PACIS 2019 Proceedings


Information security-related research is traditionally focused on technical aspects, while little attention is paid to user behavior and organizational management and employee behavior is often neglected. In many cases, employees intend to comply with policies, but they cannot avoid “unintentional” violation of information security policies, that is, they are unaware of the existence of deception. Even if the user’s intention to comply with the security policy is high and the behavior is toward compliance, it is still possible to have an information security violation in the case of “unawareness” or “mistrust,” resulting in organizational losses. This study uses situation awareness theory to explore how email social engineering attacks can deceive users either unconsciously or unintentionally and to explore using current and possible training methods to reduce the possibility of employees falling victim to a successful email engineering attack.