention has been paid to the design of anti-phishing training programs ADDIN EN.CITE <EndNote><Cite><Author>Kumaraguru</Author><Year>2010</Year><RecNum>7497</RecNum><DisplayText>(Kumaraguru et al. 2010)</DisplayText><record><rec-number>7497</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1329863914">7497</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Kumaraguru, P.</author><author>Sheng, S.</author><author>Acquisti, A.</author><author>Cranor, L.F.</author><author>Hong, J.</author></authors></contributors><titles><title>Teaching johnny not to fall for phish</title><secondary-title>ACM Transactions on Internet Technology (TOIT)</secondary-title></titles><periodical><full-title>ACM Transactions on Internet Technology (TOIT)</full-title></periodical><pages>7</pages><volume>10</volume><number>2</number><dates><year>2010</year></dates><isbn>1533-5399</isbn><urls></urls></record></Cite></EndNote>(Kumaraguru et al. 2010).Past information systems (IS) research has demonstrated a clear benefit to behavior modeling as a general strategy for training individuals about IS topics ADDIN EN.CITE <EndNote><Cite><Author>Santhanam</Author><Year>in press</Year><RecNum>4690</RecNum><DisplayText>(Santhanam et al. in press)</DisplayText><record><rec-number>4690</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184947">4690</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Santhanam, R. </author><author>Mun, Y.</author><author>Sasidharan, S.</author><author>Park, S.</author></authors></contributors><titles><title>Toward an integrative understanding of information technology training research across information systems and human computer interaction: A comprehensive review</title><secondary-title>AIS Transaction on Human-Computer Interaction</secondary-title></titles><periodical><full-title>AIS Transaction on Human-Computer Interaction</full-title></periodical><dates><year>in press</year></dates><urls></urls></record></Cite></EndNote>(Santhanam et al. in press). However, within behavior modeling, there are two variants of training approaches: one that is more concrete and prescribes discrete actions that are required from the learner; the second is more abstract and equips learners with mental structures that link training material with existing knowledge ADDIN EN.CITE <EndNote><Cite><Author>Sein</Author><Year>1989</Year><RecNum>4691</RecNum><DisplayText>(Sein et al. 1989)</DisplayText><record><rec-number>4691</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184947">4691</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Sein, M. K.</author><author>Bostrom, R. P.</author></authors></contributors><titles><title>Individual differences and conceptual models in training novice users</title><secondary-title>Human-Computer Interaction</secondary-title></titles><periodical><full-title>Human-Computer Interaction</full-title></periodical><pages>197-229</pages><volume>4</volume><number>3</number><dates><year>1989</year></dates><isbn>0737-0024</isbn><urls></urls></record></Cite></EndNote>(Sein et al. 1989). Both training approaches have produced success in the IS domain, but differences have emerged in their relative effectiveness according to the task and individual differences ADDIN EN.CITE <EndNote><Cite><Author>Santhanam</Author><Year>in press</Year><RecNum>4690</RecNum><DisplayText>(Bostrom et al. 1990; Santhanam et al. in press)</DisplayText><record><rec-number>4690</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184947">4690</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Santhanam, R. </author><author>Mun, Y.</author><author>Sasidharan, S.</author><author>Park, S.</author></authors></contributors><titles><title>Toward an integrative understanding of information technology training research across information systems and human computer interaction: A comprehensive review</title><secondary-title>AIS Transaction on Human-Computer Interaction</secondary-title></titles><periodical><full-title>AIS Transaction on Human-Computer Interaction</full-title></periodical><dates><year>in press</year></dates><urls></urls></record></Cite><Cite><Author>Bostrom</Author><Year>1990</Year><RecNum>4692</RecNum><record><rec-number>4692</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184947">4692</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Bostrom, R. P.</author><author>Olfman, L.</author><author>Sein, M. K.</author></authors></contributors><titles><title>The importance of learning style in end-user training</title><secondary-title>MIS Quarterly</secondary-title></titles><periodical><full-title>MIS Quarterly</full-title></periodical><volume>14</volume><number>1</number><dates><year>1990</year></dates><isbn>0276-7783</isbn><urls></urls></record></Cite></EndNote>(Bostrom et al. 1990; Santhanam et al. in press). Past anti-phishing research and practice has largely embraced the concrete training approach PEVuZE5vdGU+PENpdGU+PEF1dGhvcj5LdW1hcmFndXJ1PC9BdXRob3I+PFllYXI+MjAxMDwvWWVh
cj48UmVjTnVtPjc0OTc8L1JlY051bT48UHJlZml4PmUuZy5gLCA8L1ByZWZpeD48RGlzcGxheVRl
eHQ+KGUuZy4sIENyYW5vciAyMDA4OyBLdW1hcmFndXJ1IGV0IGFsLiAyMDEwKTwvRGlzcGxheVRl
eHQ+PHJlY29yZD48cmVjLW51bWJlcj43NDk3PC9yZWMtbnVtYmVyPjxmb3JlaWduLWtleXM+PGtl
eSBhcHA9IkVOIiBkYi1pZD0iYTlmMnYyczAzc3Ywc29lNWU1Mnh3cjlvYXMwNXZzMDU5dDJkIiB0
aW1lc3RhbXA9IjEzMjk4NjM5MTQiPjc0OTc8L2tleT48L2ZvcmVpZ24ta2V5cz48cmVmLXR5cGUg
bmFtZT0iSm91cm5hbCBBcnRpY2xlIj4xNzwvcmVmLXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9y
cz48YXV0aG9yPkt1bWFyYWd1cnUsIFAuPC9hdXRob3I+PGF1dGhvcj5TaGVuZywgUy48L2F1dGhv
cj48YXV0aG9yPkFjcXVpc3RpLCBBLjwvYXV0aG9yPjxhdXRob3I+Q3Jhbm9yLCBMLkYuPC9hdXRo
b3I+PGF1dGhvcj5Ib25nLCBKLjwvYXV0aG9yPjwvYXV0aG9ycz48L2NvbnRyaWJ1dG9ycz48dGl0
bGVzPjx0aXRsZT5UZWFjaGluZyBqb2hubnkgbm90IHRvIGZhbGwgZm9yIHBoaXNoPC90aXRsZT48
c2Vjb25kYXJ5LXRpdGxlPkFDTSBUcmFuc2FjdGlvbnMgb24gSW50ZXJuZXQgVGVjaG5vbG9neSAo
VE9JVCk8L3NlY29uZGFyeS10aXRsZT48L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVsbC10aXRsZT5B
Q00gVHJhbnNhY3Rpb25zIG9uIEludGVybmV0IFRlY2hub2xvZ3kgKFRPSVQpPC9mdWxsLXRpdGxl
PjwvcGVyaW9kaWNhbD48cGFnZXM+NzwvcGFnZXM+PHZvbHVtZT4xMDwvdm9sdW1lPjxudW1iZXI+
MjwvbnVtYmVyPjxkYXRlcz48eWVhcj4yMDEwPC95ZWFyPjwvZGF0ZXM+PGlzYm4+MTUzMy01Mzk5
PC9pc2JuPjx1cmxzPjwvdXJscz48L3JlY29yZD48L0NpdGU+PENpdGU+PEF1dGhvcj5DcmFub3I8
L0F1dGhvcj48WWVhcj4yMDA4PC9ZZWFyPjxSZWNOdW0+NDY5MzwvUmVjTnVtPjxyZWNvcmQ+PHJl
Yy1udW1iZXI+NDY5MzwvcmVjLW51bWJlcj48Zm9yZWlnbi1rZXlzPjxrZXkgYXBwPSJFTiIgZGIt
aWQ9InhyMHMwc3AwdnJwZTV6ZTV0ZXR4dnd3bnA1eGQ5YWFlenNkOSIgdGltZXN0YW1wPSIxMzk4
MTg0OTQ3Ij40NjkzPC9rZXk+PC9mb3JlaWduLWtleXM+PHJlZi10eXBlIG5hbWU9IkpvdXJuYWwg
QXJ0aWNsZSI+MTc8L3JlZi10eXBlPjxjb250cmlidXRvcnM+PGF1dGhvcnM+PGF1dGhvcj5DcmFu
b3IsIEwuIEYuPC9hdXRob3I+PC9hdXRob3JzPjwvY29udHJpYnV0b3JzPjx0aXRsZXM+PHRpdGxl
PkNhbiBQaGlzaGluZyBCZSBGb2lsZWQ/PC90aXRsZT48c2Vjb25kYXJ5LXRpdGxlPlNjaWVudGlm
aWMgQW1lcmljYW48L3NlY29uZGFyeS10aXRsZT48L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVsbC10
aXRsZT5TY2llbnRpZmljIEFtZXJpY2FuPC9mdWxsLXRpdGxlPjwvcGVyaW9kaWNhbD48cGFnZXM+
MTA0LTExMDwvcGFnZXM+PHZvbHVtZT4yOTk8L3ZvbHVtZT48bnVtYmVyPjY8L251bWJlcj48a2V5
d29yZHM+PGtleXdvcmQ+Q09NUFVURVIgc2VjdXJpdHkgLS0gUmVzZWFyY2g8L2tleXdvcmQ+PGtl
eXdvcmQ+UEhJU0hJTkc8L2tleXdvcmQ+PGtleXdvcmQ+Q09NUFVURVIgc2VjdXJpdHkgc29mdHdh
cmU8L2tleXdvcmQ+PGtleXdvcmQ+V0VCU0lURVMgLS0gU2VjdXJpdHkgbWVhc3VyZXM8L2tleXdv
cmQ+PGtleXdvcmQ+Q0FSTkVHSUUtTWVsbG9uIFVuaXZlcnNpdHkgLS0gRmFjdWx0eTwva2V5d29y
ZD48a2V5d29yZD5DUkFOT1IsIExvcnJpZSBGYWl0aDwva2V5d29yZD48L2tleXdvcmRzPjxkYXRl
cz48eWVhcj4yMDA4PC95ZWFyPjwvZGF0ZXM+PHB1Ymxpc2hlcj5TY2llbnRpZmljIEFtZXJpY2Fu
PC9wdWJsaXNoZXI+PGlzYm4+MDAzNjg3MzM8L2lzYm4+PGFjY2Vzc2lvbi1udW0+MzUxNTg3NzU8
L2FjY2Vzc2lvbi1udW0+PHVybHM+PHJlbGF0ZWQtdXJscz48dXJsPmh0dHA6Ly9saWJyYXJpZXMu
b3UuZWR1L2FjY2Vzcy5hc3B4P3VybD1odHRwOi8vc2VhcmNoLmVic2NvaG9zdC5jb20vbG9naW4u
YXNweD9kaXJlY3Q9dHJ1ZSZhbXA7ZGI9YXBoJmFtcDtBTj0zNTE1ODc3NSZhbXA7c2l0ZT1lZHMt
bGl2ZTwvdXJsPjwvcmVsYXRlZC11cmxzPjwvdXJscz48cmVtb3RlLWRhdGFiYXNlLW5hbWU+YXBo
PC9yZW1vdGUtZGF0YWJhc2UtbmFtZT48cmVtb3RlLWRhdGFiYXNlLXByb3ZpZGVyPkVCU0NPaG9z
dDwvcmVtb3RlLWRhdGFiYXNlLXByb3ZpZGVyPjwvcmVjb3JkPjwvQ2l0ZT48L0VuZE5vdGU+AG==
ADDIN EN.CITE PEVuZE5vdGU+PENpdGU+PEF1dGhvcj5LdW1hcmFndXJ1PC9BdXRob3I+PFllYXI+MjAxMDwvWWVh
cj48UmVjTnVtPjc0OTc8L1JlY051bT48UHJlZml4PmUuZy5gLCA8L1ByZWZpeD48RGlzcGxheVRl
eHQ+KGUuZy4sIENyYW5vciAyMDA4OyBLdW1hcmFndXJ1IGV0IGFsLiAyMDEwKTwvRGlzcGxheVRl
eHQ+PHJlY29yZD48cmVjLW51bWJlcj43NDk3PC9yZWMtbnVtYmVyPjxmb3JlaWduLWtleXM+PGtl
eSBhcHA9IkVOIiBkYi1pZD0iYTlmMnYyczAzc3Ywc29lNWU1Mnh3cjlvYXMwNXZzMDU5dDJkIiB0
aW1lc3RhbXA9IjEzMjk4NjM5MTQiPjc0OTc8L2tleT48L2ZvcmVpZ24ta2V5cz48cmVmLXR5cGUg
bmFtZT0iSm91cm5hbCBBcnRpY2xlIj4xNzwvcmVmLXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9y
cz48YXV0aG9yPkt1bWFyYWd1cnUsIFAuPC9hdXRob3I+PGF1dGhvcj5TaGVuZywgUy48L2F1dGhv
cj48YXV0aG9yPkFjcXVpc3RpLCBBLjwvYXV0aG9yPjxhdXRob3I+Q3Jhbm9yLCBMLkYuPC9hdXRo
b3I+PGF1dGhvcj5Ib25nLCBKLjwvYXV0aG9yPjwvYXV0aG9ycz48L2NvbnRyaWJ1dG9ycz48dGl0
bGVzPjx0aXRsZT5UZWFjaGluZyBqb2hubnkgbm90IHRvIGZhbGwgZm9yIHBoaXNoPC90aXRsZT48
c2Vjb25kYXJ5LXRpdGxlPkFDTSBUcmFuc2FjdGlvbnMgb24gSW50ZXJuZXQgVGVjaG5vbG9neSAo
VE9JVCk8L3NlY29uZGFyeS10aXRsZT48L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVsbC10aXRsZT5B
Q00gVHJhbnNhY3Rpb25zIG9uIEludGVybmV0IFRlY2hub2xvZ3kgKFRPSVQpPC9mdWxsLXRpdGxl
PjwvcGVyaW9kaWNhbD48cGFnZXM+NzwvcGFnZXM+PHZvbHVtZT4xMDwvdm9sdW1lPjxudW1iZXI+
MjwvbnVtYmVyPjxkYXRlcz48eWVhcj4yMDEwPC95ZWFyPjwvZGF0ZXM+PGlzYm4+MTUzMy01Mzk5
PC9pc2JuPjx1cmxzPjwvdXJscz48L3JlY29yZD48L0NpdGU+PENpdGU+PEF1dGhvcj5DcmFub3I8
L0F1dGhvcj48WWVhcj4yMDA4PC9ZZWFyPjxSZWNOdW0+NDY5MzwvUmVjTnVtPjxyZWNvcmQ+PHJl
Yy1udW1iZXI+NDY5MzwvcmVjLW51bWJlcj48Zm9yZWlnbi1rZXlzPjxrZXkgYXBwPSJFTiIgZGIt
aWQ9InhyMHMwc3AwdnJwZTV6ZTV0ZXR4dnd3bnA1eGQ5YWFlenNkOSIgdGltZXN0YW1wPSIxMzk4
MTg0OTQ3Ij40NjkzPC9rZXk+PC9mb3JlaWduLWtleXM+PHJlZi10eXBlIG5hbWU9IkpvdXJuYWwg
QXJ0aWNsZSI+MTc8L3JlZi10eXBlPjxjb250cmlidXRvcnM+PGF1dGhvcnM+PGF1dGhvcj5DcmFu
b3IsIEwuIEYuPC9hdXRob3I+PC9hdXRob3JzPjwvY29udHJpYnV0b3JzPjx0aXRsZXM+PHRpdGxl
PkNhbiBQaGlzaGluZyBCZSBGb2lsZWQ/PC90aXRsZT48c2Vjb25kYXJ5LXRpdGxlPlNjaWVudGlm
aWMgQW1lcmljYW48L3NlY29uZGFyeS10aXRsZT48L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVsbC10
aXRsZT5TY2llbnRpZmljIEFtZXJpY2FuPC9mdWxsLXRpdGxlPjwvcGVyaW9kaWNhbD48cGFnZXM+
MTA0LTExMDwvcGFnZXM+PHZvbHVtZT4yOTk8L3ZvbHVtZT48bnVtYmVyPjY8L251bWJlcj48a2V5
d29yZHM+PGtleXdvcmQ+Q09NUFVURVIgc2VjdXJpdHkgLS0gUmVzZWFyY2g8L2tleXdvcmQ+PGtl
eXdvcmQ+UEhJU0hJTkc8L2tleXdvcmQ+PGtleXdvcmQ+Q09NUFVURVIgc2VjdXJpdHkgc29mdHdh
cmU8L2tleXdvcmQ+PGtleXdvcmQ+V0VCU0lURVMgLS0gU2VjdXJpdHkgbWVhc3VyZXM8L2tleXdv
cmQ+PGtleXdvcmQ+Q0FSTkVHSUUtTWVsbG9uIFVuaXZlcnNpdHkgLS0gRmFjdWx0eTwva2V5d29y
ZD48a2V5d29yZD5DUkFOT1IsIExvcnJpZSBGYWl0aDwva2V5d29yZD48L2tleXdvcmRzPjxkYXRl
cz48eWVhcj4yMDA4PC95ZWFyPjwvZGF0ZXM+PHB1Ymxpc2hlcj5TY2llbnRpZmljIEFtZXJpY2Fu
PC9wdWJsaXNoZXI+PGlzYm4+MDAzNjg3MzM8L2lzYm4+PGFjY2Vzc2lvbi1udW0+MzUxNTg3NzU8
L2FjY2Vzc2lvbi1udW0+PHVybHM+PHJlbGF0ZWQtdXJscz48dXJsPmh0dHA6Ly9saWJyYXJpZXMu
b3UuZWR1L2FjY2Vzcy5hc3B4P3VybD1odHRwOi8vc2VhcmNoLmVic2NvaG9zdC5jb20vbG9naW4u
YXNweD9kaXJlY3Q9dHJ1ZSZhbXA7ZGI9YXBoJmFtcDtBTj0zNTE1ODc3NSZhbXA7c2l0ZT1lZHMt
bGl2ZTwvdXJsPjwvcmVsYXRlZC11cmxzPjwvdXJscz48cmVtb3RlLWRhdGFiYXNlLW5hbWU+YXBo
PC9yZW1vdGUtZGF0YWJhc2UtbmFtZT48cmVtb3RlLWRhdGFiYXNlLXByb3ZpZGVyPkVCU0NPaG9z
dDwvcmVtb3RlLWRhdGFiYXNlLXByb3ZpZGVyPjwvcmVjb3JkPjwvQ2l0ZT48L0VuZE5vdGU+AG==
ADDIN EN.CITE.DATA (e.g., Cranor 2008; Kumaraguru et al. 2010). But there are several reasons (discussed below) why the conceptual training approach is beneficial and may even be superior to the concrete approach. Therefore, we focus this paper on the competing approaches to train users to evaluate suspect emails. Our primary research questions are: RQ1: Does behavioral training reduce the likelihood that email users will respond to a phishing attack? RQ2: What is the most effective approach (conceptual or concrete) for conducting anti-phishing training?To address our research questions, we created two computer-based training programs based on competing theoretical approaches. The first uses a concrete approach to create situation-specific training and has been shown to be effective in past research PEVuZE5vdGU+PENpdGU+PEF1dGhvcj5LdW1hcmFndXJ1PC9BdXRob3I+PFllYXI+MjAxMDwvWWVh
cj48UmVjTnVtPjc0OTc8L1JlY051bT48UHJlZml4PmUuZy5gLCA8L1ByZWZpeD48RGlzcGxheVRl
eHQ+KGUuZy4sIENyYW5vciAyMDA4OyBLdW1hcmFndXJ1IGV0IGFsLiAyMDEwKTwvRGlzcGxheVRl
eHQ+PHJlY29yZD48cmVjLW51bWJlcj43NDk3PC9yZWMtbnVtYmVyPjxmb3JlaWduLWtleXM+PGtl
eSBhcHA9IkVOIiBkYi1pZD0iYTlmMnYyczAzc3Ywc29lNWU1Mnh3cjlvYXMwNXZzMDU5dDJkIiB0
aW1lc3RhbXA9IjEzMjk4NjM5MTQiPjc0OTc8L2tleT48L2ZvcmVpZ24ta2V5cz48cmVmLXR5cGUg
bmFtZT0iSm91cm5hbCBBcnRpY2xlIj4xNzwvcmVmLXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9y
cz48YXV0aG9yPkt1bWFyYWd1cnUsIFAuPC9hdXRob3I+PGF1dGhvcj5TaGVuZywgUy48L2F1dGhv
cj48YXV0aG9yPkFjcXVpc3RpLCBBLjwvYXV0aG9yPjxhdXRob3I+Q3Jhbm9yLCBMLkYuPC9hdXRo
b3I+PGF1dGhvcj5Ib25nLCBKLjwvYXV0aG9yPjwvYXV0aG9ycz48L2NvbnRyaWJ1dG9ycz48dGl0
bGVzPjx0aXRsZT5UZWFjaGluZyBqb2hubnkgbm90IHRvIGZhbGwgZm9yIHBoaXNoPC90aXRsZT48
c2Vjb25kYXJ5LXRpdGxlPkFDTSBUcmFuc2FjdGlvbnMgb24gSW50ZXJuZXQgVGVjaG5vbG9neSAo
VE9JVCk8L3NlY29uZGFyeS10aXRsZT48L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVsbC10aXRsZT5B
Q00gVHJhbnNhY3Rpb25zIG9uIEludGVybmV0IFRlY2hub2xvZ3kgKFRPSVQpPC9mdWxsLXRpdGxl
PjwvcGVyaW9kaWNhbD48cGFnZXM+NzwvcGFnZXM+PHZvbHVtZT4xMDwvdm9sdW1lPjxudW1iZXI+
MjwvbnVtYmVyPjxkYXRlcz48eWVhcj4yMDEwPC95ZWFyPjwvZGF0ZXM+PGlzYm4+MTUzMy01Mzk5
PC9pc2JuPjx1cmxzPjwvdXJscz48L3JlY29yZD48L0NpdGU+PENpdGU+PEF1dGhvcj5DcmFub3I8
L0F1dGhvcj48WWVhcj4yMDA4PC9ZZWFyPjxSZWNOdW0+NDY5MzwvUmVjTnVtPjxyZWNvcmQ+PHJl
Yy1udW1iZXI+NDY5MzwvcmVjLW51bWJlcj48Zm9yZWlnbi1rZXlzPjxrZXkgYXBwPSJFTiIgZGIt
aWQ9InhyMHMwc3AwdnJwZTV6ZTV0ZXR4dnd3bnA1eGQ5YWFlenNkOSIgdGltZXN0YW1wPSIxMzk4
MTg0OTQ3Ij40NjkzPC9rZXk+PC9mb3JlaWduLWtleXM+PHJlZi10eXBlIG5hbWU9IkpvdXJuYWwg
QXJ0aWNsZSI+MTc8L3JlZi10eXBlPjxjb250cmlidXRvcnM+PGF1dGhvcnM+PGF1dGhvcj5DcmFu
b3IsIEwuIEYuPC9hdXRob3I+PC9hdXRob3JzPjwvY29udHJpYnV0b3JzPjx0aXRsZXM+PHRpdGxl
PkNhbiBQaGlzaGluZyBCZSBGb2lsZWQ/PC90aXRsZT48c2Vjb25kYXJ5LXRpdGxlPlNjaWVudGlm
aWMgQW1lcmljYW48L3NlY29uZGFyeS10aXRsZT48L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVsbC10
aXRsZT5TY2llbnRpZmljIEFtZXJpY2FuPC9mdWxsLXRpdGxlPjwvcGVyaW9kaWNhbD48cGFnZXM+
MTA0LTExMDwvcGFnZXM+PHZvbHVtZT4yOTk8L3ZvbHVtZT48bnVtYmVyPjY8L251bWJlcj48a2V5
d29yZHM+PGtleXdvcmQ+Q09NUFVURVIgc2VjdXJpdHkgLS0gUmVzZWFyY2g8L2tleXdvcmQ+PGtl
eXdvcmQ+UEhJU0hJTkc8L2tleXdvcmQ+PGtleXdvcmQ+Q09NUFVURVIgc2VjdXJpdHkgc29mdHdh
cmU8L2tleXdvcmQ+PGtleXdvcmQ+V0VCU0lURVMgLS0gU2VjdXJpdHkgbWVhc3VyZXM8L2tleXdv
cmQ+PGtleXdvcmQ+Q0FSTkVHSUUtTWVsbG9uIFVuaXZlcnNpdHkgLS0gRmFjdWx0eTwva2V5d29y
ZD48a2V5d29yZD5DUkFOT1IsIExvcnJpZSBGYWl0aDwva2V5d29yZD48L2tleXdvcmRzPjxkYXRl
cz48eWVhcj4yMDA4PC95ZWFyPjwvZGF0ZXM+PHB1Ymxpc2hlcj5TY2llbnRpZmljIEFtZXJpY2Fu
PC9wdWJsaXNoZXI+PGlzYm4+MDAzNjg3MzM8L2lzYm4+PGFjY2Vzc2lvbi1udW0+MzUxNTg3NzU8
L2FjY2Vzc2lvbi1udW0+PHVybHM+PHJlbGF0ZWQtdXJscz48dXJsPmh0dHA6Ly9saWJyYXJpZXMu
b3UuZWR1L2FjY2Vzcy5hc3B4P3VybD1odHRwOi8vc2VhcmNoLmVic2NvaG9zdC5jb20vbG9naW4u
YXNweD9kaXJlY3Q9dHJ1ZSZhbXA7ZGI9YXBoJmFtcDtBTj0zNTE1ODc3NSZhbXA7c2l0ZT1lZHMt
bGl2ZTwvdXJsPjwvcmVsYXRlZC11cmxzPjwvdXJscz48cmVtb3RlLWRhdGFiYXNlLW5hbWU+YXBo
PC9yZW1vdGUtZGF0YWJhc2UtbmFtZT48cmVtb3RlLWRhdGFiYXNlLXByb3ZpZGVyPkVCU0NPaG9z
dDwvcmVtb3RlLWRhdGFiYXNlLXByb3ZpZGVyPjwvcmVjb3JkPjwvQ2l0ZT48L0VuZE5vdGU+AG==
ADDIN EN.CITE PEVuZE5vdGU+PENpdGU+PEF1dGhvcj5LdW1hcmFndXJ1PC9BdXRob3I+PFllYXI+MjAxMDwvWWVh
cj48UmVjTnVtPjc0OTc8L1JlY051bT48UHJlZml4PmUuZy5gLCA8L1ByZWZpeD48RGlzcGxheVRl
eHQ+KGUuZy4sIENyYW5vciAyMDA4OyBLdW1hcmFndXJ1IGV0IGFsLiAyMDEwKTwvRGlzcGxheVRl
eHQ+PHJlY29yZD48cmVjLW51bWJlcj43NDk3PC9yZWMtbnVtYmVyPjxmb3JlaWduLWtleXM+PGtl
eSBhcHA9IkVOIiBkYi1pZD0iYTlmMnYyczAzc3Ywc29lNWU1Mnh3cjlvYXMwNXZzMDU5dDJkIiB0
aW1lc3RhbXA9IjEzMjk4NjM5MTQiPjc0OTc8L2tleT48L2ZvcmVpZ24ta2V5cz48cmVmLXR5cGUg
bmFtZT0iSm91cm5hbCBBcnRpY2xlIj4xNzwvcmVmLXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9y
cz48YXV0aG9yPkt1bWFyYWd1cnUsIFAuPC9hdXRob3I+PGF1dGhvcj5TaGVuZywgUy48L2F1dGhv
cj48YXV0aG9yPkFjcXVpc3RpLCBBLjwvYXV0aG9yPjxhdXRob3I+Q3Jhbm9yLCBMLkYuPC9hdXRo
b3I+PGF1dGhvcj5Ib25nLCBKLjwvYXV0aG9yPjwvYXV0aG9ycz48L2NvbnRyaWJ1dG9ycz48dGl0
bGVzPjx0aXRsZT5UZWFjaGluZyBqb2hubnkgbm90IHRvIGZhbGwgZm9yIHBoaXNoPC90aXRsZT48
c2Vjb25kYXJ5LXRpdGxlPkFDTSBUcmFuc2FjdGlvbnMgb24gSW50ZXJuZXQgVGVjaG5vbG9neSAo
VE9JVCk8L3NlY29uZGFyeS10aXRsZT48L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVsbC10aXRsZT5B
Q00gVHJhbnNhY3Rpb25zIG9uIEludGVybmV0IFRlY2hub2xvZ3kgKFRPSVQpPC9mdWxsLXRpdGxl
PjwvcGVyaW9kaWNhbD48cGFnZXM+NzwvcGFnZXM+PHZvbHVtZT4xMDwvdm9sdW1lPjxudW1iZXI+
MjwvbnVtYmVyPjxkYXRlcz48eWVhcj4yMDEwPC95ZWFyPjwvZGF0ZXM+PGlzYm4+MTUzMy01Mzk5
PC9pc2JuPjx1cmxzPjwvdXJscz48L3JlY29yZD48L0NpdGU+PENpdGU+PEF1dGhvcj5DcmFub3I8
L0F1dGhvcj48WWVhcj4yMDA4PC9ZZWFyPjxSZWNOdW0+NDY5MzwvUmVjTnVtPjxyZWNvcmQ+PHJl
Yy1udW1iZXI+NDY5MzwvcmVjLW51bWJlcj48Zm9yZWlnbi1rZXlzPjxrZXkgYXBwPSJFTiIgZGIt
aWQ9InhyMHMwc3AwdnJwZTV6ZTV0ZXR4dnd3bnA1eGQ5YWFlenNkOSIgdGltZXN0YW1wPSIxMzk4
MTg0OTQ3Ij40NjkzPC9rZXk+PC9mb3JlaWduLWtleXM+PHJlZi10eXBlIG5hbWU9IkpvdXJuYWwg
QXJ0aWNsZSI+MTc8L3JlZi10eXBlPjxjb250cmlidXRvcnM+PGF1dGhvcnM+PGF1dGhvcj5DcmFu
b3IsIEwuIEYuPC9hdXRob3I+PC9hdXRob3JzPjwvY29udHJpYnV0b3JzPjx0aXRsZXM+PHRpdGxl
PkNhbiBQaGlzaGluZyBCZSBGb2lsZWQ/PC90aXRsZT48c2Vjb25kYXJ5LXRpdGxlPlNjaWVudGlm
aWMgQW1lcmljYW48L3NlY29uZGFyeS10aXRsZT48L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVsbC10
aXRsZT5TY2llbnRpZmljIEFtZXJpY2FuPC9mdWxsLXRpdGxlPjwvcGVyaW9kaWNhbD48cGFnZXM+
MTA0LTExMDwvcGFnZXM+PHZvbHVtZT4yOTk8L3ZvbHVtZT48bnVtYmVyPjY8L251bWJlcj48a2V5
d29yZHM+PGtleXdvcmQ+Q09NUFVURVIgc2VjdXJpdHkgLS0gUmVzZWFyY2g8L2tleXdvcmQ+PGtl
eXdvcmQ+UEhJU0hJTkc8L2tleXdvcmQ+PGtleXdvcmQ+Q09NUFVURVIgc2VjdXJpdHkgc29mdHdh
cmU8L2tleXdvcmQ+PGtleXdvcmQ+V0VCU0lURVMgLS0gU2VjdXJpdHkgbWVhc3VyZXM8L2tleXdv
cmQ+PGtleXdvcmQ+Q0FSTkVHSUUtTWVsbG9uIFVuaXZlcnNpdHkgLS0gRmFjdWx0eTwva2V5d29y
ZD48a2V5d29yZD5DUkFOT1IsIExvcnJpZSBGYWl0aDwva2V5d29yZD48L2tleXdvcmRzPjxkYXRl
cz48eWVhcj4yMDA4PC95ZWFyPjwvZGF0ZXM+PHB1Ymxpc2hlcj5TY2llbnRpZmljIEFtZXJpY2Fu
PC9wdWJsaXNoZXI+PGlzYm4+MDAzNjg3MzM8L2lzYm4+PGFjY2Vzc2lvbi1udW0+MzUxNTg3NzU8
L2FjY2Vzc2lvbi1udW0+PHVybHM+PHJlbGF0ZWQtdXJscz48dXJsPmh0dHA6Ly9saWJyYXJpZXMu
b3UuZWR1L2FjY2Vzcy5hc3B4P3VybD1odHRwOi8vc2VhcmNoLmVic2NvaG9zdC5jb20vbG9naW4u
YXNweD9kaXJlY3Q9dHJ1ZSZhbXA7ZGI9YXBoJmFtcDtBTj0zNTE1ODc3NSZhbXA7c2l0ZT1lZHMt
bGl2ZTwvdXJsPjwvcmVsYXRlZC11cmxzPjwvdXJscz48cmVtb3RlLWRhdGFiYXNlLW5hbWU+YXBo
PC9yZW1vdGUtZGF0YWJhc2UtbmFtZT48cmVtb3RlLWRhdGFiYXNlLXByb3ZpZGVyPkVCU0NPaG9z
dDwvcmVtb3RlLWRhdGFiYXNlLXByb3ZpZGVyPjwvcmVjb3JkPjwvQ2l0ZT48L0VuZE5vdGU+AG==
ADDIN EN.CITE.DATA (e.g., Cranor 2008; Kumaraguru et al. 2010). The second uses a novel conceptual approach and is based on mindfulness and systematic information processing (Langer 1989). We tested these two training approaches in text-only and graphics-based formats in a field experiment at a Midwestern university where students, faculty, and staff participated in the training. Then, with the cooperation of university officials, we carried out generic and customized phishing attacks on the university students, faculty and staff, soliciting from them their university credentials. The results showed that the conceptual approach using mindfulness outperformed the concrete, situation-specific training approach in countering both generic and customized phishing messages, regardless of the presentation format employed in the training.Theoretical DevelopmentBehavior modeling is a training strategy wherein desired behaviors are demonstrated and practiced by targeted learners. Behavior modeling typically: 1) describes the phenomenon, 2) provides cues or rules for identifying the phenomenon, 3) provides an opportunity to practice the behavior, and 4) provides reinforcement following the practice ADDIN EN.CITE <EndNote><Cite><Author>Compeau</Author><Year>1995</Year><RecNum>687</RecNum><Prefix>for example see </Prefix><DisplayText>(for example see Compeau et al. 1995a)</DisplayText><record><rec-number>687</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1271097092">687</key><key app="ENWeb" db-id="UBLLiQrtqggAADvUvSc">407</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Compeau, D. R.</author><author>Higgins, C. A.</author></authors></contributors><titles><title>Application of social cognitive theory to training for computer skills</title><secondary-title>Information Systems Research</secondary-title></titles><periodical><full-title>Information Systems Research</full-title></periodical><pages>118-143</pages><volume>6</volume><number>2</number><dates><year>1995</year></dates><urls></urls></record></Cite></EndNote>(for example see Compeau et al. 1995a). Behavior modeling has been shown to be effective in both in-person and computer-based training environments. In a systematic review of training strategies, Santhanam and colleagues ADDIN EN.CITE <EndNote><Cite ExcludeAuth="1"><Author>Santhanam</Author><Year>in press</Year><RecNum>4690</RecNum><DisplayText>(in press)</DisplayText><record><rec-number>4690</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184947">4690</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Santhanam, R. </author><author>Mun, Y.</author><author>Sasidharan, S.</author><author>Park, S.</author></authors></contributors><titles><title>Toward an integrative understanding of information technology training research across information systems and human computer interaction: A comprehensive review</title><secondary-title>AIS Transaction on Human-Computer Interaction</secondary-title></titles><periodical><full-title>AIS Transaction on Human-Computer Interaction</full-title></periodical><dates><year>in press</year></dates><urls></urls></record></Cite></EndNote>(in press) found behavior modeling to be more effective than alternative training methods such as self-study ADDIN EN.CITE <EndNote><Cite><Author>Simon</Author><Year>1996</Year><RecNum>4694</RecNum><DisplayText>(Simon et al. 1996)</DisplayText><record><rec-number>4694</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184947">4694</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Simon, S. J.</author><author>Grover, V.</author><author>Teng, J. </author><author>Whitcomb, K.</author></authors></contributors><titles><title>The relationship of information system training methods and cognitive ability to end-user satisfaction, comprehension, and skill transfer: A longitudinal field study</title><secondary-title>Information Systems Research</secondary-title></titles><periodical><full-title>Information Systems Research</full-title></periodical><pages>466-490</pages><volume>7</volume><number>4</number><dates><year>1996</year></dates><isbn>1047-7047</isbn><urls></urls></record></Cite></EndNote>(Simon et al. 1996) and lecture-based instruction PEVuZE5vdGU+PENpdGU+PEF1dGhvcj5Cb2x0PC9BdXRob3I+PFllYXI+MjAwMTwvWWVhcj48UmVj
TnVtPjQ2OTU8L1JlY051bT48RGlzcGxheVRleHQ+KEJvbHQgZXQgYWwuIDIwMDE7IENvbXBlYXUg
ZXQgYWwuIDE5OTVhOyBKb2huc29uIGV0IGFsLiAyMDAwOyBTaW1vbiBldCBhbC4gMTk5NjsgWWkg
ZXQgYWwuIDIwMDEpPC9EaXNwbGF5VGV4dD48cmVjb3JkPjxyZWMtbnVtYmVyPjQ2OTU8L3JlYy1u
dW1iZXI+PGZvcmVpZ24ta2V5cz48a2V5IGFwcD0iRU4iIGRiLWlkPSJ4cjBzMHNwMHZycGU1emU1
dGV0eHZ3d25wNXhkOWFhZXpzZDkiIHRpbWVzdGFtcD0iMTM5ODE4NDk0NyI+NDY5NTwva2V5Pjwv
Zm9yZWlnbi1rZXlzPjxyZWYtdHlwZSBuYW1lPSJKb3VybmFsIEFydGljbGUiPjE3PC9yZWYtdHlw
ZT48Y29udHJpYnV0b3JzPjxhdXRob3JzPjxhdXRob3I+Qm9sdCwgTS4gQS48L2F1dGhvcj48YXV0
aG9yPktpbGxvdWdoLCBMLiBOLjwvYXV0aG9yPjxhdXRob3I+S29oLCBILiBDLjwvYXV0aG9yPjwv
YXV0aG9ycz48L2NvbnRyaWJ1dG9ycz48dGl0bGVzPjx0aXRsZT5UZXN0aW5nIHRoZSBpbnRlcmFj
dGlvbiBlZmZlY3RzIG9mIHRhc2sgY29tcGxleGl0eSBpbiBjb21wdXRlciB0cmFpbmluZyB1c2lu
ZyB0aGUgc29jaWFsIGNvZ25pdGl2ZSBtb2RlbDwvdGl0bGU+PHNlY29uZGFyeS10aXRsZT5EZWNp
c2lvbiBTY2llbmNlczwvc2Vjb25kYXJ5LXRpdGxlPjwvdGl0bGVzPjxwZXJpb2RpY2FsPjxmdWxs
LXRpdGxlPkRlY2lzaW9uIFNjaWVuY2VzPC9mdWxsLXRpdGxlPjwvcGVyaW9kaWNhbD48cGFnZXM+
MS0yMDwvcGFnZXM+PHZvbHVtZT4zMjwvdm9sdW1lPjxudW1iZXI+MTwvbnVtYmVyPjxkYXRlcz48
eWVhcj4yMDAxPC95ZWFyPjwvZGF0ZXM+PGlzYm4+MTU0MC01OTE1PC9pc2JuPjx1cmxzPjwvdXJs
cz48L3JlY29yZD48L0NpdGU+PENpdGU+PEF1dGhvcj5Db21wZWF1PC9BdXRob3I+PFllYXI+MTk5
NTwvWWVhcj48UmVjTnVtPjY4NzwvUmVjTnVtPjxyZWNvcmQ+PHJlYy1udW1iZXI+Njg3PC9yZWMt
bnVtYmVyPjxmb3JlaWduLWtleXM+PGtleSBhcHA9IkVOIiBkYi1pZD0ieHIwczBzcDB2cnBlNXpl
NXRldHh2d3ducDV4ZDlhYWV6c2Q5IiB0aW1lc3RhbXA9IjEyNzEwOTcwOTIiPjY4Nzwva2V5Pjxr
ZXkgYXBwPSJFTldlYiIgZGItaWQ9IlVCTExpUXJ0cWdnQUFEdlV2U2MiPjQwNzwva2V5PjwvZm9y
ZWlnbi1rZXlzPjxyZWYtdHlwZSBuYW1lPSJKb3VybmFsIEFydGljbGUiPjE3PC9yZWYtdHlwZT48
Y29udHJpYnV0b3JzPjxhdXRob3JzPjxhdXRob3I+Q29tcGVhdSwgRC4gUi48L2F1dGhvcj48YXV0
aG9yPkhpZ2dpbnMsIEMuIEEuPC9hdXRob3I+PC9hdXRob3JzPjwvY29udHJpYnV0b3JzPjx0aXRs
ZXM+PHRpdGxlPkFwcGxpY2F0aW9uIG9mIHNvY2lhbCBjb2duaXRpdmUgdGhlb3J5IHRvIHRyYWlu
aW5nIGZvciBjb21wdXRlciBza2lsbHM8L3RpdGxlPjxzZWNvbmRhcnktdGl0bGU+SW5mb3JtYXRp
b24gU3lzdGVtcyBSZXNlYXJjaDwvc2Vjb25kYXJ5LXRpdGxlPjwvdGl0bGVzPjxwZXJpb2RpY2Fs
PjxmdWxsLXRpdGxlPkluZm9ybWF0aW9uIFN5c3RlbXMgUmVzZWFyY2g8L2Z1bGwtdGl0bGU+PC9w
ZXJpb2RpY2FsPjxwYWdlcz4xMTgtMTQzPC9wYWdlcz48dm9sdW1lPjY8L3ZvbHVtZT48bnVtYmVy
PjI8L251bWJlcj48ZGF0ZXM+PHllYXI+MTk5NTwveWVhcj48L2RhdGVzPjx1cmxzPjwvdXJscz48
L3JlY29yZD48L0NpdGU+PENpdGU+PEF1dGhvcj5ZaTwvQXV0aG9yPjxZZWFyPjIwMDE8L1llYXI+
PFJlY051bT40Njk2PC9SZWNOdW0+PHJlY29yZD48cmVjLW51bWJlcj40Njk2PC9yZWMtbnVtYmVy
Pjxmb3JlaWduLWtleXM+PGtleSBhcHA9IkVOIiBkYi1pZD0ieHIwczBzcDB2cnBlNXplNXRldHh2
d3ducDV4ZDlhYWV6c2Q5IiB0aW1lc3RhbXA9IjEzOTgxODQ5NDciPjQ2OTY8L2tleT48L2ZvcmVp
Z24ta2V5cz48cmVmLXR5cGUgbmFtZT0iSm91cm5hbCBBcnRpY2xlIj4xNzwvcmVmLXR5cGU+PGNv
bnRyaWJ1dG9ycz48YXV0aG9ycz48YXV0aG9yPllpLCBNLiBZLjwvYXV0aG9yPjxhdXRob3I+RGF2
aXMsIEYuIEQuPC9hdXRob3I+PC9hdXRob3JzPjwvY29udHJpYnV0b3JzPjx0aXRsZXM+PHRpdGxl
PkltcHJvdmluZyBjb21wdXRlciB0cmFpbmluZyBlZmZlY3RpdmVuZXNzIGZvciBkZWNpc2lvbiB0
ZWNobm9sb2dpZXM6IEJlaGF2aW9yIG1vZGVsaW5nIGFuZCByZXRlbnRpb24gZW5oYW5jZW1lbnQ8
L3RpdGxlPjxzZWNvbmRhcnktdGl0bGU+RGVjaXNpb24gU2NpZW5jZXM8L3NlY29uZGFyeS10aXRs
ZT48L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVsbC10aXRsZT5EZWNpc2lvbiBTY2llbmNlczwvZnVs
bC10aXRsZT48L3BlcmlvZGljYWw+PHBhZ2VzPjUyMS01NDQ8L3BhZ2VzPjx2b2x1bWU+MzI8L3Zv
bHVtZT48bnVtYmVyPjM8L251bWJlcj48ZGF0ZXM+PHllYXI+MjAwMTwveWVhcj48L2RhdGVzPjxp
c2JuPjE1NDAtNTkxNTwvaXNibj48dXJscz48L3VybHM+PC9yZWNvcmQ+PC9DaXRlPjxDaXRlPjxB
dXRob3I+Sm9obnNvbjwvQXV0aG9yPjxZZWFyPjIwMDA8L1llYXI+PFJlY051bT40Njk3PC9SZWNO
dW0+PHJlY29yZD48cmVjLW51bWJlcj40Njk3PC9yZWMtbnVtYmVyPjxmb3JlaWduLWtleXM+PGtl
eSBhcHA9IkVOIiBkYi1pZD0ieHIwczBzcDB2cnBlNXplNXRldHh2d3ducDV4ZDlhYWV6c2Q5IiB0
aW1lc3RhbXA9IjEzOTgxODQ5NDciPjQ2OTc8L2tleT48L2ZvcmVpZ24ta2V5cz48cmVmLXR5cGUg
bmFtZT0iSm91cm5hbCBBcnRpY2xlIj4xNzwvcmVmLXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9y
cz48YXV0aG9yPkpvaG5zb24sIFIuIEQuPC9hdXRob3I+PGF1dGhvcj5NYXJha2FzLCBHLiBNLjwv
YXV0aG9yPjwvYXV0aG9ycz48L2NvbnRyaWJ1dG9ycz48dGl0bGVzPjx0aXRsZT5SZXNlYXJjaCBy
ZXBvcnQ6IHRoZSByb2xlIG9mIGJlaGF2aW9yYWwgbW9kZWxpbmcgaW4gY29tcHV0ZXIgc2tpbGxz
IGFjcXVpc2l0aW9uOiBUb3dhcmQgcmVmaW5lbWVudCBvZiB0aGUgbW9kZWw8L3RpdGxlPjxzZWNv
bmRhcnktdGl0bGU+SW5mb3JtYXRpb24gU3lzdGVtcyBSZXNlYXJjaDwvc2Vjb25kYXJ5LXRpdGxl
PjwvdGl0bGVzPjxwZXJpb2RpY2FsPjxmdWxsLXRpdGxlPkluZm9ybWF0aW9uIFN5c3RlbXMgUmVz
ZWFyY2g8L2Z1bGwtdGl0bGU+PC9wZXJpb2RpY2FsPjxwYWdlcz40MDItNDE3PC9wYWdlcz48dm9s
dW1lPjExPC92b2x1bWU+PG51bWJlcj40PC9udW1iZXI+PGRhdGVzPjx5ZWFyPjIwMDA8L3llYXI+
PC9kYXRlcz48aXNibj4xMDQ3LTcwNDc8L2lzYm4+PHVybHM+PC91cmxzPjwvcmVjb3JkPjwvQ2l0
ZT48Q2l0ZT48QXV0aG9yPlNpbW9uPC9BdXRob3I+PFllYXI+MTk5NjwvWWVhcj48UmVjTnVtPjQ2
OTQ8L1JlY051bT48cmVjb3JkPjxyZWMtbnVtYmVyPjQ2OTQ8L3JlYy1udW1iZXI+PGZvcmVpZ24t
a2V5cz48a2V5IGFwcD0iRU4iIGRiLWlkPSJ4cjBzMHNwMHZycGU1emU1dGV0eHZ3d25wNXhkOWFh
ZXpzZDkiIHRpbWVzdGFtcD0iMTM5ODE4NDk0NyI+NDY5NDwva2V5PjwvZm9yZWlnbi1rZXlzPjxy
ZWYtdHlwZSBuYW1lPSJKb3VybmFsIEFydGljbGUiPjE3PC9yZWYtdHlwZT48Y29udHJpYnV0b3Jz
PjxhdXRob3JzPjxhdXRob3I+U2ltb24sIFMuIEouPC9hdXRob3I+PGF1dGhvcj5Hcm92ZXIsIFYu
PC9hdXRob3I+PGF1dGhvcj5UZW5nLCBKLiA8L2F1dGhvcj48YXV0aG9yPldoaXRjb21iLCBLLjwv
YXV0aG9yPjwvYXV0aG9ycz48L2NvbnRyaWJ1dG9ycz48dGl0bGVzPjx0aXRsZT5UaGUgcmVsYXRp
b25zaGlwIG9mIGluZm9ybWF0aW9uIHN5c3RlbSB0cmFpbmluZyBtZXRob2RzIGFuZCBjb2duaXRp
dmUgYWJpbGl0eSB0byBlbmQtdXNlciBzYXRpc2ZhY3Rpb24sIGNvbXByZWhlbnNpb24sIGFuZCBz
a2lsbCB0cmFuc2ZlcjogQSBsb25naXR1ZGluYWwgZmllbGQgc3R1ZHk8L3RpdGxlPjxzZWNvbmRh
cnktdGl0bGU+SW5mb3JtYXRpb24gU3lzdGVtcyBSZXNlYXJjaDwvc2Vjb25kYXJ5LXRpdGxlPjwv
dGl0bGVzPjxwZXJpb2RpY2FsPjxmdWxsLXRpdGxlPkluZm9ybWF0aW9uIFN5c3RlbXMgUmVzZWFy
Y2g8L2Z1bGwtdGl0bGU+PC9wZXJpb2RpY2FsPjxwYWdlcz40NjYtNDkwPC9wYWdlcz48dm9sdW1l
Pjc8L3ZvbHVtZT48bnVtYmVyPjQ8L251bWJlcj48ZGF0ZXM+PHllYXI+MTk5NjwveWVhcj48L2Rh
dGVzPjxpc2JuPjEwNDctNzA0NzwvaXNibj48dXJscz48L3VybHM+PC9yZWNvcmQ+PC9DaXRlPjwv
RW5kTm90ZT5=
ADDIN EN.CITE PEVuZE5vdGU+PENpdGU+PEF1dGhvcj5Cb2x0PC9BdXRob3I+PFllYXI+MjAwMTwvWWVhcj48UmVj
TnVtPjQ2OTU8L1JlY051bT48RGlzcGxheVRleHQ+KEJvbHQgZXQgYWwuIDIwMDE7IENvbXBlYXUg
ZXQgYWwuIDE5OTVhOyBKb2huc29uIGV0IGFsLiAyMDAwOyBTaW1vbiBldCBhbC4gMTk5NjsgWWkg
ZXQgYWwuIDIwMDEpPC9EaXNwbGF5VGV4dD48cmVjb3JkPjxyZWMtbnVtYmVyPjQ2OTU8L3JlYy1u
dW1iZXI+PGZvcmVpZ24ta2V5cz48a2V5IGFwcD0iRU4iIGRiLWlkPSJ4cjBzMHNwMHZycGU1emU1
dGV0eHZ3d25wNXhkOWFhZXpzZDkiIHRpbWVzdGFtcD0iMTM5ODE4NDk0NyI+NDY5NTwva2V5Pjwv
Zm9yZWlnbi1rZXlzPjxyZWYtdHlwZSBuYW1lPSJKb3VybmFsIEFydGljbGUiPjE3PC9yZWYtdHlw
ZT48Y29udHJpYnV0b3JzPjxhdXRob3JzPjxhdXRob3I+Qm9sdCwgTS4gQS48L2F1dGhvcj48YXV0
aG9yPktpbGxvdWdoLCBMLiBOLjwvYXV0aG9yPjxhdXRob3I+S29oLCBILiBDLjwvYXV0aG9yPjwv
YXV0aG9ycz48L2NvbnRyaWJ1dG9ycz48dGl0bGVzPjx0aXRsZT5UZXN0aW5nIHRoZSBpbnRlcmFj
dGlvbiBlZmZlY3RzIG9mIHRhc2sgY29tcGxleGl0eSBpbiBjb21wdXRlciB0cmFpbmluZyB1c2lu
ZyB0aGUgc29jaWFsIGNvZ25pdGl2ZSBtb2RlbDwvdGl0bGU+PHNlY29uZGFyeS10aXRsZT5EZWNp
c2lvbiBTY2llbmNlczwvc2Vjb25kYXJ5LXRpdGxlPjwvdGl0bGVzPjxwZXJpb2RpY2FsPjxmdWxs
LXRpdGxlPkRlY2lzaW9uIFNjaWVuY2VzPC9mdWxsLXRpdGxlPjwvcGVyaW9kaWNhbD48cGFnZXM+
MS0yMDwvcGFnZXM+PHZvbHVtZT4zMjwvdm9sdW1lPjxudW1iZXI+MTwvbnVtYmVyPjxkYXRlcz48
eWVhcj4yMDAxPC95ZWFyPjwvZGF0ZXM+PGlzYm4+MTU0MC01OTE1PC9pc2JuPjx1cmxzPjwvdXJs
cz48L3JlY29yZD48L0NpdGU+PENpdGU+PEF1dGhvcj5Db21wZWF1PC9BdXRob3I+PFllYXI+MTk5
NTwvWWVhcj48UmVjTnVtPjY4NzwvUmVjTnVtPjxyZWNvcmQ+PHJlYy1udW1iZXI+Njg3PC9yZWMt
bnVtYmVyPjxmb3JlaWduLWtleXM+PGtleSBhcHA9IkVOIiBkYi1pZD0ieHIwczBzcDB2cnBlNXpl
NXRldHh2d3ducDV4ZDlhYWV6c2Q5IiB0aW1lc3RhbXA9IjEyNzEwOTcwOTIiPjY4Nzwva2V5Pjxr
