Response to a phishing attack: persuasion and protection motivation in an organizational context

PurposeThis study aims to examine the effect of cybersecurity threat and efficacy upon click-through, response to a phishing attack: persuasion and protection motivation in an organizational context.Design/methodology/approachIn a simulated field trial conducted in a financial institute, via PhishMe...

Full description

Saved in:
Bibliographic Details
Published inInformation and computer security Vol. 30; no. 1; pp. 63 - 78
Main Authors Bayl-Smith, Piers, Taib, Ronnie, Yu, Kun, Wiggins, Mark
Format Journal Article
LanguageEnglish
Published Bingley Emerald Group Publishing Limited 31.01.2022
Subjects
Behavior
Cognition & reasoning
Compliance
Context
Cybercrime
Cybersecurity
Electronic mail
Electronic mail systems
Employees
Engineering
Heuristic
Motivation
Organizational aspects
Perceptions
Persuasion
Phishing
Self-efficacy
Threats
User behavior
Australia
United States > US
Online AccessGet full text
ISSN2056-4961
2056-497X
DOI10.1108/ICS-02-2021-0021

Cover

More Information
Summary:PurposeThis study aims to examine the effect of cybersecurity threat and efficacy upon click-through, response to a phishing attack: persuasion and protection motivation in an organizational context.Design/methodology/approachIn a simulated field trial conducted in a financial institute, via PhishMe, employees were randomly sent one of five possible emails using a set persuasion strategy. Participants were then invited to complete an online survey to identify possible protective factors associated with clicking and reporting behavior (N = 2,918). The items of interest included perceived threat severity, threat susceptibility, response efficacy and personal efficacy.FindingsThe results indicate that response behaviors vary significantly across different persuasion strategies. Perceptions of threat susceptibility increased the likelihood of reporting behavior beyond clicking behavior. Threat susceptibility and organizational response efficacy were also associated with increased odds of not responding to the simulated phishing email attack.Practical implicationsThis study again highlights human susceptibility to phishing attacks in the presence of social engineering strategies. The results suggest heightened awareness of phishing threats and responsibility to personal cybersecurity are key to ensuring secure business environments.Originality/valueThe authors extend existing phishing literature by investigating not only click-through behavior, but also no-response and reporting behaviors. Furthermore, the authors observed the relative effectiveness of persuasion strategies used in phishing emails as they compete to manipulate unsafe email behavior.
Bibliography:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
ISSN:2056-4961
2056-497X
DOI:10.1108/ICS-02-2021-0021