Paper Number

1435

Paper Type

Complete

Abstract

Given the frequent occurrence and danger of phishing attacks for individuals and organizations, a growing literature has examined the antecedents of users’ phishing susceptibility and effective training interventions. In this research, we focus on feedback after phishing simulations as a novel training method to efficiently reduce user vulnerability without a requirement for their motivation or time to complete lengthy trainings. With a focus on feedback timing, we distinguish between immediate feedback for users who fail phishing simulations (so-called embedded training) and delayed feedback for all users, and we test their relative and combined effects on users’ phishing vulnerability over time via a randomized field experiment. This research contributes to the phishing and cybersecurity literature by verifying phishing simulations as a training opportunity in themselves, challenging the assumed effectiveness of embedded training, and distinguishing the impacts of two types of feedback interventions.

Comments

06-Security

Share

COinS
 
Dec 15th, 12:00 AM

Timing of Feedback After Phishing Simulations: Evidence from a Randomized Field Experiment

Given the frequent occurrence and danger of phishing attacks for individuals and organizations, a growing literature has examined the antecedents of users’ phishing susceptibility and effective training interventions. In this research, we focus on feedback after phishing simulations as a novel training method to efficiently reduce user vulnerability without a requirement for their motivation or time to complete lengthy trainings. With a focus on feedback timing, we distinguish between immediate feedback for users who fail phishing simulations (so-called embedded training) and delayed feedback for all users, and we test their relative and combined effects on users’ phishing vulnerability over time via a randomized field experiment. This research contributes to the phishing and cybersecurity literature by verifying phishing simulations as a training opportunity in themselves, challenging the assumed effectiveness of embedded training, and distinguishing the impacts of two types of feedback interventions.

When commenting on articles, please be friendly, welcoming, respectful and abide by the AIS eLibrary Discussion Thread Code of Conduct posted here.