ZXkgYXBwPSJFTldlYiIgZGItaWQ9IlVCTExpUXJ0cWdnQUFEdlV2U2MiPjQwNzwva2V5PjwvZm9y
ZWlnbi1rZXlzPjxyZWYtdHlwZSBuYW1lPSJKb3VybmFsIEFydGljbGUiPjE3PC9yZWYtdHlwZT48
Y29udHJpYnV0b3JzPjxhdXRob3JzPjxhdXRob3I+Q29tcGVhdSwgRC4gUi48L2F1dGhvcj48YXV0
aG9yPkhpZ2dpbnMsIEMuIEEuPC9hdXRob3I+PC9hdXRob3JzPjwvY29udHJpYnV0b3JzPjx0aXRs
ZXM+PHRpdGxlPkFwcGxpY2F0aW9uIG9mIHNvY2lhbCBjb2duaXRpdmUgdGhlb3J5IHRvIHRyYWlu
aW5nIGZvciBjb21wdXRlciBza2lsbHM8L3RpdGxlPjxzZWNvbmRhcnktdGl0bGU+SW5mb3JtYXRp
b24gU3lzdGVtcyBSZXNlYXJjaDwvc2Vjb25kYXJ5LXRpdGxlPjwvdGl0bGVzPjxwZXJpb2RpY2Fs
PjxmdWxsLXRpdGxlPkluZm9ybWF0aW9uIFN5c3RlbXMgUmVzZWFyY2g8L2Z1bGwtdGl0bGU+PC9w
ZXJpb2RpY2FsPjxwYWdlcz4xMTgtMTQzPC9wYWdlcz48dm9sdW1lPjY8L3ZvbHVtZT48bnVtYmVy
PjI8L251bWJlcj48ZGF0ZXM+PHllYXI+MTk5NTwveWVhcj48L2RhdGVzPjx1cmxzPjwvdXJscz48
L3JlY29yZD48L0NpdGU+PENpdGU+PEF1dGhvcj5ZaTwvQXV0aG9yPjxZZWFyPjIwMDE8L1llYXI+
PFJlY051bT40Njk2PC9SZWNOdW0+PHJlY29yZD48cmVjLW51bWJlcj40Njk2PC9yZWMtbnVtYmVy
Pjxmb3JlaWduLWtleXM+PGtleSBhcHA9IkVOIiBkYi1pZD0ieHIwczBzcDB2cnBlNXplNXRldHh2
d3ducDV4ZDlhYWV6c2Q5IiB0aW1lc3RhbXA9IjEzOTgxODQ5NDciPjQ2OTY8L2tleT48L2ZvcmVp
Z24ta2V5cz48cmVmLXR5cGUgbmFtZT0iSm91cm5hbCBBcnRpY2xlIj4xNzwvcmVmLXR5cGU+PGNv
bnRyaWJ1dG9ycz48YXV0aG9ycz48YXV0aG9yPllpLCBNLiBZLjwvYXV0aG9yPjxhdXRob3I+RGF2
aXMsIEYuIEQuPC9hdXRob3I+PC9hdXRob3JzPjwvY29udHJpYnV0b3JzPjx0aXRsZXM+PHRpdGxl
PkltcHJvdmluZyBjb21wdXRlciB0cmFpbmluZyBlZmZlY3RpdmVuZXNzIGZvciBkZWNpc2lvbiB0
ZWNobm9sb2dpZXM6IEJlaGF2aW9yIG1vZGVsaW5nIGFuZCByZXRlbnRpb24gZW5oYW5jZW1lbnQ8
L3RpdGxlPjxzZWNvbmRhcnktdGl0bGU+RGVjaXNpb24gU2NpZW5jZXM8L3NlY29uZGFyeS10aXRs
ZT48L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVsbC10aXRsZT5EZWNpc2lvbiBTY2llbmNlczwvZnVs
bC10aXRsZT48L3BlcmlvZGljYWw+PHBhZ2VzPjUyMS01NDQ8L3BhZ2VzPjx2b2x1bWU+MzI8L3Zv
bHVtZT48bnVtYmVyPjM8L251bWJlcj48ZGF0ZXM+PHllYXI+MjAwMTwveWVhcj48L2RhdGVzPjxp
c2JuPjE1NDAtNTkxNTwvaXNibj48dXJscz48L3VybHM+PC9yZWNvcmQ+PC9DaXRlPjxDaXRlPjxB
dXRob3I+Sm9obnNvbjwvQXV0aG9yPjxZZWFyPjIwMDA8L1llYXI+PFJlY051bT40Njk3PC9SZWNO
dW0+PHJlY29yZD48cmVjLW51bWJlcj40Njk3PC9yZWMtbnVtYmVyPjxmb3JlaWduLWtleXM+PGtl
eSBhcHA9IkVOIiBkYi1pZD0ieHIwczBzcDB2cnBlNXplNXRldHh2d3ducDV4ZDlhYWV6c2Q5IiB0
aW1lc3RhbXA9IjEzOTgxODQ5NDciPjQ2OTc8L2tleT48L2ZvcmVpZ24ta2V5cz48cmVmLXR5cGUg
bmFtZT0iSm91cm5hbCBBcnRpY2xlIj4xNzwvcmVmLXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9y
cz48YXV0aG9yPkpvaG5zb24sIFIuIEQuPC9hdXRob3I+PGF1dGhvcj5NYXJha2FzLCBHLiBNLjwv
YXV0aG9yPjwvYXV0aG9ycz48L2NvbnRyaWJ1dG9ycz48dGl0bGVzPjx0aXRsZT5SZXNlYXJjaCBy
ZXBvcnQ6IHRoZSByb2xlIG9mIGJlaGF2aW9yYWwgbW9kZWxpbmcgaW4gY29tcHV0ZXIgc2tpbGxz
IGFjcXVpc2l0aW9uOiBUb3dhcmQgcmVmaW5lbWVudCBvZiB0aGUgbW9kZWw8L3RpdGxlPjxzZWNv
bmRhcnktdGl0bGU+SW5mb3JtYXRpb24gU3lzdGVtcyBSZXNlYXJjaDwvc2Vjb25kYXJ5LXRpdGxl
PjwvdGl0bGVzPjxwZXJpb2RpY2FsPjxmdWxsLXRpdGxlPkluZm9ybWF0aW9uIFN5c3RlbXMgUmVz
ZWFyY2g8L2Z1bGwtdGl0bGU+PC9wZXJpb2RpY2FsPjxwYWdlcz40MDItNDE3PC9wYWdlcz48dm9s
dW1lPjExPC92b2x1bWU+PG51bWJlcj40PC9udW1iZXI+PGRhdGVzPjx5ZWFyPjIwMDA8L3llYXI+
PC9kYXRlcz48aXNibj4xMDQ3LTcwNDc8L2lzYm4+PHVybHM+PC91cmxzPjwvcmVjb3JkPjwvQ2l0
ZT48Q2l0ZT48QXV0aG9yPlNpbW9uPC9BdXRob3I+PFllYXI+MTk5NjwvWWVhcj48UmVjTnVtPjQ2
OTQ8L1JlY051bT48cmVjb3JkPjxyZWMtbnVtYmVyPjQ2OTQ8L3JlYy1udW1iZXI+PGZvcmVpZ24t
a2V5cz48a2V5IGFwcD0iRU4iIGRiLWlkPSJ4cjBzMHNwMHZycGU1emU1dGV0eHZ3d25wNXhkOWFh
ZXpzZDkiIHRpbWVzdGFtcD0iMTM5ODE4NDk0NyI+NDY5NDwva2V5PjwvZm9yZWlnbi1rZXlzPjxy
ZWYtdHlwZSBuYW1lPSJKb3VybmFsIEFydGljbGUiPjE3PC9yZWYtdHlwZT48Y29udHJpYnV0b3Jz
PjxhdXRob3JzPjxhdXRob3I+U2ltb24sIFMuIEouPC9hdXRob3I+PGF1dGhvcj5Hcm92ZXIsIFYu
PC9hdXRob3I+PGF1dGhvcj5UZW5nLCBKLiA8L2F1dGhvcj48YXV0aG9yPldoaXRjb21iLCBLLjwv
YXV0aG9yPjwvYXV0aG9ycz48L2NvbnRyaWJ1dG9ycz48dGl0bGVzPjx0aXRsZT5UaGUgcmVsYXRp
b25zaGlwIG9mIGluZm9ybWF0aW9uIHN5c3RlbSB0cmFpbmluZyBtZXRob2RzIGFuZCBjb2duaXRp
dmUgYWJpbGl0eSB0byBlbmQtdXNlciBzYXRpc2ZhY3Rpb24sIGNvbXByZWhlbnNpb24sIGFuZCBz
a2lsbCB0cmFuc2ZlcjogQSBsb25naXR1ZGluYWwgZmllbGQgc3R1ZHk8L3RpdGxlPjxzZWNvbmRh
cnktdGl0bGU+SW5mb3JtYXRpb24gU3lzdGVtcyBSZXNlYXJjaDwvc2Vjb25kYXJ5LXRpdGxlPjwv
dGl0bGVzPjxwZXJpb2RpY2FsPjxmdWxsLXRpdGxlPkluZm9ybWF0aW9uIFN5c3RlbXMgUmVzZWFy
Y2g8L2Z1bGwtdGl0bGU+PC9wZXJpb2RpY2FsPjxwYWdlcz40NjYtNDkwPC9wYWdlcz48dm9sdW1l
Pjc8L3ZvbHVtZT48bnVtYmVyPjQ8L251bWJlcj48ZGF0ZXM+PHllYXI+MTk5NjwveWVhcj48L2Rh
dGVzPjxpc2JuPjEwNDctNzA0NzwvaXNibj48dXJscz48L3VybHM+PC9yZWNvcmQ+PC9DaXRlPjwv
RW5kTm90ZT5=
ADDIN EN.CITE.DATA (Bolt et al. 2001; Compeau et al. 1995a; Johnson et al. 2000; Simon et al. 1996; Yi et al. 2001). In short, behavior modeling is “one of the most widely used, well-researched, and highly regarded psychologically based training interventions” ADDIN EN.CITE <EndNote><Cite><Author>Taylor</Author><Year>2005</Year><RecNum>4404</RecNum><Suffix> p. 693</Suffix><DisplayText>(Taylor et al. 2005 p. 693)</DisplayText><record><rec-number>4404</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1347904597">4404</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Paul J. Taylor</author><author>Darlene F. Russ-Eft</author><author>Daniel W. L. Chan</author></authors></contributors><titles><title>A Meta-Analytic Review of Behavior Modeling Training</title><secondary-title>Journal of Applied Psychology</secondary-title></titles><periodical><full-title>Journal of Applied Psychology</full-title></periodical><pages>692-709</pages><volume>90</volume><number>4</number><dates><year>2005</year></dates><urls></urls></record></Cite></EndNote>(Taylor et al. 2005 p. 693). Behavior modeling, which has roots in social cognitive theory ADDIN EN.CITE <EndNote><Cite><Author>Bandura</Author><Year>1986</Year><RecNum>3915</RecNum><DisplayText>(Bandura 1986)</DisplayText><record><rec-number>3915</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1347467311">3915</key></foreign-keys><ref-type name="Book">6</ref-type><contributors><authors><author>Bandura, A.</author></authors></contributors><titles><title>Social Foundations of Thought and Action</title></titles><dates><year>1986</year></dates><pub-location>Englewood Cliffs, NJ</pub-location><publisher>Prentice Hall</publisher><urls></urls></record></Cite></EndNote>(Bandura 1986), is based on the notion that users will adopt behaviors they believe they can perform and behaviors they believe will have a valuable outcome. Behavior modeling satisfies both of these prerequisites for training new behavior ADDIN EN.CITE <EndNote><Cite><Author>Compeau</Author><Year>1995</Year><RecNum>687</RecNum><DisplayText>(Compeau et al. 1995a)</DisplayText><record><rec-number>687</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1271097092">687</key><key app="ENWeb" db-id="UBLLiQrtqggAADvUvSc">407</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Compeau, D. R.</author><author>Higgins, C. A.</author></authors></contributors><titles><title>Application of social cognitive theory to training for computer skills</title><secondary-title>Information Systems Research</secondary-title></titles><periodical><full-title>Information Systems Research</full-title></periodical><pages>118-143</pages><volume>6</volume><number>2</number><dates><year>1995</year></dates><urls></urls></record></Cite></EndNote>(Compeau et al. 1995a). When a user sees a demonstration of a desired behavior or decision model, the user will not only see how to accomplish the task, but will also learn what outcomes to expect. A rise in outcome expectations and self-efficacy, in turn, improve actual performance of the behavior because users will feel they know how to perform a valuable skill. While behavior modeling has shown repeated and robust effects in training individuals to adopt desired behaviors, there is some debate about level of conceptualization the behavior modeling should provide PEVuZE5vdGU+PENpdGU+PEF1dGhvcj5IYWxhc3o8L0F1dGhvcj48WWVhcj4xOTgyPC9ZZWFyPjxS
ZWNOdW0+NDY5ODwvUmVjTnVtPjxEaXNwbGF5VGV4dD4oR3VwdGEgZXQgYWwuIDIwMTA7IEhhbGFz
eiBldCBhbC4gMTk4MjsgU2VpbiBldCBhbC4gMTk4OSk8L0Rpc3BsYXlUZXh0PjxyZWNvcmQ+PHJl
Yy1udW1iZXI+NDY5ODwvcmVjLW51bWJlcj48Zm9yZWlnbi1rZXlzPjxrZXkgYXBwPSJFTiIgZGIt
aWQ9InhyMHMwc3AwdnJwZTV6ZTV0ZXR4dnd3bnA1eGQ5YWFlenNkOSIgdGltZXN0YW1wPSIxMzk4
MTg0OTQ4Ij40Njk4PC9rZXk+PC9mb3JlaWduLWtleXM+PHJlZi10eXBlIG5hbWU9IkNvbmZlcmVu
Y2UgUHJvY2VlZGluZ3MiPjEwPC9yZWYtdHlwZT48Y29udHJpYnV0b3JzPjxhdXRob3JzPjxhdXRo
b3I+SGFsYXN6LCBGLjwvYXV0aG9yPjxhdXRob3I+TW9yYW4sIFQuIFAuPC9hdXRob3I+PC9hdXRo
b3JzPjwvY29udHJpYnV0b3JzPjx0aXRsZXM+PHRpdGxlPkFuYWxvZ3kgY29uc2lkZXJlZCBoYXJt
ZnVsPC90aXRsZT48c2Vjb25kYXJ5LXRpdGxlPlByb2NlZWRpbmdzIG9mIHRoZSAxOTgyIGNvbmZl
cmVuY2Ugb24gSHVtYW4gZmFjdG9ycyBpbiBjb21wdXRpbmcgc3lzdGVtczwvc2Vjb25kYXJ5LXRp
dGxlPjwvdGl0bGVzPjxwYWdlcz4zODMtMzg2PC9wYWdlcz48ZGF0ZXM+PHllYXI+MTk4MjwveWVh
cj48L2RhdGVzPjxwdWItbG9jYXRpb24+TmV3IFlvcmssIE5ZPC9wdWItbG9jYXRpb24+PHB1Ymxp
c2hlcj5BQ008L3B1Ymxpc2hlcj48dXJscz48L3VybHM+PC9yZWNvcmQ+PC9DaXRlPjxDaXRlPjxB
dXRob3I+U2VpbjwvQXV0aG9yPjxZZWFyPjE5ODk8L1llYXI+PFJlY051bT40NjkxPC9SZWNOdW0+
PHJlY29yZD48cmVjLW51bWJlcj40NjkxPC9yZWMtbnVtYmVyPjxmb3JlaWduLWtleXM+PGtleSBh
cHA9IkVOIiBkYi1pZD0ieHIwczBzcDB2cnBlNXplNXRldHh2d3ducDV4ZDlhYWV6c2Q5IiB0aW1l
c3RhbXA9IjEzOTgxODQ5NDciPjQ2OTE8L2tleT48L2ZvcmVpZ24ta2V5cz48cmVmLXR5cGUgbmFt
ZT0iSm91cm5hbCBBcnRpY2xlIj4xNzwvcmVmLXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9ycz48
YXV0aG9yPlNlaW4sIE0uIEsuPC9hdXRob3I+PGF1dGhvcj5Cb3N0cm9tLCBSLiBQLjwvYXV0aG9y
PjwvYXV0aG9ycz48L2NvbnRyaWJ1dG9ycz48dGl0bGVzPjx0aXRsZT5JbmRpdmlkdWFsIGRpZmZl
cmVuY2VzIGFuZCBjb25jZXB0dWFsIG1vZGVscyBpbiB0cmFpbmluZyBub3ZpY2UgdXNlcnM8L3Rp
dGxlPjxzZWNvbmRhcnktdGl0bGU+SHVtYW4tQ29tcHV0ZXIgSW50ZXJhY3Rpb248L3NlY29uZGFy
eS10aXRsZT48L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVsbC10aXRsZT5IdW1hbi1Db21wdXRlciBJ
bnRlcmFjdGlvbjwvZnVsbC10aXRsZT48L3BlcmlvZGljYWw+PHBhZ2VzPjE5Ny0yMjk8L3BhZ2Vz
Pjx2b2x1bWU+NDwvdm9sdW1lPjxudW1iZXI+MzwvbnVtYmVyPjxkYXRlcz48eWVhcj4xOTg5PC95
ZWFyPjwvZGF0ZXM+PGlzYm4+MDczNy0wMDI0PC9pc2JuPjx1cmxzPjwvdXJscz48L3JlY29yZD48
L0NpdGU+PENpdGU+PEF1dGhvcj5HdXB0YTwvQXV0aG9yPjxZZWFyPjIwMTA8L1llYXI+PFJlY051
bT40NjgzPC9SZWNOdW0+PHJlY29yZD48cmVjLW51bWJlcj40NjgzPC9yZWMtbnVtYmVyPjxmb3Jl
aWduLWtleXM+PGtleSBhcHA9IkVOIiBkYi1pZD0ieHIwczBzcDB2cnBlNXplNXRldHh2d3ducDV4
ZDlhYWV6c2Q5IiB0aW1lc3RhbXA9IjEzOTgxODQ4MDkiPjQ2ODM8L2tleT48L2ZvcmVpZ24ta2V5
cz48cmVmLXR5cGUgbmFtZT0iSm91cm5hbCBBcnRpY2xlIj4xNzwvcmVmLXR5cGU+PGNvbnRyaWJ1
dG9ycz48YXV0aG9ycz48YXV0aG9yPkd1cHRhLCBTYXVyYWJoPC9hdXRob3I+PGF1dGhvcj5Cb3N0
cm9tLCBSb2JlcnQgUDwvYXV0aG9yPjxhdXRob3I+SHViZXIsIE1hcms8L2F1dGhvcj48L2F1dGhv
cnM+PC9jb250cmlidXRvcnM+PHRpdGxlcz48dGl0bGU+RW5kLXVzZXIgdHJhaW5pbmcgbWV0aG9k
czogd2hhdCB3ZSBrbm93LCBuZWVkIHRvIGtub3c8L3RpdGxlPjxzZWNvbmRhcnktdGl0bGU+QUNN
IFNJR01JUyBEYXRhYmFzZTwvc2Vjb25kYXJ5LXRpdGxlPjwvdGl0bGVzPjxwZXJpb2RpY2FsPjxm
dWxsLXRpdGxlPkFDTSBTSUdNSVMgRGF0YWJhc2U8L2Z1bGwtdGl0bGU+PC9wZXJpb2RpY2FsPjxw
YWdlcz45LTM5PC9wYWdlcz48dm9sdW1lPjQxPC92b2x1bWU+PG51bWJlcj40PC9udW1iZXI+PGRh
dGVzPjx5ZWFyPjIwMTA8L3llYXI+PC9kYXRlcz48aXNibj4wMDk1LTAwMzM8L2lzYm4+PHVybHM+
PC91cmxzPjwvcmVjb3JkPjwvQ2l0ZT48L0VuZE5vdGU+AG==
ADDIN EN.CITE PEVuZE5vdGU+PENpdGU+PEF1dGhvcj5IYWxhc3o8L0F1dGhvcj48WWVhcj4xOTgyPC9ZZWFyPjxS
ZWNOdW0+NDY5ODwvUmVjTnVtPjxEaXNwbGF5VGV4dD4oR3VwdGEgZXQgYWwuIDIwMTA7IEhhbGFz
eiBldCBhbC4gMTk4MjsgU2VpbiBldCBhbC4gMTk4OSk8L0Rpc3BsYXlUZXh0PjxyZWNvcmQ+PHJl
Yy1udW1iZXI+NDY5ODwvcmVjLW51bWJlcj48Zm9yZWlnbi1rZXlzPjxrZXkgYXBwPSJFTiIgZGIt
aWQ9InhyMHMwc3AwdnJwZTV6ZTV0ZXR4dnd3bnA1eGQ5YWFlenNkOSIgdGltZXN0YW1wPSIxMzk4
MTg0OTQ4Ij40Njk4PC9rZXk+PC9mb3JlaWduLWtleXM+PHJlZi10eXBlIG5hbWU9IkNvbmZlcmVu
Y2UgUHJvY2VlZGluZ3MiPjEwPC9yZWYtdHlwZT48Y29udHJpYnV0b3JzPjxhdXRob3JzPjxhdXRo
b3I+SGFsYXN6LCBGLjwvYXV0aG9yPjxhdXRob3I+TW9yYW4sIFQuIFAuPC9hdXRob3I+PC9hdXRo
b3JzPjwvY29udHJpYnV0b3JzPjx0aXRsZXM+PHRpdGxlPkFuYWxvZ3kgY29uc2lkZXJlZCBoYXJt
ZnVsPC90aXRsZT48c2Vjb25kYXJ5LXRpdGxlPlByb2NlZWRpbmdzIG9mIHRoZSAxOTgyIGNvbmZl
cmVuY2Ugb24gSHVtYW4gZmFjdG9ycyBpbiBjb21wdXRpbmcgc3lzdGVtczwvc2Vjb25kYXJ5LXRp
dGxlPjwvdGl0bGVzPjxwYWdlcz4zODMtMzg2PC9wYWdlcz48ZGF0ZXM+PHllYXI+MTk4MjwveWVh
cj48L2RhdGVzPjxwdWItbG9jYXRpb24+TmV3IFlvcmssIE5ZPC9wdWItbG9jYXRpb24+PHB1Ymxp
c2hlcj5BQ008L3B1Ymxpc2hlcj48dXJscz48L3VybHM+PC9yZWNvcmQ+PC9DaXRlPjxDaXRlPjxB
dXRob3I+U2VpbjwvQXV0aG9yPjxZZWFyPjE5ODk8L1llYXI+PFJlY051bT40NjkxPC9SZWNOdW0+
PHJlY29yZD48cmVjLW51bWJlcj40NjkxPC9yZWMtbnVtYmVyPjxmb3JlaWduLWtleXM+PGtleSBh
cHA9IkVOIiBkYi1pZD0ieHIwczBzcDB2cnBlNXplNXRldHh2d3ducDV4ZDlhYWV6c2Q5IiB0aW1l
c3RhbXA9IjEzOTgxODQ5NDciPjQ2OTE8L2tleT48L2ZvcmVpZ24ta2V5cz48cmVmLXR5cGUgbmFt
ZT0iSm91cm5hbCBBcnRpY2xlIj4xNzwvcmVmLXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9ycz48
YXV0aG9yPlNlaW4sIE0uIEsuPC9hdXRob3I+PGF1dGhvcj5Cb3N0cm9tLCBSLiBQLjwvYXV0aG9y
PjwvYXV0aG9ycz48L2NvbnRyaWJ1dG9ycz48dGl0bGVzPjx0aXRsZT5JbmRpdmlkdWFsIGRpZmZl
cmVuY2VzIGFuZCBjb25jZXB0dWFsIG1vZGVscyBpbiB0cmFpbmluZyBub3ZpY2UgdXNlcnM8L3Rp
dGxlPjxzZWNvbmRhcnktdGl0bGU+SHVtYW4tQ29tcHV0ZXIgSW50ZXJhY3Rpb248L3NlY29uZGFy
eS10aXRsZT48L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVsbC10aXRsZT5IdW1hbi1Db21wdXRlciBJ
bnRlcmFjdGlvbjwvZnVsbC10aXRsZT48L3BlcmlvZGljYWw+PHBhZ2VzPjE5Ny0yMjk8L3BhZ2Vz
Pjx2b2x1bWU+NDwvdm9sdW1lPjxudW1iZXI+MzwvbnVtYmVyPjxkYXRlcz48eWVhcj4xOTg5PC95
ZWFyPjwvZGF0ZXM+PGlzYm4+MDczNy0wMDI0PC9pc2JuPjx1cmxzPjwvdXJscz48L3JlY29yZD48
L0NpdGU+PENpdGU+PEF1dGhvcj5HdXB0YTwvQXV0aG9yPjxZZWFyPjIwMTA8L1llYXI+PFJlY051
bT40NjgzPC9SZWNOdW0+PHJlY29yZD48cmVjLW51bWJlcj40NjgzPC9yZWMtbnVtYmVyPjxmb3Jl
aWduLWtleXM+PGtleSBhcHA9IkVOIiBkYi1pZD0ieHIwczBzcDB2cnBlNXplNXRldHh2d3ducDV4
ZDlhYWV6c2Q5IiB0aW1lc3RhbXA9IjEzOTgxODQ4MDkiPjQ2ODM8L2tleT48L2ZvcmVpZ24ta2V5
cz48cmVmLXR5cGUgbmFtZT0iSm91cm5hbCBBcnRpY2xlIj4xNzwvcmVmLXR5cGU+PGNvbnRyaWJ1
dG9ycz48YXV0aG9ycz48YXV0aG9yPkd1cHRhLCBTYXVyYWJoPC9hdXRob3I+PGF1dGhvcj5Cb3N0
cm9tLCBSb2JlcnQgUDwvYXV0aG9yPjxhdXRob3I+SHViZXIsIE1hcms8L2F1dGhvcj48L2F1dGhv
cnM+PC9jb250cmlidXRvcnM+PHRpdGxlcz48dGl0bGU+RW5kLXVzZXIgdHJhaW5pbmcgbWV0aG9k
czogd2hhdCB3ZSBrbm93LCBuZWVkIHRvIGtub3c8L3RpdGxlPjxzZWNvbmRhcnktdGl0bGU+QUNN
IFNJR01JUyBEYXRhYmFzZTwvc2Vjb25kYXJ5LXRpdGxlPjwvdGl0bGVzPjxwZXJpb2RpY2FsPjxm
dWxsLXRpdGxlPkFDTSBTSUdNSVMgRGF0YWJhc2U8L2Z1bGwtdGl0bGU+PC9wZXJpb2RpY2FsPjxw
YWdlcz45LTM5PC9wYWdlcz48dm9sdW1lPjQxPC92b2x1bWU+PG51bWJlcj40PC9udW1iZXI+PGRh
dGVzPjx5ZWFyPjIwMTA8L3llYXI+PC9kYXRlcz48aXNibj4wMDk1LTAwMzM8L2lzYm4+PHVybHM+
PC91cmxzPjwvcmVjb3JkPjwvQ2l0ZT48L0VuZE5vdGU+AG==
ADDIN EN.CITE.DATA (Gupta et al. 2010; Halasz et al. 1982; Sein et al. 1989). On one hand behavior modeling is well-suited to demonstrate concrete anti-phishing actions that should be closely emulated in order to increase resistance to phishing attacks ADDIN EN.CITE <EndNote><Cite><Author>Kumaraguru</Author><Year>2010</Year><RecNum>7497</RecNum><Prefix>e.g.`, </Prefix><DisplayText>(e.g., Kumaraguru et al. 2010)</DisplayText><record><rec-number>7497</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1329863914">7497</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Kumaraguru, P.</author><author>Sheng, S.</author><author>Acquisti, A.</author><author>Cranor, L.F.</author><author>Hong, J.</author></authors></contributors><titles><title>Teaching johnny not to fall for phish</title><secondary-title>ACM Transactions on Internet Technology (TOIT)</secondary-title></titles><periodical><full-title>ACM Transactions on Internet Technology (TOIT)</full-title></periodical><pages>7</pages><volume>10</volume><number>2</number><dates><year>2010</year></dates><isbn>1533-5399</isbn><urls></urls></record></Cite></EndNote>(e.g., Kumaraguru et al. 2010). For example, one concrete action might include not opening any attachments from unknown senders and careful adherence to this rule should significantly reduce an individual’s susceptibility to phishing attacks. Behavior modeling of concrete actions transfers across similar tasks ADDIN EN.CITE <EndNote><Cite><Author>Mayer</Author><Year>1979</Year><RecNum>4699</RecNum><DisplayText>(Mayer 1979; Mayer et al. 1972)</DisplayText><record><rec-number>4699</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184948">4699</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Mayer, R. E.</author></authors></contributors><titles><title>Can advance organizers influence meaningful learning?</title><secondary-title>Review of educational research</secondary-title></titles><periodical><full-title>Review of Educational Research</full-title></periodical><pages>371-383</pages><volume>49</volume><number>2</number><dates><year>1979</year></dates><isbn>0034-6543</isbn><urls></urls></record></Cite><Cite><Author>Mayer</Author><Year>1972</Year><RecNum>4700</RecNum><record><rec-number>4700</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184948">4700</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Mayer, R. E.</author><author>Greeno, J. G.</author></authors></contributors><titles><title>Structural differences between outcomes produced by different instructional methods</title><secondary-title>Journal of educational psychology</secondary-title></titles><periodical><full-title>Journal of educational psychology</full-title></periodical><pages>165</pages><volume>63</volume><number>2</number><dates><year>1972</year></dates><isbn>1939-2176</isbn><urls></urls></record></Cite></EndNote>(Mayer 1979; Mayer et al. 1972), therefore concrete anti-phishing actions designed to thwart a specific attack should be relevant to similar attacks but may be less relevant to novel attacks. On the other hand, behavior modeling is also well-suited to a more abstract explication of desired behaviors where individuals form or alter their mental models concerning desired actions ADDIN EN.CITE <EndNote><Cite><Author>Santhanam</Author><Year>1994</Year><RecNum>4701</RecNum><Prefix>e.g.`, </Prefix><DisplayText>(e.g., Santhanam et al. 1994; Sein et al. 1989)</DisplayText><record><rec-number>4701</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184948">4701</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Santhanam, R.</author><author>Sein, M. K.</author></authors></contributors><titles><title>Improving end-user proficiency: Effects of conceptual training and nature of interaction</title><secondary-title>Information Systems Research</secondary-title></titles><periodical><full-title>Information Systems Research</full-title></periodical><pages>378-399</pages><volume>5</volume><number>4</number><dates><year>1994</year></dates><isbn>1047-7047</isbn><urls></urls></record></Cite><Cite><Author>Sein</Author><Year>1989</Year><RecNum>4691</RecNum><record><rec-number>4691</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184947">4691</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Sein, M. K.</author><author>Bostrom, R. P.</author></authors></contributors><titles><title>Individual differences and conceptual models in training novice users</title><secondary-title>Human-Computer Interaction</secondary-title></titles><periodical><full-title>Human-Computer Interaction</full-title></periodical><pages>197-229</pages><volume>4</volume><number>3</number><dates><year>1989</year></dates><isbn>0737-0024</isbn><urls></urls></record></Cite></EndNote>(e.g., Santhanam et al. 1994; Sein et al. 1989). For example, anti-phishing training could provide a general mental structure for allocating attention during the evaluation of emails. With more abstract behavior modeling, the training can focus on the mental representation of the evaluation, which then governs behavior. The abstract modeling approach has been shown to be relevant across a variety of tasks ADDIN EN.CITE <EndNote><Cite><Author>Mayer</Author><Year>1979</Year><RecNum>4699</RecNum><DisplayText>(Mayer 1979; Mayer et al. 1972)</DisplayText><record><rec-number>4699</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184948">4699</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Mayer, R. E.</author></authors></contributors><titles><title>Can advance organizers influence meaningful learning?</title><secondary-title>Review of educational research</secondary-title></titles><periodical><full-title>Review of Educational Research</full-title></periodical><pages>371-383</pages><volume>49</volume><number>2</number><dates><year>1979</year></dates><isbn>0034-6543</isbn><urls></urls></record></Cite><Cite><Author>Mayer</Author><Year>1972</Year><RecNum>4700</RecNum><record><rec-number>4700</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184948">4700</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Mayer, R. E.</author><author>Greeno, J. G.</author></authors></contributors><titles><title>Structural differences between outcomes produced by different instructional methods</title><secondary-title>Journal of educational psychology</secondary-title></titles><periodical><full-title>Journal of educational psychology</full-title></periodical><pages>165</pages><volume>63</volume><number>2</number><dates><year>1972</year></dates><isbn>1939-2176</isbn><urls></urls></record></Cite></EndNote>(Mayer 1979; Mayer et al. 1972), but it is less explicit about desired behaviors. HypothesesConcrete Behavior Modeling: Situation-Specific TrainingIn order for concrete phishing training to be relevant to the myriad contexts in which phishing occurs, researchers have developed training variants that teach users to identify cues in phishing emails or websites within a specific context (e.g., when accessing online financial information, confidential work documents, or personal information). We term this concrete training approach situation-specific because it prescribes specific courses of action (e.g., look for this visual or informational cue and follow this guideline) that decrease the likelihood of falling for a phishing attack within a specific context. Situation-specific training frames phishing prevention as an identification task and suggests that certain cues, if they are identified, or certain rules, if they are followed, will mitigate the risk posed by phishing. The situation specific training assumes that the rules are applied to a reasonably stable set of cues and that they serve as the basis for reliable heuristics that guide anti-phishing actions. As with other forms of concrete behavior modeling, learners using situation-specific training are introduced to the cues and rules, have a chance to practice identifying the cues or applying the rules, and through repetition and feedback acquire the experience and self-efficacy to apply the cues and rules effectively ADDIN EN.CITE <EndNote><Cite><Author>Kumaraguru</Author><Year>2010</Year><RecNum>7497</RecNum><DisplayText>(Kumaraguru et al. 2010)</DisplayText><record><rec-number>7497</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1329863914">7497</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Kumaraguru, P.</author><author>Sheng, S.</author><author>Acquisti, A.</author><author>Cranor, L.F.</author><author>Hong, J.</author></authors></contributors><titles><title>Teaching johnny not to fall for phish</title><secondary-title>ACM Transactions on Internet Technology (TOIT)</secondary-title></titles><periodical><full-title>ACM Transactions on Internet Technology (TOIT)</full-title></periodical><pages>7</pages><volume>10</volume><number>2</number><dates><year>2010</year></dates><isbn>1533-5399</isbn><urls></urls></record></Cite></EndNote>(Kumaraguru et al. 2010). The concrete approach is the predominate level of conceptualization in anti-phishing training and is employed across government, business, and community programs to train the general public about identifying phishing messages. Empirical testing of the approach has suggested it helps email users to identify phishing messages and avoid phishing attacks PEVuZE5vdGU+PENpdGU+PEF1dGhvcj5LdW1hcmFndXJ1PC9BdXRob3I+PFllYXI+MjAxMDwvWWVh
cj48UmVjTnVtPjc0OTc8L1JlY051bT48RGlzcGxheVRleHQ+KENyYW5vciAyMDA4OyBLdW1hcmFn
dXJ1IGV0IGFsLiAyMDEwKTwvRGlzcGxheVRleHQ+PHJlY29yZD48cmVjLW51bWJlcj43NDk3PC9y
ZWMtbnVtYmVyPjxmb3JlaWduLWtleXM+PGtleSBhcHA9IkVOIiBkYi1pZD0iYTlmMnYyczAzc3Yw
c29lNWU1Mnh3cjlvYXMwNXZzMDU5dDJkIiB0aW1lc3RhbXA9IjEzMjk4NjM5MTQiPjc0OTc8L2tl
eT48L2ZvcmVpZ24ta2V5cz48cmVmLXR5cGUgbmFtZT0iSm91cm5hbCBBcnRpY2xlIj4xNzwvcmVm
LXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9ycz48YXV0aG9yPkt1bWFyYWd1cnUsIFAuPC9hdXRo
b3I+PGF1dGhvcj5TaGVuZywgUy48L2F1dGhvcj48YXV0aG9yPkFjcXVpc3RpLCBBLjwvYXV0aG9y
PjxhdXRob3I+Q3Jhbm9yLCBMLkYuPC9hdXRob3I+PGF1dGhvcj5Ib25nLCBKLjwvYXV0aG9yPjwv
YXV0aG9ycz48L2NvbnRyaWJ1dG9ycz48dGl0bGVzPjx0aXRsZT5UZWFjaGluZyBqb2hubnkgbm90
IHRvIGZhbGwgZm9yIHBoaXNoPC90aXRsZT48c2Vjb25kYXJ5LXRpdGxlPkFDTSBUcmFuc2FjdGlv
bnMgb24gSW50ZXJuZXQgVGVjaG5vbG9neSAoVE9JVCk8L3NlY29uZGFyeS10aXRsZT48L3RpdGxl
cz48cGVyaW9kaWNhbD48ZnVsbC10aXRsZT5BQ00gVHJhbnNhY3Rpb25zIG9uIEludGVybmV0IFRl
Y2hub2xvZ3kgKFRPSVQpPC9mdWxsLXRpdGxlPjwvcGVyaW9kaWNhbD48cGFnZXM+NzwvcGFnZXM+
PHZvbHVtZT4xMDwvdm9sdW1lPjxudW1iZXI+MjwvbnVtYmVyPjxkYXRlcz48eWVhcj4yMDEwPC95
ZWFyPjwvZGF0ZXM+PGlzYm4+MTUzMy01Mzk5PC9pc2JuPjx1cmxzPjwvdXJscz48L3JlY29yZD48
L0NpdGU+PENpdGU+PEF1dGhvcj5DcmFub3I8L0F1dGhvcj48WWVhcj4yMDA4PC9ZZWFyPjxSZWNO
dW0+NDY5MzwvUmVjTnVtPjxyZWNvcmQ+PHJlYy1udW1iZXI+NDY5MzwvcmVjLW51bWJlcj48Zm9y
ZWlnbi1rZXlzPjxrZXkgYXBwPSJFTiIgZGItaWQ9InhyMHMwc3AwdnJwZTV6ZTV0ZXR4dnd3bnA1
eGQ5YWFlenNkOSIgdGltZXN0YW1wPSIxMzk4MTg0OTQ3Ij40NjkzPC9rZXk+PC9mb3JlaWduLWtl
eXM+PHJlZi10eXBlIG5hbWU9IkpvdXJuYWwgQXJ0aWNsZSI+MTc8L3JlZi10eXBlPjxjb250cmli
dXRvcnM+PGF1dGhvcnM+PGF1dGhvcj5DcmFub3IsIEwuIEYuPC9hdXRob3I+PC9hdXRob3JzPjwv
Y29udHJpYnV0b3JzPjx0aXRsZXM+PHRpdGxlPkNhbiBQaGlzaGluZyBCZSBGb2lsZWQ/PC90aXRs
ZT48c2Vjb25kYXJ5LXRpdGxlPlNjaWVudGlmaWMgQW1lcmljYW48L3NlY29uZGFyeS10aXRsZT48
L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVsbC10aXRsZT5TY2llbnRpZmljIEFtZXJpY2FuPC9mdWxs
LXRpdGxlPjwvcGVyaW9kaWNhbD48cGFnZXM+MTA0LTExMDwvcGFnZXM+PHZvbHVtZT4yOTk8L3Zv
bHVtZT48bnVtYmVyPjY8L251bWJlcj48a2V5d29yZHM+PGtleXdvcmQ+Q09NUFVURVIgc2VjdXJp
dHkgLS0gUmVzZWFyY2g8L2tleXdvcmQ+PGtleXdvcmQ+UEhJU0hJTkc8L2tleXdvcmQ+PGtleXdv
cmQ+Q09NUFVURVIgc2VjdXJpdHkgc29mdHdhcmU8L2tleXdvcmQ+PGtleXdvcmQ+V0VCU0lURVMg
LS0gU2VjdXJpdHkgbWVhc3VyZXM8L2tleXdvcmQ+PGtleXdvcmQ+Q0FSTkVHSUUtTWVsbG9uIFVu
aXZlcnNpdHkgLS0gRmFjdWx0eTwva2V5d29yZD48a2V5d29yZD5DUkFOT1IsIExvcnJpZSBGYWl0
aDwva2V5d29yZD48L2tleXdvcmRzPjxkYXRlcz48eWVhcj4yMDA4PC95ZWFyPjwvZGF0ZXM+PHB1
Ymxpc2hlcj5TY2llbnRpZmljIEFtZXJpY2FuPC9wdWJsaXNoZXI+PGlzYm4+MDAzNjg3MzM8L2lz
Ym4+PGFjY2Vzc2lvbi1udW0+MzUxNTg3NzU8L2FjY2Vzc2lvbi1udW0+PHVybHM+PHJlbGF0ZWQt
dXJscz48dXJsPmh0dHA6Ly9saWJyYXJpZXMub3UuZWR1L2FjY2Vzcy5hc3B4P3VybD1odHRwOi8v
c2VhcmNoLmVic2NvaG9zdC5jb20vbG9naW4uYXNweD9kaXJlY3Q9dHJ1ZSZhbXA7ZGI9YXBoJmFt
cDtBTj0zNTE1ODc3NSZhbXA7c2l0ZT1lZHMtbGl2ZTwvdXJsPjwvcmVsYXRlZC11cmxzPjwvdXJs
cz48cmVtb3RlLWRhdGFiYXNlLW5hbWU+YXBoPC9yZW1vdGUtZGF0YWJhc2UtbmFtZT48cmVtb3Rl
LWRhdGFiYXNlLXByb3ZpZGVyPkVCU0NPaG9zdDwvcmVtb3RlLWRhdGFiYXNlLXByb3ZpZGVyPjwv
cmVjb3JkPjwvQ2l0ZT48L0VuZE5vdGU+AG==
ADDIN EN.CITE PEVuZE5vdGU+PENpdGU+PEF1dGhvcj5LdW1hcmFndXJ1PC9BdXRob3I+PFllYXI+MjAxMDwvWWVh
cj48UmVjTnVtPjc0OTc8L1JlY051bT48RGlzcGxheVRleHQ+KENyYW5vciAyMDA4OyBLdW1hcmFn
dXJ1IGV0IGFsLiAyMDEwKTwvRGlzcGxheVRleHQ+PHJlY29yZD48cmVjLW51bWJlcj43NDk3PC9y
ZWMtbnVtYmVyPjxmb3JlaWduLWtleXM+PGtleSBhcHA9IkVOIiBkYi1pZD0iYTlmMnYyczAzc3Yw
c29lNWU1Mnh3cjlvYXMwNXZzMDU5dDJkIiB0aW1lc3RhbXA9IjEzMjk4NjM5MTQiPjc0OTc8L2tl
eT48L2ZvcmVpZ24ta2V5cz48cmVmLXR5cGUgbmFtZT0iSm91cm5hbCBBcnRpY2xlIj4xNzwvcmVm
LXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9ycz48YXV0aG9yPkt1bWFyYWd1cnUsIFAuPC9hdXRo
b3I+PGF1dGhvcj5TaGVuZywgUy48L2F1dGhvcj48YXV0aG9yPkFjcXVpc3RpLCBBLjwvYXV0aG9y
PjxhdXRob3I+Q3Jhbm9yLCBMLkYuPC9hdXRob3I+PGF1dGhvcj5Ib25nLCBKLjwvYXV0aG9yPjwv
YXV0aG9ycz48L2NvbnRyaWJ1dG9ycz48dGl0bGVzPjx0aXRsZT5UZWFjaGluZyBqb2hubnkgbm90
IHRvIGZhbGwgZm9yIHBoaXNoPC90aXRsZT48c2Vjb25kYXJ5LXRpdGxlPkFDTSBUcmFuc2FjdGlv
bnMgb24gSW50ZXJuZXQgVGVjaG5vbG9neSAoVE9JVCk8L3NlY29uZGFyeS10aXRsZT48L3RpdGxl
cz48cGVyaW9kaWNhbD48ZnVsbC10aXRsZT5BQ00gVHJhbnNhY3Rpb25zIG9uIEludGVybmV0IFRl
Y2hub2xvZ3kgKFRPSVQpPC9mdWxsLXRpdGxlPjwvcGVyaW9kaWNhbD48cGFnZXM+NzwvcGFnZXM+
PHZvbHVtZT4xMDwvdm9sdW1lPjxudW1iZXI+MjwvbnVtYmVyPjxkYXRlcz48eWVhcj4yMDEwPC95
ZWFyPjwvZGF0ZXM+PGlzYm4+MTUzMy01Mzk5PC9pc2JuPjx1cmxzPjwvdXJscz48L3JlY29yZD48
L0NpdGU+PENpdGU+PEF1dGhvcj5DcmFub3I8L0F1dGhvcj48WWVhcj4yMDA4PC9ZZWFyPjxSZWNO
dW0+NDY5MzwvUmVjTnVtPjxyZWNvcmQ+PHJlYy1udW1iZXI+NDY5MzwvcmVjLW51bWJlcj48Zm9y
ZWlnbi1rZXlzPjxrZXkgYXBwPSJFTiIgZGItaWQ9InhyMHMwc3AwdnJwZTV6ZTV0ZXR4dnd3bnA1
eGQ5YWFlenNkOSIgdGltZXN0YW1wPSIxMzk4MTg0OTQ3Ij40NjkzPC9rZXk+PC9mb3JlaWduLWtl
eXM+PHJlZi10eXBlIG5hbWU9IkpvdXJuYWwgQXJ0aWNsZSI+MTc8L3JlZi10eXBlPjxjb250cmli
dXRvcnM+PGF1dGhvcnM+PGF1dGhvcj5DcmFub3IsIEwuIEYuPC9hdXRob3I+PC9hdXRob3JzPjwv
Y29udHJpYnV0b3JzPjx0aXRsZXM+PHRpdGxlPkNhbiBQaGlzaGluZyBCZSBGb2lsZWQ/PC90aXRs
ZT48c2Vjb25kYXJ5LXRpdGxlPlNjaWVudGlmaWMgQW1lcmljYW48L3NlY29uZGFyeS10aXRsZT48
L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVsbC10aXRsZT5TY2llbnRpZmljIEFtZXJpY2FuPC9mdWxs
LXRpdGxlPjwvcGVyaW9kaWNhbD48cGFnZXM+MTA0LTExMDwvcGFnZXM+PHZvbHVtZT4yOTk8L3Zv
bHVtZT48bnVtYmVyPjY8L251bWJlcj48a2V5d29yZHM+PGtleXdvcmQ+Q09NUFVURVIgc2VjdXJp
dHkgLS0gUmVzZWFyY2g8L2tleXdvcmQ+PGtleXdvcmQ+UEhJU0hJTkc8L2tleXdvcmQ+PGtleXdv
cmQ+Q09NUFVURVIgc2VjdXJpdHkgc29mdHdhcmU8L2tleXdvcmQ+PGtleXdvcmQ+V0VCU0lURVMg
LS0gU2VjdXJpdHkgbWVhc3VyZXM8L2tleXdvcmQ+PGtleXdvcmQ+Q0FSTkVHSUUtTWVsbG9uIFVu
aXZlcnNpdHkgLS0gRmFjdWx0eTwva2V5d29yZD48a2V5d29yZD5DUkFOT1IsIExvcnJpZSBGYWl0
aDwva2V5d29yZD48L2tleXdvcmRzPjxkYXRlcz48eWVhcj4yMDA4PC95ZWFyPjwvZGF0ZXM+PHB1
Ymxpc2hlcj5TY2llbnRpZmljIEFtZXJpY2FuPC9wdWJsaXNoZXI+PGlzYm4+MDAzNjg3MzM8L2lz
Ym4+PGFjY2Vzc2lvbi1udW0+MzUxNTg3NzU8L2FjY2Vzc2lvbi1udW0+PHVybHM+PHJlbGF0ZWQt
dXJscz48dXJsPmh0dHA6Ly9saWJyYXJpZXMub3UuZWR1L2FjY2Vzcy5hc3B4P3VybD1odHRwOi8v
c2VhcmNoLmVic2NvaG9zdC5jb20vbG9naW4uYXNweD9kaXJlY3Q9dHJ1ZSZhbXA7ZGI9YXBoJmFt
cDtBTj0zNTE1ODc3NSZhbXA7c2l0ZT1lZHMtbGl2ZTwvdXJsPjwvcmVsYXRlZC11cmxzPjwvdXJs
cz48cmVtb3RlLWRhdGFiYXNlLW5hbWU+YXBoPC9yZW1vdGUtZGF0YWJhc2UtbmFtZT48cmVtb3Rl
LWRhdGFiYXNlLXByb3ZpZGVyPkVCU0NPaG9zdDwvcmVtb3RlLWRhdGFiYXNlLXByb3ZpZGVyPjwv
cmVjb3JkPjwvQ2l0ZT48L0VuZE5vdGU+AG==
