Paper Number



Phishing is a major threat to organizational information security, with the employee being a critical link in the security chain. Understanding why employees fall for phish is therefore crucial in order to design effective countermeasures. In this article, we investigate how (1) employees’ social networking site (SNS) use and (2) message involvement affects their susceptibility to phishing attacks. SNS use has been found to strongly influence users’ information processing, exacerbating proneness to heuristic decision-making, and hence making them easy prey for criminals’ influence techniques. We present a model to investigate the moderating role of SNS use in the relationship between message involvement and employees’ phishing susceptibility. In collaboration with IT-Seal, an information security training company specialized in phishing simulations, we conduct a randomized field experiment with 240 organizational employees and find that phishing messages employing message involvement (i.e., pretending to be of high relevance to the recipient) yield higher phishing success, and that employees’ SNS use moderates this effect. By revealing SNS users as a high-risk group for phishing attempts, our research hence provides helpful insights for information security practitioners.



When commenting on articles, please be friendly, welcoming, respectful and abide by the AIS eLibrary Discussion Thread Code of Conduct posted here.