Management Information Systems Quarterly
Abstract
Given the frequent occurrence of phishing attacks and their devastating consequences, organizations are increasingly deploying phishing simulation emails to quantify employee susceptibility (e.g., clicking links within emails) and investing in training programs to reduce such susceptibility. Interestingly, phishing simulations can also be turned into a training opportunity in themselves. A best practice in industry is “embedded training”—providing immediate feedback on landing pages to employees who fail the simulations. This intervention is intuitively appealing given its “just-in-time” nature. Although laboratory studies from the literature have offered broad support for its effectiveness in reducing employee susceptibility, studies conducted in field settings have observed weaker evidence or even a reversed effect that increased susceptibility. In this research, we recognize an inherent shortcoming of the real-world implementation of embedded training: limited reach, since only the employees who fail a simulation ever see the feedback. To address this practical challenge, we propose an alternative, novel intervention—“non-embedded training”—that decouples feedback from the failure action and sends delayed feedback to all employees. Following an “empirics-first” approach, we conducted three randomized field experiments using a leading phishing simulation platform to explore the respective and combined effects of embedded and non-embedded training in reducing user vulnerability over time. This research contributes to the practice and literature on phishing and cybersecurity by challenging the assumed effectiveness of embedded training in practice and revealing how non-embedded training could be a more promising intervention.