ABSTRACT:
Phishing is an increasing threat that causes billions in losses and damage to productivity, trade secrets, and reputations each year. This work explores how security gamification techniques can improve phishing reporting. We contextualized the cognitive evaluation theory (CET) as a kernel theory and constructed a prototype phishing reporting system. With three experiments in a simulated work setting, we tested gamification elements of validation, attribution, incentives, and public presentation for improvements in experiential (e.g., motivation) and instrumental outcomes (e.g., hits and false positives) in phishing reporting. Our findings suggest public attribution with rewards and punishments best balance the competing necessities of accuracy with widespread reporting. Furthermore, our results demonstrate the unique benefits of security gamification to phishing reporting over and above other phishing mitigation techniques (e.g., training and warnings). However, we also noted that unintended consequences in false alarms might arise from shifts in motivation resulting from public display of incentives. These findings suggest that carefully calibrated external incentives (rather than intrinsic rewards) are most likely to improve the ancillary task of phishing reporting.
Key words and phrases: Phishing, leaderboards, cognitive evaluation theory, online gamification, security gamification, phishing reporting, incentives