ADDIN EN.CITE.DATA (Cranor 2008; Kumaraguru et al. 2010). Hence, in a replication of previous research, we hypothesize that the concrete training approach will decrease the propensity of users to respond to phishing attacks. H1: The concrete training approach will decrease the likelihood that recipients will respond to phishing attacks.Abstract Behavior Modeling: Mindfulness TrainingRecent IS security research has suggested that individuals frequently process security risks using mindless information processing ADDIN EN.CITE <EndNote><Cite><Author>Vance</Author><Year>2008</Year><RecNum>7277</RecNum><Prefix>e.g.`, </Prefix><DisplayText>(e.g., Vance et al. 2008)</DisplayText><record><rec-number>7277</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="0">7277</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Vance, A.</author><author>Elie-Dit-Cosaque, C.</author><author>Straub, D. W.</author></authors></contributors><titles><title>Examining trust in information technology artifacts: the effects of system quality and culture</title><secondary-title>Journal of Management Information Systems</secondary-title></titles><periodical><full-title>Journal of Management Information Systems</full-title></periodical><pages>73-100</pages><volume>24</volume><number>4</number><dates><year>2008</year></dates><isbn>0742-1222</isbn><urls></urls></record></Cite></EndNote>(e.g., Vance et al. 2008), meaning that individuals rely on simple decision rules, mental short-cuts, or habit when processing security risks and rarely contemplate the ramifications of their actions ADDIN EN.CITE <EndNote><Cite><Author>Kahneman</Author><Year>2011</Year><RecNum>4702</RecNum><Prefix>see </Prefix><DisplayText>(see Kahneman 2011)</DisplayText><record><rec-number>4702</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184948">4702</key></foreign-keys><ref-type name="Book">6</ref-type><contributors><authors><author>Kahneman, D.</author></authors></contributors><titles><title>Thinking, fast and slow</title></titles><dates><year>2011</year></dates><pub-location>New York, NY</pub-location><publisher>Farrar, Straus and Giroux</publisher><isbn>0374275637</isbn><urls></urls></record></Cite></EndNote>(see Kahneman 2011). This tendency is especially prevalent and problematic when email users encounter a phishing message ADDIN EN.CITE <EndNote><Cite><Author>Dhamija</Author><Year>2006</Year><RecNum>7552</RecNum><DisplayText>(Dhamija et al. 2006; Vishwanath et al. 2011)</DisplayText><record><rec-number>7552</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1345738553">7552</key></foreign-keys><ref-type name="Conference Proceedings">10</ref-type><contributors><authors><author>Dhamija, R.</author><author>Tygar, J.D.</author><author>Hearst, M.</author></authors></contributors><titles><title>Why phishing works</title><secondary-title>Proceedings of the SIGCHI Conference on Human Factors in Computing Systems </secondary-title></titles><pages>581-590</pages><dates><year>2006</year></dates><pub-location>Montreal, Quebec</pub-location><publisher>ACM</publisher><isbn>1595933727</isbn><urls></urls></record></Cite><Cite><Author>Vishwanath</Author><Year>2011</Year><RecNum>7553</RecNum><record><rec-number>7553</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1345738770">7553</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Vishwanath, A.</author><author>Herath, T.</author><author>Chen, R.</author><author>Wang, J.</author><author>Rao, H.R.</author></authors></contributors><titles><title>Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model</title><secondary-title>Decision Support Systems</secondary-title></titles><periodical><full-title>Decision Support Systems</full-title></periodical><pages>576-586</pages><volume>51</volume><number>3</number><dates><year>2011</year></dates><isbn>0167-9236</isbn><urls></urls></record></Cite></EndNote>(Dhamija et al. 2006; Vishwanath et al. 2011). Mindless processing may result in email users not devoting sufficient attention to scrutinizing emails, leading them to miss cues that distinguish legitimate from phishing email, neglecting actions that may safeguard them from phishing attacks, and failing to consider the consequences of responding to a phishing email. Phishers appear to understand this tendency and compose phishing messages which take advantage of these decision rules (e.g., by using legitimate-looking logos and message designs) or encourage mindless processing (e.g., by inducing time pressure on the recipient to respond). Such tactics by phishers have been shown to be highly effective in soliciting responses ADDIN EN.CITE <EndNote><Cite><Author>Dhamija</Author><Year>2006</Year><RecNum>7552</RecNum><DisplayText>(Dhamija et al. 2006; Vishwanath et al. 2011)</DisplayText><record><rec-number>7552</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1345738553">7552</key></foreign-keys><ref-type name="Conference Proceedings">10</ref-type><contributors><authors><author>Dhamija, R.</author><author>Tygar, J.D.</author><author>Hearst, M.</author></authors></contributors><titles><title>Why phishing works</title><secondary-title>Proceedings of the SIGCHI Conference on Human Factors in Computing Systems </secondary-title></titles><pages>581-590</pages><dates><year>2006</year></dates><pub-location>Montreal, Quebec</pub-location><publisher>ACM</publisher><isbn>1595933727</isbn><urls></urls></record></Cite><Cite><Author>Vishwanath</Author><Year>2011</Year><RecNum>7553</RecNum><record><rec-number>7553</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1345738770">7553</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Vishwanath, A.</author><author>Herath, T.</author><author>Chen, R.</author><author>Wang, J.</author><author>Rao, H.R.</author></authors></contributors><titles><title>Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model</title><secondary-title>Decision Support Systems</secondary-title></titles><periodical><full-title>Decision Support Systems</full-title></periodical><pages>576-586</pages><volume>51</volume><number>3</number><dates><year>2011</year></dates><isbn>0167-9236</isbn><urls></urls></record></Cite></EndNote>(Dhamija et al. 2006; Vishwanath et al. 2011). Conversely, research investigating the actions of email users who successfully identify phishing attacks revealed they avoid mindless processing, but rather scrutinized and verified emails that requested private information ADDIN EN.CITE <EndNote><Cite><Author>Wright</Author><Year>2010</Year><RecNum>4703</RecNum><DisplayText>(Wright et al. 2010a)</DisplayText><record><rec-number>4703</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184948">4703</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Wright, R.</author><author>Chakraborty, S.</author><author>Basoglu, A.</author><author>Marett, K.</author></authors></contributors><titles><title>Where did they go right? Understanding the deception in phishing communications</title><secondary-title>Group Decision and Negotiation</secondary-title></titles><periodical><full-title>Group Decision and Negotiation</full-title></periodical><pages>391-416</pages><volume>19</volume><number>4</number><dates><year>2010</year></dates><isbn>0926-2644</isbn><urls></urls></record></Cite></EndNote>(Wright et al. 2010a). In light of these recent findings, we argue that individuals’ mental models could be altered using abstract behavioral modeling to increase the level of scrutiny suspicious emails receive. Specifically, we present an abstract approach based on the notion of mindfulness, which teaches individuals to carefully evaluate incoming email requests and the intentions of their senders rather than rely on mindlessly applied mental shortcuts. Instead of treating anti-phishing training as an identification exercise and focusing on knowledge of numerous cues and rules, we frame training as an exercise intended to elevate the degree to which individuals scrutinize emailed requests. This training approach encourages mindfulness to promote systematic information processing of phishing e-mails ADDIN EN.CITE <EndNote><Cite><Author>Langer</Author><Year>1997</Year><RecNum>7555</RecNum><DisplayText>(Langer 1989; Langer 1997)</DisplayText><record><rec-number>7555</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1345745942">7555</key></foreign-keys><ref-type name="Book">6</ref-type><contributors><authors><author>Langer, E.J.</author></authors></contributors><titles><title>The power of mindful learning</title></titles><dates><year>1997</year></dates><pub-location>Reading, MA</pub-location><publisher>Addison-Wesley </publisher><isbn>0201488396</isbn><urls></urls></record></Cite><Cite><Author>Langer</Author><Year>1989</Year><RecNum>7556</RecNum><record><rec-number>7556</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1345746295">7556</key></foreign-keys><ref-type name="Book">6</ref-type><contributors><authors><author>Langer, E.J.</author></authors></contributors><titles><title>Mindfulness</title></titles><dates><year>1989</year></dates><pub-location>Reading, MA</pub-location><publisher>Addison-Wesley</publisher><urls></urls></record></Cite></EndNote>(Langer 1989; Langer 1997) and is intended to create new mental models concerning the allocation of attentional resources. Although some debate exists among researchers concerning the precise definition of mindfulness ADDIN EN.CITE <EndNote><Cite><Author>Brown</Author><Year>2007</Year><RecNum>7570</RecNum><DisplayText>(Brown et al. 2007; Lau et al. 2006)</DisplayText><record><rec-number>7570</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1345748955">7570</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Brown, K. W.</author><author>Ryan, R. M.</author><author>Creswell, J. D.</author></authors></contributors><titles><title>Mindfulness: Theoretical foundations and evidence for its salutary effects</title><secondary-title>Psychological Inquiry</secondary-title></titles><periodical><full-title>Psychological Inquiry</full-title></periodical><pages>211-237</pages><volume>18</volume><number>4</number><dates><year>2007</year></dates><urls></urls></record></Cite><Cite><Author>Lau</Author><Year>2006</Year><RecNum>4704</RecNum><record><rec-number>4704</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184948">4704</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Lau, M. A.</author><author>Bishop, S. R.</author><author>Segal, Z. V.</author><author>Buis, T.</author><author>Anderson, N. D.</author><author>Carlson, L.</author><author>Shapiro, S.</author><author>Carmody, J.</author><author>Abbey, S.</author><author>Devins, G.</author></authors></contributors><titles><title>The Toronto Mindfulness Scale: Development and validation</title><secondary-title>Journal of Clinical Psychology</secondary-title></titles><periodical><full-title>Journal of Clinical Psychology</full-title></periodical><pages>1445-1467</pages><volume>62</volume><number>12</number><dates><year>2006</year></dates><urls></urls></record></Cite></EndNote>(Brown et al. 2007; Lau et al. 2006), most researchers agree that mindfulness is more than mere attention and awareness of context and environment; it indicates a higher quality of consciousness characterized by receptive attention to current surroundings and experiences ADDIN EN.CITE <EndNote><Cite><Author>Brown</Author><Year>2007</Year><RecNum>7570</RecNum><DisplayText>(Brown et al. 2007)</DisplayText><record><rec-number>7570</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1345748955">7570</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Brown, K. W.</author><author>Ryan, R. M.</author><author>Creswell, J. D.</author></authors></contributors><titles><title>Mindfulness: Theoretical foundations and evidence for its salutary effects</title><secondary-title>Psychological Inquiry</secondary-title></titles><periodical><full-title>Psychological Inquiry</full-title></periodical><pages>211-237</pages><volume>18</volume><number>4</number><dates><year>2007</year></dates><urls></urls></record></Cite></EndNote>(Brown et al. 2007). Mindfulness is conceptualized as possessing state and trait components ADDIN EN.CITE <EndNote><Cite><Author>Lau</Author><Year>2006</Year><RecNum>4704</RecNum><DisplayText>(Lau et al. 2006)</DisplayText><record><rec-number>4704</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184948">4704</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Lau, M. A.</author><author>Bishop, S. R.</author><author>Segal, Z. V.</author><author>Buis, T.</author><author>Anderson, N. D.</author><author>Carlson, L.</author><author>Shapiro, S.</author><author>Carmody, J.</author><author>Abbey, S.</author><author>Devins, G.</author></authors></contributors><titles><title>The Toronto Mindfulness Scale: Development and validation</title><secondary-title>Journal of Clinical Psychology</secondary-title></titles><periodical><full-title>Journal of Clinical Psychology</full-title></periodical><pages>1445-1467</pages><volume>62</volume><number>12</number><dates><year>2006</year></dates><urls></urls></record></Cite></EndNote>(Lau et al. 2006) and those who demonstrate higher levels of mindfulness also exhibit stronger behavioral control and self-regulation ADDIN EN.CITE <EndNote><Cite><Author>Brown</Author><Year>2007</Year><RecNum>7570</RecNum><DisplayText>(Brown et al. 2007; Leary et al. 2006)</DisplayText><record><rec-number>7570</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1345748955">7570</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Brown, K. W.</author><author>Ryan, R. M.</author><author>Creswell, J. D.</author></authors></contributors><titles><title>Mindfulness: Theoretical foundations and evidence for its salutary effects</title><secondary-title>Psychological Inquiry</secondary-title></titles><periodical><full-title>Psychological Inquiry</full-title></periodical><pages>211-237</pages><volume>18</volume><number>4</number><dates><year>2007</year></dates><urls></urls></record></Cite><Cite><Author>Leary</Author><Year>2006</Year><RecNum>4705</RecNum><record><rec-number>4705</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184948">4705</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Leary, M. R.</author><author>Adams, C. E.</author><author>Tate, E. B.</author></authors></contributors><titles><title>Hypo-egoic self-regulation: Exercising self-control by diminishing the influence of the self</title><secondary-title>Journal of Personality</secondary-title></titles><periodical><full-title>Journal of Personality</full-title></periodical><pages>1803-1831</pages><volume>74</volume><number>6</number><dates><year>2006</year></dates><urls></urls></record></Cite></EndNote>(Brown et al. 2007; Leary et al. 2006). Promoting mindfulness through training has served as the foundation for clinical interventions for reducing stress ADDIN EN.CITE <EndNote><Cite><Author>Shapiro</Author><Year>1998</Year><RecNum>4706</RecNum><DisplayText>(Grossman et al. 2004; Shapiro et al. 1998)</DisplayText><record><rec-number>4706</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184948">4706</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Shapiro, S. L.</author><author>Schwartz, G. E.</author><author>Bonner, G.</author></authors></contributors><titles><title>Effects of mindfulness-based stress reduction on medical and premedical Students</title><secondary-title>Journal of Behavioral Medicine</secondary-title></titles><periodical><full-title>Journal of Behavioral Medicine</full-title></periodical><pages>581-599</pages><volume>21</volume><number>6</number><dates><year>1998</year></dates><urls></urls></record></Cite><Cite><Author>Grossman</Author><Year>2004</Year><RecNum>4707</RecNum><record><rec-number>4707</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184949">4707</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Grossman, P.</author><author>Niemann, L.</author><author>Schmidt, S.</author><author>Walach, H.</author></authors></contributors><titles><title>Mindfulness-based stress reduction and health benefits: A meta-analysis</title><secondary-title>Journal of Psychosomatic Research</secondary-title></titles><periodical><full-title>Journal of Psychosomatic Research</full-title></periodical><pages>35-43</pages><volume>57</volume><number>1</number><dates><year>2004</year></dates><urls></urls></record></Cite></EndNote>(Grossman et al. 2004; Shapiro et al. 1998), depression ADDIN EN.CITE <EndNote><Cite><Author>Teasdale</Author><Year>2000</Year><RecNum>2713</RecNum><DisplayText>(Teasdale et al. 2000)</DisplayText><record><rec-number>2713</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1297719448">2713</key><key app="ENWeb" db-id="UBLLiQrtqggAADvUvSc">1483</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>John D. Teasdale</author><author>J. Mark G. Williams</author><author>Judith M. Soulsby</author><author>Zindel V. Segal</author><author>Valerie A. Ridgeway</author><author>Mark A. Lau</author></authors></contributors><titles><title>Prevention of Relapse/Recurrance in Major Depression by Mindfulness-Based Cognitive Therapy</title><secondary-title>Journal of Consulting and Clinical Psychology</secondary-title></titles><periodical><full-title>Journal of Consulting and Clinical Psychology</full-title></periodical><pages>615-623</pages><volume>68</volume><number>4</number><dates><year>2000</year></dates><urls></urls></record></Cite></EndNote>(Teasdale et al. 2000) and other psychological problems ADDIN EN.CITE <EndNote><Cite><Author>Baer</Author><Year>2003</Year><RecNum>2714</RecNum><DisplayText>(Baer 2003)</DisplayText><record><rec-number>2714</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1297719681">2714</key><key app="ENWeb" db-id="UBLLiQrtqggAADvUvSc">1484</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Ruth A. Baer</author></authors></contributors><titles><title>Mindfulness Training as a Clinical Intervention: A Conceptual and Empirical Review</title><secondary-title>Clinical Psychology: Science and Practice</secondary-title></titles><periodical><full-title>Clinical Psychology: Science and Practice</full-title></periodical><pages>125-143</pages><volume>10</volume><number>2</number><dates><year>2003</year></dates><urls></urls></record></Cite></EndNote>(Baer 2003). This novel training approach equips individuals with mental tools that increase mindfulness when inspecting an email. First, in line with a mindfulness perspective ADDIN EN.CITE <EndNote><Cite><Author>Langer</Author><Year>1997</Year><RecNum>7555</RecNum><DisplayText>(Langer 1989; Langer 1997)</DisplayText><record><rec-number>7555</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1345745942">7555</key></foreign-keys><ref-type name="Book">6</ref-type><contributors><authors><author>Langer, E.J.</author></authors></contributors><titles><title>The power of mindful learning</title></titles><dates><year>1997</year></dates><pub-location>Reading, MA</pub-location><publisher>Addison-Wesley </publisher><isbn>0201488396</isbn><urls></urls></record></Cite><Cite><Author>Langer</Author><Year>1989</Year><RecNum>7556</RecNum><record><rec-number>7556</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1345746295">7556</key></foreign-keys><ref-type name="Book">6</ref-type><contributors><authors><author>Langer, E.J.</author></authors></contributors><titles><title>Mindfulness</title></titles><dates><year>1989</year></dates><pub-location>Reading, MA</pub-location><publisher>Addison-Wesley</publisher><urls></urls></record></Cite></EndNote>(Langer 1989; Langer 1997), individuals are explicitly encouraged to pause and reflect on their environment (i.e., an email and the context in which the email was received). A mindfulness approach promotes receptivity to surroundings, helps users to break out of cursorily evaluating emails, and encourages users to actively consider what each email asks of them. A concrete situation-specific approach, in contrast, encourages users to continuously scan emails for static cues and to always apply a standard set of rules to identify phishing. With mindfulness training, emails with unusual requests, such as asking for personal information, requesting user credentials, or including an unexpected attachment, should trigger more active assessment by the email user. This component of training, while relatively simple, may induce a greater amount of email-focused scrutiny.Second, individuals are instructed to engage in a process of active questioning, where they are to consider several questions when evaluating actions requested in an email (e.g., click on a URL, download an attachment). A wide variety of cues may indicate an email is a phishing message; however, all phishing attacks require recipients to take some action that compromises their security and privacy. Posing questions that highlight the actions requested by phishing messages gives individuals guidance on how they can mindfully evaluate potentially harmful emails. During the process of active questioning, the user is encouraged to consider the email senders’ motivation, the email’s contents and the context in which the email was received. The evaluative focus on emailed requests is consistent with previous mindfulness interventions ADDIN EN.CITE <EndNote><Cite><Author>Mace</Author><Year>2007</Year><RecNum>4406</RecNum><Prefix>i.e.`, for mood`, problems relating to others`, self consciousness`, memory`; </Prefix><DisplayText>(i.e., for mood, problems relating to others, self consciousness, memory; Mace 2007; Mace 2008)</DisplayText><record><rec-number>4406</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1347906105">4406</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Mace, Chris</author></authors></contributors><titles><title>Mindfulness in psychotherapy: an introduction</title><secondary-title>Advances in Psychiatric Treatment</secondary-title></titles><periodical><full-title>Advances in Psychiatric Treatment</full-title></periodical><pages>147-154</pages><volume>13</volume><number>2</number><dates><year>2007</year><pub-dates><date>March 1, 2007</date></pub-dates></dates><urls><related-urls><url> app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1347906042">4405</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Chris Mace</author></authors></contributors><titles><title>Mindfulness and the future of psychotherapy</title><secondary-title>European Psychotherapy</secondary-title></titles><periodical><full-title>European Psychotherapy</full-title></periodical><pages>129-139</pages><volume>8</volume><number>1</number><dates><year>2008</year></dates><publisher>CIP-Medien</publisher><urls></urls></record></Cite></EndNote>(i.e., for mood, problems relating to others, self consciousness, memory; Mace 2007; Mace 2008) as the individual is able to concentrate on his or her own actions in response to requests rather than focusing on cues in the phishing email or website (which are controlled by the phisher). Finally, a central component of mindfulness is forestalling judgment to avoid improperly jumping to conclusions ADDIN EN.CITE <EndNote><Cite><Author>Baer</Author><Year>2004</Year><RecNum>4708</RecNum><DisplayText>(Baer et al. 2004)</DisplayText><record><rec-number>4708</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184949">4708</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Baer, Ruth A.</author><author>Smith, Gregory T.</author><author>Allen, Kristin B.</author></authors></contributors><titles><title>Assessment of mindfulness by self-report: The Kentucky Inventory of Mindfulness Skills</title><secondary-title>Assessment</secondary-title></titles><periodical><full-title>Assessment</full-title></periodical><pages>191-206</pages><volume>11</volume><number>3</number><dates><year>2004</year></dates><urls></urls></record></Cite></EndNote>(Baer et al. 2004). When encountering deception in general, people are often suspicious of deceptive messages, but are hesitant to label the messages as deception for fear of the possibility that they could be legitimate ADDIN EN.CITE <EndNote><Cite><Author>Vrij</Author><Year>2006</Year><RecNum>4709</RecNum><DisplayText>(Vrij 2006)</DisplayText><record><rec-number>4709</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184949">4709</key></foreign-keys><ref-type name="Book Section">5</ref-type><contributors><authors><author>Vrij, Aldert</author></authors><secondary-authors><author>Manusov, Valerie</author><author>Patterson, Miles L.</author></secondary-authors></contributors><titles><title>Nonverbal communication and deception</title><secondary-title>The Sage Handbook of Nonverbal Communication.</secondary-title></titles><pages>341-359</pages><keywords><keyword>nonverbal communication</keyword><keyword>nonverbal cues</keyword><keyword>deception</keyword><keyword>detecting deception</keyword><keyword>deception theories</keyword><keyword>lying</keyword><keyword>lies</keyword><keyword>Cues</keyword><keyword>Social Perception</keyword><keyword>Theories</keyword></keywords><dates><year>2006</year></dates><pub-location>Thousand Oaks, CA</pub-location><publisher>Sage Publications, Inc</publisher><isbn>1-4129-0404-8
9781412904049</isbn><urls><related-urls><url>;(Vrij 2006). This training encourages email users to attend to any suspicion they may feel about actions requested by incoming emails and to verify emails with trusted third parties (e.g., IT department) to ensure the requests are valid. This approach may reduce email users’ reluctance to address emails that seem suspicious or out of place but do not rise to the level of a blatant phishing attempt. H2: The abstract training approach will decrease the likelihood that recipients will respond to phishing attacks.The abstract approach offers several advantages over the concrete approach, which are summarized in REF _Ref386013494 \h Table 1. Both training approaches rely on behavioral modeling and offer similar first steps to describe the phenomenon as well as follow up steps of practicing and reinforcement; however, the provision of static rules and cues in situation-specific training may be ill-suited for phishing for three reasons. First, the concrete approach is only applicable when a phisher’s message contains recognizable cues or violates rules the recipient knows. In other words, in relying on situation-specific training, phishing recipients depend on phishers to make mistakes (e.g., using a poorly worded email message, suspicious email address, illegitimate website) in order for the training to be successful. Also, as recommendations and rules protecting email users against phishing become well known, successful phishers will seek to improve their tactics by designing messages that circumvent those rules. This risk is especially salient as information useful for phishing customization becomes more widespread. In a sense, phishers and security personnel are engaged in a game of cat and mouse: once security personnel identify and publicize a cue that enables users to recognize phishing, phishers may change their techniques to circumvent the rule. In contrast to a list of rules or cues, the abstract approach encourages close examination of any email that requests something protected, regardless of the potentially authentic nature of the email. By encouraging mindful evaluation of email, even when phishing emails become more sophisticated and customized, trainees will still take note of the actions requested by phishing emails and be less likely to respond.Table SEQ Table \* ARABIC 1 – Differences between Mindfulness and Situation-Specific Training ApproachesCharacteristicAbstractConcreteScopeHolisticContextualizedTraining ObjectiveElevate scrutiny of incoming emails containing requests for actionIncrease knowledge and use of numerous cues and rules to identify phishing messagesTheoretical UnderpinningMental model that guides the allocation of attention Behavioral model of cue recognition and rule implementationComplexity of TrainingSimple. Contains basic guidelines to determine which emails require more scrutiny Complex. Contains numerous cues and rules to identity phishing messagesApplicability of TrainingApplies to?phishing attacks that contain requests for actionApplies to phishing attacks where the message contains recognizable cues or violates rulesTrainee Resistance to PhishingEnables resistance to multiple types of phishing attacks through elevated scrutiny of requests for actionEnables resistance only when phishing cues are evident or when learned rules are violated.Second, there are many different types of phishing messages, and phishers try to take advantage of a variety of decision rules individuals use to evaluate emails ADDIN EN.CITE <EndNote><Cite><Author>Wright</Author><Year>Forthcoming</Year><RecNum>4677</RecNum><DisplayText>(Wright et al. Forthcoming)</DisplayText><record><rec-number>4677</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398182313">4677</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Ryan T. Wright</author><author>Matthew J. Jensen</author><author>Jason B. Thatcher</author><author>Michael Dinger</author><author>Kent Marett</author></authors></contributors><titles><title>Influence Techniques in Phishing Attacks: An Examination of Vulnerability and Resistance</title><secondary-title>Information Systems Research</secondary-title></titles><periodical><full-title>Information Systems Research</full-title></periodical><volume>Forthcoming</volume><dates><year>Forthcoming</year></dates><urls></urls></record></Cite></EndNote>(Wright et al. Forthcoming). As a result, a wide range of potential cues may indicate that an email or website is illegitimate and part of a phishing attack. In order for situation-specific training to be thorough, it must provide instruction on the myriad cues and rules relevant to thwarting variants of phishing attacks. Essentially, such training must account for every possible situation. Consequently, the instructions may be too complex and may overload users with too much information about phishing cues. For example, the helpful recommendations listed by a non-profit anti-phishing group consume several pages of text. Training complexity may make evaluation more difficult as a user must recall and consider relevant cues and rules upon receipt of every new email. Training complexity may have even more damaging effects if users short circuit their evaluation by selectively applying only a few cues and rules or avoid evaluation all together. In contrast, the abstract mindfulness approach is simple and encourages careful evaluation of only a few critical items in any email. For example: Is the email asking for something unusual, such as personal information or credentials? These simple points of assessment can be used by email users without a deep understanding of phishing in its many varieties. Further, if any suspicion is raised, the user is prompted to verify the email with a trusted third party rather than shoulder the entire load for identifying phishing messages. Third, the mindfulness training’s objective will likely be more diagnostic in separating phishing messages from legitimate messages. As discussed previously, all phishing messages encourage recipients to violate their own security and privacy. Therefore, a focus on the request in the phishing message will likely generalize across forms of phishing attacks to a greater degree than focusing on specific rules or cues which may or may not be applicable during a specific phishing attack. The concrete approach focuses on judging characteristics of the email, such as the sender’s email or the domain of linked websites. In contrast, the abstract approach highlights the purpose of the email. By focusing on the purpose of emails, users should more easily be able to identify emails that merit additional scrutiny and suspicion without having to carefully assess the cues of every email they receive. H3: The abstract training approach will be more effective than the concrete training approach in decreasing the likelihood that recipients will respond to phishing attacks. To provide a more robust test of the training approaches’ efficacy, we evaluated two types of delivery formats. MIS research has a rich tradition of studying the efficacy of computer-based presentation types ADDIN EN.CITE <EndNote><Cite><Author>Tractinsky</Author><Year>1999</Year><RecNum>4407</RecNum><Prefix>e.g.`, </Prefix><DisplayText>(e.g., Tractinsky et al. 1999)</DisplayText><record><rec-number>4407</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1347907703">4407</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Noam Tractinsky</author><author>Joachim Meyer</author></authors></contributors><titles><title>Chartjunk or goldgraph? Effects of persenataion objectives and content desirability on information presentation: effects of presentation objectives and content desirability on information presentation</title><secondary-title>MIS Q.</secondary-title></titles><periodical><full-title>MIS Q.</full-title></periodical><pages>397-420</pages><volume>23</volume><number>3</number><dates><year>1999</year></dates><isbn>0276-7783</isbn><urls></urls><custom1>333736</custom1><electronic-resource-num>10.2307/249469</electronic-resource-num></record></Cite></EndNote>(e.g., Tractinsky et al. 1999). Research suggests that graphical presentation enhances overall information acquisition and decision making PEVuZE5vdGU+PENpdGU+PEF1dGhvcj5KYXJ2ZW5wYWE8L0F1dGhvcj48WWVhcj4xOTg5PC9ZZWFy
