Informing, simulating experience, or both: A field experiment on phishing risks

Autoři: Aurélien Baillon aff001;  Jeroen de Bruin aff001;  Aysil Emirmahmutoglu aff001;  Evelien van de Veer aff002;  Bram van Dijk aff002
Působiště autorů: Erasmus School of Economics, Erasmus University Rotterdam, Rotterdam, The Netherlands aff001;  Ministry of Economic Affairs and Climate Policy, The Hague, The Netherlands aff002
Vyšlo v časopise: PLoS ONE 14(12)
Kategorie: Research Article
doi: 10.1371/journal.pone.0224216


Cybersecurity cannot be ensured with mere technical solutions. Hackers often use fraudulent emails to simply ask people for their password to breach into organizations. This technique, called phishing, is a major threat for many organizations. A typical prevention measure is to inform employees but is there a better way to reduce phishing risks? Experience and feedback have often been claimed to be effective in helping people make better decisions. In a large field experiment involving more than 10,000 employees of a Dutch ministry, we tested the effect of information provision, simulated experience, and their combination to reduce the risks of falling into a phishing attack. Both approaches substantially reduced the proportion of employees giving away their password. Combining both interventions did not have a larger impact.

Klíčová slova:

Age groups – Behavior – Computer security – Employment – Experimental economics – Infographics – Labor economics – Sensory cues


1. Vishwanath A, Herath T, Chen R, Wang J, Rao HR. Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model. Decision Support Systems. 2011; 51(3): 576–586. doi: 10.1016/j.dss.2011.03.002

2. Ramanathan V, Wechsler H. Phishing detection and impersonated entity discovery using Conditional Random Field and Latent Dirichlet Allocation. Computers & Security. 2013; 34: 123–139. doi: 10.1016/j.cose.2012.12.002

3. Blythe M, Petrie H, Clark JA. F for fake: Four studies on how we fall for phish. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM; 2011. p. 3469–3478.

4. Berghel H. Phishing mongers and posers. Communications of the ACM. 2006; 49(4): 21–25.

5. Gupta Brij B and Arachchilage Nalin AG and Psannis Kostas E. Defending against phishing attacks: taxonomy of methods, current issues and future directions. Telecommunication Systems. 2018; 67(2): 247–267. doi: 10.1007/s11235-017-0334-z

6. Ransbotham S, Mitra S. Choice and chance: A conceptual model of paths to information security compromise. Information Systems Research. 2009; 20(1): 121–139. doi: 10.1287/isre.1080.0174

7. Bada M, Sasse A, Nurse JRC. Cyber Security Awareness Campaigns: Why do they fail to change behaviour? In: International Conference on Cyber Security for Sustainable Society; 2015. p. 118–131.

8. Pahnila S, Siponen M, Mahmood A. Employees’ behavior towards IS security policy compliance. In: System sciences, 2007. HICSS 2007. 40th Annual Hawaii International Conference on. IEEE; 2007. p. 156b–156b.

9. Vroom C, von Solms R. Towards information security behavioural compliance. Computers & Security. 2004; 23(3): 191–198. doi: 10.1016/j.cose.2004.01.012

10. Bulgurcu B, Cavusoglu H, Benbasat I. Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS quarterly. 2010; 34(3): 523–548. doi: 10.2307/25750690

11. Whitman M, Mattord H. Principles of Information Security: Thompson Course Technology. Kennesaw State University. 2003.

12. Albrechtsen E. A qualitative study of users’ view on information security. Computers & security. 2007; 26(4): 276–289. doi: 10.1016/j.cose.2006.11.004

13. Cai J, Song C. Do disaster experience and knowledge affect insurance take-up decisions? Journal of Development Economics. 2017; 124: 83–94. doi: 10.1016/j.jdeveco.2016.08.007

14. Kumaraguru P, Rhee Y, Acquisti A, Cranor LF, Hong J, Nunge E. Protecting people from phishing: The design and evaluation of an embedded training email system. In: Proceedings of the SIGCHI conference on Human factors in computing systems. ACM; 2007. p. 905–914.

15. Sheng S, Magnien B, Kumaraguru P, Acquisti A, Cranor LF, Hong J, et al. Anti-phishing phil: The design and evaluation of a game that teaches people not to fall for phish. In: Proceedings of the 3rd symposium on Usable privacy and security. ACM; 2007. p. 88–99.

