Abstract

Employee reporting is critical for organizations to blunt phishing attacks, yet awareness-oriented training often improves what people know about phishing more than what they do (i.e., reporting). We address this gap by theorizing the pathways through which an experiential anti-phishing training program can lead to enhanced employee phishing reporting. Using an interpretive single-case study of an embedded anti-phishing intervention in an IT-services organization, we reveal a learning-to-action sequence in which social interaction amplifies learning. These mechanisms yield two proximal outcomes, phishing-detection and reporting self-efficacy and organizational security commitment, which jointly strengthen intention to report. The study opens the training black box by specifying mechanisms that connect experiential practice to intention and by integrating knowledge–learning, rational–cognitive, and social–cultural perspectives from phishing reporting literature.