PjxSZWNOdW0+NDQwODwvUmVjTnVtPjxEaXNwbGF5VGV4dD4oSmFydmVucGFhIDE5ODk7IEphcnZl
bnBhYSBldCBhbC4gMTk4ODsgU3BlaWVyIDIwMDYpPC9EaXNwbGF5VGV4dD48cmVjb3JkPjxyZWMt
bnVtYmVyPjQ0MDg8L3JlYy1udW1iZXI+PGZvcmVpZ24ta2V5cz48a2V5IGFwcD0iRU4iIGRiLWlk
PSJ4cjBzMHNwMHZycGU1emU1dGV0eHZ3d25wNXhkOWFhZXpzZDkiIHRpbWVzdGFtcD0iMTM0Nzkw
ODEyNCI+NDQwODwva2V5PjwvZm9yZWlnbi1rZXlzPjxyZWYtdHlwZSBuYW1lPSJKb3VybmFsIEFy
dGljbGUiPjE3PC9yZWYtdHlwZT48Y29udHJpYnV0b3JzPjxhdXRob3JzPjxhdXRob3I+SmFydmVu
cGFhLCBTaXJra2EgTC48L2F1dGhvcj48L2F1dGhvcnM+PC9jb250cmlidXRvcnM+PHRpdGxlcz48
dGl0bGU+VGhlIEVmZmVjdCBvZiBUYXNrIERlbWFuZHMgYW5kIEdyYXBoaWNhbCBGb3JtYXQgb24g
SW5mb3JtYXRpb24gUHJvY2Vzc2luZyBTdHJhdGVnaWVzPC90aXRsZT48c2Vjb25kYXJ5LXRpdGxl
Pk1hbmFnZW1lbnQgU2NpZW5jZTwvc2Vjb25kYXJ5LXRpdGxlPjwvdGl0bGVzPjxwZXJpb2RpY2Fs
PjxmdWxsLXRpdGxlPk1hbmFnZW1lbnQgU2NpZW5jZTwvZnVsbC10aXRsZT48YWJici0xPk1hbmFn
ZS4gU2NpLjwvYWJici0xPjwvcGVyaW9kaWNhbD48cGFnZXM+Mjg1LTMwMzwvcGFnZXM+PHZvbHVt
ZT4zNTwvdm9sdW1lPjxudW1iZXI+MzwvbnVtYmVyPjxkYXRlcz48eWVhcj4xOTg5PC95ZWFyPjwv
ZGF0ZXM+PHB1Ymxpc2hlcj5JTkZPUk1TPC9wdWJsaXNoZXI+PGlzYm4+MDAyNTE5MDk8L2lzYm4+
PHVybHM+PHJlbGF0ZWQtdXJscz48dXJsPmh0dHA6Ly93d3cuanN0b3Iub3JnL3N0YWJsZS8yNjMx
OTczPC91cmw+PC9yZWxhdGVkLXVybHM+PC91cmxzPjwvcmVjb3JkPjwvQ2l0ZT48Q2l0ZT48QXV0
aG9yPkphcnZlbnBhYTwvQXV0aG9yPjxZZWFyPjE5ODg8L1llYXI+PFJlY051bT4xMDQ2PC9SZWNO
dW0+PHJlY29yZD48cmVjLW51bWJlcj4xMDQ2PC9yZWMtbnVtYmVyPjxmb3JlaWduLWtleXM+PGtl
eSBhcHA9IkVOIiBkYi1pZD0ieHIwczBzcDB2cnBlNXplNXRldHh2d3ducDV4ZDlhYWV6c2Q5IiB0
aW1lc3RhbXA9IjEyNzEwOTcxOTUiPjEwNDY8L2tleT48a2V5IGFwcD0iRU5XZWIiIGRiLWlkPSJV
QkxMaVFydHFnZ0FBRHZVdlNjIj42MTE8L2tleT48L2ZvcmVpZ24ta2V5cz48cmVmLXR5cGUgbmFt
ZT0iSm91cm5hbCBBcnRpY2xlIj4xNzwvcmVmLXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9ycz48
YXV0aG9yPlMuIEwuIEphcnZlbnBhYTwvYXV0aG9yPjxhdXRob3I+Ry5XLiBEaWNrc29uPC9hdXRo
b3I+PC9hdXRob3JzPjwvY29udHJpYnV0b3JzPjx0aXRsZXM+PHRpdGxlPkdyYXBoaWNzIGFuZCBN
YW5hZ2VyaWFsIERlY2lzaW9uIE1ha2luZzogUmVzZWFyY2ggQmFzZWQgR3VpZGxpbmVzPC90aXRs
ZT48c2Vjb25kYXJ5LXRpdGxlPkNvbW11bmljYXRpb25zIG9mIHRoZSBBQ008L3NlY29uZGFyeS10
aXRsZT48L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVsbC10aXRsZT5Db21tdW5pY2F0aW9ucyBvZiB0
aGUgQUNNPC9mdWxsLXRpdGxlPjwvcGVyaW9kaWNhbD48cGFnZXM+NzY0LTc3NDwvcGFnZXM+PHZv
bHVtZT4zMTwvdm9sdW1lPjxudW1iZXI+NjwvbnVtYmVyPjxkYXRlcz48eWVhcj4xOTg4PC95ZWFy
PjwvZGF0ZXM+PHVybHM+PC91cmxzPjwvcmVjb3JkPjwvQ2l0ZT48Q2l0ZT48QXV0aG9yPlNwZWll
cjwvQXV0aG9yPjxZZWFyPjIwMDY8L1llYXI+PFJlY051bT40Mzk3PC9SZWNOdW0+PHJlY29yZD48
cmVjLW51bWJlcj40Mzk3PC9yZWMtbnVtYmVyPjxmb3JlaWduLWtleXM+PGtleSBhcHA9IkVOIiBk
Yi1pZD0ieHIwczBzcDB2cnBlNXplNXRldHh2d3ducDV4ZDlhYWV6c2Q5IiB0aW1lc3RhbXA9IjEz
NDc0NjkyOTEiPjQzOTc8L2tleT48L2ZvcmVpZ24ta2V5cz48cmVmLXR5cGUgbmFtZT0iSm91cm5h
bCBBcnRpY2xlIj4xNzwvcmVmLXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9ycz48YXV0aG9yPlNw
ZWllciwgQ2hlcmk8L2F1dGhvcj48L2F1dGhvcnM+PC9jb250cmlidXRvcnM+PHRpdGxlcz48dGl0
bGU+VGhlIGluZmx1ZW5jZSBvZiBpbmZvcm1hdGlvbiBwcmVzZW50YXRpb24gZm9ybWF0cyBvbiBj
b21wbGV4IHRhc2sgZGVjaXNpb24tbWFraW5nIHBlcmZvcm1hbmNlPC90aXRsZT48c2Vjb25kYXJ5
LXRpdGxlPkludGVybmF0aW9uYWwgSm91cm5hbCBvZiBIdW1hbi1Db21wdXRlciBTdHVkaWVzPC9z
ZWNvbmRhcnktdGl0bGU+PC90aXRsZXM+PHBlcmlvZGljYWw+PGZ1bGwtdGl0bGU+SW50ZXJuYXRp
b25hbCBKb3VybmFsIG9mIEh1bWFuLUNvbXB1dGVyIFN0dWRpZXM8L2Z1bGwtdGl0bGU+PC9wZXJp
b2RpY2FsPjxwYWdlcz4xMTE1LTExMzE8L3BhZ2VzPjx2b2x1bWU+NjQ8L3ZvbHVtZT48bnVtYmVy
PjExPC9udW1iZXI+PGtleXdvcmRzPjxrZXl3b3JkPkNvbXBsZXggdGFzazwva2V5d29yZD48a2V5
d29yZD5EZWNpc2lvbi1tYWtpbmc8L2tleXdvcmQ+PGtleXdvcmQ+SW5mb3JtYXRpb24gcHJlc2Vu
dGF0aW9uPC9rZXl3b3JkPjwva2V5d29yZHM+PGRhdGVzPjx5ZWFyPjIwMDY8L3llYXI+PHB1Yi1k
YXRlcz48ZGF0ZT4xMS8vPC9kYXRlPjwvcHViLWRhdGVzPjwvZGF0ZXM+PGlzYm4+MTA3MS01ODE5
PC9pc2JuPjx1cmxzPjxyZWxhdGVkLXVybHM+PHVybD5odHRwOi8vd3d3LnNjaWVuY2VkaXJlY3Qu
Y29tL3NjaWVuY2UvYXJ0aWNsZS9waWkvUzEwNzE1ODE5MDYwMDEwNDI8L3VybD48L3JlbGF0ZWQt
dXJscz48L3VybHM+PGVsZWN0cm9uaWMtcmVzb3VyY2UtbnVtPjEwLjEwMTYvai5pamhjcy4yMDA2
LjA2LjAwNzwvZWxlY3Ryb25pYy1yZXNvdXJjZS1udW0+PC9yZWNvcmQ+PC9DaXRlPjwvRW5kTm90
ZT4A
ADDIN EN.CITE PEVuZE5vdGU+PENpdGU+PEF1dGhvcj5KYXJ2ZW5wYWE8L0F1dGhvcj48WWVhcj4xOTg5PC9ZZWFy
PjxSZWNOdW0+NDQwODwvUmVjTnVtPjxEaXNwbGF5VGV4dD4oSmFydmVucGFhIDE5ODk7IEphcnZl
bnBhYSBldCBhbC4gMTk4ODsgU3BlaWVyIDIwMDYpPC9EaXNwbGF5VGV4dD48cmVjb3JkPjxyZWMt
bnVtYmVyPjQ0MDg8L3JlYy1udW1iZXI+PGZvcmVpZ24ta2V5cz48a2V5IGFwcD0iRU4iIGRiLWlk
PSJ4cjBzMHNwMHZycGU1emU1dGV0eHZ3d25wNXhkOWFhZXpzZDkiIHRpbWVzdGFtcD0iMTM0Nzkw
ODEyNCI+NDQwODwva2V5PjwvZm9yZWlnbi1rZXlzPjxyZWYtdHlwZSBuYW1lPSJKb3VybmFsIEFy
dGljbGUiPjE3PC9yZWYtdHlwZT48Y29udHJpYnV0b3JzPjxhdXRob3JzPjxhdXRob3I+SmFydmVu
cGFhLCBTaXJra2EgTC48L2F1dGhvcj48L2F1dGhvcnM+PC9jb250cmlidXRvcnM+PHRpdGxlcz48
dGl0bGU+VGhlIEVmZmVjdCBvZiBUYXNrIERlbWFuZHMgYW5kIEdyYXBoaWNhbCBGb3JtYXQgb24g
SW5mb3JtYXRpb24gUHJvY2Vzc2luZyBTdHJhdGVnaWVzPC90aXRsZT48c2Vjb25kYXJ5LXRpdGxl
Pk1hbmFnZW1lbnQgU2NpZW5jZTwvc2Vjb25kYXJ5LXRpdGxlPjwvdGl0bGVzPjxwZXJpb2RpY2Fs
PjxmdWxsLXRpdGxlPk1hbmFnZW1lbnQgU2NpZW5jZTwvZnVsbC10aXRsZT48YWJici0xPk1hbmFn
ZS4gU2NpLjwvYWJici0xPjwvcGVyaW9kaWNhbD48cGFnZXM+Mjg1LTMwMzwvcGFnZXM+PHZvbHVt
ZT4zNTwvdm9sdW1lPjxudW1iZXI+MzwvbnVtYmVyPjxkYXRlcz48eWVhcj4xOTg5PC95ZWFyPjwv
ZGF0ZXM+PHB1Ymxpc2hlcj5JTkZPUk1TPC9wdWJsaXNoZXI+PGlzYm4+MDAyNTE5MDk8L2lzYm4+
PHVybHM+PHJlbGF0ZWQtdXJscz48dXJsPmh0dHA6Ly93d3cuanN0b3Iub3JnL3N0YWJsZS8yNjMx
OTczPC91cmw+PC9yZWxhdGVkLXVybHM+PC91cmxzPjwvcmVjb3JkPjwvQ2l0ZT48Q2l0ZT48QXV0
aG9yPkphcnZlbnBhYTwvQXV0aG9yPjxZZWFyPjE5ODg8L1llYXI+PFJlY051bT4xMDQ2PC9SZWNO
dW0+PHJlY29yZD48cmVjLW51bWJlcj4xMDQ2PC9yZWMtbnVtYmVyPjxmb3JlaWduLWtleXM+PGtl
eSBhcHA9IkVOIiBkYi1pZD0ieHIwczBzcDB2cnBlNXplNXRldHh2d3ducDV4ZDlhYWV6c2Q5IiB0
aW1lc3RhbXA9IjEyNzEwOTcxOTUiPjEwNDY8L2tleT48a2V5IGFwcD0iRU5XZWIiIGRiLWlkPSJV
QkxMaVFydHFnZ0FBRHZVdlNjIj42MTE8L2tleT48L2ZvcmVpZ24ta2V5cz48cmVmLXR5cGUgbmFt
ZT0iSm91cm5hbCBBcnRpY2xlIj4xNzwvcmVmLXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9ycz48
YXV0aG9yPlMuIEwuIEphcnZlbnBhYTwvYXV0aG9yPjxhdXRob3I+Ry5XLiBEaWNrc29uPC9hdXRo
b3I+PC9hdXRob3JzPjwvY29udHJpYnV0b3JzPjx0aXRsZXM+PHRpdGxlPkdyYXBoaWNzIGFuZCBN
YW5hZ2VyaWFsIERlY2lzaW9uIE1ha2luZzogUmVzZWFyY2ggQmFzZWQgR3VpZGxpbmVzPC90aXRs
ZT48c2Vjb25kYXJ5LXRpdGxlPkNvbW11bmljYXRpb25zIG9mIHRoZSBBQ008L3NlY29uZGFyeS10
aXRsZT48L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVsbC10aXRsZT5Db21tdW5pY2F0aW9ucyBvZiB0
aGUgQUNNPC9mdWxsLXRpdGxlPjwvcGVyaW9kaWNhbD48cGFnZXM+NzY0LTc3NDwvcGFnZXM+PHZv
bHVtZT4zMTwvdm9sdW1lPjxudW1iZXI+NjwvbnVtYmVyPjxkYXRlcz48eWVhcj4xOTg4PC95ZWFy
PjwvZGF0ZXM+PHVybHM+PC91cmxzPjwvcmVjb3JkPjwvQ2l0ZT48Q2l0ZT48QXV0aG9yPlNwZWll
cjwvQXV0aG9yPjxZZWFyPjIwMDY8L1llYXI+PFJlY051bT40Mzk3PC9SZWNOdW0+PHJlY29yZD48
cmVjLW51bWJlcj40Mzk3PC9yZWMtbnVtYmVyPjxmb3JlaWduLWtleXM+PGtleSBhcHA9IkVOIiBk
Yi1pZD0ieHIwczBzcDB2cnBlNXplNXRldHh2d3ducDV4ZDlhYWV6c2Q5IiB0aW1lc3RhbXA9IjEz
NDc0NjkyOTEiPjQzOTc8L2tleT48L2ZvcmVpZ24ta2V5cz48cmVmLXR5cGUgbmFtZT0iSm91cm5h
bCBBcnRpY2xlIj4xNzwvcmVmLXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9ycz48YXV0aG9yPlNw
ZWllciwgQ2hlcmk8L2F1dGhvcj48L2F1dGhvcnM+PC9jb250cmlidXRvcnM+PHRpdGxlcz48dGl0
bGU+VGhlIGluZmx1ZW5jZSBvZiBpbmZvcm1hdGlvbiBwcmVzZW50YXRpb24gZm9ybWF0cyBvbiBj
b21wbGV4IHRhc2sgZGVjaXNpb24tbWFraW5nIHBlcmZvcm1hbmNlPC90aXRsZT48c2Vjb25kYXJ5
LXRpdGxlPkludGVybmF0aW9uYWwgSm91cm5hbCBvZiBIdW1hbi1Db21wdXRlciBTdHVkaWVzPC9z
ZWNvbmRhcnktdGl0bGU+PC90aXRsZXM+PHBlcmlvZGljYWw+PGZ1bGwtdGl0bGU+SW50ZXJuYXRp
b25hbCBKb3VybmFsIG9mIEh1bWFuLUNvbXB1dGVyIFN0dWRpZXM8L2Z1bGwtdGl0bGU+PC9wZXJp
b2RpY2FsPjxwYWdlcz4xMTE1LTExMzE8L3BhZ2VzPjx2b2x1bWU+NjQ8L3ZvbHVtZT48bnVtYmVy
PjExPC9udW1iZXI+PGtleXdvcmRzPjxrZXl3b3JkPkNvbXBsZXggdGFzazwva2V5d29yZD48a2V5
d29yZD5EZWNpc2lvbi1tYWtpbmc8L2tleXdvcmQ+PGtleXdvcmQ+SW5mb3JtYXRpb24gcHJlc2Vu
dGF0aW9uPC9rZXl3b3JkPjwva2V5d29yZHM+PGRhdGVzPjx5ZWFyPjIwMDY8L3llYXI+PHB1Yi1k
YXRlcz48ZGF0ZT4xMS8vPC9kYXRlPjwvcHViLWRhdGVzPjwvZGF0ZXM+PGlzYm4+MTA3MS01ODE5
PC9pc2JuPjx1cmxzPjxyZWxhdGVkLXVybHM+PHVybD5odHRwOi8vd3d3LnNjaWVuY2VkaXJlY3Qu
Y29tL3NjaWVuY2UvYXJ0aWNsZS9waWkvUzEwNzE1ODE5MDYwMDEwNDI8L3VybD48L3JlbGF0ZWQt
dXJscz48L3VybHM+PGVsZWN0cm9uaWMtcmVzb3VyY2UtbnVtPjEwLjEwMTYvai5pamhjcy4yMDA2
LjA2LjAwNzwvZWxlY3Ryb25pYy1yZXNvdXJjZS1udW0+PC9yZWNvcmQ+PC9DaXRlPjwvRW5kTm90
ZT4A
ADDIN EN.CITE.DATA (Jarvenpaa 1989; Jarvenpaa et al. 1988; Speier 2006). Better cognitive fit between a graphical representation and the task has been the explanation offered for the improvement in performance PEVuZE5vdGU+PENpdGU+PEF1dGhvcj5EZW5uaXM8L0F1dGhvcj48WWVhcj4xOTk4PC9ZZWFyPjxS
ZWNOdW0+NDM5OTwvUmVjTnVtPjxEaXNwbGF5VGV4dD4oRGVubmlzIGV0IGFsLiAxOTk4OyBWZXNz
ZXkgZXQgYWwuIDE5OTEpPC9EaXNwbGF5VGV4dD48cmVjb3JkPjxyZWMtbnVtYmVyPjQzOTk8L3Jl
Yy1udW1iZXI+PGZvcmVpZ24ta2V5cz48a2V5IGFwcD0iRU4iIGRiLWlkPSJ4cjBzMHNwMHZycGU1
emU1dGV0eHZ3d25wNXhkOWFhZXpzZDkiIHRpbWVzdGFtcD0iMTM0NzQ2OTQxMSI+NDM5OTwva2V5
PjwvZm9yZWlnbi1rZXlzPjxyZWYtdHlwZSBuYW1lPSJKb3VybmFsIEFydGljbGUiPjE3PC9yZWYt
dHlwZT48Y29udHJpYnV0b3JzPjxhdXRob3JzPjxhdXRob3I+RGVubmlzLCBBbGFuIFIuPC9hdXRo
b3I+PGF1dGhvcj5DYXJ0ZSwgVHJhY2kgQS48L2F1dGhvcj48L2F1dGhvcnM+PC9jb250cmlidXRv
cnM+PHRpdGxlcz48dGl0bGU+VXNpbmcgR2VvZ3JhcGhpY2FsIEluZm9ybWF0aW9uIFN5c3RlbXMg
Zm9yIERlY2lzaW9uIE1ha2luZzogRXh0ZW5kaW5nIENvZ25pdGl2ZSBGaXQgVGhlb3J5IHRvIE1h
cC1CYXNlZCBQcmVzZW50YXRpb25zPC90aXRsZT48c2Vjb25kYXJ5LXRpdGxlPkluZm9ybWF0aW9u
IFN5c3RlbXMgUmVzZWFyY2g8L3NlY29uZGFyeS10aXRsZT48L3RpdGxlcz48cGVyaW9kaWNhbD48
ZnVsbC10aXRsZT5JbmZvcm1hdGlvbiBTeXN0ZW1zIFJlc2VhcmNoPC9mdWxsLXRpdGxlPjwvcGVy
aW9kaWNhbD48cGFnZXM+MTk0LTIwMzwvcGFnZXM+PHZvbHVtZT45PC92b2x1bWU+PG51bWJlcj4y
PC9udW1iZXI+PGtleXdvcmRzPjxrZXl3b3JkPklORk9STUFUSU9OIHJlc291cmNlczwva2V5d29y
ZD48a2V5d29yZD5QUk9CTEVNIHNvbHZpbmc8L2tleXdvcmQ+PGtleXdvcmQ+REVDSVNJT04gdGhl
b3J5PC9rZXl3b3JkPjxrZXl3b3JkPkRFQ0lTSU9OIG1ha2luZzwva2V5d29yZD48a2V5d29yZD5J
TkZPUk1BVElPTiBzdG9yYWdlICZhbXA7IHJldHJpZXZhbCBzeXN0ZW1zPC9rZXl3b3JkPjxrZXl3
b3JkPkdFT0dSQVBISUMgaW5mb3JtYXRpb24gc3lzdGVtczwva2V5d29yZD48a2V5d29yZD5Db2du
aXRpdmUgRml0PC9rZXl3b3JkPjxrZXl3b3JkPkdlb2dyYXBoaWNhbCBJbmZvcm1hdGlvbiBTeXN0
ZW1zPC9rZXl3b3JkPjxrZXl3b3JkPkdyYXBoaWNzPC9rZXl3b3JkPjxrZXl3b3JkPk1hcHM8L2tl
eXdvcmQ+PC9rZXl3b3Jkcz48ZGF0ZXM+PHllYXI+MTk5ODwveWVhcj48L2RhdGVzPjxwdWJsaXNo
ZXI+SU5GT1JNUzogSW5zdGl0dXRlIGZvciBPcGVyYXRpb25zIFJlc2VhcmNoPC9wdWJsaXNoZXI+
PGlzYm4+MTA0NzcwNDc8L2lzYm4+PGFjY2Vzc2lvbi1udW0+OTE1MjU5PC9hY2Nlc3Npb24tbnVt
Pjx3b3JrLXR5cGU+QXJ0aWNsZTwvd29yay10eXBlPjx1cmxzPjxyZWxhdGVkLXVybHM+PHVybD5o
dHRwOi8vc2lsay5saWJyYXJ5LnVtYXNzLmVkdS9sb2dpbj91cmw9aHR0cDovL3NlYXJjaC5lYnNj
b2hvc3QuY29tL2xvZ2luLmFzcHg/ZGlyZWN0PXRydWUmYW1wO2RiPWJ1aCZhbXA7QU49OTE1MjU5
JmFtcDtzaXRlPWVob3N0LWxpdmUmYW1wO3Njb3BlPXNpdGU8L3VybD48L3JlbGF0ZWQtdXJscz48
L3VybHM+PHJlbW90ZS1kYXRhYmFzZS1uYW1lPmJ1aDwvcmVtb3RlLWRhdGFiYXNlLW5hbWU+PHJl
bW90ZS1kYXRhYmFzZS1wcm92aWRlcj5FQlNDT2hvc3Q8L3JlbW90ZS1kYXRhYmFzZS1wcm92aWRl
cj48L3JlY29yZD48L0NpdGU+PENpdGU+PEF1dGhvcj5WZXNzZXk8L0F1dGhvcj48WWVhcj4xOTkx
PC9ZZWFyPjxSZWNOdW0+OTkzPC9SZWNOdW0+PHJlY29yZD48cmVjLW51bWJlcj45OTM8L3JlYy1u
dW1iZXI+PGZvcmVpZ24ta2V5cz48a2V5IGFwcD0iRU4iIGRiLWlkPSJ4cjBzMHNwMHZycGU1emU1
dGV0eHZ3d25wNXhkOWFhZXpzZDkiIHRpbWVzdGFtcD0iMTI3MTA5NzE4NiI+OTkzPC9rZXk+PGtl
eSBhcHA9IkVOV2ViIiBkYi1pZD0iVUJMTGlRcnRxZ2dBQUR2VXZTYyI+NTc1PC9rZXk+PC9mb3Jl
aWduLWtleXM+PHJlZi10eXBlIG5hbWU9IkpvdXJuYWwgQXJ0aWNsZSI+MTc8L3JlZi10eXBlPjxj
b250cmlidXRvcnM+PGF1dGhvcnM+PGF1dGhvcj5JcmlzIFZlc3NleTwvYXV0aG9yPjxhdXRob3I+
RGVubmlzIEdhbGxldHRhPC9hdXRob3I+PC9hdXRob3JzPjwvY29udHJpYnV0b3JzPjx0aXRsZXM+
PHRpdGxlPkNvZ25pdGl2ZSBGaXQ6IEFuIEVtcGlyaWNhbCBTdHVkeSBvZiBJbmZvcm1hdGlvbiBB
Y3F1aXNpdGlvbjwvdGl0bGU+PHNlY29uZGFyeS10aXRsZT5JbmZvcm1hdGlvbiBTeXN0ZW1zIFJl
c2VhcmNoPC9zZWNvbmRhcnktdGl0bGU+PC90aXRsZXM+PHBlcmlvZGljYWw+PGZ1bGwtdGl0bGU+
SW5mb3JtYXRpb24gU3lzdGVtcyBSZXNlYXJjaDwvZnVsbC10aXRsZT48L3BlcmlvZGljYWw+PHBh
Z2VzPjYzLTg0PC9wYWdlcz48dm9sdW1lPjI8L3ZvbHVtZT48bnVtYmVyPjE8L251bWJlcj48ZGF0
ZXM+PHllYXI+MTk5MTwveWVhcj48L2RhdGVzPjx1cmxzPjwvdXJscz48L3JlY29yZD48L0NpdGU+
PC9FbmROb3RlPn==
ADDIN EN.CITE PEVuZE5vdGU+PENpdGU+PEF1dGhvcj5EZW5uaXM8L0F1dGhvcj48WWVhcj4xOTk4PC9ZZWFyPjxS
ZWNOdW0+NDM5OTwvUmVjTnVtPjxEaXNwbGF5VGV4dD4oRGVubmlzIGV0IGFsLiAxOTk4OyBWZXNz
ZXkgZXQgYWwuIDE5OTEpPC9EaXNwbGF5VGV4dD48cmVjb3JkPjxyZWMtbnVtYmVyPjQzOTk8L3Jl
Yy1udW1iZXI+PGZvcmVpZ24ta2V5cz48a2V5IGFwcD0iRU4iIGRiLWlkPSJ4cjBzMHNwMHZycGU1
emU1dGV0eHZ3d25wNXhkOWFhZXpzZDkiIHRpbWVzdGFtcD0iMTM0NzQ2OTQxMSI+NDM5OTwva2V5
PjwvZm9yZWlnbi1rZXlzPjxyZWYtdHlwZSBuYW1lPSJKb3VybmFsIEFydGljbGUiPjE3PC9yZWYt
dHlwZT48Y29udHJpYnV0b3JzPjxhdXRob3JzPjxhdXRob3I+RGVubmlzLCBBbGFuIFIuPC9hdXRo
b3I+PGF1dGhvcj5DYXJ0ZSwgVHJhY2kgQS48L2F1dGhvcj48L2F1dGhvcnM+PC9jb250cmlidXRv
cnM+PHRpdGxlcz48dGl0bGU+VXNpbmcgR2VvZ3JhcGhpY2FsIEluZm9ybWF0aW9uIFN5c3RlbXMg
Zm9yIERlY2lzaW9uIE1ha2luZzogRXh0ZW5kaW5nIENvZ25pdGl2ZSBGaXQgVGhlb3J5IHRvIE1h
cC1CYXNlZCBQcmVzZW50YXRpb25zPC90aXRsZT48c2Vjb25kYXJ5LXRpdGxlPkluZm9ybWF0aW9u
IFN5c3RlbXMgUmVzZWFyY2g8L3NlY29uZGFyeS10aXRsZT48L3RpdGxlcz48cGVyaW9kaWNhbD48
ZnVsbC10aXRsZT5JbmZvcm1hdGlvbiBTeXN0ZW1zIFJlc2VhcmNoPC9mdWxsLXRpdGxlPjwvcGVy
aW9kaWNhbD48cGFnZXM+MTk0LTIwMzwvcGFnZXM+PHZvbHVtZT45PC92b2x1bWU+PG51bWJlcj4y
PC9udW1iZXI+PGtleXdvcmRzPjxrZXl3b3JkPklORk9STUFUSU9OIHJlc291cmNlczwva2V5d29y
ZD48a2V5d29yZD5QUk9CTEVNIHNvbHZpbmc8L2tleXdvcmQ+PGtleXdvcmQ+REVDSVNJT04gdGhl
b3J5PC9rZXl3b3JkPjxrZXl3b3JkPkRFQ0lTSU9OIG1ha2luZzwva2V5d29yZD48a2V5d29yZD5J
TkZPUk1BVElPTiBzdG9yYWdlICZhbXA7IHJldHJpZXZhbCBzeXN0ZW1zPC9rZXl3b3JkPjxrZXl3
b3JkPkdFT0dSQVBISUMgaW5mb3JtYXRpb24gc3lzdGVtczwva2V5d29yZD48a2V5d29yZD5Db2du
aXRpdmUgRml0PC9rZXl3b3JkPjxrZXl3b3JkPkdlb2dyYXBoaWNhbCBJbmZvcm1hdGlvbiBTeXN0
ZW1zPC9rZXl3b3JkPjxrZXl3b3JkPkdyYXBoaWNzPC9rZXl3b3JkPjxrZXl3b3JkPk1hcHM8L2tl
eXdvcmQ+PC9rZXl3b3Jkcz48ZGF0ZXM+PHllYXI+MTk5ODwveWVhcj48L2RhdGVzPjxwdWJsaXNo
ZXI+SU5GT1JNUzogSW5zdGl0dXRlIGZvciBPcGVyYXRpb25zIFJlc2VhcmNoPC9wdWJsaXNoZXI+
PGlzYm4+MTA0NzcwNDc8L2lzYm4+PGFjY2Vzc2lvbi1udW0+OTE1MjU5PC9hY2Nlc3Npb24tbnVt
Pjx3b3JrLXR5cGU+QXJ0aWNsZTwvd29yay10eXBlPjx1cmxzPjxyZWxhdGVkLXVybHM+PHVybD5o
dHRwOi8vc2lsay5saWJyYXJ5LnVtYXNzLmVkdS9sb2dpbj91cmw9aHR0cDovL3NlYXJjaC5lYnNj
b2hvc3QuY29tL2xvZ2luLmFzcHg/ZGlyZWN0PXRydWUmYW1wO2RiPWJ1aCZhbXA7QU49OTE1MjU5
JmFtcDtzaXRlPWVob3N0LWxpdmUmYW1wO3Njb3BlPXNpdGU8L3VybD48L3JlbGF0ZWQtdXJscz48
L3VybHM+PHJlbW90ZS1kYXRhYmFzZS1uYW1lPmJ1aDwvcmVtb3RlLWRhdGFiYXNlLW5hbWU+PHJl
bW90ZS1kYXRhYmFzZS1wcm92aWRlcj5FQlNDT2hvc3Q8L3JlbW90ZS1kYXRhYmFzZS1wcm92aWRl
cj48L3JlY29yZD48L0NpdGU+PENpdGU+PEF1dGhvcj5WZXNzZXk8L0F1dGhvcj48WWVhcj4xOTkx
PC9ZZWFyPjxSZWNOdW0+OTkzPC9SZWNOdW0+PHJlY29yZD48cmVjLW51bWJlcj45OTM8L3JlYy1u
dW1iZXI+PGZvcmVpZ24ta2V5cz48a2V5IGFwcD0iRU4iIGRiLWlkPSJ4cjBzMHNwMHZycGU1emU1
dGV0eHZ3d25wNXhkOWFhZXpzZDkiIHRpbWVzdGFtcD0iMTI3MTA5NzE4NiI+OTkzPC9rZXk+PGtl
eSBhcHA9IkVOV2ViIiBkYi1pZD0iVUJMTGlRcnRxZ2dBQUR2VXZTYyI+NTc1PC9rZXk+PC9mb3Jl
aWduLWtleXM+PHJlZi10eXBlIG5hbWU9IkpvdXJuYWwgQXJ0aWNsZSI+MTc8L3JlZi10eXBlPjxj
b250cmlidXRvcnM+PGF1dGhvcnM+PGF1dGhvcj5JcmlzIFZlc3NleTwvYXV0aG9yPjxhdXRob3I+
RGVubmlzIEdhbGxldHRhPC9hdXRob3I+PC9hdXRob3JzPjwvY29udHJpYnV0b3JzPjx0aXRsZXM+
PHRpdGxlPkNvZ25pdGl2ZSBGaXQ6IEFuIEVtcGlyaWNhbCBTdHVkeSBvZiBJbmZvcm1hdGlvbiBB
Y3F1aXNpdGlvbjwvdGl0bGU+PHNlY29uZGFyeS10aXRsZT5JbmZvcm1hdGlvbiBTeXN0ZW1zIFJl
c2VhcmNoPC9zZWNvbmRhcnktdGl0bGU+PC90aXRsZXM+PHBlcmlvZGljYWw+PGZ1bGwtdGl0bGU+
SW5mb3JtYXRpb24gU3lzdGVtcyBSZXNlYXJjaDwvZnVsbC10aXRsZT48L3BlcmlvZGljYWw+PHBh
Z2VzPjYzLTg0PC9wYWdlcz48dm9sdW1lPjI8L3ZvbHVtZT48bnVtYmVyPjE8L251bWJlcj48ZGF0
ZXM+PHllYXI+MTk5MTwveWVhcj48L2RhdGVzPjx1cmxzPjwvdXJscz48L3JlY29yZD48L0NpdGU+
PC9FbmROb3RlPn==
ADDIN EN.CITE.DATA (Dennis et al. 1998; Vessey et al. 1991). Cognitive fit theory suggests that as a task increases in complexity, a user will rely more on and retain more information that is presented graphically ADDIN EN.CITE <EndNote><Cite><Author>Speier</Author><Year>2006</Year><RecNum>4397</RecNum><DisplayText>(Speier 2006)</DisplayText><record><rec-number>4397</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1347469291">4397</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Speier, Cheri</author></authors></contributors><titles><title>The influence of information presentation formats on complex task decision-making performance</title><secondary-title>International Journal of Human-Computer Studies</secondary-title></titles><periodical><full-title>International Journal of Human-Computer Studies</full-title></periodical><pages>1115-1131</pages><volume>64</volume><number>11</number><keywords><keyword>Complex task</keyword><keyword>Decision-making</keyword><keyword>Information presentation</keyword></keywords><dates><year>2006</year><pub-dates><date>11//</date></pub-dates></dates><isbn>1071-5819</isbn><urls><related-urls><url>;(Speier 2006). In addition to work building on cognitive fit, social learning theory ADDIN EN.CITE <EndNote><Cite><Author>Mayer</Author><Year>2001</Year><RecNum>4710</RecNum><DisplayText>(Mayer 2001)</DisplayText><record><rec-number>4710</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184949">4710</key></foreign-keys><ref-type name="Book">6</ref-type><contributors><authors><author>Mayer, R. E.</author></authors></contributors><titles><title>Multimedia Learning</title></titles><dates><year>2001</year></dates><pub-location>Cambridge</pub-location><publisher>Cambridge University Press</publisher><urls></urls></record></Cite></EndNote>(Mayer 2001) also predicts that instruction utilizing a graphics-based presentation format will be more effective because learners are more motivated to learn and the content is more memorable. Recent research in security and phishing training that builds on social learning ADDIN EN.CITE <EndNote><Cite><Author>Kumaraguru</Author><Year>2010</Year><RecNum>7497</RecNum><Prefix>e.g`, </Prefix><DisplayText>(e.g, Kumaraguru et al. 2010; Srikwan et al. 2008)</DisplayText><record><rec-number>7497</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1329863914">7497</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Kumaraguru, P.</author><author>Sheng, S.</author><author>Acquisti, A.</author><author>Cranor, L.F.</author><author>Hong, J.</author></authors></contributors><titles><title>Teaching johnny not to fall for phish</title><secondary-title>ACM Transactions on Internet Technology (TOIT)</secondary-title></titles><periodical><full-title>ACM Transactions on Internet Technology (TOIT)</full-title></periodical><pages>7</pages><volume>10</volume><number>2</number><dates><year>2010</year></dates><isbn>1533-5399</isbn><urls></urls></record></Cite><Cite><Author>Srikwan</Author><Year>2008</Year><RecNum>4711</RecNum><record><rec-number>4711</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184949">4711</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Srikwan, S.</author><author>Jakobsson, M.</author></authors></contributors><titles><title>Using cartoons to teach internet security</title><secondary-title>Cryptologia</secondary-title></titles><periodical><full-title>Cryptologia</full-title></periodical><pages>137-154</pages><volume>32</volume><number>2</number><dates><year>2008</year></dates><isbn>0161-1194</isbn><urls></urls></record></Cite></EndNote>(e.g, Kumaraguru et al. 2010; Srikwan et al. 2008) has produced promising results in support of using graphics over text-only computer-based training. Therefore, we sought to extend this finding across multiple training approaches (i.e., concrete and abstract) in a more stringent, experimental test.H4: Training presented in a graphics-based format will be more effective in decreasing the likelihood that participants will respond to phishing attacks than training presented in a text-based format.CovariatesIn investigating the effects of training approach and training format on the likelihood that an individual will respond to a phishing attack, it is important to consider several relevant control variables. First, in order to isolate the effect of the abstract training approach and gauge its effectiveness, we captured and controlled for how mindful participants are in general when responding to email. This trait mindfulness scale was developed in accordance with Langer’s conceptualization of mindfulness ADDIN EN.CITE <EndNote><Cite><Author>Langer</Author><Year>1997</Year><RecNum>7555</RecNum><DisplayText>(Langer 1989; Langer 1997)</DisplayText><record><rec-number>7555</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1345745942">7555</key></foreign-keys><ref-type name="Book">6</ref-type><contributors><authors><author>Langer, E.J.</author></authors></contributors><titles><title>The power of mindful learning</title></titles><dates><year>1997</year></dates><pub-location>Reading, MA</pub-location><publisher>Addison-Wesley </publisher><isbn>0201488396</isbn><urls></urls></record></Cite><Cite><Author>Langer</Author><Year>1989</Year><RecNum>7556</RecNum><record><rec-number>7556</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1345746295">7556</key></foreign-keys><ref-type name="Book">6</ref-type><contributors><authors><author>Langer, E.J.</author></authors></contributors><titles><title>Mindfulness</title></titles><dates><year>1989</year></dates><pub-location>Reading, MA</pub-location><publisher>Addison-Wesley</publisher><urls></urls></record></Cite></EndNote>(Langer 1989; Langer 1997), but was specifically oriented to email usage. Trait mindfulness is a second-order factor with subcomponents: 1. alertness to distinctions, 2. orientation in the present, 3. awareness of multiple perspectives, and 4. openness to novelty. Alertness to distinction is the degree to which an email user identifies differences between her email practices and others’ practices. Orientation to the present refers to how individuals understand the context surrounding email usage or the “big picture.” Awareness of multiple perspectives refers to the ability of an individual to scan an environment and identify many points of view about proper email usage. Openness to novelty refers to an email user’s willingness to explore new features across various situations. All of the components are listed in Appendix A. In addition, we captured propensity to trust ADDIN EN.CITE <EndNote><Cite><Author>Pavlou</Author><Year>2004</Year><RecNum>4712</RecNum><DisplayText>(Pavlou et al. 2004)</DisplayText><record><rec-number>4712</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184949">4712</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Pavlou, P. A.</author><author>Gefen, D.</author></authors></contributors><titles><title>Building effective online marketplaces with institution-based trust</title><secondary-title>Information Systems Research</secondary-title></titles><periodical><full-title>Information Systems Research</full-title></periodical><pages>37-59</pages><volume>15</volume><number>1</number><dates><year>2004</year></dates><urls></urls></record></Cite></EndNote>(Pavlou et al. 2004), perceived Internet risk ADDIN EN.CITE <EndNote><Cite><Author>Jarvenpaa</Author><Year>1999</Year><RecNum>4713</RecNum><DisplayText>(Jarvenpaa et al. 1999; Malhotra et al. 2004)</DisplayText><record><rec-number>4713</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184949">4713</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Jarvenpaa, S.L.</author><author>Tractinsky, N.</author><author>Saarinen, L.</author></authors></contributors><titles><title>Consumer trust in an internet store: A cross-cultural validation</title><secondary-title>Journal of Computer‐Mediated Communication</secondary-title></titles><periodical><full-title>Journal of Computer‐Mediated Communication</full-title></periodical><volume>5</volume><number>2</number><dates><year>1999</year></dates><isbn>1083-6101</isbn><urls></urls></record></Cite><Cite><Author>Malhotra</Author><Year>2004</Year><RecNum>7650</RecNum><record><rec-number>7650</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1346782508">7650</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Malhotra, N.K.</author><author>Kim, S.S.</author><author>Agarwal, J.</author></authors></contributors><titles><title>Internet users' information privacy concerns (IUIPC): The construct, the scale, and a causal model</title><secondary-title>Information Systems Research</secondary-title></titles><periodical><full-title>Information Systems Research</full-title></periodical><pages>336-355</pages><volume>15</volume><number>4</number><dates><year>2004</year></dates><urls></urls></record></Cite></EndNote>(Jarvenpaa et al. 1999; Malhotra et al. 2004), and computer self-efficacy ADDIN EN.CITE <EndNote><Cite><Author>Compeau</Author><Year>1995</Year><RecNum>52</RecNum><DisplayText>(Compeau et al. 1995b)</DisplayText><record><rec-number>52</rec-number><foreign-keys><key app="EN" db-id="2epwwvtr1ffvzeeaxsaxftrxsaze5fvpdpx5">52</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Compeau, D. R.</author><author>Higgins, C. A.</author></authors></contributors><titles><title>Computer self-efficacy: Development of a measure and initial test</title><secondary-title>MIS Quarterly</secondary-title></titles><periodical><full-title>MIS Quarterly</full-title></periodical><pages>189-211</pages><volume>19</volume><number>2</number><dates><year>1995</year></dates><isbn>0276-7783</isbn><urls></urls></record></Cite></EndNote>(Compeau et al. 1995b) and self-reported expertise in identifying phishing messages as these variables have been examined in recent phishing research ADDIN EN.CITE <EndNote><Cite><Author>Wright</Author><Year>2010</Year><RecNum>4535</RecNum><Prefix>e.g.`, </Prefix><DisplayText>(e.g., Wright et al. 2010b)</DisplayText><record><rec-number>4535</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1363276543">4535</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Wright, R.T.</author><author>Marett, K.</author></authors></contributors><titles><title>The influence of experiential and dispositional factors in phishing: An empirical investigation of the deceived</title><secondary-title>Journal of Management Information Systems</secondary-title></titles><periodical><full-title>Journal of Management Information Systems</full-title></periodical><pages>273-303</pages><volume>27</volume><number>1</number><dates><year>2010</year></dates><isbn>0742-1222</isbn><urls></urls></record></Cite></EndNote>(e.g., Wright et al. 2010b) and play an important role in training efficacy ADDIN EN.CITE <EndNote><Cite><Author>Yi</Author><Year>2001</Year><RecNum>4696</RecNum><Prefix>e.g.`, </Prefix><DisplayText>(e.g., Yi et al. 2001)</DisplayText><record><rec-number>4696</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184947">4696</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Yi, M. Y.</author><author>Davis, F. D.