Semantic attacks are efforts by others to steal valuable information by imitating electronic communications from a trustworthy source. A common example of a semantic attack is phishing, where a phisher sends unsolicited messages to potential targets. When a targeted individual responds, the phisher then steals valuable information from the individual. Semantic attacks flow through established channels of communication (e.g., email, social media) and are difficult to distinguish from legitimate messages. While a great deal of attention has focused on training and sensitizing individuals to the risks of semantic attacks, little research has focused on strategies that organizations might use to coordinate defensive actions among organization members. This research integrates expertise in a project design that is theory-driven and uses multiple research methods, including surveys, interviewing, and experimentation, to investigate how organizations can build a human firewall against semantic attacks.
The project holds strong promise for making new and important contributions to understanding how to develop organizational resistance to semantic attacks. To this end, the first stage of this research will employ a survey and a series of interviews with industry practitioners to quantitatively and qualitatively assess the strategies that organizations currently employ to counter semantic attacks. In addition to generating important insights about the current state of the art in semantic attack defense, the findings will guide experimental studies during stages two and three. During stage two, strategies including crowdsourcing, gamification, and other strategies identified during stage one will be tested in a series of controlled experiments to examine their effectiveness in harnessing the abilities and attention of organization members to counter semantic attacks. The third stage of the project aims to examine the design and execution of promising strategies identified in stage two. The objective of this stage will be to learn how each strategy can be adopted and followed by the greatest number of people so as to solidify any protection the strategies offer. Again, controlled experimentation will be used during this stage, and we will examine individual-level variables to understand how to encourage adoption. By leveraging an integrated, multi-method approach to the growing problem of semantic attacks, the series of studies outlined in our proposal will lead to new theories and models for future research and to dissemination of lessons learned, serving public interests.
Intellectual Merit: New knowledge will be developed by identifying and systematically testing the efficacy of organizational strategies for countering semantic attacks. The organization-wide strategies that rely on crowdsourcing and integrate gamification and other techniques to counter semantic attacks offer a novel approach to developing the human firewall, where individuals fight these semantic attacks as a collective rather than as individuals. By examining shared explanations for effective strategies, we would contribute not only effective strategies but also the underlying theory for their effectiveness, which would serve as the foundation of future innovations in organizational responses to security threats. The research framework developed here may also be relevant to studying the mitigation of other security threats in addition to semantic attacks.
Broader Impacts: Findings from this research are also likely to have a number of important practical implications for educating organizational leaders and the general public about strategies for countering semantic attacks. To disseminate findings from this research, we plan to hold two practitioner meetings and develop a public service website in which we will discuss the lessons learned during the project. Additionally, the website will provide base data, access to research reports, and educational programs produced by this project. The combination of theoretical and methodological backgrounds required to conduct the experiments will contribute immeasurably to the research training of graduate and undergraduate research assistants. Finally, project results will be shared through professional presentations and publications.