A real world study on employees' susceptibility to phishing attacks
De Bona, Marco; Paci, Federica
2020-01-01
Abstract
Phishing email attacks have been around for fifteen years, but they are still among the top security risks faced by organisations. The most common approach to mitigating these attacks is employee education and awareness. Employees' awareness of phishing attacks is achieved through embedded training that educates employees when they fall for the attack. However, the effectiveness of embedded training in workplace settings is uncertain given the large number of employees who remain vulnerable to phishing email attacks. Similarly, the role of persuasion techniques in making employees vulnerable to phishing attacks has yet to be investigated in workplace settings. Therefore, in this paper we investigate which of two persuasion techniques, authority and urgency, is more effective in making employees susceptible to phishing, the relation between employees' susceptibility and their demographic data, and the effectiveness of embedded training in reducing employees' susceptibility to phishing attacks. To this end, we conducted a real phishing study with 191 employees of an Italian company. We found that employees were more vulnerable to phishing attacks when the urgency principle was exploited. The study also showed no significant effect of employees' demographic data on susceptibility to phishing. Embedded training was perceived as effective by employees, but it did not reduce their susceptibility to phishing.

File | Size | Format | |
---|---|---|---|
ARES2020.pdf (open access; licence: public domain) | 707.19 kB | Adobe PDF | View/Open |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.