</author></authors></contributors><titles><title>Improving computer training effectiveness for decision technologies: Behavior modeling and retention enhancement</title><secondary-title>Decision Sciences</secondary-title></titles><periodical><full-title>Decision Sciences</full-title></periodical><pages>521-544</pages><volume>32</volume><number>3</number><dates><year>2001</year></dates><isbn>1540-5915</isbn><urls></urls></record></Cite></EndNote>(e.g., Yi et al. 2001). Finally, since there were several disparities (e.g., age, education level) between groups in the organization we sampled (a university) we controlled for student, staff, and faculty status. MethodOverviewWe conducted a field experiment at a university to test our hypotheses of how training can mitigate the risk posed by phishing messages. In cooperation with university IT professionals, the institutional review board (IRB), and the university administration, we randomly assigned participants to treatment conditions, invited participants to join in anti-phishing training, and then conducted a phishing attack during which participants were directed to visit a fictitious website and entered their university usernames and passwords. Data were gathered by two primary means: 1. an online survey administered following the training and 2. participants’ actions related to the phishing attack. ParticipantsParticipants came from a university located in the United States. A total of 1048 participants were randomly assigned to experimental conditions and were invited to participate in a form of anti-phishing training. A total of 371 responded to the invitation to participate in the training; however, 16 of the participants did not complete the training and were excluded from analysis. This left 355 participants who completed the training to comprise the training sample (a 33.9% completion rate). The status of participants in each sample is reported in REF _Ref292333069 \h \* MERGEFORMAT Table 2. In return for participating in the phishing training, participants were entered into a drawing for an iPad or one of 5 gift cards for $50. Table SEQ Table \* ARABIC 2 – Participants descriptionAgePhishing ExperiencesPhishing Emails Per WeekStatus<2026%Knew someone who fell for an attack.54%None19%Faculty24%21-2929%Never personally fallen for an attack.70%1-559%Staff21%30-3915%Came close to falling for an attack.16%6-1515%Students56%40-4913%Personally fell for an attack.3%> 167%50-5912%Unsure if personally fallen for an attack.11%>605%Stimulus MaterialsTraining ApproachParticipants who underwent training were welcomed to the training by a message from the university CIO, which stressed the importance of the training and thanked them for their participation. Next, participants were told that the university was experiencing an increase in phishing attacks and were shown information about the adverse consequences of responding to a phishing attack (e.g., endangering personal and institutional resources, compromising confidential information). Then, participants were exposed to one of the training programs that were designed to test the competing training approaches: a concrete approach that encourages email users to follow several best practice recommendations for secure email use and an abstract approach that encourages email users to mindfully pause and reflect about the validity of requests they receive through email. These training programs and how they reflect the competing theoretical approaches are discussed in more detail below. Following training, participants were asked to practice identifying phishing emails and were instructed to identify two legitimate and two phishing emails. Correct answers and explanations consistent with the training approach (concrete or abstract) were provided immediately after participants submitted their answers. Training concluded with participants completing a knowledge test based on the specific training program that provided correct answers and explanations after the test was complete.The concrete training content was derived from anti-phishing recommendations found in academic, governmental, non-profit, and corporate sources. We first gathered recommendations for email users as set forth by previous anti-phishing researchers ADDIN EN.CITE <EndNote><Cite><Author>Kumaraguru</Author><Year>2010</Year><RecNum>7497</RecNum><DisplayText>(Kumaraguru et al. 2010)</DisplayText><record><rec-number>7497</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1329863914">7497</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Kumaraguru, P.</author><author>Sheng, S.</author><author>Acquisti, A.</author><author>Cranor, L.F.</author><author>Hong, J.</author></authors></contributors><titles><title>Teaching johnny not to fall for phish</title><secondary-title>ACM Transactions on Internet Technology (TOIT)</secondary-title></titles><periodical><full-title>ACM Transactions on Internet Technology (TOIT)</full-title></periodical><pages>7</pages><volume>10</volume><number>2</number><dates><year>2010</year></dates><isbn>1533-5399</isbn><urls></urls></record></Cite></EndNote>(Kumaraguru et al. 2010). We then reconciled this list with resources provided by the U.S. Federal Trade Commission, the non-profit group , and anti-phishing best practices suggested by an international bank. The combined list of recommendations from these sources was long and in some cases, was customized to specific types of interactions (e.g., online purchases or online banking). Across sources, we identified six consistent recommendations shown in REF _Ref334093612 \h Table 3. As a final check to determine the suitability of these recommendations for a university environment, we presented the recommendations to two independent IT security managers employed at two different universities. The security managers confirmed the recommendations to be highly relevant in a university environment and, if followed, would substantially reduce susceptibility to phishing attacks. Therefore, these six recommendations formed the content for the concrete anti-phishing training. Table 3 –Recommendations for avoiding phishing attacks using the concrete approachRecommendationsNever click on a link or open an attachment in an email from an unknown senderAccess a website by typing the web address yourselfDo not reply to emails asking for private informationReal organizations such as banks or employers will never ask for private information in an emailBe suspicious of a website that asks for private informationLook for cues such as HTTPS in the address bar or a lock icon in your browser to identify a fake websiteThe abstract training was developed using guidance drawn from clinical mindfulness research ADDIN EN.CITE <EndNote><Cite><Author>Langer</Author><Year>1997</Year><RecNum>2346</RecNum><DisplayText>(Langer 1997)</DisplayText><record><rec-number>2346</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1271187576">2346</key><key app="ENWeb" db-id="UBLLiQrtqggAADvUvSc">1133</key></foreign-keys><ref-type name="Book">6</ref-type><contributors><authors><author>Ellen J. Langer</author></authors></contributors><titles><title>The Power of Mindful Learning</title></titles><dates><year>1997</year></dates><pub-location>Reading, MA</pub-location><publisher>Addison-Wesley</publisher><urls></urls></record></Cite></EndNote>(Langer 1997) that focuses on enabling individuals to be aware of their actions and the potential consequences of their actions ADDIN EN.CITE <EndNote><Cite><Author>Langer</Author><Year>1987</Year><RecNum>57</RecNum><DisplayText>(Langer et al. 1987)</DisplayText><record><rec-number>57</rec-number><foreign-keys><key app="EN" db-id="2epwwvtr1ffvzeeaxsaxftrxsaze5fvpdpx5">57</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Langer, E.J.</author><author>Piper, A.</author></authors></contributors><titles><title>The Prevention of Mindlessness</title><secondary-title>Journal of Personality and Social Psychology</secondary-title></titles><periodical><full-title>Journal of Personality and Social Psychology</full-title></periodical><pages>280-287</pages><volume>53</volume><dates><year>1987</year></dates><urls></urls></record></Cite></EndNote>(Langer et al. 1987). In translating these findings to anti-phishing training, we created content to encourage email users to pause and consider their responses to emailed requests. In past mindfulness research ADDIN EN.CITE <EndNote><Cite><Author>Brown</Author><Year>2007</Year><RecNum>7570</RecNum><Prefix>e.g.`, </Prefix><DisplayText>(e.g., Brown et al. 2007)</DisplayText><record><rec-number>7570</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1345748955">7570</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Brown, K. W.</author><author>Ryan, R. M.</author><author>Creswell, J. D.</author></authors></contributors><titles><title>Mindfulness: Theoretical foundations and evidence for its salutary effects</title><secondary-title>Psychological Inquiry</secondary-title></titles><periodical><full-title>Psychological Inquiry</full-title></periodical><pages>211-237</pages><volume>18</volume><number>4</number><dates><year>2007</year></dates><urls></urls></record></Cite></EndNote>(e.g., Brown et al. 2007), reflecting before taking action was shown to predict self-regulation. Therefore, our mindfulness training cautioned email users against quickly responding to email requests and encouraged them to stop, consider what emails ask them to do, and then take appropriate action. Consistent with the hypothesized reasoning for mindfulness training’s effectiveness, it was designed around three key tasks that are easy to remember and apply: 1. Stop! 2. Think… 3. Check. The first step, Stop!, is intended to be a trigger for individuals to pause any time an email contains a request (e.g., download an attachment, click on a link). These requests come with some risk and the Stop! stage encourages individuals to pause to examine these risks and avoid automatic, or routinized replies when email requests are made. The second step, Think…, encourages the individuals to scrutinize actions they are asked to perform and consider the sender’s motivation and context for the request. The questions individuals were instructed to ask themselves while considering the legitimacy of an emailed request are shown in REF _Ref334093836 \h Table 4. These questions were designed to be short and easy to remember, but at the same time promote reflection and receptive attention concerning the emailed request. Finally, individuals were instructed to Check. If, during the process of evaluation, any suspicion was raised, individuals were instructed to check with a trusted third party. In the case of this training program, the local IT help desk was provided as a point of contact that would assist email users in distinguishing legitimate email requests from fraudulent ones. The contents and screen shots for both the situation-specific and mindfulness training approaches are presented in Appendix B.Table 4 – Recommendations for avoiding phishing attacks using the abstract approachRecommendations Stop!Think…Does the request ask for private or proprietary information?Is the request unexpected or rushed?Does the request make sense?Why would the sender need me to do this?Check.To determine if the participants felt the two training approaches were helpful and effective, we examined the results of the phishing identification practice and knowledge test, which was administered as part of the training. Upon completion of the training, we also asked the participants if the training helped them learn how to identify phishing messages. Participants using the concrete approach performed well on the phishing identification practice and knowledge test with average scores of 3.27 (SD = .70) and 3.36 (SD = .80), respectively. They reported that the training was very helpful (M=4.10; SD = .85). Likewise, participants using the abstract approach did well on the phishing identification practice and knowledge test with average scores of 3.18 (SD = .81) and 3.53 (SD = .82), respectively. They also reported the training was very helpful (M=4.18; SD = .76). Independent samples t-tests revealed no differences between the training approaches. These results suggest that subjects felt that the training approaches were equally successful and perceived them as valuable.Training FormatThe method of training delivery was also manipulated such that some participants received training in a text-only format while others received training through a graphics-based format. With the graphics-based format, we attempted to replicate the successful approach taken by other phishing researchers ADDIN EN.CITE <EndNote><Cite><Author>Kumaraguru</Author><Year>2009</Year><RecNum>4714</RecNum><Prefix>e.g.`, </Prefix><DisplayText>(e.g., Kumaraguru et al. 2009; Kumaraguru et al. 2010)</DisplayText><record><rec-number>4714</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184949">4714</key></foreign-keys><ref-type name="Conference Proceedings">10</ref-type><contributors><authors><author>Kumaraguru, P.</author><author>Cranshaw, J.</author><author>Acquisti, A.</author><author>Cranor, L.</author><author>Hong, J.</author><author>Blair, M.A.</author><author>Pham, T.</author></authors></contributors><titles><title>School of phish: A real-world evaluation of anti-phishing training</title><secondary-title>SOUPS '09 Proceedings of the 5th Symposium on Usable Privacy and Security</secondary-title></titles><pages>3</pages><dates><year>2009</year></dates><pub-location>Mountain View, CA</pub-location><publisher>ACM</publisher><isbn>1605587362</isbn><urls></urls></record></Cite><Cite><Author>Kumaraguru</Author><Year>2010</Year><RecNum>7497</RecNum><record><rec-number>7497</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1329863914">7497</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Kumaraguru, P.</author><author>Sheng, S.</author><author>Acquisti, A.</author><author>Cranor, L.F.</author><author>Hong, J.</author></authors></contributors><titles><title>Teaching johnny not to fall for phish</title><secondary-title>ACM Transactions on Internet Technology (TOIT)</secondary-title></titles><periodical><full-title>ACM Transactions on Internet Technology (TOIT)</full-title></periodical><pages>7</pages><volume>10</volume><number>2</number><dates><year>2010</year></dates><isbn>1533-5399</isbn><urls></urls></record></Cite></EndNote>(e.g., Kumaraguru et al. 2009; Kumaraguru et al. 2010) and developed a four panel, comic-strip-like format with three characters (an email user, a mentor, and a phisher) demonstrating how phishing works and how one can avoid phishing attacks. The instructional portion where concrete or abstract training approaches were used was presented in the second panel. The text-only format contained the same content, but only the text was provided to the participants. The formats for the concrete and abstract training approaches are presented in the Appendix B. Phishing EmailIn coordination with the university IT department, we created a legitimate employee email account for a fictitious person. We then spoofed the legitimate account when sending the phishing email, which is a common practice among actual phishers. We created the account for several reasons: first, we wanted to recreate as closely as possible an actual phishing attack and needed a legitimate email address to spoof. Second, we didn’t want to direct backlash for the phishing message at an actual university employee. Finally, we wanted control over the account to monitor correspondence (i.e., verification attempts) from university email users. A total of 19 individuals attempted to contact the fictitious employee to inquire about the phishing email and we did not respond to the inquiries. Four individuals made repeated inquiries.Although email addresses were publically available through the online university directory, we received participants’ university email addresses from the university administration. Further, the IT department agreed not to block the phishing emails or the phishing website. We used customizable mass-emailing software to manage the email distribution and tracked the number of emails that were returned as undeliverable or that bounced because of participants’ email client settings. The mass emailing-software spoofed the email address of the fictitious employee and sent the phishing email to a randomly selected block of university students, staff, and faculty addresses every 10 minutes. It was not feasible to send all emails at once, because doing so would have caused the spam filter to catch the messages.The content of the phishing message was in two conditions: 1. Generic, and 2. Customized. The generic email invited participants to log in to a fictitious web portal that supposedly supplied several services to individuals affiliated with the university and displayed an out of town contact number for the supposed sender. The customized email included the same invitation, but also listed the name of the university several times (sometimes in an abbreviation), the university mascot, displayed a local phone number, and was customized to each recipient based on their role at the university (e.g., student, staff, or faculty). These customizations are consistent with previous phishing experiments executed in higher education environments ADDIN EN.CITE <EndNote><Cite><Author>Wright</Author><Year>2010</Year><RecNum>4703</RecNum><DisplayText>(Wright et al. 2010a; Wright et al. 2010b)</DisplayText><record><rec-number>4703</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184948">4703</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Wright, R.</author><author>Chakraborty, S.</author><author>Basoglu, A.</author><author>Marett, K.</author></authors></contributors><titles><title>Where did they go right? Understanding the deception in phishing communications</title><secondary-title>Group Decision and Negotiation</secondary-title></titles><periodical><full-title>Group Decision and Negotiation</full-title></periodical><pages>391-416</pages><volume>19</volume><number>4</number><dates><year>2010</year></dates><isbn>0926-2644</isbn><urls></urls></record></Cite><Cite><Author>Wright</Author><Year>2010</Year><RecNum>4535</RecNum><record><rec-number>4535</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1363276543">4535</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Wright, R.T.</author><author>Marett, K.</author></authors></contributors><titles><title>The influence of experiential and dispositional factors in phishing: An empirical investigation of the deceived</title><secondary-title>Journal of Management Information Systems</secondary-title></titles><periodical><full-title>Journal of Management Information Systems</full-title></periodical><pages>273-303</pages><volume>27</volume><number>1</number><dates><year>2010</year></dates><isbn>0742-1222</isbn><urls></urls></record></Cite></EndNote>(Wright et al. 2010a; Wright et al. 2010b). Both emails contained a URL to the phishing website in plain text and a URL that contained a tracking number (e.g., ?p1234) that allowed us to track visits to the phishing website in addition to logins. No attempt was made to conceal the URL because it was top level .org domain that contained the acronym for the university. The text of the generic and customized phishing messages is shown in REF _Ref334094720 \h . Phishing WebsiteParticipants who clicked on links in the phishing emails or typed the phishing URL in their browsers were directed to a fictitious website ( REF _Ref334094761 \h Figure 1) that was designed by the research team to mimic legitimate university websites. To preserve privacy, logos and text identifying the university have been redacted from the website. When participants typed their usernames and passwords and clicked the Login button, the password was immediately deleted and was not transmitted or stored by the website. Only usernames were transmitted and recorded by the website. After participants logged in to the fictitious website, they were informed that website content was still being populated and that they should log in at a later date to view the content. Figure 1 – Fraudulent phishing websiteTable SEQ Table \* ARABIC 5 – Generic and customized phishing emailsGeneric Phishing Email Customized Phishing EmailThe university is planning a big upgrade to a new custom web portal. We value your input and invite you to test the new portal out. The new portal will allow you to:? Access all university services online ? Purchase discounted software? See what capital projects the university is working on? Contact colleagues and friends in real-time? And much more…Please go to [Phishing Site] by 5pm on April 26th to register and login to your beta account. You can also access your account directly by going to [Phishing Site with Tracking Numbera]. You may have to copy and paste the URL into your web browser. Sincerely,[Fictitious Employee][Phishing Site] Administrator[Phishing Site] [Out of City Telephone Number]Dear [University Name] Community Member, As a [student, staff, faculty] community member, you are an essential part of the [University Name]. The university is planning a big upgrade to a new custom web portal. We value your input as a [student, staff member, faculty member] and invite you to test the new portal out. The new [University Name] portal will allow you to:? Access all university services online ? Purchase discounted software? See what capital projects the university is working on? Contact colleagues and friends in real-time? And much more…Please go to [Phishing Site] by 5pm on April 26th to register and login to your beta account. You can also access your account directly by going to [Phishing Site with Tracking Numbera]. You may have to copy and paste the URL into your web browser. Go [University Mascot]![Fictitious Employee][Phishing Site] Administrator[Phishing Site] [Local Telephone Number]aThe tracking number (e.g., ?p1234) allowed us to track visits to the phishing website in addition to logins.ProcedureOur experiment adhered to established guidelines for designing ethical phishing experiments ADDIN EN.CITE <EndNote><Cite><Author>Finn</Author><Year>2008</Year><RecNum>821</RecNum><DisplayText>(Finn et al. 2008)</DisplayText><record><rec-number>821</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1271097122">821</key><key app="ENWeb" db-id="UBLLiQrtqggAADvUvSc">487</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Peter Finn</author><author>Markus Jakobsson</author></authors></contributors><titles><title>Designing and conducting phishing experiments</title><secondary-title>IEEE Technology and Society</secondary-title></titles><periodical><full-title>IEEE Technology and Society</full-title></periodical><pages>66-68</pages><volume>6</volume><number>2</number><dates><year>2008</year></dates><urls></urls></record></Cite></EndNote>(Finn et al. 2008) (see Appendix C). We worked closely with the university administration (president’s office, legal counsel), IT department (chief information officer, support staff), and the IRB to minimize risk to the institution and participants and ensure relevant laws were followed. Participants were randomly assigned to training conditions. Random assignment took place within roles so approximately equal groups of students, staff, and faculty were assigned to each condition. Before beginning the training, participants reported their level of expertise in identifying phishing email and were asked for their university username so they would be entered in a drawing for prizes. The participants then completed all sections of the training, then they completed a questionnaire capturing the other covariates (trait mindfulness, propensity to trust, propensity to take risks, computer self-efficacy). Finally, the participants recorded their attitudes about the effectiveness of the training. To maintain proper experimental design, participants in one condition only filled out the covariate survey and did not actually receive the training. This design allowed us to isolate the effect of the training, independent of any priming effects resulting from the survey. The participants who only filled out the covariate survey were told that the IT department was interested in attitudes about phishing and that the survey would help them understand current attitudes about phishing. REF _Ref334094789 \h Table 6 presents the total number of participants in each condition for both the training and no training samples. Table 6 – Assignment of participants to experimental conditionsConditionsGeneric Phishing MessageCustom Phishing MessageSurvey Only3340ConcreteText3440Graphics3342AbstractText4032Graphics2734Ten days following the training, participants were sent phishing emails. Prior to sending emails, we met with employees at the IT help desk to inform them of what we were doing and provide them with a script that they could use when responding to inquiries from email users. The script instructed email users not to respond to the suspicious email, to forward the email to the help desk employees, and to wait while the IT help desk investigated. We did this to mitigate the risk of users receiving actual phishing messages during the course of the experiment and to track the number of inquiries made by the participants. The help desk received 5 emails. Participant usernames were collected for approximately four days before an astute staff member notified the entire campus via email of the phishing attack. This length of time for an active phishing attack is longer than the 62 hours that typical phishing attacks are active ADDIN EN.CITE <EndNote><Cite><Author>Moore</Author><Year>2007</Year><RecNum>7644</RecNum><DisplayText>(Moore et al. 2007)</DisplayText><record><rec-number>7644</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1346284845">7644</key></foreign-keys><ref-type name="Conference Proceedings">10</ref-type><contributors><authors><author>Moore, T.</author><author>Clayton, R.</author></authors></contributors><titles><title>Examining the impact of website take-down on phishing</title><secondary-title>Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit</secondary-title></titles><pages>1-13</pages><dates><year>2007</year></dates><publisher>ACM</publisher><isbn>1595939393</isbn><urls></urls></record></Cite></EndNote>(Moore et al. 2007) and is likely the result of the IT department’s cooperation. After the phishing attack was uncovered, we sent an email to all the participants disclosing our involvement, the purpose of the research, and protections that safeguarded their privacy. We also shared the training programs we developed with all university members. We received only one complaint from a staff member who, after the phishing attack was uncovered, needed to change passwords. Usernames collected during training were then matched with usernames collected by the phishing website by a researcher unaffiliated with the university where the phishing took place. The data were then anonymized and all links to participant identities were destroyed. MeasurementA measurement model was constructed to evaluate our scales’ reliability, convergent and discriminant validities. Consistent with the conceptualization of trait mindfulness as a second-order factor, we followed recommendations provided by Polites et al. ADDIN EN.CITE <EndNote><Cite ExcludeAuth="1"><Author>Polites</Author><Year>2012</Year><RecNum>2719</RecNum><DisplayText>(2012)</DisplayText><record><rec-number>2719</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1298681002">2719</key><key app="ENWeb" db-id="UBLLiQrtqggAADvUvSc">1489</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Greta Polites</author><author>Nick Roberts</author><author>Jason Thatcher</author></authors></contributors><titles><title>Conceptualizing Models Using Multidimensional Constructs: A Conceptual Review and Guidelines for their Use</title><secondary-title>European Journal of Information Systems</secondary-title></titles><periodical><full-title>European Journal of Information Systems</full-title></periodical><pages>22-48</pages><volume>21</volume><number>1</number><dates><year>2012</year></dates><urls></urls></record></Cite></EndNote>(2012) in generating the factor scores. We used the process outlined by Wright et al. ADDIN EN.CITE <EndNote><Cite ExcludeAuth="1"><Author>Wright</Author><Year>2012</Year><RecNum>3337</RecNum><DisplayText>(2012)</DisplayText><record><rec-number>3337</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1338336889">3337</key><key app="ENWeb" db-id="UBLLiQrtqggAADvUvSc">2102</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Wright, R.T.</author><author>Campbell, D.E.</author><author>Thatcher, J.B.</author><author>Roberts, N. </author></authors></contributors><titles><title>Operationalizing Multidimensional Constructs in Structural Equation Modeling: Recommendations for IS Research</title><secondary-title>Communications of the Association for Information Systems</secondary-title></titles><periodical><full-title>Communications of the Association for Information Systems</full-title></periodical><pages>367-412</pages><volume>40</volume><dates><year>2012</year></dates><urls></urls></record></Cite></EndNote>(2012) to construct a second-order confirmatory factor analysis using Mplus 6.1. A reliability analysis was then performed using Cronbach’s alpha and composite reliability scores ADDIN EN.CITE <EndNote><Cite><Author>Gefen</Author><Year>2011</Year><RecNum>2884</RecNum><DisplayText>(Gefen et al. 2011; Werts et al. 1974)</DisplayText><record><rec-number>2884</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1316296937">2884</key><key app="ENWeb" db-id="UBLLiQrtqggAADvUvSc">1649</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Gefen, D</author><author>Straub, Detmar W.</author><author>Rigdon, Edward E.