Employees' Attitude towards Phishing Simulations: "It's like when a child reaches onto the hot hob"
Abstract
E-mail phishing attacks remain one of the most significant challenges in IT security and are often used for initial access. Many organizations rely on phishing simulations to educate their staff to recognize suspicious e-mails. Previous studies have analyzed the effectiveness of these phishing simulations, with mixed findings. However, the perception of and attitudes towards phishing simulations among staff have received little to no attention.
This paper presents findings from a study that we carried out in cooperation with a multinational company that conducted phishing simulations over more than 12 months. We first conducted a quantitative survey involving 757 employees and then qualitative interviews with 22 participants to gain deeper insights into the perception of phishing simulations and the corresponding e-learning. We could not find evidence that employees feel attacked by their organisation as previous studies suspected. On the contrary, we found that a majority (86.9 %) have a positive or very positive attitude towards phishing simulations. The interviews revealed that some employees developed new routines for e-mail processing, but most describe themselves as having become more vigilant without concrete changes. Furthermore, we found evidence that phishing simulations create a false sense of security, as the employees feel protected by them. Additionally, lack of communication and feedback can negatively impact employees’ attitude and lead to adverse consequences. Finally, we show that only a small portion of the employees who clicked on the phishing website interacted with the interactive e-learning elements, which raises questions about its objective usefulness, although they are perceived as useful.
moreMehr zum Titel
| Titel | Employees' Attitude towards Phishing Simulations: "It's like when a child reaches onto the hot hob" |
|---|---|
| Medien | ACM Conference on Computer and Communications Security (CCS) 2024 |
| Verlag | --- |
| Heft | --- |
| Band | --- |
| ISBN | --- |
| Verfasser/Herausgeber | Katharina Schiller, Prof. Dr. Florian Adamsky, Christian Eichenmüller, Matthias Reimert, Dr. Zinaida Benenson |
| Seiten | --- |
| Veröffentlichungsdatum | 2024-08-30 |
| Projekttitel | --- |
| Zitation | Schiller, Katharina; Adamsky, Florian; Eichenmüller, Christian; Reimert, Matthias; Benenson, Zinaida (2024): Employees' Attitude towards Phishing Simulations: "It's like when a child reaches onto the hot hob". ACM Conference on Computer and Communications Security (CCS) 2024. DOI: 10.1145/3658644.3690212 |