Paper Type: Complete
Abstract
Phishing remains a persistent cybersecurity threat, with attackers continuously refining their techniques to evade detection. This study applies Risk Homeostasis Theory (RHT) to understand employee behavior in response to phishing attacks within a large organization. Through a 2x2 between-subjects field experiment involving 400 employees, we assess the impact of cybersecurity training and phishing incident reports on phishing susceptibility. Our findings suggest that general cybersecurity training alone does not immediately reduce phishing risk, but phishing-specific training significantly reduces employee susceptibility. Regular phishing incident reports initially enhance risk awareness and reduce susceptibility; however, this effect diminishes over time. Interestingly, combining training and reports does not yield significant improvements, raising questions about the effect of combined interventions. This study provides the first empirical insights into RHT’s application in cybersecurity and highlights the importance of targeted interventions to enhance organizational resilience against phishing threats.
Paper Number: 1347
Recommended Citation
Hobbensiefken, Katharina; Balk, Bryan; Peter, Andreas; and Staudt, Philipp, "An Organizational Field Experiment on Phishing and Cybersecurity Risk Homeostasis Theory" (2025). AMCIS 2025 Proceedings. 49.
https://aisel.aisnet.org/amcis2025/sig_sec/sig_sec/49
An Organizational Field Experiment on Phishing and Cybersecurity Risk Homeostasis Theory
SIGSEC