</author></authors></contributors><titles><title>An Update and Extension to SEM Guidelines for Admnistrative and Social Science Research</title><secondary-title>MIS Quarterly</secondary-title></titles><periodical><full-title>MIS Quarterly</full-title></periodical><pages>iii-xiv</pages><volume>35</volume><number>2</number><dates><year>2011</year></dates><urls></urls></record></Cite><Cite><Author>Werts</Author><Year>1974</Year><RecNum>1192</RecNum><record><rec-number>1192</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1271097211">1192</key><key app="ENWeb" db-id="UBLLiQrtqggAADvUvSc">655</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>C. E. Werts</author><author>R. L. Linn</author><author>K. Joreskog</author></authors></contributors><titles><title>Interclass Reliability Estimates: Testing Structural Assumptions</title><secondary-title>Educational and Psychological Measurement</secondary-title></titles><periodical><full-title>Educational and Psychological Measurement</full-title></periodical><pages>25-33</pages><volume>34</volume><number>1</number><dates><year>1974</year></dates><urls></urls></record></Cite></EndNote>(Gefen et al. 2011; Werts et al. 1974). The Cronbach’s alpha scores were all above 0.72 which meet the recommendation that this score be above .70 ADDIN EN.CITE <EndNote><Cite><Author>Hair</Author><Year>1998</Year><RecNum>142</RecNum><DisplayText>(Hair et al. 1998)</DisplayText><record><rec-number>142</rec-number><foreign-keys><key app="EN" db-id="rzdsdaefrztdr0e5a9ip0wvszpeevta25vf2">142</key></foreign-keys><ref-type name="Book">6</ref-type><contributors><authors><author>Hair, J. F., Jr. </author><author>Anderson, R. E.</author><author>Tatham, R. L.</author><author>Black, W. C.</author></authors></contributors><titles><title>Multivariate Data Analysis with Readings</title></titles><edition>5th</edition><dates><year>1998</year></dates><pub-location>Englewood Cliffs, NJ</pub-location><publisher>Prentice Hall</publisher><urls></urls></record></Cite></EndNote>(Hair et al. 1998). Likewise, all composite reliability scores were also greater than the recommended .70 threshold ADDIN EN.CITE <EndNote><Cite><Author>Hair</Author><Year>1998</Year><RecNum>142</RecNum><DisplayText>(Hair et al. 1998)</DisplayText><record><rec-number>142</rec-number><foreign-keys><key app="EN" db-id="rzdsdaefrztdr0e5a9ip0wvszpeevta25vf2">142</key></foreign-keys><ref-type name="Book">6</ref-type><contributors><authors><author>Hair, J. F., Jr. </author><author>Anderson, R. E.</author><author>Tatham, R. L.</author><author>Black, W. C.</author></authors></contributors><titles><title>Multivariate Data Analysis with Readings</title></titles><edition>5th</edition><dates><year>1998</year></dates><pub-location>Englewood Cliffs, NJ</pub-location><publisher>Prentice Hall</publisher><urls></urls></record></Cite></EndNote>(Hair et al. 1998). In the convergent validity tests, all factor loadings indicated compliance with the prescribed criteria of .70 ADDIN EN.CITE <EndNote><Cite><Author>Hair</Author><Year>1998</Year><RecNum>142</RecNum><DisplayText>(Hair et al. 1998; Segars 1997)</DisplayText><record><rec-number>142</rec-number><foreign-keys><key app="EN" db-id="rzdsdaefrztdr0e5a9ip0wvszpeevta25vf2">142</key></foreign-keys><ref-type name="Book">6</ref-type><contributors><authors><author>Hair, J. F., Jr. </author><author>Anderson, R. E.</author><author>Tatham, R. L.</author><author>Black, W. C.</author></authors></contributors><titles><title>Multivariate Data Analysis with Readings</title></titles><edition>5th</edition><dates><year>1998</year></dates><pub-location>Englewood Cliffs, NJ</pub-location><publisher>Prentice Hall</publisher><urls></urls></record></Cite><Cite><Author>Segars</Author><Year>1997</Year><RecNum>2308</RecNum><record><rec-number>2308</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1271097678">2308</key><key app="ENWeb" db-id="UBLLiQrtqggAADvUvSc">1098</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Segars, A.</author></authors></contributors><titles><title>Assessing the Unidimensionality of Measurement: A Paradigm and Illustration Within the Context of Information Systems Research</title><secondary-title>Omega</secondary-title></titles><periodical><full-title>Omega</full-title></periodical><pages>107-121</pages><volume>25</volume><number>1</number><dates><year>1997</year></dates><urls></urls></record></Cite></EndNote>(Hair et al. 1998; Segars 1997). Convergent validity was further tested using the Average Variance Extracted (AVE) for each factor. Prior literature recommends that any factor should have an AVE above .50 ADDIN EN.CITE <EndNote><Cite><Author>Fornell</Author><Year>1981</Year><RecNum>126</RecNum><DisplayText>(Fornell et al. 1981)</DisplayText><record><rec-number>126</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1271096815">126</key><key app="ENWeb" db-id="UBLLiQrtqggAADvUvSc">87</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Fornell, C.</author><author>Larcker, D.F.</author></authors></contributors><titles><title>Evaluating Structural Equations Models with Unobservable Variables and Measurement Error</title><secondary-title>Journal of Marketing Research</secondary-title></titles><periodical><full-title>Journal of Marketing Research</full-title></periodical><pages>39-50</pages><volume>18</volume><number>1</number><dates><year>1981</year></dates><urls></urls></record></Cite></EndNote>(Fornell et al. 1981) and AVE values for all of the factors were above this cutoff. AVE values were also used to assess discriminant validity, which allows for the evaluation of whether factors are statistically distinct from one another. The square-root AVE value for each factor was compared with the correlation with each of the other factors and consistent with previous recommendations, the square-root AVE was greater in every case ADDIN EN.CITE <EndNote><Cite><Author>Segars</Author><Year>1997</Year><RecNum>2308</RecNum><DisplayText>(Segars 1997)</DisplayText><record><rec-number>2308</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1271097678">2308</key><key app="ENWeb" db-id="UBLLiQrtqggAADvUvSc">1098</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Segars, A.</author></authors></contributors><titles><title>Assessing the Unidimensionality of Measurement: A Paradigm and Illustration Within the Context of Information Systems Research</title><secondary-title>Omega</secondary-title></titles><periodical><full-title>Omega</full-title></periodical><pages>107-121</pages><volume>25</volume><number>1</number><dates><year>1997</year></dates><urls></urls></record></Cite></EndNote>(Segars 1997). These results provide evidence of convergent and divergent validity (even among the first-order components of trait mindfulness). See Appendix A for a detailed summary of tests of the measurement model.Model SpecificationLogistic regression was used to test the hypotheses. Logistic regression is intended for dichotomous dependent variables and permits categorical and continuous explanatory variables. The model for the training sample takes the following form:Pr(Responding to Phishing Attack) = β0 + β1*Student Status + β2*Faculty Status + β3*Trait Mindfulness + β4*Propensity to Trust + β5*Propensity to Take Risks + β6*Computer Self Efficacy + β7* Phishing Identification Expertise + β8*Phishing Customization + β9*Situation-Specific Training Approach + β10*Mindfulness Training Approach + β11*Graphical Training Format (2)The participant status was recoded from a three-value categorical variable (i.e., student, staff, faculty) to two dichotomous dummy variables (student status, faculty status). This model also examines the effect of phishing email customization, training approach, and training format on the likelihood of responding to a phishing attack and is the central analysis of this research. Factor scores were calculated via a confirmatory factor analysis (CFA) using MPlus 6.1 and utilized in the model. This procedure provided participants’ mean-centered, composite score for each covariate.ResultsForty-seven participants in the training sample (including the survey-only condition) logged in to the fictitious website, resulting in a response rate of 13.2 percent. Descriptive statistics showing the number of participant responses and response rate in each condition are shown in REF _Ref334094807 \h \* MERGEFORMAT Table 7. These findings are consistent with past industry reports on phishing response rates which indicate between a 10-15 percent rate of response for novice individuals ADDIN EN.CITE <EndNote><Cite><Author>Cisco Systems</Author><Year>2011</Year><RecNum>62</RecNum><DisplayText>(Cisco Systems 2011)</DisplayText><record><rec-number>62</rec-number><foreign-keys><key app="EN" db-id="2epwwvtr1ffvzeeaxsaxftrxsaze5fvpdpx5">62</key></foreign-keys><ref-type name="Web Page">12</ref-type><contributors><authors><author>Cisco Systems, </author></authors></contributors><titles><title>Email attacks: This time it's personal</title></titles><dates><year>2011</year></dates><pub-location>San Jose, CA</pub-location><publisher>;(Cisco Systems 2011). REF _Ref335815943 \h Figure 2 displays the timing of the responses to the phishing attack during the first four 24 hour periods after the first email was sent (10:00 AM). The attack generated the greatest response on the first day and decreased sharply on subsequent days. During the first 36 hours, responses were greatest in the evening when participants were most likely at home. Table 7 – Participant responses to phishing emailConditionsGeneric Phishing MessageaCustom Phishing MessageaSurvey Only8 (24.2%)9 (22.5%)ConcreteText4 (11.8%)6 (15.0%)Graphics5 (15.2%)5 (11.9%)AbstractText3 (7.5%)4 (12.5%)Graphics2 (7.4%)1 (2.9%)a The number of responses is shown in absolute numbers and in percentages for each condition. Percentages are in parentheses Figure 2 – A) Responses to the phishing attack during first 4 24 hour periods; B) Responses to the phishing attack while attack by hours.The sample size recommendation for logistic regression is that P + 1 be less than n0/10, where P is the number of explanatory variables in the model and n0 is the number of less frequent events (i.e., participants responding to the phishing email) ADDIN EN.CITE <EndNote><Cite><Author>Hosmer</Author><Year>2000</Year><RecNum>4715</RecNum><DisplayText>(Hosmer et al. 2000)</DisplayText><record><rec-number>4715</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184950">4715</key></foreign-keys><ref-type name="Book">6</ref-type><contributors><authors><author>Hosmer, D. W. </author><author>Lemeshow, S.</author></authors></contributors><titles><title>Applied logistic regression</title></titles><dates><year>2000</year></dates><pub-location>New York, NY</pub-location><publisher>Wiley</publisher><urls></urls></record></Cite></EndNote>(Hosmer et al. 2000). However, due to the completion rate of those invited to participate in the training and the number of covariates considered, the size of training sample was less than the recommendation for full power. We chose to sacrifice power and include covariates for three reasons; first, including covariates at the expense of power is a conservative analysis approach ADDIN EN.CITE <EndNote><Cite><Author>Jo</Author><Year>2002</Year><RecNum>64</RecNum><DisplayText>(Jo 2002)</DisplayText><record><rec-number>64</rec-number><foreign-keys><key app="EN" db-id="2epwwvtr1ffvzeeaxsaxftrxsaze5fvpdpx5">64</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Jo, B.</author></authors></contributors><titles><title>Statistical power in randomized intervention studies with noncompliance</title><secondary-title>Psychological Methods</secondary-title></titles><periodical><full-title>Psychological Methods</full-title></periodical><pages>178-193</pages><volume>7</volume><number>2</number><dates><year>2002</year></dates><isbn>1939-1463</isbn><urls></urls></record></Cite></EndNote>(Jo 2002). Second, theory mandates the presence of some covariates (e.g., trait mindfulness, computer self-efficacy) in the analysis. Finally, by including covariates, we rule out plausible alternative explanations for our findings. In Appendix D, we report the analysis without covariates. This analysis is consistent with sample size recommendations ADDIN EN.CITE <EndNote><Cite><Author>Hosmer</Author><Year>2000</Year><RecNum>4715</RecNum><DisplayText>(Hosmer et al. 2000)</DisplayText><record><rec-number>4715</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184950">4715</key></foreign-keys><ref-type name="Book">6</ref-type><contributors><authors><author>Hosmer, D. W. </author><author>Lemeshow, S.</author></authors></contributors><titles><title>Applied logistic regression</title></titles><dates><year>2000</year></dates><pub-location>New York, NY</pub-location><publisher>Wiley</publisher><urls></urls></record></Cite></EndNote>(Hosmer et al. 2000) and the findings are unchanged. Consistent with past MIS research ADDIN EN.CITE <EndNote><Cite><Author>Zmud</Author><Year>2010</Year><RecNum>4716</RecNum><Prefix>e.g.`, </Prefix><DisplayText>(e.g., Zmud et al. 2010)</DisplayText><record><rec-number>4716</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184950">4716</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Zmud, R. W.</author><author>Shaft, T.</author><author>Zheng, W.</author><author>Croes, H.</author></authors></contributors><titles><title>Systematic differences in firm’s information technology signaling: Implications for research design</title><secondary-title>Journal of the Association for Information Systems</secondary-title></titles><periodical><full-title>Journal of the Association for Information Systems</full-title></periodical><pages>1</pages><volume>11</volume><number>3</number><dates><year>2010</year></dates><urls></urls></record></Cite></EndNote>(e.g., Zmud et al. 2010), we evaluated competing models to assess model fit for the training and no training samples. Fit was evaluated using Akaike’s Information Criterion (AIC), which penalizes unnecessary model complexity ADDIN EN.CITE <EndNote><Cite><Author>Akaike</Author><Year>1973</Year><RecNum>4717</RecNum><DisplayText>(Akaike 1973)</DisplayText><record><rec-number>4717</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184950">4717</key></foreign-keys><ref-type name="Book Section">5</ref-type><contributors><authors><author>Akaike, H.</author></authors><secondary-authors><author>Petrov, B. N.</author><author>Csaki, F.</author></secondary-authors></contributors><titles><title>Information theory and an extension of the maximum likelihood principle</title><secondary-title>Proceedings of the Second International Symposium on Information Theory</secondary-title></titles><pages>267–281</pages><dates><year>1973</year></dates><pub-location>Budapest</pub-location><publisher>Akademiai Kiado</publisher><urls></urls></record></Cite></EndNote>(Akaike 1973). A smaller value of the AIC indicates a better model fit. REF _Ref334094853 \h Table 8 provides the competing models for the training sample. The first model includes only the intercept and control variables (Model 1; REF _Ref334094853 \h Table 8) and the second contains the hypothesized model (Model 2; REF _Ref334094853 \h Table 8). The third model (Model 2; REF _Ref334094853 \h Table 8) contains a fully specified model complete with interactions. Based on the AIC, the hypothesized model (Model 2; REF _Ref334094853 \h Table 8) offers the best fit. In addition, all of the significant coefficients revealed in Model 2; REF _Ref334094853 \h Table 8 remain significant in Model 3; REF _Ref334094853 \h Table 8. Consistent with recent research using logistic regression ADDIN EN.CITE <EndNote><Cite><Author>Hoetker</Author><Year>2007</Year><RecNum>4718</RecNum><DisplayText>(Hoetker 2007)</DisplayText><record><rec-number>4718</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184950">4718</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Hoetker, G.</author></authors></contributors><titles><title>The use of logit and probit models in strategic management research: Critical issues</title><secondary-title>Strategic Management Journal</secondary-title></titles><periodical><full-title>Strategic Management Journal</full-title></periodical><pages>331-343</pages><volume>28</volume><number>4</number><dates><year>2007</year></dates><isbn>0143-2095</isbn><urls></urls></record></Cite></EndNote>(Hoetker 2007), we interpret significant findings by the magnitude of their marginal effects ADDIN EN.CITE <EndNote><Cite><Author>Kaufman</Author><Year>1996</Year><RecNum>4719</RecNum><Prefix>also see </Prefix><DisplayText>(also see Kaufman 1996; Norton et al. 2004)</DisplayText><record><rec-number>4719</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184950">4719</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Kaufman, R. L.</author></authors></contributors><titles><title>Comparing the effects of dichotomous logistic regression: A variety of standardized coefficients</title><secondary-title>Social Science Quarterly</secondary-title></titles><periodical><full-title>Social Science Quarterly</full-title></periodical><pages>90-109</pages><volume>77</volume><number>1</number><dates><year>1996</year></dates><urls></urls></record></Cite><Cite><Author>Norton</Author><Year>2004</Year><RecNum>4720</RecNum><record><rec-number>4720</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184950">4720</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Norton, E. C.</author><author>Wang, H.</author><author>Ai, C.</author></authors></contributors><titles><title>Computing interaction effects and standard errors in logit and probit models</title><secondary-title>The Stata Journal</secondary-title></titles><periodical><full-title>The Stata Journal</full-title></periodical><pages>154-167</pages><volume>4</volume><number>2</number><dates><year>2004</year></dates><urls></urls></record></Cite></EndNote>(also see Kaufman 1996; Norton et al. 2004) rather than odds ratios. In a logistic regression model, explanatory variables do not have do not have a consistent, linear effect on the predicted outcome of the dependent variable; rather, the effect of an explanatory variable depends on the values of all the other explanatory variables in the logistic function ADDIN EN.CITE <EndNote><Cite><Author>Hoetker</Author><Year>2007</Year><RecNum>4718</RecNum><DisplayText>(Hoetker 2007)</DisplayText><record><rec-number>4718</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184950">4718</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Hoetker, G.</author></authors></contributors><titles><title>The use of logit and probit models in strategic management research: Critical issues</title><secondary-title>Strategic Management Journal</secondary-title></titles><periodical><full-title>Strategic Management Journal</full-title></periodical><pages>331-343</pages><volume>28</volume><number>4</number><dates><year>2007</year></dates><isbn>0143-2095</isbn><urls></urls></record></Cite></EndNote>(Hoetker 2007). Therefore, to clearly see the effect of a significant explanatory variable, the marginal effect ADDIN EN.CITE <EndNote><Cite><Author>Petersen</Author><Year>1985</Year><RecNum>4721</RecNum><Prefix>as shown by </Prefix><DisplayText>(as shown by Petersen 1985)</DisplayText><record><rec-number>4721</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184950">4721</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Petersen, T.</author></authors></contributors><titles><title>A comment on presenting results from logit and probit models</title><secondary-title>American Sociological Review</secondary-title></titles><periodical><full-title>American Sociological Review</full-title></periodical><pages>130-131</pages><volume>50</volume><number>1</number><dates><year>1985</year></dates><urls></urls></record></Cite></EndNote>(as shown by Petersen 1985) was calculated while holding the other explanatory variables constant. Table 8 – Test of Model Effects for Training SampleModel FactorsModel 1 (Controls Only)Model 2 (Hypothesized)Model 3 (Full)B (SE)WaldSig.B (SE)WaldSig.B (SE)WaldSig.Intercept-2.032 (.403)25.44<.001-1.133 (.545)4.33.037-.924 (.655)1.99.397Student Status-.542 (.451)1.44.230-.121 (.490).06.806-.072 (.492).02.883Faculty Status-1.247 (.640)3.80.051-1.45 (.693)4.41.036-1.441 (.699)4.25.039Trait Mindfulness-4.665 (.886)27.73<.001-5.14 (.959)28.68<.001-5.232 (.981)28.44<.001Propensity to Trust-.342 (.233)2.15.143-.305 (.246)1.53.216-.302 (.250)1.46.227Perceived Internet Risk-.576 (.258)5.00.025-.670 (.276)5.89.015-.696 (.282)6.08.014Computer Self-Efficacy.297 (.285)1.08.298.378 (.306)1.53.216.391 (.317)1.53.217Phishing Identification Expertise-.131 (.167).613.434-.103 (.170).37.545-.086 (.174).245.621Phishing Customization-.664 (.393)2.85.092-1.062 (.747)2.02.155Concrete Training Approach-.419 (.513).67.415-.821 (.847).94.332Abstract Training Approach-1.51 (.568)7.06.008-2.096 (.880)5.68.017Graphical Training Format-.519 (.464)1.25.263-.379 (.875).19.665Phishing Customization * Concrete Training Approach.666 (1.097).37.544Phishing Customization * Abstract Training Approach1.142 (1.166).96.327Phishing Customization * Graphical Training Format-.251 (1.156).05.828Abstract Training Approach * Graphical Training Formata.674 (1.379).24.625Phishing Customization * Abstract Training Approach * Graphical Training Formata-1.562 (2.016).60.438Model SummaryOmnibus Test of Model Coefficients<.001<.001<.001-2 Log Likelihood 205.29191.76190.01Cox and Snell R2 / Nagelkerke R2.184 / .339.215 / .396.219 / .403Hosmer and Lemeshow Test.837.069.122Goodness of Fit CriteriaAIC219.29213.76224.01a Since graphical training was crossed only with concrete and abstract training (see REF _Ref334094789 \h \* MERGEFORMAT Table 6), the Concrete Training Approach * Graphical Training Format and Phishing Customization * Concrete Training Approach * Graphical Training Format interactions are redundant and are not included in the fully specified model. Although the effect from concrete training was in the hypothesized direction, the effect failed to reach significance. Thus, the results failed to support H1. Further, the format of the training did not exert a significant impact on participants’ likelihood to respond to phishing messages. This finding fails to support H4. However, the results concerning the abstract approach to training (H2 and H3) demonstrated significant results. In support of H2, the abstract mindfulness approach to training significantly reduced the likelihood that people responded to the phishing attack. This effect persisted when controlling for trait mindfulness and other covariates. Participants who reported high mindfulness and high levels of perceptions of Internet risk were less likely to respond to the phishing attack. Also, members of faculty were less likely to respond to the phishing attack. To illustrate the impact of the abstract approach on training, we present the marginal effect of introducing mindfulness training on the probability that a participant will respond to a phishing email ( REF _Ref334095050 \h Table 9). As significant covariates impact the marginal effect of the abstract training approach, we display the marginal effect at the mean value and plus or minus one standard deviation from the mean for trait mindfulness and propensity to take risks. We also display the marginal impact of the mindfulness training for faculty and non-faculty.Table 9 – Marginal effect of introducing abstract training Covariate ValuesConditionsProbability of RespondingMarginal Effect of Abstract TrainingaTrait MindfulnessbLow Mindfulness (mean – 1 StDev = -.33)Survey Only.444-.294ConcreteText.345-.240Graphics.238-.174AbstractText.150Graphics.095Mean Mindfulness (mean = .00)Survey Only.128-.097ConcreteText.088-.067Graphics.054-.042AbstractText.031Graphics.019High Mindfulness (mean + 1 StDev = .33)Survey Only.026-.020ConcreteText.017-.014Graphics.010-.008AbstractText.006Graphics.004Table 11 (continued) – Marginal effect of introducing abstract trainingPerceptions of Internet Risk cLow Internet Risk (mean – 1 StDev = -.75)Survey Only.430-.287ConcreteText.331-.233Graphics.228-.167AbstractText.143Graphics.090Mean Internet Risk (mean = .00)Survey Only.313-.222ConcreteText.231-.169Graphics.151-.114AbstractText.092Graphics.057High Internet Risk (mean + 1 StDev = .75)Survey Only.216-.159ConcreteText.154-.115Graphics.097-.074AbstractText.058Graphics.035University Status dFacultySurvey Only.107-.081ConcreteText.073-.056Graphics.045-.035AbstractText.026Graphics.016StaffSurvey Only.340-.238ConcreteText.253-.183Graphics.168-.125AbstractText.102Graphics.063StudentsSurvey Only.313-.222ConcreteText.231-.169Graphics.151-.114AbstractText.092Graphics.057a Marginal effects are shown in terms of probabilitiesb In calculating the marginal impact of abstract training, phishing customization and a student population are assumed. Mean values for propensity to trust, perceived Internet risk, computer self-efficacy and phishing identification expertise are also assumed.c In calculating the marginal impact of abstract training, phishing customization and a student population are assumed. Mean values for trait mindfulness, propensity to trust, computer self-efficacy and phishing identification expertise are also assumed.d In calculating the marginal impact of abstract training, phishing customization is assumed. Mean values for trait mindfulness, propensity to trust, perceived Internet risk, computer self-efficacy and phishing identification expertise are also assumed.To test H4, the hypothesized model (Model 2; REF _Ref334094853 \h \* MERGEFORMAT Table 8) was tested again but participants who only completed the covariate survey were excluded from the analysis. This collapsed the training approach to a single variable with two values (concrete approach = 0 and abstract approach = 1) and permitted a direct comparison between the concrete and abstract approaches. A significant, negative coefficient would indicate that the abstract approach reduced phishing response above the effect from the situation-specific approach. As Table 12 illustrates, our finding supports H4. Table 10 – Test of model effects comparing abstract to concrete approaches Model FactorsModel 1B (SE)WaldSig.Intercept-1.204 (.555)4.70.030Student Status-.442 (.545).66.417Faculty Status-2.321 (1.124)4.27.039Trait Mindfulness-3.497 (.990)12.46<.001Propensity to Trust-.215 (.272).62.429Perception of Internet Risk-.325 (.308)1.31.253Computer Self-Efficacy.356 (.345)1.06.303Phishing Identification Expertise-.238 (.194)1.51.219Phishing Customization-.400 (.441).82.365Training Approach-.978 (.467)4.39.036Graphical Training Format-.417 (.446).88.349Model SummaryOmnibus Test of Model Coefficients<.001-2 Log Likelihood 149.05Cox and Snell R2.139Nagelkerke R2.282Hosmer and Lemeshow Test.871Model Fit CriteriaAIC207.77DiscussionThis research advances understanding of phishing and how people can be trained to resist phishing attacks. Our findings confirm past phishing research and advance them by introducing a novel abstract training approach. Specifically, we confirmed that training mitigated a phisher’s ability to elicit private information from e-mail users PEVuZE5vdGU+PENpdGU+PEF1dGhvcj5BbG5hamltPC9BdXRob3I+PFllYXI+MjAwOTwvWWVhcj48
UmVjTnVtPjQ0MDk8L1JlY051bT48UHJlZml4PnNlZSA8L1ByZWZpeD48RGlzcGxheVRleHQ+KHNl
ZSBBbG5hamltIGV0IGFsLiAyMDA5OyBLdW1hcmFndXJ1IGV0IGFsLiAyMDA3OyBTYW50aGFuYW0g
ZXQgYWwuIDIwMDgpPC9EaXNwbGF5VGV4dD48cmVjb3JkPjxyZWMtbnVtYmVyPjQ0MDk8L3JlYy1u
dW1iZXI+PGZvcmVpZ24ta2V5cz48a2V5IGFwcD0iRU4iIGRiLWlkPSJ4cjBzMHNwMHZycGU1emU1
dGV0eHZ3d25wNXhkOWFhZXpzZDkiIHRpbWVzdGFtcD0iMTM0NzkwOTA5NiI+NDQwOTwva2V5Pjwv
Zm9yZWlnbi1rZXlzPjxyZWYtdHlwZSBuYW1lPSJDb25mZXJlbmNlIFByb2NlZWRpbmdzIj4xMDwv
cmVmLXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9ycz48YXV0aG9yPkFsbmFqaW0sIEEuPC9hdXRo
b3I+PGF1dGhvcj5NdW5ybywgTS48L2F1dGhvcj48L2F1dGhvcnM+PC9jb250cmlidXRvcnM+PHRp
dGxlcz48dGl0bGU+QW4gQW50aS1QaGlzaGluZyBBcHByb2FjaCB0aGF0IFVzZXMgVHJhaW5pbmcg
SW50ZXJ2ZW50aW9uIGZvciBQaGlzaGluZyBXZWJzaXRlcyBEZXRlY3Rpb248L3RpdGxlPjxzZWNv
bmRhcnktdGl0bGU+SW5mb3JtYXRpb24gVGVjaG5vbG9neTogTmV3IEdlbmVyYXRpb25zLCAyMDA5
LiBJVE5HICZhcG9zOzA5LiBTaXh0aCBJbnRlcm5hdGlvbmFsIENvbmZlcmVuY2Ugb248L3NlY29u
ZGFyeS10aXRsZT48YWx0LXRpdGxlPkluZm9ybWF0aW9uIFRlY2hub2xvZ3k6IE5ldyBHZW5lcmF0
aW9ucywgMjAwOS4gSVRORyAmYXBvczswOS4gU2l4dGggSW50ZXJuYXRpb25hbCBDb25mZXJlbmNl
IG9uPC9hbHQtdGl0bGU+PC90aXRsZXM+PHBhZ2VzPjQwNS00MTA8L3BhZ2VzPjxrZXl3b3Jkcz48
a2V5d29yZD5XZWIgc2l0ZXM8L2tleXdvcmQ+PGtleXdvcmQ+ZWxlY3Ryb25pYyBjb21tZXJjZTwv
a2V5d29yZD48a2V5d29yZD5zZWN1cml0eSBvZiBkYXRhPC9rZXl3b3JkPjxrZXl3b3JkPmFudGlw
aGlzaGluZyBhcHByb2FjaDwva2V5d29yZD48a2V5d29yZD5lLWNvbW1lcmNlPC9rZXl3b3JkPjxr
ZXl3b3JkPm9ubGluZSBiYW5raW5nPC9rZXl3b3JkPjxrZXl3b3JkPnBoaXNoaW5nIFdlYnNpdGVz
IGRldGVjdGlvbjwva2V5d29yZD48L2tleXdvcmRzPjxkYXRlcz48eWVhcj4yMDA5PC95ZWFyPjxw
dWItZGF0ZXM+PGRhdGU+MjctMjkgQXByaWwgMjAwOTwvZGF0ZT48L3B1Yi1kYXRlcz48L2RhdGVz
Pjx1cmxzPjwvdXJscz48ZWxlY3Ryb25pYy1yZXNvdXJjZS1udW0+MTAuMTEwOS9JVE5HLjIwMDku
MTA5PC9lbGVjdHJvbmljLXJlc291cmNlLW51bT48L3JlY29yZD48L0NpdGU+PENpdGU+PEF1dGhv
cj5LdW1hcmFndXJ1PC9BdXRob3I+PFllYXI+MjAwNzwvWWVhcj48UmVjTnVtPjc2NzwvUmVjTnVt
PjxyZWNvcmQ+PHJlYy1udW1iZXI+NzY3PC9yZWMtbnVtYmVyPjxmb3JlaWduLWtleXM+PGtleSBh
cHA9IkVOIiBkYi1pZD0ieHIwczBzcDB2cnBlNXplNXRldHh2d3ducDV4ZDlhYWV6c2Q5IiB0aW1l
c3RhbXA9IjEyNzEwOTcxMDUiPjc2Nzwva2V5PjxrZXkgYXBwPSJFTldlYiIgZGItaWQ9IlVCTExp
UXJ0cWdnQUFEdlV2U2MiPjQ3Mzwva2V5PjwvZm9yZWlnbi1rZXlzPjxyZWYtdHlwZSBuYW1lPSJD
b25mZXJlbmNlIFByb2NlZWRpbmdzIj4xMDwvcmVmLXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9y
cz48YXV0aG9yPlAuIEt1bWFyYWd1cnU8L2F1dGhvcj48YXV0aG9yPlkuIFJoZWU8L2F1dGhvcj48
YXV0aG9yPkEuIEFjcXVpc3RpPC9hdXRob3I+PGF1dGhvcj5MLiBDcmFub3I8L2F1dGhvcj48YXV0
aG9yPkouIEhvbmc8L2F1dGhvcj48YXV0aG9yPkUuIE51bmdlPC9hdXRob3I+PC9hdXRob3JzPjwv
Y29udHJpYnV0b3JzPjx0aXRsZXM+PHRpdGxlPlByb3RlY3RpbmcgUGVvcGxlIGZyb20gUGhpc2hp
bmc6IFRoZSBEZXNpZ24gYW5kIEV2YWxhdXRpb24gb2YgYW4gRW1iZWRkZWQgVHJhaW5pbmcgRW1h
aWwgU3lzdGVtczwvdGl0bGU+PHNlY29uZGFyeS10aXRsZT5Db21wdXRlciBIdW1hbiBJbnRlcmFj
dGlvbiAoQ0hJKTwvc2Vjb25kYXJ5LXRpdGxlPjwvdGl0bGVzPjxkYXRlcz48eWVhcj4yMDA3PC95
ZWFyPjwvZGF0ZXM+PHB1Yi1sb2NhdGlvbj5TYW4gSm9zZSwgQ0E8L3B1Yi1sb2NhdGlvbj48cHVi
