Content, Nudges and Incentives: A Study on the Effectiveness and Perception of Embedded Phishing Training
Date
2024-12
Publication Type
Conference Paper
ETH Bibliography
yes
Abstract
A common form of phishing training in organizations is the use of simulated phishing emails to test employees' susceptibility to phishing attacks, and the immediate delivery of training material to those who fail the test. This widespread practice is dubbed embedded training; however, its effectiveness in decreasing the likelihood of employees falling for phishing again in the future is questioned by the contradictory findings of several recent field studies.
We investigate embedded phishing training in three aspects. First, we observe that the practice incorporates different components (knowledge gains from its content, nudges and reminders from the test itself, and the deterrent effect of potential consequences); our goal is to study which of these, if any, are more effective. Second, we explore two potential improvements to training, namely its timing and the use of incentives. Third, we analyze employees' reception and perception of the practice. For this, we conducted a large-scale mixed-methods (quantitative and qualitative) study on the employees of a partner company.
Our study contributes several novel findings on the training practice: in particular, its effectiveness comes from its nudging effect, i.e., the periodic reminder of the threat rather than from its content, which is rarely consumed by employees due to lack of time and perceived usefulness. Further, delaying training to ease time pressure is as effective as currently established practices, while rewards do not improve secure behavior. Finally, some of our results support previous findings with increased ecological validity, e.g., that phishing is an attention problem, rather than a knowledge one, even for the most susceptible employees, and thus enforcing training does not help.
Publication status
published
Book title
CCS '24: Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security
Pages / Article No.
4182 - 4196
Publisher
Association for Computing Machinery
Event
31st ACM SIGSAC Conference on Computer and Communications Security (CCS 2024)
Subject
Phishing; Phishing Training; Human-Centered Security
Organisational unit
03755 - Capkun, Srdan / Capkun, Srdan