Tag Archives: cybersecurity

Anatomy of Phishing Tactics and Susceptibility

Bera, Debalina, Gene Moo Lee, Dan J. Kim, “Anatomy of Phishing Tactics and Susceptibility: An Investigation of the Dynamics of Phishing Tactics and Contextual Traits in Susceptibility,” Working Paper.

Phishing is a deceptive tactic to create a front of apparent credibility to fraudulently acquire sensitive personal or financial information from an unsuspecting user or espionage system by infiltrating malware or crimeware. Despite automated technological solutions and training interventions, recent phishing statistics show that specifically few phishing tactics are increasing users’ phishing susceptibility (PS). Further, assessing the moderating role of phishing contextual traits in the relationship between phishing tactics and PS indicates the importance of their trait differences. Based on theoretical postulation, employing a sequential mixed method design, and using two sets of data (simulated phishing penetration testing results and scenario-based experiments), we examine the effect of phishing tactics along with the moderating role of individual phishing contextual traits on PS. This study extends the theoretical boundary relevant to phishing tactics and provides practical guidance to identify the most dangerous phishing tactics that increase PS and phishing contextual traits that help to combat phishing attacks.

IS papers on Cybersecurity

Last update: Jan 18, 2022

In this post, I gathered recent IS publications (2010-current) on the topic of cybersecurity. It is by no means an exhaustive list of the topic. This does not cover other related topics such as privacy and ethics.

