Phishing Training: A Preliminary Look at the Effects of Different Types of Training

In this paper, we present the preliminary results of an experiment conducted to observe the impact of different training techniques on the likelihood of participants identifying and reporting phishing messages. Three different training approaches were used: general video/quiz training, just-in-time training with simulated phishing emails, and a leaderboard, which awarded users points for forwarding correct phishing messages and penalized them for incorrect ones. The experiment emulated a normal working day of an executive assistant to a manager in an organization. Each participant was expected to accomplish work tasks and respond to work-related emails while watching for and reporting phishing messages. We observed that both general training and the presence of a leaderboard decreased the propensity to click on a phishing message, while we found no effect for different types of just-in-time training.