16. Sheng S, Holbrook M, Kumaraguru P, Cranor LF, Downs J. Who falls for phish?: A demographic analysis of phishing susceptibility and effectiveness of interventions. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM; 2010. p. 373–382.

17. Downs JS, Holbrook MB, Cranor LF. Decision strategies and susceptibility to phishing. In: Proceedings of the second symposium on Usable privacy and security. ACM; 2006. p. 79–90.

18. Wright RT, Marett K. The influence of experiential and dispositional factors in phishing: An empirical investigation of the deceived. Journal of Management Information Systems. 2010; 27(1): 273–303. doi: 10.2753/MIS0742-1222270111

19. Bowen BM, Devarajan R, Stolfo S. Measuring the human factor of cyber security. In: Technologies for Homeland Security (HST), 2011 IEEE International Conference on. IEEE; 2011. p. 230–235.

20. Burns MB, Durcikova A, Jenkins JL. What kind of interventions can help users from falling for phishing attempts: A research proposal for examining stage-appropriate interventions. In: System Sciences (HICSS), 2013 46th Hawaii International Conference on. IEEE; 2013. p. 4023–4032.

21. Mohebzada J, El Zarka A, BHojani AH, Darwish A. Phishing in a university community: Two large scale phishing experiments. In: Innovations in Information Technology (IIT), 2012 International Conference on. IEEE; 2012. p. 249–254.

22. Williams Emma J., Hinds Joanne, and Joinson Adam N. Exploring susceptibility to phishing in the workplace. International Journal of Human-Computer Studies. 2018; 120: 1–13. doi: 10.1016/j.ijhcs.2018.06.004

23. Silic M, Back A. The dark side of social networking sites: Understanding phishing risks. Computers in Human Behavior. 2016;60:35–43. doi: 10.1016/j.chb.2016.02.050

24. Halevi T, Memon N, Nov O. Spear-phishing in the wild: A real-world study of personality, phishing self-efficacy and vulnerability to spear-phishing attacks. 2015;

25. Siadati H, Palka S, Siegel A, McCoy D. Measuring the Effectiveness of Embedded Phishing Exercises. In: 10th USENIX Workshop on Cyber Security Experimentation and Test (CSET 17). USENIX Association; 2017.

26. Kleitman Sabina and Law Marvin KH and Kay Judy. It’s the deceiver and the receiver: Individual differences in phishing susceptibility and false positives with item profiling. PloS one. 2018; 13(10): e0205089. doi: 10.1371/journal.pone.0205089 30365492

27. Vishwanath Arun, Harrison Brynne, and Yu Jie Ng. Suspicion, cognition, and automaticity model of phishing susceptibility. Communication Research. 2018; 45(8): 1146–1166. doi: 10.1177/0093650215627483

28. Musuva Paula MW and Getao Katherine W and Chepken Christopher K. A new approach to modelling the effects of cognitive processing and threat detection on phishing susceptibility. Computers in Human Behavior. 2019; 94: 154–175. doi: 10.1016/j.chb.2018.12.036

29. Zigmont Jason J., and Kappus Liana J., and Sudikoff Stephanie N. Theoretical foundations of learning through simulation. Seminars in perinatology. 2011; 35(2): 47–51. doi: 10.1053/j.semperi.2011.01.002 21440810

30. Xiong Aiping and Proctor Robert W and Yang Weining and Li Ninghui. Embedding Training Within Warnings Improves Skills of Identifying Phishing Webpages. Human factors. 2019; 61(4): 577–595. doi: 10.1177/0018720818810942 30526089

31. Arachchilage N. A. G., and Love S. Security awareness of computer users: A phishing threat avoidance perspective. Computers in Human Behavior. 2014; 38: 304–312. doi: 10.1016/j.chb.2014.05.046

32. Alsharnouby M., Alaca F., and Chiasson S. Why phishing still works: User strategies for combating phishing attacks. International Journal of Human-Computer Studies. 2015; 82: 69–82. doi: 10.1016/j.ijhcs.2015.05.005

Článek vyšel v časopise


2019 Číslo 12