  1. Jacob Haislip, Jee-Hae Lim, Robert Pinsker (2021) The Impact of Executives’ IT Expertise on Reported Data Security Breaches. Information Systems Research 32(2):318-334.
  2. Ahmed Abbasi, David Dobolyi, Anthony Vance, Fatemeh Mariam Zahedi (2021) The Phishing Funnel Model: A Design Artifact to Predict User Susceptibility to Phishing Websites. Information Systems Research 32(2):410-436.
  3. Yunhui Zhuang, Yunsik Choi, Shu He, Alvin Chung Man Leung, Gene Moo Lee & Andrew Whinston (2020) Understanding Security Vulnerability Awareness, Firm Incentives, and ICT Development in Pan-Asia, Journal of Management Information Systems, 37:3, 668-693.
  4. Qian Tang & Andrew B. Whinston (2020) Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment, Production and Operations Management 29(2):410-427.
  5. Yoo, Chul & Goo, Jahyun & Rao, Raghav. (2020). Is Cybersecurity a Team Sport? A Multilevel Examination of Workgroup Information Security Effectiveness. MIS Quarterly. 44. 907-931.
  6. Mohammadreza Ebrahimi, Jay F. Nunamaker Jr. & Hsinchun Chen (2020) Semi-Supervised Cyber Threat Identification in Dark Net Markets: A Transductive and Deep Learning Approach, Journal of Management Information Systems, 37:3, 694-722
  7. Sebastian W. Schuetz, Paul Benjamin Lowry, Daniel A. Pienta & Jason Bennett Thatcher (2020) The Effectiveness of Abstract Versus Concrete Fear Appeals in Information Security, Journal of Management Information Systems, 37:3, 723-757.
  8. Che-Wei Liu, Peng Huang & Henry C. Lucas Jr. (2020) Centralized IT Decision Making and Cybersecurity Breaches: Evidence from U.S. Higher Education Institutions, Journal of Management Information Systems, 37:3, 758-787.
  9. Ravi Sen, Ajay Verma & Gregory R. Heim (2020) Impact of Cyberattacks by Malicious Hackers on the Competition in Software Markets, Journal of Management Information Systems, 37:1, 191-216
  10. John D’Arcy, Idris Adjerid, Corey M. Angst, Ante Glavas (2020) Too Good to Be True: Firm Social Performance and the Risk of Data Breach. Information Systems Research 31(4):1200-1223.
  11. Zan Zhang, Guofang Nan, Yong Tan (2020) Cloud Services vs. On-Premises Software: Competition Under Security Risk and Product Customization. Information Systems Research 31(3):848-864.
  12. Terrence August, Duy Dao, Kihoon Kim (2019) Market Segmentation and Software Security: Pricing Patching Rights. Management Science 65(10):4575-4597.
  13. Seung Hyun Kim, Juhee Kwon (2019) How Do EHRs and a Meaningful Use Initiative Affect Breaches of Patient Information?. Information Systems Research 30(4):1184-1202.
  14. Kai-Lung Hui, Ping Fan Ke, Yuxi Yao, Wei T. Yue (2019) Bilateral Liability-Based Contracts in Information Security Outsourcing. Information Systems Research 30(2):411-429.
  15. Victor Benjamin, Joseph S. Valacich, and Hsinchun Chen (2019) DICE-E: a framework for conducting darknet identification, collection, evaluation with ethics. MIS Quarterly 43(1):1–22.
  16. Indranil Bose and Alvin Chung Man Leung (2019) Adoption of identity theft countermeasures and its short- and long-term impact on firm value. MIS Quarterly 43(1):313–328.
  17. Corey M. Angst, Emily S. Block, John D’Arcy, and Ken Kelley (2017) When do IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches. MIS Quarterly 41(3):893–916.
  18. Orcun Temizkan, Sungjune Park, Cem Saydam (2017) Software Diversity for Improved Network Security: Optimal Distribution of Software-Based Shared Vulnerabilities. Information Systems Research 28(4):828-849.
  19. Shu He, Gene Moo Lee, Sukjin Han, Andrew B. Whinston (2016) How Would Information Disclosure Influence Organizations’ Outbound Spam Volume? Evidence from a Field Experiment. Journal of Cybersecurity 2(1), pp. 99-118.
  20. Yonghua Ji, Subodha Kumar, Vijay Mookerjee (2016) When Being Hot Is Not Cool: Monitoring Hot Lists for Information Security. Information Systems Research 27(4):897-918.
  21. Karthik Kannan, Mohammad S. Rahman, Mohit Tawarmalani (2016) Economic and Policy Implications of Restricted Patch Distribution. Management Science 62(11):3161-3182.
  22. Chul Ho Lee, Xianjun Geng, Srinivasan Raghunathan (2016) Mandatory Standards and Organizational Information Security. Information Systems Research 27(1):70-86.
  23. Jingguo Wang, Manish Gupta, and H. Raghav Rao (2015) Insider threats in a financial institution: Analysis of attack-proneness of information systems applications. MIS Quarterly 39(1):91–112.
  24. Jingguo Wang, Nan Xiao, H. Raghav Rao (2015) Research Note—An Exploration of Risk Characteristics of Information Security Threats and Related Public Information Search Behavior. Information Systems Research 26(3):619-633.
  25. Sabyasachi Mitra, Sam Ransbotham (2015) Information Disclosure and the Diffusion of Information Security Attacks. Information Systems Research 26(3):565-584.
  26. Debabrata Dey, Atanu Lahiri, and Guoying Zhang (2014) Quality competition and market segmentation in the security software market. MIS Quarterly 38(2):589–606.
  27. Seung Hyun Kim and Byung Cho Kim (2014) Differential effects of prior experience on the malware resolution process. MIS Quarterly 38(3):655–678.
  28. Ryan T. Wright, Matthew L. Jensen, Jason Bennett Thatcher, Michael Dinger, Kent Marett (2014) Research Note—Influence Techniques in Phishing Attacks: An Examination of Vulnerability and Resistance. Information Systems Research 25(2):385-400.
  29. Asunur Cezar, Huseyin Cavusoglu, Srinivasan Raghunathan (2013) Outsourcing Information Security: Contracting Issues and Security Implications. Management Science 60(3):638-657.
  30. Xia Zhao, Ling Xue & Andrew B. Whinston (2013) Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements, Journal of Management Information Systems, 30:1, 123-152.
  31. Chul Ho Lee, Xianjun Geng, Srinivasan Raghunathan (2012) Contracting Information Security in the Presence of Double Moral Hazard. Information Systems Research 24(2):295-311.
  32. Ransbotham, S., Mitra, S., & Ramsey, J. (2012). Are Markets for Vulnerabilities Effective? MIS Quarterly 36(1), 43–64.
  33. Gupta, A., & Zhdanov, D. (2012). Growth and Sustainability of Managed Security Services Networks: An Economic Perspective. MIS Quarterly 36(4), 1109–1130.
  34. Kai-Lung Hui, Wendy Hui & Wei T. Yue (2012) Information Security Outsourcing with System Interdependency and Mandatory Security Requirement, Journal of Management Information Systems, 29:3, 117-156.
  35. Caliendo, M., Clement, M., Papies, D., & Scheel-Kopeinig, S. (2012). Research Note: The Cost Impact of Spam Filters: Measuring the Effect of Information System Technologies in Organizations. Information Systems Research 23(3), 1068–1080.
  36. August, T., & Tunca, T. I. (2011). Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments. Management Science 57(5), 934–959.
  37. Chen, P., Kataria, G., & Krishnan, R. (2011). Correlated Failures, Diversification, and Information Security Risk Management. MIS Quarterly 35(2), 397–422.
  38. Mookerjee, V., Mookerjee, R., Bensoussan, A., & Yue, W. T. (2011). When Hackers Talk: Managing Information Security Under Variable Attack Rates and Knowledge Dissemination. Information Systems Research 22(3), 606–623.
  39. Galbreth, M. R., & Shor, M. (2010). The Impact of Malicious Agents on the Enterprise Software Industry. MIS Quarterly 34(3), 595–612.
  40. Mahmood, M. A., Siponen, M., Straub, D., Rao, H. R., & Raghu, T. S. (2010). Moving Toward Black Hat Research in Information Systems Security: An Editorial Introduction to the Special Issue. MIS Quarterly 34(3), 431–433.

