Paper Number
1435
Paper Type
Complete
Abstract
Given the frequent occurrence and danger of phishing attacks for individuals and organizations, a growing literature has examined the antecedents of users’ phishing susceptibility and effective training interventions. In this research, we focus on feedback after phishing simulations as a novel training method to efficiently reduce user vulnerability without a requirement for their motivation or time to complete lengthy trainings. With a focus on feedback timing, we distinguish between immediate feedback for users who fail phishing simulations (so-called embedded training) and delayed feedback for all users, and we test their relative and combined effects on users’ phishing vulnerability over time via a randomized field experiment. This research contributes to the phishing and cybersecurity literature by verifying phishing simulations as a training opportunity in themselves, challenging the assumed effectiveness of embedded training, and distinguishing the impacts of two types of feedback interventions.
Recommended Citation
Yin, Dezhi; Mullarkey, Matthew T.; de Vreede, Gert-Jan; and Limayem, Moez, "Timing of Feedback After Phishing Simulations: Evidence from a Randomized Field Experiment" (2024). ICIS 2024 Proceedings. 2.
https://aisel.aisnet.org/icis2024/security/security/2
Timing of Feedback After Phishing Simulations: Evidence from a Randomized Field Experiment
06-Security