A real world study on employees' susceptibility to phishing attacks

De Bona, Marco; Paci, Federica
2020-01-01

Abstract

Phishing email attacks have been around for fifteen years, but they are still among the top security risks faced by organisations. The most common approach to mitigating these attacks is employee education and awareness. Employees’ awareness of phishing attacks is achieved by embedded training, which educates employees when they fall for the attack. However, the effectiveness of embedded training in workplace settings is uncertain, given the large number of employees that remain vulnerable to phishing email attacks. Similarly, the role of persuasion techniques in making employees vulnerable to phishing attacks is yet to be investigated in workplace settings. Therefore, in this paper we investigate which of two persuasion techniques, authority and urgency, is more effective in making employees susceptible to phishing, the relation between employees’ susceptibility and their demographic data, and the effectiveness of embedded training in reducing employees’ susceptibility to phishing attacks. To this end, we conducted a real phishing study with 191 employees of an Italian company. We found that employees were more vulnerable to phishing attacks when the urgency principle was exploited. The study also showed no significant effect of employees’ demographic data on susceptibility to phishing. Embedded training was perceived as effective by employees, but it did not reduce their susceptibility to phishing.
2020
Keywords: phishing, social engineering, susceptibility, education and training, user study
Files in this item:

File: ARES2020.pdf
Access: open access
License: Public domain
Size: 707.19 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11562/1146627
Citations
  • Scopus 12