Ryan T. Wright is an assistant professor at University of Massachusetts Amherst. Previously, he was an assistant professor at the University of San Francisco. He holds a Ph.D. from Washington State University in Management Information Systems and an MBA and Bachelor of Science in Business from the University of Montana. His research interests take a behavioral approach to understanding how current technologies can be used to enable secure and efficient e-business transactions. He has published in the MIS Quarterly, Journal of MIS, Communications of the AIS, and other peer-reviewed publications. In addition to academic achievements, his professional experiences include tenure as CTO of a successful startup, time in management at Amoco Oil (now BP), consulting projects for the US Department of Commerce, and expert testimony on IS privacy and security. He is currently an Associate Editor for the European Journal of Information Systems and Information & Management.
Despite 15-20 years of research, phishing, in its many forms, remains a major threat to the security of Internet users and corporations. Most phishing research focuses on detecting phishing websites, that is, on determining whether a given website is legitimate. This presentation will outline a complementary stream of research on online deception that focuses on the messages rather than the websites. Dr. Wright and several collaborators started investigating phishing email messages in 2006, work that has yielded several novel concepts and papers on the topic. The research team is now investigating social phishing and mobile threats. The presentation will focus on a theory of persuasion in deception and also present a mindfulness approach to mitigating these security threats. In doing so, a theory-driven model is developed that connects persuasion tactics in phishing emails (e.g., liking, reciprocity, social proof, consistency, authority, and scarcity) to successful deception of Internet users (e.g., disclosure of actual logins and passwords). Subsequently, the mindfulness training approach was developed to combat these persuasion methods by encouraging users to move from heuristic-driven assessments of the information contained in an email to careful scrutiny of the actions the email calls for. To evaluate the approach's effectiveness, we developed two anti-phishing training programs: an innovative mindfulness program and a traditional, situation-specific training program. Results from this and several other experiments will be discussed.