Understanding Security Vulnerability Awareness, Firm Incentives, and ICT Development in Pan-Asia (JMIS 2020)

Zhuang, Yunhui, Yunsik Choi, Shu He, Alvin Chung Man Leung, Gene Moo Lee, Andrew B. Whinston (2020) Understanding Security Vulnerability Awareness, Firm Incentives, and ICT Development in Pan-Asia. Journal of Management Information Systems, 37(3): 668-693.

This paper investigates how the awareness of a security vulnerability index affects firms’ security protection strategy and how the information awareness effect interacts with firm incentives and country-wide IT development level. The security index is constructed based on outgoing spams and phishing website hosting, which may serve as an indicator of a firm’s security controls. To study whether security vulnerability awareness causes firms to improve their security, we conducted a randomized field experiment on 1,262 firms in six Pan-Asian countries and regions. Among 631 randomly selected treated firms, we alerted them of their security vulnerability index and their relative rankings compared to their peers via advisory emails and websites. Difference-in-differences analyses show that compared with the controls, the treated firms improve their security over time, with a statistically significant reduction of outgoing spam volume according to one of the data sources but not phishing website hosting. However, a statistically significant reduction in phishing website hosting was observed among non-web hosting firms, suggesting that firms’ underlying incentives play an important role in the treatment effect. Lastly, exploiting the multi-country nature of the data, we found that firms in countries with high information and communications technology (ICT) development are more responsive to our intervention because they have higher IT capabilities and more resources to resolve security issues. Our study provides cybersecurity policymakers with useful insights on how firm incentives and ICT environments play roles in firms’ security measure adoption.

Security Defense against Long-term and Stealthy Cyberattacks (DSS 2023)

Kookyoung Han, Choi, Jin Hyuk, Yun-Sik Choi, Gene Moo Lee, Andrew B. Whinston (2023) Security Defense against Long-term and Stealthy Cyberattacks. Decision Support Systems, 166: 113912.

  • Funded by NSF (Award #1718600) and UNIST
  • Best Paper Award at KrAIS 2017
  • Presented at UT Austin (2017), UNIST (2017), INFORMS (Houston, TX 2017), CIST (Houston, TX 2017), WITS (Seoul, Korea 2017), and KrAIS (Seoul, Korea 2017)
  • Previous titles: “Misinformation and Optimal Time to Detect”, “Optimal Stopping and Strategic Espionage”, “To Disconnect or Not: A Cybersecurity Game”

Modern cyberattacks such as advanced persistent threats have become sophisticated. Hackers can stay undetected for an extended time and defenders do not have sufficient countermeasures to prevent advanced cyberattacks. Reflecting on this phenomenon, we propose a game-theoretic model to analyze strategic decisions made by a hacker and a defender in equilibrium. In our game model, the hacker launches stealthy cyberattacks for a long time and the defender decides when to disable a suspicious user based on noisy observations of the user’s activities. Damages caused by the hacker can be enormous if the defender does not immediately ban a suspicious user under certain circumstances, which can explain the emerging sophisticated cyberattacks with detrimental consequences. Our model also predicts that the hacker may opt to be behavioral to avoid worst cases. This is because behavioral cyberattacks are less threatening and the defender decides not to immediately block a suspicious user to reduce cost of false detection.

How would information disclosure influence organizations’ outbound spam volume? Evidence from a field experiment (J. Cybersecurity 2016)

He, Shu*, Gene Moo Lee*, Sukjin Han, Andrew B. Whinston (2016) How Would Information Disclosure Influence Organizations’ Outbound Spam Volume? Evidence from a Field Experiment. Journal of Cybersecurity 2(1), pp. 99-118. (* equal contribution)

Cyber-insecurity is a serious threat in the digital world. In the present paper, we argue that a suboptimal cybersecurity environment is partly due to organizations’ underinvestment on security and a lack of suitable policies. The motivation for this paper stems from a related policy question: how to design policies for governments and other organizations that can ensure a sufficient level of cybersecurity. We address the question by exploring a policy devised to alleviate information asymmetry and to achieve transparency in cybersecurity information sharing practice. We propose a cybersecurity evaluation agency along with regulations on information disclosure. To empirically evaluate the effectiveness of such an institution, we conduct a large-scale randomized field experiment on 7919 US organizations. Specifically, we generate organizations’ security reports based on their outbound spam relative to the industry peers, then share the reports with the subjects in either private or public ways. Using models for heterogeneous treatment effects and machine learning techniques, we find evidence from this experiment that the security information sharing combined with publicity treatment has significant effects on spam reduction for original large spammers. Moreover, significant peer effects are observed among industry peers after the experiment.