bGlzaGVyPkFDTSBQcmVzczwvcHVibGlzaGVyPjx1cmxzPjwvdXJscz48L3JlY29yZD48L0NpdGU+
PENpdGU+PEF1dGhvcj5TYW50aGFuYW08L0F1dGhvcj48WWVhcj4yMDA4PC9ZZWFyPjxSZWNOdW0+
NzQ0PC9SZWNOdW0+PHJlY29yZD48cmVjLW51bWJlcj43NDQ8L3JlYy1udW1iZXI+PGZvcmVpZ24t
a2V5cz48a2V5IGFwcD0iRU4iIGRiLWlkPSJ4cjBzMHNwMHZycGU1emU1dGV0eHZ3d25wNXhkOWFh
ZXpzZDkiIHRpbWVzdGFtcD0iMTI3MTA5NzA5MiI+NzQ0PC9rZXk+PGtleSBhcHA9IkVOV2ViIiBk
Yi1pZD0iVUJMTGlRcnRxZ2dBQUR2VXZTYyI+NDUzPC9rZXk+PC9mb3JlaWduLWtleXM+PHJlZi10
eXBlIG5hbWU9IkpvdXJuYWwgQXJ0aWNsZSI+MTc8L3JlZi10eXBlPjxjb250cmlidXRvcnM+PGF1
dGhvcnM+PGF1dGhvcj5SYWRoaWthIFNhbnRoYW5hbTwvYXV0aG9yPjxhdXRob3I+U2hhcmF0aCBT
YXNpZGhhcmFuPC9hdXRob3I+PGF1dGhvcj5KYW5lIFdlYnN0ZXI8L2F1dGhvcj48L2F1dGhvcnM+
PC9jb250cmlidXRvcnM+PHRpdGxlcz48dGl0bGU+VXNpbmcgc2VsZi1yZWd1bGF0b3J5IGxlYXJu
aW5nIHRvIGVuaGFuY2UgZS1sZWFybmluZy1iYXNlZCBpbmZvcm1hdGlvbiB0ZWNobm9sb2d5IHRy
YWluaW5nPC90aXRsZT48c2Vjb25kYXJ5LXRpdGxlPkluZm9ybWF0aW9uIFN5c3RlbXMgUmVzZWFy
Y2g8L3NlY29uZGFyeS10aXRsZT48L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVsbC10aXRsZT5JbmZv
cm1hdGlvbiBTeXN0ZW1zIFJlc2VhcmNoPC9mdWxsLXRpdGxlPjwvcGVyaW9kaWNhbD48cGFnZXM+
MjYtNDc8L3BhZ2VzPjx2b2x1bWU+MTk8L3ZvbHVtZT48bnVtYmVyPjE8L251bWJlcj48ZGF0ZXM+
PHllYXI+MjAwODwveWVhcj48L2RhdGVzPjx1cmxzPjwvdXJscz48L3JlY29yZD48L0NpdGU+PC9F
bmROb3RlPgB=
ADDIN EN.CITE PEVuZE5vdGU+PENpdGU+PEF1dGhvcj5BbG5hamltPC9BdXRob3I+PFllYXI+MjAwOTwvWWVhcj48
UmVjTnVtPjQ0MDk8L1JlY051bT48UHJlZml4PnNlZSA8L1ByZWZpeD48RGlzcGxheVRleHQ+KHNl
ZSBBbG5hamltIGV0IGFsLiAyMDA5OyBLdW1hcmFndXJ1IGV0IGFsLiAyMDA3OyBTYW50aGFuYW0g
ZXQgYWwuIDIwMDgpPC9EaXNwbGF5VGV4dD48cmVjb3JkPjxyZWMtbnVtYmVyPjQ0MDk8L3JlYy1u
dW1iZXI+PGZvcmVpZ24ta2V5cz48a2V5IGFwcD0iRU4iIGRiLWlkPSJ4cjBzMHNwMHZycGU1emU1
dGV0eHZ3d25wNXhkOWFhZXpzZDkiIHRpbWVzdGFtcD0iMTM0NzkwOTA5NiI+NDQwOTwva2V5Pjwv
Zm9yZWlnbi1rZXlzPjxyZWYtdHlwZSBuYW1lPSJDb25mZXJlbmNlIFByb2NlZWRpbmdzIj4xMDwv
cmVmLXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9ycz48YXV0aG9yPkFsbmFqaW0sIEEuPC9hdXRo
b3I+PGF1dGhvcj5NdW5ybywgTS48L2F1dGhvcj48L2F1dGhvcnM+PC9jb250cmlidXRvcnM+PHRp
dGxlcz48dGl0bGU+QW4gQW50aS1QaGlzaGluZyBBcHByb2FjaCB0aGF0IFVzZXMgVHJhaW5pbmcg
SW50ZXJ2ZW50aW9uIGZvciBQaGlzaGluZyBXZWJzaXRlcyBEZXRlY3Rpb248L3RpdGxlPjxzZWNv
bmRhcnktdGl0bGU+SW5mb3JtYXRpb24gVGVjaG5vbG9neTogTmV3IEdlbmVyYXRpb25zLCAyMDA5
LiBJVE5HICZhcG9zOzA5LiBTaXh0aCBJbnRlcm5hdGlvbmFsIENvbmZlcmVuY2Ugb248L3NlY29u
ZGFyeS10aXRsZT48YWx0LXRpdGxlPkluZm9ybWF0aW9uIFRlY2hub2xvZ3k6IE5ldyBHZW5lcmF0
aW9ucywgMjAwOS4gSVRORyAmYXBvczswOS4gU2l4dGggSW50ZXJuYXRpb25hbCBDb25mZXJlbmNl
IG9uPC9hbHQtdGl0bGU+PC90aXRsZXM+PHBhZ2VzPjQwNS00MTA8L3BhZ2VzPjxrZXl3b3Jkcz48
a2V5d29yZD5XZWIgc2l0ZXM8L2tleXdvcmQ+PGtleXdvcmQ+ZWxlY3Ryb25pYyBjb21tZXJjZTwv
a2V5d29yZD48a2V5d29yZD5zZWN1cml0eSBvZiBkYXRhPC9rZXl3b3JkPjxrZXl3b3JkPmFudGlw
aGlzaGluZyBhcHByb2FjaDwva2V5d29yZD48a2V5d29yZD5lLWNvbW1lcmNlPC9rZXl3b3JkPjxr
ZXl3b3JkPm9ubGluZSBiYW5raW5nPC9rZXl3b3JkPjxrZXl3b3JkPnBoaXNoaW5nIFdlYnNpdGVz
IGRldGVjdGlvbjwva2V5d29yZD48L2tleXdvcmRzPjxkYXRlcz48eWVhcj4yMDA5PC95ZWFyPjxw
dWItZGF0ZXM+PGRhdGU+MjctMjkgQXByaWwgMjAwOTwvZGF0ZT48L3B1Yi1kYXRlcz48L2RhdGVz
Pjx1cmxzPjwvdXJscz48ZWxlY3Ryb25pYy1yZXNvdXJjZS1udW0+MTAuMTEwOS9JVE5HLjIwMDku
MTA5PC9lbGVjdHJvbmljLXJlc291cmNlLW51bT48L3JlY29yZD48L0NpdGU+PENpdGU+PEF1dGhv
cj5LdW1hcmFndXJ1PC9BdXRob3I+PFllYXI+MjAwNzwvWWVhcj48UmVjTnVtPjc2NzwvUmVjTnVt
PjxyZWNvcmQ+PHJlYy1udW1iZXI+NzY3PC9yZWMtbnVtYmVyPjxmb3JlaWduLWtleXM+PGtleSBh
cHA9IkVOIiBkYi1pZD0ieHIwczBzcDB2cnBlNXplNXRldHh2d3ducDV4ZDlhYWV6c2Q5IiB0aW1l
c3RhbXA9IjEyNzEwOTcxMDUiPjc2Nzwva2V5PjxrZXkgYXBwPSJFTldlYiIgZGItaWQ9IlVCTExp
UXJ0cWdnQUFEdlV2U2MiPjQ3Mzwva2V5PjwvZm9yZWlnbi1rZXlzPjxyZWYtdHlwZSBuYW1lPSJD
b25mZXJlbmNlIFByb2NlZWRpbmdzIj4xMDwvcmVmLXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9y
cz48YXV0aG9yPlAuIEt1bWFyYWd1cnU8L2F1dGhvcj48YXV0aG9yPlkuIFJoZWU8L2F1dGhvcj48
YXV0aG9yPkEuIEFjcXVpc3RpPC9hdXRob3I+PGF1dGhvcj5MLiBDcmFub3I8L2F1dGhvcj48YXV0
aG9yPkouIEhvbmc8L2F1dGhvcj48YXV0aG9yPkUuIE51bmdlPC9hdXRob3I+PC9hdXRob3JzPjwv
Y29udHJpYnV0b3JzPjx0aXRsZXM+PHRpdGxlPlByb3RlY3RpbmcgUGVvcGxlIGZyb20gUGhpc2hp
bmc6IFRoZSBEZXNpZ24gYW5kIEV2YWxhdXRpb24gb2YgYW4gRW1iZWRkZWQgVHJhaW5pbmcgRW1h
aWwgU3lzdGVtczwvdGl0bGU+PHNlY29uZGFyeS10aXRsZT5Db21wdXRlciBIdW1hbiBJbnRlcmFj
dGlvbiAoQ0hJKTwvc2Vjb25kYXJ5LXRpdGxlPjwvdGl0bGVzPjxkYXRlcz48eWVhcj4yMDA3PC95
ZWFyPjwvZGF0ZXM+PHB1Yi1sb2NhdGlvbj5TYW4gSm9zZSwgQ0E8L3B1Yi1sb2NhdGlvbj48cHVi
bGlzaGVyPkFDTSBQcmVzczwvcHVibGlzaGVyPjx1cmxzPjwvdXJscz48L3JlY29yZD48L0NpdGU+
PENpdGU+PEF1dGhvcj5TYW50aGFuYW08L0F1dGhvcj48WWVhcj4yMDA4PC9ZZWFyPjxSZWNOdW0+
NzQ0PC9SZWNOdW0+PHJlY29yZD48cmVjLW51bWJlcj43NDQ8L3JlYy1udW1iZXI+PGZvcmVpZ24t
a2V5cz48a2V5IGFwcD0iRU4iIGRiLWlkPSJ4cjBzMHNwMHZycGU1emU1dGV0eHZ3d25wNXhkOWFh
ZXpzZDkiIHRpbWVzdGFtcD0iMTI3MTA5NzA5MiI+NzQ0PC9rZXk+PGtleSBhcHA9IkVOV2ViIiBk
Yi1pZD0iVUJMTGlRcnRxZ2dBQUR2VXZTYyI+NDUzPC9rZXk+PC9mb3JlaWduLWtleXM+PHJlZi10
eXBlIG5hbWU9IkpvdXJuYWwgQXJ0aWNsZSI+MTc8L3JlZi10eXBlPjxjb250cmlidXRvcnM+PGF1
dGhvcnM+PGF1dGhvcj5SYWRoaWthIFNhbnRoYW5hbTwvYXV0aG9yPjxhdXRob3I+U2hhcmF0aCBT
YXNpZGhhcmFuPC9hdXRob3I+PGF1dGhvcj5KYW5lIFdlYnN0ZXI8L2F1dGhvcj48L2F1dGhvcnM+
PC9jb250cmlidXRvcnM+PHRpdGxlcz48dGl0bGU+VXNpbmcgc2VsZi1yZWd1bGF0b3J5IGxlYXJu
aW5nIHRvIGVuaGFuY2UgZS1sZWFybmluZy1iYXNlZCBpbmZvcm1hdGlvbiB0ZWNobm9sb2d5IHRy
YWluaW5nPC90aXRsZT48c2Vjb25kYXJ5LXRpdGxlPkluZm9ybWF0aW9uIFN5c3RlbXMgUmVzZWFy
Y2g8L3NlY29uZGFyeS10aXRsZT48L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVsbC10aXRsZT5JbmZv
cm1hdGlvbiBTeXN0ZW1zIFJlc2VhcmNoPC9mdWxsLXRpdGxlPjwvcGVyaW9kaWNhbD48cGFnZXM+
MjYtNDc8L3BhZ2VzPjx2b2x1bWU+MTk8L3ZvbHVtZT48bnVtYmVyPjE8L251bWJlcj48ZGF0ZXM+
PHllYXI+MjAwODwveWVhcj48L2RhdGVzPjx1cmxzPjwvdXJscz48L3JlY29yZD48L0NpdGU+PC9F
bmROb3RlPgB=
ADDIN EN.CITE.DATA (see Alnajim et al. 2009; Kumaraguru et al. 2007; Santhanam et al. 2008). We extended this body of work by demonstrating that a training approach’s theoretical underpinning and level of conceptualization affect its efficacy. Next, we outline the implications of our work for theory and practice.Implications for TheoryCritical to understanding the efficacy of training methods in general is an understanding each method’s theoretical foundations. We found that participants who completed training based on an abstract approach were significantly less likely to respond to customized and generic phishing attacks than participants who completed no training or those who completed training using a concrete approach. This finding has several theoretical implications for phishing research, security research, and training in general. First, consistent with past research ADDIN EN.CITE <EndNote><Cite><Author>Vance</Author><Year>2008</Year><RecNum>7277</RecNum><Prefix>e.g.`, </Prefix><DisplayText>(e.g., Vance et al. 2008)</DisplayText><record><rec-number>7277</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="0">7277</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Vance, A.</author><author>Elie-Dit-Cosaque, C.</author><author>Straub, D. W.</author></authors></contributors><titles><title>Examining trust in information technology artifacts: the effects of system quality and culture</title><secondary-title>Journal of Management Information Systems</secondary-title></titles><periodical><full-title>Journal of Management Information Systems</full-title></periodical><pages>73-100</pages><volume>24</volume><number>4</number><dates><year>2008</year></dates><isbn>0742-1222</isbn><urls></urls></record></Cite></EndNote>(e.g., Vance et al. 2008), our results support the notion that people respond to phishing attacks out of habit and cursory, heuristic processing of emailed requests. We show that a training approach directly focused on reducing the tendency to respond out of habit has a much greater effect on phishing mitigation than instructing email users in cues and rules that can be used to avoid phishing attacks. These findings elevate the alteration of mental models to govern mindless information processing as a critical step in anti-phishing and security training. Next, in referent literatures, there has been debate about the efficacy of abstract mindfulness training and whether or not someone can be trained to be mindful ADDIN EN.CITE <EndNote><Cite><Author>Baer</Author><Year>2003</Year><RecNum>2714</RecNum><DisplayText>(Baer 2003)</DisplayText><record><rec-number>2714</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1297719681">2714</key><key app="ENWeb" db-id="UBLLiQrtqggAADvUvSc">1484</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Ruth A. Baer</author></authors></contributors><titles><title>Mindfulness Training as a Clinical Intervention: A Conceptual and Empirical Review</title><secondary-title>Clinical Psychology: Science and Practice</secondary-title></titles><periodical><full-title>Clinical Psychology: Science and Practice</full-title></periodical><pages>125-143</pages><volume>10</volume><number>2</number><dates><year>2003</year></dates><urls></urls></record></Cite></EndNote>(Baer 2003). Our findings suggest that one can teach mindfulness techniques, and that individuals who receive such training go beyond mere awareness or problem identification to engaging in more secure behaviors. Both the concrete condition, which was based on the current state of the art PEVuZE5vdGU+PENpdGU+PEF1dGhvcj5BbG5hamltPC9BdXRob3I+PFllYXI+MjAwOTwvWWVhcj48
UmVjTnVtPjQ0MDk8L1JlY051bT48UHJlZml4PnNlZSA8L1ByZWZpeD48RGlzcGxheVRleHQ+KHNl
ZSBBbG5hamltIGV0IGFsLiAyMDA5OyBLdW1hcmFndXJ1IGV0IGFsLiAyMDA5OyBLdW1hcmFndXJ1
IGV0IGFsLiAyMDA3OyBTYW50aGFuYW0gZXQgYWwuIDIwMDgpPC9EaXNwbGF5VGV4dD48cmVjb3Jk
PjxyZWMtbnVtYmVyPjQ0MDk8L3JlYy1udW1iZXI+PGZvcmVpZ24ta2V5cz48a2V5IGFwcD0iRU4i
IGRiLWlkPSJ4cjBzMHNwMHZycGU1emU1dGV0eHZ3d25wNXhkOWFhZXpzZDkiIHRpbWVzdGFtcD0i
MTM0NzkwOTA5NiI+NDQwOTwva2V5PjwvZm9yZWlnbi1rZXlzPjxyZWYtdHlwZSBuYW1lPSJDb25m
ZXJlbmNlIFByb2NlZWRpbmdzIj4xMDwvcmVmLXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9ycz48
YXV0aG9yPkFsbmFqaW0sIEEuPC9hdXRob3I+PGF1dGhvcj5NdW5ybywgTS48L2F1dGhvcj48L2F1
dGhvcnM+PC9jb250cmlidXRvcnM+PHRpdGxlcz48dGl0bGU+QW4gQW50aS1QaGlzaGluZyBBcHBy
b2FjaCB0aGF0IFVzZXMgVHJhaW5pbmcgSW50ZXJ2ZW50aW9uIGZvciBQaGlzaGluZyBXZWJzaXRl
cyBEZXRlY3Rpb248L3RpdGxlPjxzZWNvbmRhcnktdGl0bGU+SW5mb3JtYXRpb24gVGVjaG5vbG9n
eTogTmV3IEdlbmVyYXRpb25zLCAyMDA5LiBJVE5HICZhcG9zOzA5LiBTaXh0aCBJbnRlcm5hdGlv
bmFsIENvbmZlcmVuY2Ugb248L3NlY29uZGFyeS10aXRsZT48YWx0LXRpdGxlPkluZm9ybWF0aW9u
IFRlY2hub2xvZ3k6IE5ldyBHZW5lcmF0aW9ucywgMjAwOS4gSVRORyAmYXBvczswOS4gU2l4dGgg
SW50ZXJuYXRpb25hbCBDb25mZXJlbmNlIG9uPC9hbHQtdGl0bGU+PC90aXRsZXM+PHBhZ2VzPjQw
NS00MTA8L3BhZ2VzPjxrZXl3b3Jkcz48a2V5d29yZD5XZWIgc2l0ZXM8L2tleXdvcmQ+PGtleXdv
cmQ+ZWxlY3Ryb25pYyBjb21tZXJjZTwva2V5d29yZD48a2V5d29yZD5zZWN1cml0eSBvZiBkYXRh
PC9rZXl3b3JkPjxrZXl3b3JkPmFudGlwaGlzaGluZyBhcHByb2FjaDwva2V5d29yZD48a2V5d29y
ZD5lLWNvbW1lcmNlPC9rZXl3b3JkPjxrZXl3b3JkPm9ubGluZSBiYW5raW5nPC9rZXl3b3JkPjxr
ZXl3b3JkPnBoaXNoaW5nIFdlYnNpdGVzIGRldGVjdGlvbjwva2V5d29yZD48L2tleXdvcmRzPjxk
YXRlcz48eWVhcj4yMDA5PC95ZWFyPjxwdWItZGF0ZXM+PGRhdGU+MjctMjkgQXByaWwgMjAwOTwv
ZGF0ZT48L3B1Yi1kYXRlcz48L2RhdGVzPjx1cmxzPjwvdXJscz48ZWxlY3Ryb25pYy1yZXNvdXJj
ZS1udW0+MTAuMTEwOS9JVE5HLjIwMDkuMTA5PC9lbGVjdHJvbmljLXJlc291cmNlLW51bT48L3Jl
Y29yZD48L0NpdGU+PENpdGU+PEF1dGhvcj5LdW1hcmFndXJ1PC9BdXRob3I+PFllYXI+MjAwNzwv
WWVhcj48UmVjTnVtPjc2NzwvUmVjTnVtPjxyZWNvcmQ+PHJlYy1udW1iZXI+NzY3PC9yZWMtbnVt
YmVyPjxmb3JlaWduLWtleXM+PGtleSBhcHA9IkVOIiBkYi1pZD0ieHIwczBzcDB2cnBlNXplNXRl
dHh2d3ducDV4ZDlhYWV6c2Q5IiB0aW1lc3RhbXA9IjEyNzEwOTcxMDUiPjc2Nzwva2V5PjxrZXkg
YXBwPSJFTldlYiIgZGItaWQ9IlVCTExpUXJ0cWdnQUFEdlV2U2MiPjQ3Mzwva2V5PjwvZm9yZWln
bi1rZXlzPjxyZWYtdHlwZSBuYW1lPSJDb25mZXJlbmNlIFByb2NlZWRpbmdzIj4xMDwvcmVmLXR5
cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9ycz48YXV0aG9yPlAuIEt1bWFyYWd1cnU8L2F1dGhvcj48
YXV0aG9yPlkuIFJoZWU8L2F1dGhvcj48YXV0aG9yPkEuIEFjcXVpc3RpPC9hdXRob3I+PGF1dGhv
cj5MLiBDcmFub3I8L2F1dGhvcj48YXV0aG9yPkouIEhvbmc8L2F1dGhvcj48YXV0aG9yPkUuIE51
bmdlPC9hdXRob3I+PC9hdXRob3JzPjwvY29udHJpYnV0b3JzPjx0aXRsZXM+PHRpdGxlPlByb3Rl
Y3RpbmcgUGVvcGxlIGZyb20gUGhpc2hpbmc6IFRoZSBEZXNpZ24gYW5kIEV2YWxhdXRpb24gb2Yg
YW4gRW1iZWRkZWQgVHJhaW5pbmcgRW1haWwgU3lzdGVtczwvdGl0bGU+PHNlY29uZGFyeS10aXRs
ZT5Db21wdXRlciBIdW1hbiBJbnRlcmFjdGlvbiAoQ0hJKTwvc2Vjb25kYXJ5LXRpdGxlPjwvdGl0
bGVzPjxkYXRlcz48eWVhcj4yMDA3PC95ZWFyPjwvZGF0ZXM+PHB1Yi1sb2NhdGlvbj5TYW4gSm9z
ZSwgQ0E8L3B1Yi1sb2NhdGlvbj48cHVibGlzaGVyPkFDTSBQcmVzczwvcHVibGlzaGVyPjx1cmxz
PjwvdXJscz48L3JlY29yZD48L0NpdGU+PENpdGU+PEF1dGhvcj5TYW50aGFuYW08L0F1dGhvcj48
WWVhcj4yMDA4PC9ZZWFyPjxSZWNOdW0+NzQ0PC9SZWNOdW0+PHJlY29yZD48cmVjLW51bWJlcj43
NDQ8L3JlYy1udW1iZXI+PGZvcmVpZ24ta2V5cz48a2V5IGFwcD0iRU4iIGRiLWlkPSJ4cjBzMHNw
MHZycGU1emU1dGV0eHZ3d25wNXhkOWFhZXpzZDkiIHRpbWVzdGFtcD0iMTI3MTA5NzA5MiI+NzQ0
PC9rZXk+PGtleSBhcHA9IkVOV2ViIiBkYi1pZD0iVUJMTGlRcnRxZ2dBQUR2VXZTYyI+NDUzPC9r
ZXk+PC9mb3JlaWduLWtleXM+PHJlZi10eXBlIG5hbWU9IkpvdXJuYWwgQXJ0aWNsZSI+MTc8L3Jl
Zi10eXBlPjxjb250cmlidXRvcnM+PGF1dGhvcnM+PGF1dGhvcj5SYWRoaWthIFNhbnRoYW5hbTwv
YXV0aG9yPjxhdXRob3I+U2hhcmF0aCBTYXNpZGhhcmFuPC9hdXRob3I+PGF1dGhvcj5KYW5lIFdl
YnN0ZXI8L2F1dGhvcj48L2F1dGhvcnM+PC9jb250cmlidXRvcnM+PHRpdGxlcz48dGl0bGU+VXNp
bmcgc2VsZi1yZWd1bGF0b3J5IGxlYXJuaW5nIHRvIGVuaGFuY2UgZS1sZWFybmluZy1iYXNlZCBp
bmZvcm1hdGlvbiB0ZWNobm9sb2d5IHRyYWluaW5nPC90aXRsZT48c2Vjb25kYXJ5LXRpdGxlPklu
Zm9ybWF0aW9uIFN5c3RlbXMgUmVzZWFyY2g8L3NlY29uZGFyeS10aXRsZT48L3RpdGxlcz48cGVy
aW9kaWNhbD48ZnVsbC10aXRsZT5JbmZvcm1hdGlvbiBTeXN0ZW1zIFJlc2VhcmNoPC9mdWxsLXRp
dGxlPjwvcGVyaW9kaWNhbD48cGFnZXM+MjYtNDc8L3BhZ2VzPjx2b2x1bWU+MTk8L3ZvbHVtZT48
bnVtYmVyPjE8L251bWJlcj48ZGF0ZXM+PHllYXI+MjAwODwveWVhcj48L2RhdGVzPjx1cmxzPjwv
dXJscz48L3JlY29yZD48L0NpdGU+PENpdGU+PEF1dGhvcj5LdW1hcmFndXJ1PC9BdXRob3I+PFll
YXI+MjAwOTwvWWVhcj48UmVjTnVtPjQ3MTQ8L1JlY051bT48cmVjb3JkPjxyZWMtbnVtYmVyPjQ3
MTQ8L3JlYy1udW1iZXI+PGZvcmVpZ24ta2V5cz48a2V5IGFwcD0iRU4iIGRiLWlkPSJ4cjBzMHNw
MHZycGU1emU1dGV0eHZ3d25wNXhkOWFhZXpzZDkiIHRpbWVzdGFtcD0iMTM5ODE4NDk0OSI+NDcx
NDwva2V5PjwvZm9yZWlnbi1rZXlzPjxyZWYtdHlwZSBuYW1lPSJDb25mZXJlbmNlIFByb2NlZWRp
bmdzIj4xMDwvcmVmLXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9ycz48YXV0aG9yPkt1bWFyYWd1
cnUsIFAuPC9hdXRob3I+PGF1dGhvcj5DcmFuc2hhdywgSi48L2F1dGhvcj48YXV0aG9yPkFjcXVp
c3RpLCBBLjwvYXV0aG9yPjxhdXRob3I+Q3Jhbm9yLCBMLjwvYXV0aG9yPjxhdXRob3I+SG9uZywg
Si48L2F1dGhvcj48YXV0aG9yPkJsYWlyLCBNLkEuPC9hdXRob3I+PGF1dGhvcj5QaGFtLCBULjwv
YXV0aG9yPjwvYXV0aG9ycz48L2NvbnRyaWJ1dG9ycz48dGl0bGVzPjx0aXRsZT5TY2hvb2wgb2Yg
cGhpc2g6IEEgcmVhbC13b3JsZCBldmFsdWF0aW9uIG9mIGFudGktcGhpc2hpbmcgdHJhaW5pbmc8
L3RpdGxlPjxzZWNvbmRhcnktdGl0bGU+U09VUFMgJmFwb3M7MDkgUHJvY2VlZGluZ3Mgb2YgdGhl
IDV0aCBTeW1wb3NpdW0gb24gVXNhYmxlIFByaXZhY3kgYW5kIFNlY3VyaXR5PC9zZWNvbmRhcnkt
dGl0bGU+PC90aXRsZXM+PHBhZ2VzPjM8L3BhZ2VzPjxkYXRlcz48eWVhcj4yMDA5PC95ZWFyPjwv
ZGF0ZXM+PHB1Yi1sb2NhdGlvbj5Nb3VudGFpbiBWaWV3LCBDQTwvcHViLWxvY2F0aW9uPjxwdWJs
aXNoZXI+QUNNPC9wdWJsaXNoZXI+PGlzYm4+MTYwNTU4NzM2MjwvaXNibj48dXJscz48L3VybHM+
PC9yZWNvcmQ+PC9DaXRlPjwvRW5kTm90ZT5=
ADDIN EN.CITE PEVuZE5vdGU+PENpdGU+PEF1dGhvcj5BbG5hamltPC9BdXRob3I+PFllYXI+MjAwOTwvWWVhcj48
UmVjTnVtPjQ0MDk8L1JlY051bT48UHJlZml4PnNlZSA8L1ByZWZpeD48RGlzcGxheVRleHQ+KHNl
ZSBBbG5hamltIGV0IGFsLiAyMDA5OyBLdW1hcmFndXJ1IGV0IGFsLiAyMDA5OyBLdW1hcmFndXJ1
IGV0IGFsLiAyMDA3OyBTYW50aGFuYW0gZXQgYWwuIDIwMDgpPC9EaXNwbGF5VGV4dD48cmVjb3Jk
PjxyZWMtbnVtYmVyPjQ0MDk8L3JlYy1udW1iZXI+PGZvcmVpZ24ta2V5cz48a2V5IGFwcD0iRU4i
IGRiLWlkPSJ4cjBzMHNwMHZycGU1emU1dGV0eHZ3d25wNXhkOWFhZXpzZDkiIHRpbWVzdGFtcD0i
MTM0NzkwOTA5NiI+NDQwOTwva2V5PjwvZm9yZWlnbi1rZXlzPjxyZWYtdHlwZSBuYW1lPSJDb25m
ZXJlbmNlIFByb2NlZWRpbmdzIj4xMDwvcmVmLXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9ycz48
YXV0aG9yPkFsbmFqaW0sIEEuPC9hdXRob3I+PGF1dGhvcj5NdW5ybywgTS48L2F1dGhvcj48L2F1
dGhvcnM+PC9jb250cmlidXRvcnM+PHRpdGxlcz48dGl0bGU+QW4gQW50aS1QaGlzaGluZyBBcHBy
b2FjaCB0aGF0IFVzZXMgVHJhaW5pbmcgSW50ZXJ2ZW50aW9uIGZvciBQaGlzaGluZyBXZWJzaXRl
cyBEZXRlY3Rpb248L3RpdGxlPjxzZWNvbmRhcnktdGl0bGU+SW5mb3JtYXRpb24gVGVjaG5vbG9n
eTogTmV3IEdlbmVyYXRpb25zLCAyMDA5LiBJVE5HICZhcG9zOzA5LiBTaXh0aCBJbnRlcm5hdGlv
bmFsIENvbmZlcmVuY2Ugb248L3NlY29uZGFyeS10aXRsZT48YWx0LXRpdGxlPkluZm9ybWF0aW9u
IFRlY2hub2xvZ3k6IE5ldyBHZW5lcmF0aW9ucywgMjAwOS4gSVRORyAmYXBvczswOS4gU2l4dGgg
SW50ZXJuYXRpb25hbCBDb25mZXJlbmNlIG9uPC9hbHQtdGl0bGU+PC90aXRsZXM+PHBhZ2VzPjQw
NS00MTA8L3BhZ2VzPjxrZXl3b3Jkcz48a2V5d29yZD5XZWIgc2l0ZXM8L2tleXdvcmQ+PGtleXdv
cmQ+ZWxlY3Ryb25pYyBjb21tZXJjZTwva2V5d29yZD48a2V5d29yZD5zZWN1cml0eSBvZiBkYXRh
PC9rZXl3b3JkPjxrZXl3b3JkPmFudGlwaGlzaGluZyBhcHByb2FjaDwva2V5d29yZD48a2V5d29y
ZD5lLWNvbW1lcmNlPC9rZXl3b3JkPjxrZXl3b3JkPm9ubGluZSBiYW5raW5nPC9rZXl3b3JkPjxr
ZXl3b3JkPnBoaXNoaW5nIFdlYnNpdGVzIGRldGVjdGlvbjwva2V5d29yZD48L2tleXdvcmRzPjxk
YXRlcz48eWVhcj4yMDA5PC95ZWFyPjxwdWItZGF0ZXM+PGRhdGU+MjctMjkgQXByaWwgMjAwOTwv
ZGF0ZT48L3B1Yi1kYXRlcz48L2RhdGVzPjx1cmxzPjwvdXJscz48ZWxlY3Ryb25pYy1yZXNvdXJj
ZS1udW0+MTAuMTEwOS9JVE5HLjIwMDkuMTA5PC9lbGVjdHJvbmljLXJlc291cmNlLW51bT48L3Jl
Y29yZD48L0NpdGU+PENpdGU+PEF1dGhvcj5LdW1hcmFndXJ1PC9BdXRob3I+PFllYXI+MjAwNzwv
WWVhcj48UmVjTnVtPjc2NzwvUmVjTnVtPjxyZWNvcmQ+PHJlYy1udW1iZXI+NzY3PC9yZWMtbnVt
YmVyPjxmb3JlaWduLWtleXM+PGtleSBhcHA9IkVOIiBkYi1pZD0ieHIwczBzcDB2cnBlNXplNXRl
dHh2d3ducDV4ZDlhYWV6c2Q5IiB0aW1lc3RhbXA9IjEyNzEwOTcxMDUiPjc2Nzwva2V5PjxrZXkg
YXBwPSJFTldlYiIgZGItaWQ9IlVCTExpUXJ0cWdnQUFEdlV2U2MiPjQ3Mzwva2V5PjwvZm9yZWln
bi1rZXlzPjxyZWYtdHlwZSBuYW1lPSJDb25mZXJlbmNlIFByb2NlZWRpbmdzIj4xMDwvcmVmLXR5
cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9ycz48YXV0aG9yPlAuIEt1bWFyYWd1cnU8L2F1dGhvcj48
YXV0aG9yPlkuIFJoZWU8L2F1dGhvcj48YXV0aG9yPkEuIEFjcXVpc3RpPC9hdXRob3I+PGF1dGhv
cj5MLiBDcmFub3I8L2F1dGhvcj48YXV0aG9yPkouIEhvbmc8L2F1dGhvcj48YXV0aG9yPkUuIE51
bmdlPC9hdXRob3I+PC9hdXRob3JzPjwvY29udHJpYnV0b3JzPjx0aXRsZXM+PHRpdGxlPlByb3Rl
Y3RpbmcgUGVvcGxlIGZyb20gUGhpc2hpbmc6IFRoZSBEZXNpZ24gYW5kIEV2YWxhdXRpb24gb2Yg
YW4gRW1iZWRkZWQgVHJhaW5pbmcgRW1haWwgU3lzdGVtczwvdGl0bGU+PHNlY29uZGFyeS10aXRs
ZT5Db21wdXRlciBIdW1hbiBJbnRlcmFjdGlvbiAoQ0hJKTwvc2Vjb25kYXJ5LXRpdGxlPjwvdGl0
bGVzPjxkYXRlcz48eWVhcj4yMDA3PC95ZWFyPjwvZGF0ZXM+PHB1Yi1sb2NhdGlvbj5TYW4gSm9z
ZSwgQ0E8L3B1Yi1sb2NhdGlvbj48cHVibGlzaGVyPkFDTSBQcmVzczwvcHVibGlzaGVyPjx1cmxz
PjwvdXJscz48L3JlY29yZD48L0NpdGU+PENpdGU+PEF1dGhvcj5TYW50aGFuYW08L0F1dGhvcj48
WWVhcj4yMDA4PC9ZZWFyPjxSZWNOdW0+NzQ0PC9SZWNOdW0+PHJlY29yZD48cmVjLW51bWJlcj43
NDQ8L3JlYy1udW1iZXI+PGZvcmVpZ24ta2V5cz48a2V5IGFwcD0iRU4iIGRiLWlkPSJ4cjBzMHNw
MHZycGU1emU1dGV0eHZ3d25wNXhkOWFhZXpzZDkiIHRpbWVzdGFtcD0iMTI3MTA5NzA5MiI+NzQ0
PC9rZXk+PGtleSBhcHA9IkVOV2ViIiBkYi1pZD0iVUJMTGlRcnRxZ2dBQUR2VXZTYyI+NDUzPC9r
ZXk+PC9mb3JlaWduLWtleXM+PHJlZi10eXBlIG5hbWU9IkpvdXJuYWwgQXJ0aWNsZSI+MTc8L3Jl
Zi10eXBlPjxjb250cmlidXRvcnM+PGF1dGhvcnM+PGF1dGhvcj5SYWRoaWthIFNhbnRoYW5hbTwv
YXV0aG9yPjxhdXRob3I+U2hhcmF0aCBTYXNpZGhhcmFuPC9hdXRob3I+PGF1dGhvcj5KYW5lIFdl
YnN0ZXI8L2F1dGhvcj48L2F1dGhvcnM+PC9jb250cmlidXRvcnM+PHRpdGxlcz48dGl0bGU+VXNp
bmcgc2VsZi1yZWd1bGF0b3J5IGxlYXJuaW5nIHRvIGVuaGFuY2UgZS1sZWFybmluZy1iYXNlZCBp
bmZvcm1hdGlvbiB0ZWNobm9sb2d5IHRyYWluaW5nPC90aXRsZT48c2Vjb25kYXJ5LXRpdGxlPklu
Zm9ybWF0aW9uIFN5c3RlbXMgUmVzZWFyY2g8L3NlY29uZGFyeS10aXRsZT48L3RpdGxlcz48cGVy
aW9kaWNhbD48ZnVsbC10aXRsZT5JbmZvcm1hdGlvbiBTeXN0ZW1zIFJlc2VhcmNoPC9mdWxsLXRp
dGxlPjwvcGVyaW9kaWNhbD48cGFnZXM+MjYtNDc8L3BhZ2VzPjx2b2x1bWU+MTk8L3ZvbHVtZT48
bnVtYmVyPjE8L251bWJlcj48ZGF0ZXM+PHllYXI+MjAwODwveWVhcj48L2RhdGVzPjx1cmxzPjwv
dXJscz48L3JlY29yZD48L0NpdGU+PENpdGU+PEF1dGhvcj5LdW1hcmFndXJ1PC9BdXRob3I+PFll
YXI+MjAwOTwvWWVhcj48UmVjTnVtPjQ3MTQ8L1JlY051bT48cmVjb3JkPjxyZWMtbnVtYmVyPjQ3
MTQ8L3JlYy1udW1iZXI+PGZvcmVpZ24ta2V5cz48a2V5IGFwcD0iRU4iIGRiLWlkPSJ4cjBzMHNw
MHZycGU1emU1dGV0eHZ3d25wNXhkOWFhZXpzZDkiIHRpbWVzdGFtcD0iMTM5ODE4NDk0OSI+NDcx
NDwva2V5PjwvZm9yZWlnbi1rZXlzPjxyZWYtdHlwZSBuYW1lPSJDb25mZXJlbmNlIFByb2NlZWRp
bmdzIj4xMDwvcmVmLXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9ycz48YXV0aG9yPkt1bWFyYWd1
cnUsIFAuPC9hdXRob3I+PGF1dGhvcj5DcmFuc2hhdywgSi48L2F1dGhvcj48YXV0aG9yPkFjcXVp
c3RpLCBBLjwvYXV0aG9yPjxhdXRob3I+Q3Jhbm9yLCBMLjwvYXV0aG9yPjxhdXRob3I+SG9uZywg
Si48L2F1dGhvcj48YXV0aG9yPkJsYWlyLCBNLkEuPC9hdXRob3I+PGF1dGhvcj5QaGFtLCBULjwv
YXV0aG9yPjwvYXV0aG9ycz48L2NvbnRyaWJ1dG9ycz48dGl0bGVzPjx0aXRsZT5TY2hvb2wgb2Yg
cGhpc2g6IEEgcmVhbC13b3JsZCBldmFsdWF0aW9uIG9mIGFudGktcGhpc2hpbmcgdHJhaW5pbmc8
L3RpdGxlPjxzZWNvbmRhcnktdGl0bGU+U09VUFMgJmFwb3M7MDkgUHJvY2VlZGluZ3Mgb2YgdGhl
IDV0aCBTeW1wb3NpdW0gb24gVXNhYmxlIFByaXZhY3kgYW5kIFNlY3VyaXR5PC9zZWNvbmRhcnkt
dGl0bGU+PC90aXRsZXM+PHBhZ2VzPjM8L3BhZ2VzPjxkYXRlcz48eWVhcj4yMDA5PC95ZWFyPjwv
ZGF0ZXM+PHB1Yi1sb2NhdGlvbj5Nb3VudGFpbiBWaWV3LCBDQTwvcHViLWxvY2F0aW9uPjxwdWJs
aXNoZXI+QUNNPC9wdWJsaXNoZXI+PGlzYm4+MTYwNTU4NzM2MjwvaXNibj48dXJscz48L3VybHM+
PC9yZWNvcmQ+PC9DaXRlPjwvRW5kTm90ZT5=
ADDIN EN.CITE.DATA (see Alnajim et al. 2009; Kumaraguru et al. 2009; Kumaraguru et al. 2007; Santhanam et al. 2008), and the survey-only condition induced awareness of phishing in the participants. Yet, participants who completed training based on mindfulness were less likely to respond to a phishing attack than participants in the other conditions. This finding suggests that, as we hypothesized, the abstract mindfulness approach altered how participants responded to incoming email and improved the quality of attention. Thus, not only can mindfulness be taught, but it can be taught via computer-based training. This finding opens the door to additional research that examines how to increase mindfulness through computer-based training (e.g., clinical psychological interventions).Our findings illuminate a paradox for phishing training research that while trainees felt equipped to protect themselves; in fact, their behavior suggested that they were not. We note that participants in the survey-only and concrete training conditions believed that they were well-equipped to counter phishing attacks. They reported that they knew what a phishing message looked like (M = 3.55; SD = 1.30) and were confident in their ability to detect them (M = 3.54; SD = 1.28). Had participants followed the guidance provided in the concrete training (e.g., Never click on a link or open an attachment in an email from an unknown sender; Be suspicious of a website that asks for private information), they would have avoided both the customized and generic phishing attacks. Nevertheless, many participants in the concrete training condition responded to the phishing attack. These findings highlight a distinct danger facing anti-phishing efforts: individuals may think they know how to respond to a phishing message, but not all of them do and whole organizations could be imperiled as a result. Participants in the abstract condition also reported a high level of expertise (M = 3.52; SD = 1.31) and confidence (M = 3.47; SD = 1.29) in identifying phishing messages. Yet in contrast to the results from the concrete and survey-only training conditions, participants in the abstract training condition showed lower susceptibility to phishing attacks. This finding suggests that the abstract approach may provide the additional benefit of reaching email users who already think they are capable of identifying phishing messages, but may not be.Our work offers a theoretical framework upon which future researchers can build to elevate mindfulness in order to combat phishing or other information security threats. As we hypothesized, mindfulness can be increased in others by encouraging them to 1. pause; 2. observe the environment (perhaps with the direction of questions intended to promote deeper consideration of the environment); 3. focus on actions being requested; 4. forestall judgment if suspicion is raised and take action to verify the suspicion. These actions, when applied to the phishing context, elevated the participants’ quality of attention and reduced the response rate to the phishing attack. This framework for elevating mindfulness may also be effective in reducing the risk of other forms of social engineering that defy a completely automated solution and may improve adherence to seemingly prosaic company security policies. Additionally, training programs that suffer from similar difficulties as concrete phishing training (i.e. participants thinking their expertise is high, when, in fact, it is not) may benefit from an abstract mindfulness approach. If the ultimate goal of training is to shape habitual behavior PEVuZE5vdGU+PENpdGU+PEF1dGhvcj5Db21wZWF1PC9BdXRob3I+PFllYXI+MTk5NTwvWWVhcj48
UmVjTnVtPjY4NzwvUmVjTnVtPjxQcmVmaXg+ZS5nLmAsIDwvUHJlZml4PjxEaXNwbGF5VGV4dD4o
ZS5nLiwgQ29tcGVhdSBldCBhbC4gMTk5NWE7IFNpbW9uIGV0IGFsLiAxOTk2OyBUYXlsb3IgZXQg
YWwuIDIwMDUpPC9EaXNwbGF5VGV4dD48cmVjb3JkPjxyZWMtbnVtYmVyPjY4NzwvcmVjLW51bWJl
cj48Zm9yZWlnbi1rZXlzPjxrZXkgYXBwPSJFTiIgZGItaWQ9InhyMHMwc3AwdnJwZTV6ZTV0ZXR4
dnd3bnA1eGQ5YWFlenNkOSIgdGltZXN0YW1wPSIxMjcxMDk3MDkyIj42ODc8L2tleT48a2V5IGFw
cD0iRU5XZWIiIGRiLWlkPSJVQkxMaVFydHFnZ0FBRHZVdlNjIj40MDc8L2tleT48L2ZvcmVpZ24t
a2V5cz48cmVmLXR5cGUgbmFtZT0iSm91cm5hbCBBcnRpY2xlIj4xNzwvcmVmLXR5cGU+PGNvbnRy
aWJ1dG9ycz48YXV0aG9ycz48YXV0aG9yPkNvbXBlYXUsIEQuIFIuPC9hdXRob3I+PGF1dGhvcj5I
aWdnaW5zLCBDLiBBLjwvYXV0aG9yPjwvYXV0aG9ycz48L2NvbnRyaWJ1dG9ycz48dGl0bGVzPjx0
aXRsZT5BcHBsaWNhdGlvbiBvZiBzb2NpYWwgY29nbml0aXZlIHRoZW9yeSB0byB0cmFpbmluZyBm
b3IgY29tcHV0ZXIgc2tpbGxzPC90aXRsZT48c2Vjb25kYXJ5LXRpdGxlPkluZm9ybWF0aW9uIFN5
c3RlbXMgUmVzZWFyY2g8L3NlY29uZGFyeS10aXRsZT48L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVs
bC10aXRsZT5JbmZvcm1hdGlvbiBTeXN0ZW1zIFJlc2VhcmNoPC9mdWxsLXRpdGxlPjwvcGVyaW9k
aWNhbD48cGFnZXM+MTE4LTE0MzwvcGFnZXM+PHZvbHVtZT42PC92b2x1bWU+PG51bWJlcj4yPC9u
dW1iZXI+PGRhdGVzPjx5ZWFyPjE5OTU8L3llYXI+PC9kYXRlcz48dXJscz48L3VybHM+PC9yZWNv
cmQ+PC9DaXRlPjxDaXRlPjxBdXRob3I+VGF5bG9yPC9BdXRob3I+PFllYXI+MjAwNTwvWWVhcj48
UmVjTnVtPjQ0MDQ8L1JlY051bT48cmVjb3JkPjxyZWMtbnVtYmVyPjQ0MDQ8L3JlYy1udW1iZXI+
PGZvcmVpZ24ta2V5cz48a2V5IGFwcD0iRU4iIGRiLWlkPSJ4cjBzMHNwMHZycGU1emU1dGV0eHZ3
d25wNXhkOWFhZXpzZDkiIHRpbWVzdGFtcD0iMTM0NzkwNDU5NyI+NDQwNDwva2V5PjwvZm9yZWln
bi1rZXlzPjxyZWYtdHlwZSBuYW1lPSJKb3VybmFsIEFydGljbGUiPjE3PC9yZWYtdHlwZT48Y29u
dHJpYnV0b3JzPjxhdXRob3JzPjxhdXRob3I+UGF1bCBKLiBUYXlsb3I8L2F1dGhvcj48YXV0aG9y
PkRhcmxlbmUgRi4gUnVzcy1FZnQ8L2F1dGhvcj48YXV0aG9yPkRhbmllbCBXLiBMLiBDaGFuPC9h
dXRob3I+PC9hdXRob3JzPjwvY29udHJpYnV0b3JzPjx0aXRsZXM+PHRpdGxlPkEgTWV0YS1BbmFs
eXRpYyBSZXZpZXcgb2YgQmVoYXZpb3IgTW9kZWxpbmcgVHJhaW5pbmc8L3RpdGxlPjxzZWNvbmRh
cnktdGl0bGU+Sm91cm5hbCBvZiBBcHBsaWVkIFBzeWNob2xvZ3k8L3NlY29uZGFyeS10aXRsZT48
L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVsbC10aXRsZT5Kb3VybmFsIG9mIEFwcGxpZWQgUHN5Y2hv
bG9neTwvZnVsbC10aXRsZT48L3BlcmlvZGljYWw+PHBhZ2VzPjY5Mi03MDk8L3BhZ2VzPjx2b2x1
bWU+OTA8L3ZvbHVtZT48bnVtYmVyPjQ8L251bWJlcj48ZGF0ZXM+PHllYXI+MjAwNTwveWVhcj48
L2RhdGVzPjx1cmxzPjwvdXJscz48L3JlY29yZD48L0NpdGU+PENpdGU+PEF1dGhvcj5TaW1vbjwv
QXV0aG9yPjxZZWFyPjE5OTY8L1llYXI+PFJlY051bT40Njk0PC9SZWNOdW0+PHJlY29yZD48cmVj
LW51bWJlcj40Njk0PC9yZWMtbnVtYmVyPjxmb3JlaWduLWtleXM+PGtleSBhcHA9IkVOIiBkYi1p
ZD0ieHIwczBzcDB2cnBlNXplNXRldHh2d3ducDV4ZDlhYWV6c2Q5IiB0aW1lc3RhbXA9IjEzOTgx
ODQ5NDciPjQ2OTQ8L2tleT48L2ZvcmVpZ24ta2V5cz48cmVmLXR5cGUgbmFtZT0iSm91cm5hbCBB
cnRpY2xlIj4xNzwvcmVmLXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9ycz48YXV0aG9yPlNpbW9u
LCBTLiBKLjwvYXV0aG9yPjxhdXRob3I+R3JvdmVyLCBWLjwvYXV0aG9yPjxhdXRob3I+VGVuZywg
Si4gPC9hdXRob3I+PGF1dGhvcj5XaGl0Y29tYiwgSy48L2F1dGhvcj48L2F1dGhvcnM+PC9jb250
cmlidXRvcnM+PHRpdGxlcz48dGl0bGU+VGhlIHJlbGF0aW9uc2hpcCBvZiBpbmZvcm1hdGlvbiBz
eXN0ZW0gdHJhaW5pbmcgbWV0aG9kcyBhbmQgY29nbml0aXZlIGFiaWxpdHkgdG8gZW5kLXVzZXIg
c2F0aXNmYWN0aW9uLCBjb21wcmVoZW5zaW9uLCBhbmQgc2tpbGwgdHJhbnNmZXI6IEEgbG9uZ2l0
dWRpbmFsIGZpZWxkIHN0dWR5PC90aXRsZT48c2Vjb25kYXJ5LXRpdGxlPkluZm9ybWF0aW9uIFN5
c3RlbXMgUmVzZWFyY2g8L3NlY29uZGFyeS10aXRsZT48L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVs
bC10aXRsZT5JbmZvcm1hdGlvbiBTeXN0ZW1zIFJlc2VhcmNoPC9mdWxsLXRpdGxlPjwvcGVyaW9k
aWNhbD48cGFnZXM+NDY2LTQ5MDwvcGFnZXM+PHZvbHVtZT43PC92b2x1bWU+PG51bWJlcj40PC9u
dW1iZXI+PGRhdGVzPjx5ZWFyPjE5OTY8L3llYXI+PC9kYXRlcz48aXNibj4xMDQ3LTcwNDc8L2lz
Ym4+PHVybHM+PC91cmxzPjwvcmVjb3JkPjwvQ2l0ZT48L0VuZE5vdGU+AG==
ADDIN EN.CITE PEVuZE5vdGU+PENpdGU+PEF1dGhvcj5Db21wZWF1PC9BdXRob3I+PFllYXI+MTk5NTwvWWVhcj48
UmVjTnVtPjY4NzwvUmVjTnVtPjxQcmVmaXg+ZS5nLmAsIDwvUHJlZml4PjxEaXNwbGF5VGV4dD4o
ZS5nLiwgQ29tcGVhdSBldCBhbC4gMTk5NWE7IFNpbW9uIGV0IGFsLiAxOTk2OyBUYXlsb3IgZXQg
YWwuIDIwMDUpPC9EaXNwbGF5VGV4dD48cmVjb3JkPjxyZWMtbnVtYmVyPjY4NzwvcmVjLW51bWJl
cj48Zm9yZWlnbi1rZXlzPjxrZXkgYXBwPSJFTiIgZGItaWQ9InhyMHMwc3AwdnJwZTV6ZTV0ZXR4
dnd3bnA1eGQ5YWFlenNkOSIgdGltZXN0YW1wPSIxMjcxMDk3MDkyIj42ODc8L2tleT48a2V5IGFw
cD0iRU5XZWIiIGRiLWlkPSJVQkxMaVFydHFnZ0FBRHZVdlNjIj40MDc8L2tleT48L2ZvcmVpZ24t
a2V5cz48cmVmLXR5cGUgbmFtZT0iSm91cm5hbCBBcnRpY2xlIj4xNzwvcmVmLXR5cGU+PGNvbnRy
aWJ1dG9ycz48YXV0aG9ycz48YXV0aG9yPkNvbXBlYXUsIEQuIFIuPC9hdXRob3I+PGF1dGhvcj5I
aWdnaW5zLCBDLiBBLjwvYXV0aG9yPjwvYXV0aG9ycz48L2NvbnRyaWJ1dG9ycz48dGl0bGVzPjx0
aXRsZT5BcHBsaWNhdGlvbiBvZiBzb2NpYWwgY29nbml0aXZlIHRoZW9yeSB0byB0cmFpbmluZyBm
b3IgY29tcHV0ZXIgc2tpbGxzPC90aXRsZT48c2Vjb25kYXJ5LXRpdGxlPkluZm9ybWF0aW9uIFN5
c3RlbXMgUmVzZWFyY2g8L3NlY29uZGFyeS10aXRsZT48L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVs
bC10aXRsZT5JbmZvcm1hdGlvbiBTeXN0ZW1zIFJlc2VhcmNoPC9mdWxsLXRpdGxlPjwvcGVyaW9k
aWNhbD48cGFnZXM+MTE4LTE0MzwvcGFnZXM+PHZvbHVtZT42PC92b2x1bWU+PG51bWJlcj4yPC9u
dW1iZXI+PGRhdGVzPjx5ZWFyPjE5OTU8L3llYXI+PC9kYXRlcz48dXJscz48L3VybHM+PC9yZWNv
cmQ+PC9DaXRlPjxDaXRlPjxBdXRob3I+VGF5bG9yPC9BdXRob3I+PFllYXI+MjAwNTwvWWVhcj48
UmVjTnVtPjQ0MDQ8L1JlY051bT48cmVjb3JkPjxyZWMtbnVtYmVyPjQ0MDQ8L3JlYy1udW1iZXI+
PGZvcmVpZ24ta2V5cz48a2V5IGFwcD0iRU4iIGRiLWlkPSJ4cjBzMHNwMHZycGU1emU1dGV0eHZ3
d25wNXhkOWFhZXpzZDkiIHRpbWVzdGFtcD0iMTM0NzkwNDU5NyI+NDQwNDwva2V5PjwvZm9yZWln
bi1rZXlzPjxyZWYtdHlwZSBuYW1lPSJKb3VybmFsIEFydGljbGUiPjE3PC9yZWYtdHlwZT48Y29u
dHJpYnV0b3JzPjxhdXRob3JzPjxhdXRob3I+UGF1bCBKLiBUYXlsb3I8L2F1dGhvcj48YXV0aG9y
PkRhcmxlbmUgRi4gUnVzcy1FZnQ8L2F1dGhvcj48YXV0aG9yPkRhbmllbCBXLiBMLiBDaGFuPC9h
dXRob3I+PC9hdXRob3JzPjwvY29udHJpYnV0b3JzPjx0aXRsZXM+PHRpdGxlPkEgTWV0YS1BbmFs
eXRpYyBSZXZpZXcgb2YgQmVoYXZpb3IgTW9kZWxpbmcgVHJhaW5pbmc8L3RpdGxlPjxzZWNvbmRh
cnktdGl0bGU+Sm91cm5hbCBvZiBBcHBsaWVkIFBzeWNob2xvZ3k8L3NlY29uZGFyeS10aXRsZT48
L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVsbC10aXRsZT5Kb3VybmFsIG9mIEFwcGxpZWQgUHN5Y2hv
bG9neTwvZnVsbC10aXRsZT48L3BlcmlvZGljYWw+PHBhZ2VzPjY5Mi03MDk8L3BhZ2VzPjx2b2x1
bWU+OTA8L3ZvbHVtZT48bnVtYmVyPjQ8L251bWJlcj48ZGF0ZXM+PHllYXI+MjAwNTwveWVhcj48
L2RhdGVzPjx1cmxzPjwvdXJscz48L3JlY29yZD48L0NpdGU+PENpdGU+PEF1dGhvcj5TaW1vbjwv
QXV0aG9yPjxZZWFyPjE5OTY8L1llYXI+PFJlY051bT40Njk0PC9SZWNOdW0+PHJlY29yZD48cmVj
