Contextual drivers of employees' phishing susceptibility: Insights from a field study

Authors:

Highlights:

• An employee's phishing susceptibility is shaped by context.

• Social context of employees' helpdesk reliance is negatively associated with susceptibility.

• Social context of team size is positively associated with susceptibility.

• Task contexts of job experience and job status are positively associated with susceptibility.

• Physical context of working in regions with medium phishing attack severity is positively associated with susceptibility.

Abstract

Phishing attacks rate as one of the most prevalent security threats to contemporary organizations. Hence, managers strive heavily to apply security measures that keep their employees safe from these risks, thereby relying on insights from security researchers who have predominantly focused on recipient characteristics, message attributes, and interventions to explicate the phishing susceptibility of individuals. A theoretical lens yet to be explored is the discrete context in which individuals encounter phishing attacks. This paper presents a multi-dimensional model – comprising the three contextual components social, task, and physical – that explains why an employee is likely to fall for phishing emails or not. To empirically validate our model, we conducted a field study among 2302 employees of an internationally operating pharmaceutical company in the United States. By combining employees' behavioral responses to a phishing email, training data, and contextual data, like help desk reliance, job status or workspace, we find that context is key to a more thorough understanding of phishing susceptibility. Moreover, our study provides practical insights on how organizations can identify and support employees prone to phishing as well as tailor training programs to prevent their workforce from falling prey to cybercriminals.

Keywords: Phishing susceptibility, Contextual theory, Field study, Social context, Task context, Physical context

Article history: Received 3 September 2021, Revised 24 April 2022, Accepted 31 May 2022, Available online 7 June 2022, Version of Record 15 July 2022.

DOI: https://doi.org/10.1016/j.dss.2022.113818