LW51bWJlcj40Njk0PC9yZWMtbnVtYmVyPjxmb3JlaWduLWtleXM+PGtleSBhcHA9IkVOIiBkYi1p
ZD0ieHIwczBzcDB2cnBlNXplNXRldHh2d3ducDV4ZDlhYWV6c2Q5IiB0aW1lc3RhbXA9IjEzOTgx
ODQ5NDciPjQ2OTQ8L2tleT48L2ZvcmVpZ24ta2V5cz48cmVmLXR5cGUgbmFtZT0iSm91cm5hbCBB
cnRpY2xlIj4xNzwvcmVmLXR5cGU+PGNvbnRyaWJ1dG9ycz48YXV0aG9ycz48YXV0aG9yPlNpbW9u
LCBTLiBKLjwvYXV0aG9yPjxhdXRob3I+R3JvdmVyLCBWLjwvYXV0aG9yPjxhdXRob3I+VGVuZywg
Si4gPC9hdXRob3I+PGF1dGhvcj5XaGl0Y29tYiwgSy48L2F1dGhvcj48L2F1dGhvcnM+PC9jb250
cmlidXRvcnM+PHRpdGxlcz48dGl0bGU+VGhlIHJlbGF0aW9uc2hpcCBvZiBpbmZvcm1hdGlvbiBz
eXN0ZW0gdHJhaW5pbmcgbWV0aG9kcyBhbmQgY29nbml0aXZlIGFiaWxpdHkgdG8gZW5kLXVzZXIg
c2F0aXNmYWN0aW9uLCBjb21wcmVoZW5zaW9uLCBhbmQgc2tpbGwgdHJhbnNmZXI6IEEgbG9uZ2l0
dWRpbmFsIGZpZWxkIHN0dWR5PC90aXRsZT48c2Vjb25kYXJ5LXRpdGxlPkluZm9ybWF0aW9uIFN5
c3RlbXMgUmVzZWFyY2g8L3NlY29uZGFyeS10aXRsZT48L3RpdGxlcz48cGVyaW9kaWNhbD48ZnVs
bC10aXRsZT5JbmZvcm1hdGlvbiBTeXN0ZW1zIFJlc2VhcmNoPC9mdWxsLXRpdGxlPjwvcGVyaW9k
aWNhbD48cGFnZXM+NDY2LTQ5MDwvcGFnZXM+PHZvbHVtZT43PC92b2x1bWU+PG51bWJlcj40PC9u
dW1iZXI+PGRhdGVzPjx5ZWFyPjE5OTY8L3llYXI+PC9kYXRlcz48aXNibj4xMDQ3LTcwNDc8L2lz
Ym4+PHVybHM+PC91cmxzPjwvcmVjb3JkPjwvQ2l0ZT48L0VuZE5vdGU+AG==
ADDIN EN.CITE.DATA (e.g., Compeau et al. 1995a; Simon et al. 1996; Taylor et al. 2005), an abstract mindfulness approach to training provides a new area that merits additional attention. Our findings suggest that content, not format, contributes to anti-phishing training’s effectiveness. In addition to comparing two training paradigms, we evaluated whether their effectiveness varied with training format. The content for each training approach (concrete and abstract) was presented in two different formats: text-only and graphics-based. Building on concepts drawn from social learning theory ADDIN EN.CITE <EndNote><Cite><Author>Mayer</Author><Year>2001</Year><RecNum>4710</RecNum><DisplayText>(Mayer 2001)</DisplayText><record><rec-number>4710</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184949">4710</key></foreign-keys><ref-type name="Book">6</ref-type><contributors><authors><author>Mayer, R. E.</author></authors></contributors><titles><title>Multimedia Learning</title></titles><dates><year>2001</year></dates><pub-location>Cambridge</pub-location><publisher>Cambridge University Press</publisher><urls></urls></record></Cite></EndNote>(Mayer 2001) and cognitive fit ADDIN EN.CITE <EndNote><Cite><Author>Speier</Author><Year>2006</Year><RecNum>4397</RecNum><DisplayText>(Speier 2006)</DisplayText><record><rec-number>4397</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1347469291">4397</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Speier, Cheri</author></authors></contributors><titles><title>The influence of information presentation formats on complex task decision-making performance</title><secondary-title>International Journal of Human-Computer Studies</secondary-title></titles><periodical><full-title>International Journal of Human-Computer Studies</full-title></periodical><pages>1115-1131</pages><volume>64</volume><number>11</number><keywords><keyword>Complex task</keyword><keyword>Decision-making</keyword><keyword>Information presentation</keyword></keywords><dates><year>2006</year><pub-dates><date>11//</date></pub-dates></dates><isbn>1071-5819</isbn><urls><related-urls><url>;(Speier 2006), we hypothesized that a graphics-based training format would be more memorable and more effective in teaching users how to recognize and respond to phishing. We found that training via a text-only or graphics-based format were equally effective. Our finding is inconsistent with existing phishing research ADDIN EN.CITE <EndNote><Cite><Author>Kumaraguru</Author><Year>2010</Year><RecNum>7497</RecNum><Prefix>e.g`, </Prefix><DisplayText>(e.g, Kumaraguru et al. 2010; Srikwan et al. 2008)</DisplayText><record><rec-number>7497</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1329863914">7497</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Kumaraguru, P.</author><author>Sheng, S.</author><author>Acquisti, A.</author><author>Cranor, L.F.</author><author>Hong, J.</author></authors></contributors><titles><title>Teaching johnny not to fall for phish</title><secondary-title>ACM Transactions on Internet Technology (TOIT)</secondary-title></titles><periodical><full-title>ACM Transactions on Internet Technology (TOIT)</full-title></periodical><pages>7</pages><volume>10</volume><number>2</number><dates><year>2010</year></dates><isbn>1533-5399</isbn><urls></urls></record></Cite><Cite><Author>Srikwan</Author><Year>2008</Year><RecNum>4711</RecNum><record><rec-number>4711</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184949">4711</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Srikwan, S.</author><author>Jakobsson, M.</author></authors></contributors><titles><title>Using cartoons to teach internet security</title><secondary-title>Cryptologia</secondary-title></titles><periodical><full-title>Cryptologia</full-title></periodical><pages>137-154</pages><volume>32</volume><number>2</number><dates><year>2008</year></dates><isbn>0161-1194</isbn><urls></urls></record></Cite></EndNote>(e.g, Kumaraguru et al. 2010; Srikwan et al. 2008) which showed better resistance to phishing attacks when training was presented graphically. Our findings imply that cognitive fit is roughly equivalent and the content was equally memorable between the text-only and graphics-based formats. Additionally, our finding implies that other facets of training (e.g., whether the training is based on a concrete or abstract approach) are much more important to training success than presentation format. Finally, our findings illuminate the nomological network that shapes responses to phishing. Our analysis of covariates suggests that a population can segmented to identify those individuals who are most likely to respond to a phishing attack. Not surprisingly, participants who were low in trait mindfulness were highly susceptible to the phishing attack. Next, status at the university significantly influenced the probability that an individual would respond to a phishing message. These findings are consistent with past research which indicated age or education assists individuals in appropriately responding to phishing ADDIN EN.CITE <EndNote><Cite><Author>Hong</Author><Year>2012</Year><RecNum>7535</RecNum><DisplayText>(Hong 2012)</DisplayText><record><rec-number>7535</rec-number><foreign-keys><key app="EN" db-id="a9f2v2s03sv0soe5e52xwr9oas05vs059t2d" timestamp="1343426670">7535</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Hong, J.</author></authors></contributors><titles><title>The state of phishing attacks</title><secondary-title>Communications of the ACM</secondary-title></titles><periodical><full-title>Communications of the ACM</full-title></periodical><pages>74-81</pages><volume>55</volume><number>1</number><dates><year>2012</year></dates><isbn>0001-0782</isbn><urls></urls></record></Cite></EndNote>(Hong 2012). Finally and also not surprisingly, individuals who perceived a low level of risk from performing tasks on the Internet were more likely to fall for phishing attacks. Fortunately, our findings also suggest that training using an abstract approach dramatically reduces the susceptibility of these vulnerable groups. For example, as shown in Table 11, for untrained students who exhibit low trait mindfulness, training can reduce the probability of responding to a phishing attack by 29.4 percent. Implications for PracticeOur results have several implications for practice. First, this study reinforces the importance of training users on how to respond to suspected phishing attacks. Email users’ ability to identify and avoid phishing attacks is an important, and perhaps critical, line of defense against phishing. However, while our results suggest that abstract mindfulness training may result in fewer security breaches, managers should be realistic with their expectations about phishing training. Even a mindfulness approach to training, as our results demonstrate, does not drive phishing response rates down to zero. Therefore, training is best positioned as part of a layered set of defenses that includes both technology-based (e.g., phishing site removals, automated warnings, filtering, and so on) and training components.Second, results show that the theoretical approach that underpins a training program is crucial. The more effective training approach encouraged an active, mindful consideration of email messages. Further, individuals will not all benefit to the same degree from training using the abstract approach. Individuals who are young and inexperienced, low in trait mindfulness, low in perceptions of Internet risk will benefit disproportionally from the training while those who are older and more experienced, high in trait mindfulness, and high in perceptions of Internet risk will not derive as much benefit. Therefore, when allocating training resources, those charged with managing organizational security should consider not only the approach to training, but also the demographics of their employee population, when seeking to maximize the overall security of the organization. Third, in this experiment, we delivered the training through relatively brief, online training sessions. Therefore, managers could potentially create and distribute anti-phishing training electronically to a large number of users. Our results imply that the presentation of the training need not be complex or costly. Results show that training consisting of only text was just as effective as training shown via a graphics-based presentation method. Additionally, given that the content for abstract mindfulness training is relatively simple, it could easily be adapted for other presentation methods, such as in a classroom or via video. What is important, as security specialists develop training programs, is that they direct attention to sets of behaviors that place organizations at risk (e.g., poor information processing practices), rather than complicated, ever changing, sets of cues that indicate an e-mail is from a phisher.Fourth, the mindfulness approach we have applied offers significant benefits to users of anti-phishing training. We offer detailed explanations and illustration of our training materials in Appendix B and invite researchers and practitioners to use, modify, and expand these training materials to improve phishing mitigation efforts. Limitations and Future ResearchThere are several limitations of this research, which provide opportunities for future research. First, the analysis is underpowered due to the high number of covariates included in the analysis and the small number of people who completed the training and responded to the phishing message. When tested without covariates, the significant findings did not change (see Appendix D); however, readers should interpret the non-significant findings with caution. Additionally, we acknowledge that our sample is vulnerable to selection bias because participants were recruited through email. While demonstrating effectiveness of training for individuals who respond to email solicitations is a valuable improvement, the participants may not reflect the practices of the general population. Hence, as is common for research on training, our study needs replication in diverse contexts. Second, future research should investigate other training formats that may further increase the effectiveness of abstract training. We were able to successfully train users to be more mindful in how they deal with email through a simple, online format. Future work should consider how an interactive training format, such as an in-person training session, interactive software or creating teachable moments ADDIN EN.CITE <EndNote><Cite><Author>Cranor</Author><Year>2008</Year><RecNum>4693</RecNum><Prefix>see </Prefix><DisplayText>(see Cranor 2008)</DisplayText><record><rec-number>4693</rec-number><foreign-keys><key app="EN" db-id="xr0s0sp0vrpe5ze5tetxvwwnp5xd9aaezsd9" timestamp="1398184947">4693</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Cranor, L. F.</author></authors></contributors><titles><title>Can Phishing Be Foiled?</title><secondary-title>Scientific American</secondary-title></titles><periodical><full-title>Scientific American</full-title></periodical><pages>104-110</pages><volume>299</volume><number>6</number><keywords><keyword>COMPUTER security -- Research</keyword><keyword>PHISHING</keyword><keyword>COMPUTER security software</keyword><keyword>WEBSITES -- Security measures</keyword><keyword>CARNEGIE-Mellon University -- Faculty</keyword><keyword>CRANOR, Lorrie Faith</keyword></keywords><dates><year>2008</year></dates><publisher>Scientific American</publisher><isbn>00368733</isbn><accession-num>35158775</accession-num><urls><related-urls><url>;(see Cranor 2008), might enhance user learning. Additionally, future research may investigate how a concrete approach might be integrated with an abstract approach. In certain training contexts (e.g., financial services), training may be required to explicitly cover certain topics in a situation-specific manner. Therefore, some merging of a concrete approach and mindfulness approach may be necessary. Understanding how a concrete approach can work in tandem with an abstract approach may yield further training gains.Finally, an abstract mindfulness approach to training may be helpful in many other contexts aside from phishing. Since mindfulness encourages active awareness of context and surroundings, mindfulness training could easily be adapted to encourage appropriate behavior in other security settings. Furthermore, mindfulness training could be used to encourage better decision making in a variety of settings, such as employee behavior in social media. Employees could be trained to stop, and think about whether their behavior in a ‘public’ setting, like Twitter, Facebook or even company forums, could be construed as inappropriate. With this paper we have laid out the approach we have taken and hope that this approach may be useful to other researchers who wish to explore contexts other than phishing. ConclusionDue to the limitations of technical anti-phishing techniques, this study introduced an abstract mindfulness anti-phishing training approach as an additional layer of defense against phishing attacks. Through a rigorous field test that compared the effectiveness of abstract and concrete approaches, we found that when individuals were taught to stop, think, and check the legitimacy of an email, they were far less likely to disclose private information than when exposed to concrete training. It is our hope that by improving the approach and contents of training, phishing will become less of a threat to the security of individuals and organizations. References ADDIN EN.REFLIST Akaike, H. 1973. "Information theory and an extension of the maximum likelihood principle," in Proceedings of the Second International Symposium on Information Theory, B. N. Petrov and F. Csaki (eds.), Akademiai Kiado: Budapest, pp. 267–281.Almomani, A., Gupta, B., Atawneh, S., Meulenberg, A., and Almomani, E. 2013. "A Survey of Phishing Email Filtering Techniques," IEEE Communications Surveys & Tutorials (15:4), pp 2070-2090.Alnajim, A., and Munro, M. Year. "An Anti-Phishing Approach that Uses Training Intervention for Phishing Websites Detection," Information Technology: New Generations, 2009. ITNG '09. Sixth International Conference on2009, pp. 405-410.Baer, R. A. 2003. "Mindfulness Training as a Clinical Intervention: A Conceptual and Empirical Review," Clinical Psychology: Science and Practice (10:2), pp 125-143.Baer, R. A., Smith, G. T., and Allen, K. B. 2004. "Assessment of mindfulness by self-report: The Kentucky Inventory of Mindfulness Skills," Assessment (11:3), pp 191-206.Bandura, A. 1986. Social Foundations of Thought and Action, (Prentice Hall: Englewood Cliffs, NJ.Bjorhus, J. 2014. "Target breach started as an e-mail phishing expedition.," StarTribune.Bolt, M. A., Killough, L. N., and Koh, H. C. 2001. "Testing the interaction effects of task complexity in computer training using the social cognitive model," Decision Sciences (32:1), pp 1-20.Bostrom, R. P., Olfman, L., and Sein, M. K. 1990. "The importance of learning style in end-user training," MIS Quarterly (14:1).Brown, K. W., Ryan, R. M., and Creswell, J. D. 2007. "Mindfulness: Theoretical foundations and evidence for its salutary effects," Psychological Inquiry (18:4), pp 211-237.Cisco Systems 2011. "Email attacks: This time it's personal," : San Jose, peau, D. R., and Higgins, C. A. 1995a. "Application of social cognitive theory to training for computer skills," Information Systems Research (6:2), pp 118-peau, D. R., and Higgins, C. A. 1995b. "Computer self-efficacy: Development of a measure and initial test," MIS Quarterly (19:2), pp 189-211.Cranor, L. F. 2008. "Can Phishing Be Foiled?," Scientific American (299:6), pp 104-110.Dave, P. 2013. "Email 'phishing' attacks by hackers growing in number, intensity.," LA Times.Dennis, A. R., and Carte, T. A. 1998. "Using Geographical Information Systems for Decision Making: Extending Cognitive Fit Theory to Map-Based Presentations," Information Systems Research (9:2), pp 194-203.Dhamija, R., Tygar, J. D., and Hearst, M. Year. "Why phishing works," Proceedings of the SIGCHI Conference on Human Factors in Computing Systems ACM, Montreal, Quebec, 2006, pp. 581-590.Federal Bureau of Investigation 2009. "Spear phishers: Angling to steal your financial info."Finn, P., and Jakobsson, M. 2008. "Designing and conducting phishing experiments," IEEE Technology and Society (6:2), pp 66-68.Fornell, C., and Larcker, D. F. 1981. "Evaluating Structural Equations Models with Unobservable Variables and Measurement Error," Journal of Marketing Research (18:1), pp 39-50.Gefen, D., Straub, D. W., and Rigdon, E. E. 2011. "An Update and Extension to SEM Guidelines for Admnistrative and Social Science Research," MIS Quarterly (35:2), pp iii-xiv.Grossman, P., Niemann, L., Schmidt, S., and Walach, H. 2004. "Mindfulness-based stress reduction and health benefits: A meta-analysis," Journal of Psychosomatic Research (57:1), pp 35-43.Grow, B., Epstein, K., and Tschang, C. 2008. "The New E-spionage Threat," , S., Bostrom, R. P., and Huber, M. 2010. "End-user training methods: what we know, need to know," ACM SIGMIS Database (41:4), pp 9-39.Hair, J. F., Jr. , Anderson, R. E., Tatham, R. L., and Black, W. C. 1998. Multivariate Data Analysis with Readings, (5th ed.) Prentice Hall: Englewood Cliffs, NJ.Halasz, F., and Moran, T. P. Year. "Analogy considered harmful," Proceedings of the 1982 conference on Human factors in computing systems, ACM, New York, NY, 1982, pp. 383-386.Hesseldahl, A. 2011. "Lockheed Martin confirms it came under attack," , G. 2007. "The use of logit and probit models in strategic management research: Critical issues," Strategic Management Journal (28:4), pp 331-343.Hong, J. 2012. "The state of phishing attacks," Communications of the ACM (55:1), pp 74-81.Hosmer, D. W., and Lemeshow, S. 2000. Applied logistic regression, (Wiley: New York, NY.Jackson, C., Simon, D., Tan, D., and Barth, A. 2007. "An evaluation of extended validation and picture-in-picture phishing attacks," in Financial Cryptography and Data Security, S. Dietrich and R. Dhamija (eds.), Springer Berlin / Heidelberg, pp. 281-293.Jagatic, T. N., Johnson, N. A., Jakobsson, M., and Menczer, F. 2007. "Social Phishing," Communications of the ACM (50:10), pp 94-100.Jarvenpaa, S. L. 1989. "The Effect of Task Demands and Graphical Format on Information Processing Strategies," Management Science (35:3), pp 285-303.Jarvenpaa, S. L., and Dickson, G. W. 1988. "Graphics and Managerial Decision Making: Research Based Guidlines," Communications of the ACM (31:6), pp 764-774.Jarvenpaa, S. L., Tractinsky, N., and Saarinen, L. 1999. "Consumer trust in an internet store: A cross-cultural validation," Journal of Computer‐Mediated Communication (5:2).Jo, B. 2002. "Statistical power in randomized intervention studies with noncompliance," Psychological Methods (7:2), pp 178-193.Johnson, R. D., and Marakas, G. M. 2000. "Research report: the role of behavioral modeling in computer skills acquisition: Toward refinement of the model," Information Systems Research (11:4), pp 402-417.Kahneman, D. 2011. Thinking, fast and slow, (Farrar, Straus and Giroux: New York, NY.Kaufman, R. L. 1996. "Comparing the effects of dichotomous logistic regression: A variety of standardized coefficients," Social Science Quarterly (77:1), pp 90-109.Kumaraguru, P., Cranshaw, J., Acquisti, A., Cranor, L., Hong, J., Blair, M. A., and Pham, T. Year. "School of phish: A real-world evaluation of anti-phishing training," SOUPS '09 Proceedings of the 5th Symposium on Usable Privacy and Security, ACM, Mountain View, CA, 2009, p. 3.Kumaraguru, P., Rhee, Y., Acquisti, A., Cranor, L., Hong, J., and Nunge, E. Year. "Protecting People from Phishing: The Design and Evalaution of an Embedded Training Email Systems," Computer Human Interaction (CHI), ACM Press, San Jose, CA, 2007.Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L. F., and Hong, J. 2010. "Teaching johnny not to fall for phish," ACM Transactions on Internet Technology (TOIT) (10:2), p 7.Langer, E. J. 1989. Mindfulness, (Addison-Wesley: Reading, MA.Langer, E. J. 1997. The power of mindful learning, (Addison-Wesley Reading, MA.Langer, E. J., and Piper, A. 1987. "The Prevention of Mindlessness," Journal of Personality and Social Psychology (53), pp 280-287.Lau, M. A., Bishop, S. R., Segal, Z. V., Buis, T., Anderson, N. D., Carlson, L., Shapiro, S., Carmody, J., Abbey, S., and Devins, G. 2006. "The Toronto Mindfulness Scale: Development and validation," Journal of Clinical Psychology (62:12), pp 1445-1467.Leary, M. R., Adams, C. E., and Tate, E. B. 2006. "Hypo-egoic self-regulation: Exercising self-control by diminishing the influence of the self," Journal of Personality (74:6), pp 1803-1831.Liu, W., Deng, X., Huang, G., and Fu, A. Y. 2006. "An antiphishing strategy based on visual similarity assessment," IEEE Internet Computing (10:2), pp 58-65.Mace, C. 2007. "Mindfulness in psychotherapy: an introduction," Advances in Psychiatric Treatment (13:2) March 1, 2007, pp 147-154.Mace, C. 2008. "Mindfulness and the future of psychotherapy," European Psychotherapy (8:1), pp 129-139.Malhotra, N. K., Kim, S. S., and Agarwal, J. 2004. "Internet users' information privacy concerns (IUIPC): The construct, the scale, and a causal model," Information Systems Research (15:4), pp 336-355.Markoff, J. 2008. "Larger prey are targets of phishing," in New York Times, : New York, NY.Mayer, R. E. 1979. "Can advance organizers influence meaningful learning?," Review of educational research (49:2), pp 371-383.Mayer, R. E. 2001. Multimedia Learning, (Cambridge University Press: Cambridge.Mayer, R. E., and Greeno, J. G. 1972. "Structural differences between outcomes produced by different instructional methods," Journal of educational psychology (63:2), p 165.Moore, T., and Clayton, R. Year. "Examining the impact of website take-down on phishing," Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit, ACM2007, pp. 1-13.Myers, S. 2007. "Introduction to phishing," in Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft, M. Jakobsson and S. Myers (eds.), Wiley: Hoboken, NJ, pp. 1-29.Norton, E. C., Wang, H., and Ai, C. 2004. "Computing interaction effects and standard errors in logit and probit models," The Stata Journal (4:2), pp 154-167.Pavlou, P. A., and Gefen, D. 2004. "Building effective online marketplaces with institution-based trust," Information Systems Research (15:1), pp 37-59.Perlroth, N. 2012. "That was fast: Criminals exploit linkedIn breach for phishing attacks."Petersen, T. 1985. "A comment on presenting results from logit and probit models," American Sociological Review (50:1), pp 130-131.Polites, G., Roberts, N., and Thatcher, J. 2012. "Conceptualizing Models Using Multidimensional Constructs: A Conceptual Review and Guidelines for their Use," European Journal of Information Systems (21:1), pp 22-48.Santhanam, R., Mun, Y., Sasidharan, S., and Park, S. in press. "Toward an integrative understanding of information technology training research across information systems and human computer interaction: A comprehensive review," AIS Transaction on Human-Computer Interaction).Santhanam, R., Sasidharan, S., and Webster, J. 2008. "Using self-regulatory learning to enhance e-learning-based information technology training," Information Systems Research (19:1), pp 26-47.Santhanam, R., and Sein, M. K. 1994. "Improving end-user proficiency: Effects of conceptual training and nature of interaction," Information Systems Research (5:4), pp 378-399.Segars, A. 1997. "Assessing the Unidimensionality of Measurement: A Paradigm and Illustration Within the Context of Information Systems Research," Omega (25:1), pp 107-121.Sein, M. K., and Bostrom, R. P. 1989. "Individual differences and conceptual models in training novice users," Human-Computer Interaction (4:3), pp 197-229.Shapiro, S. L., Schwartz, G. E., and Bonner, G. 1998. "Effects of mindfulness-based stress reduction on medical and premedical Students," Journal of Behavioral Medicine (21:6), pp 581-599.Simon, S. J., Grover, V., Teng, J., and Whitcomb, K. 1996. "The relationship of information system training methods and cognitive ability to end-user satisfaction, comprehension, and skill transfer: A longitudinal field study," Information Systems Research (7:4), pp 466-490.Speier, C. 2006. "The influence of information presentation formats on complex task decision-making performance," International Journal of Human-Computer Studies (64:11) 11//, pp 1115-1131.Srikwan, S., and Jakobsson, M. 2008. "Using cartoons to teach internet security," Cryptologia (32:2), pp 137-154.Symantec. 2014. "Internet Security Threat Report 2014. Volume 189," Symantec.Taylor, P. J., Russ-Eft, D. F., and Chan, D. W. L. 2005. "A Meta-Analytic Review of Behavior Modeling Training," Journal of Applied Psychology (90:4), pp 692-709.Teasdale, J. D., Williams, J. M. G., Soulsby, J. M., Segal, Z. V., Ridgeway, V. A., and Lau, M. A. 2000. "Prevention of Relapse/Recurrance in Major Depression by Mindfulness-Based Cognitive Therapy," Journal of Consulting and Clinical Psychology (68:4), pp 615-623.Tractinsky, N., and Meyer, J. 1999. "Chartjunk or goldgraph? Effects of persenataion objectives and content desirability on information presentation: effects of presentation objectives and content desirability on information presentation," MIS Q. (23:3), pp 397-420.Vance, A., Elie-Dit-Cosaque, C., and Straub, D. W. 2008. "Examining trust in information technology artifacts: the effects of system quality and culture," Journal of Management Information Systems (24:4), pp 73-100.Vessey, I., and Galletta, D. 1991. "Cognitive Fit: An Empirical Study of Information Acquisition," Information Systems Research (2:1), pp 63-84.Vishwanath, A., Herath, T., Chen, R., Wang, J., and Rao, H. R. 2011. "Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model," Decision Support Systems (51:3), pp 576-586.Vrij, A. 2006. "Nonverbal communication and deception," in The Sage Handbook of Nonverbal Communication., V. Manusov and M. L. Patterson (eds.), Sage Publications, Inc: Thousand Oaks, CA, pp. 341-359.Webber, C., Lima, M. d. F. W. d. P., and Hepp, F. 2012. "Testing phishing detection criteria and methods " in Frontiers in Computer Education, S. Sambath and E. Zhu (eds.), Springer Berlin / Heidelberg, pp. 853-858.Werts, C. E., Linn, R. L., and Joreskog, K. 1974. "Interclass Reliability Estimates: Testing Structural Assumptions," Educational and Psychological Measurement (34:1), pp 25-33.Wright, R., Chakraborty, S., Basoglu, A., and Marett, K. 2010a. "Where did they go right? Understanding the deception in phishing communications," Group Decision and Negotiation (19:4), pp 391-416.Wright, R. T., Campbell, D. E., Thatcher, J. B., and Roberts, N. 2012. "Operationalizing Multidimensional Constructs in Structural Equation Modeling: Recommendations for IS Research," Communications of the Association for Information Systems (40), pp 367-412.Wright, R. T., Jensen, M. J., Thatcher, J. B., Dinger, M., and Marett, K. Forthcoming. "Influence Techniques in Phishing Attacks: An Examination of Vulnerability and Resistance," Information Systems Research (Forthcoming).Wright, R. T., and Marett, K. 2010b. "The influence of experiential and dispositional factors in phishing: An empirical investigation of the deceived," Journal of Management Information Systems (27:1), pp 273-303.Yi, M. Y., and Davis, F. D. 2001. "Improving computer training effectiveness for decision technologies: Behavior modeling and retention enhancement," Decision Sciences (32:3), pp 521-544.Zmud, R. W., Shaft, T., Zheng, W., and Croes, H. 2010. "Systematic differences in firm’s information technology signaling: Implications for research design," Journal of the Association for Information Systems (11:3), p 1. ................
................
In order to avoid copyright disputes, this page is only a partial summary.
To fulfill the demand for quickly locating and searching documents.
It is intelligent file search solution for home and business.
Related searches
- how to find the percentage of something
- how to get the percentage of numbers
- how to calculate the average of numbers
- equation to summarize the process of photosynthesis
- how to calculate the line of regression
- how to find the measurement of angles
- how to calculate the number of moles
- how to find the molarity of solution
- how to find the percent of change
- how to find the percentile of temperature
- how to find the percentage of decrease
- how to find the coefficient of correlation