Response to a phishing attack: persuasion and protection motivation in an organizational context

Bayl-Smith, P; Taib, R; Yu, K; Wiggins, M

Response to a phishing attack: persuasion and protection motivation in an organizational context

Bayl-Smith, P Taib, R Yu, K

Wiggins, M

Permalink

Publisher:: Emerald
Publication Type:: Journal Article
Citation:: Information and Computer Security, 2022, 30, (1), pp. 63-78
Issue Date:: 2022-01-31

Closed Access

	Filename	Description	Size
	Response to a phishing attack persuasion and protection motivation in an organizational context.pdf	Published version	187.17 kB	Adobe PDF	View/Open

Copyright Clearance Process

Recently Added
In Progress
Closed Access

This item is closed access and not available.

Full metadata record

Field	Value	Language
dc.contributor.author	Bayl-Smith, P
dc.contributor.author	Taib, R
dc.contributor.author	Yu, K https://orcid.org/0000-0001-5138-6749
dc.contributor.author	Wiggins, M
dc.date.accessioned	2023-03-29T04:03:22Z
dc.date.available	2023-03-29T04:03:22Z
dc.date.issued	2022-01-31
dc.identifier.citation	Information and Computer Security, 2022, 30, (1), pp. 63-78
dc.identifier.issn	2056-4961
dc.identifier.issn	2056-497X
dc.identifier.uri	http://hdl.handle.net/10453/168790
dc.description.abstract	Purpose: This study aims to examine the effect of cybersecurity threat and efficacy upon click-through, response to a phishing attack: persuasion and protection motivation in an organizational context. Design/methodology/approach: In a simulated field trial conducted in a financial institute, via PhishMe, employees were randomly sent one of five possible emails using a set persuasion strategy. Participants were then invited to complete an online survey to identify possible protective factors associated with clicking and reporting behavior (N = 2,918). The items of interest included perceived threat severity, threat susceptibility, response efficacy and personal efficacy. Findings: The results indicate that response behaviors vary significantly across different persuasion strategies. Perceptions of threat susceptibility increased the likelihood of reporting behavior beyond clicking behavior. Threat susceptibility and organizational response efficacy were also associated with increased odds of not responding to the simulated phishing email attack. Practical implications: This study again highlights human susceptibility to phishing attacks in the presence of social engineering strategies. The results suggest heightened awareness of phishing threats and responsibility to personal cybersecurity are key to ensuring secure business environments. Originality/value: The authors extend existing phishing literature by investigating not only click-through behavior, but also no-response and reporting behaviors. Furthermore, the authors observed the relative effectiveness of persuasion strategies used in phishing emails as they compete to manipulate unsafe email behavior.
dc.language	en
dc.publisher	Emerald
dc.relation.ispartof	Information and Computer Security
dc.relation.isbasedon	10.1108/ICS-02-2021-0021
dc.rights	info:eu-repo/semantics/closedAccess
dc.subject	0804 Data Format, 0806 Information Systems
dc.subject.classification	Information Systems
dc.title	Response to a phishing attack: persuasion and protection motivation in an organizational context
dc.type	Journal Article
utslib.citation.volume	30
utslib.for	0804 Data Format
utslib.for	0806 Information Systems
pubs.organisational-group	/University of Technology Sydney
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology/A/DRsch The Data Science Institute
utslib.copyright.status	closed_access	*
dc.date.updated	2023-03-29T04:03:21Z
pubs.issue	1
pubs.publication-status	Published
pubs.volume	30
utslib.citation.issue	1

Abstract:

Purpose: This study aims to examine the effect of cybersecurity threat and efficacy upon click-through, response to a phishing attack: persuasion and protection motivation in an organizational context. Design/methodology/approach: In a simulated field trial conducted in a financial institute, via PhishMe, employees were randomly sent one of five possible emails using a set persuasion strategy. Participants were then invited to complete an online survey to identify possible protective factors associated with clicking and reporting behavior (N = 2,918). The items of interest included perceived threat severity, threat susceptibility, response efficacy and personal efficacy. Findings: The results indicate that response behaviors vary significantly across different persuasion strategies. Perceptions of threat susceptibility increased the likelihood of reporting behavior beyond clicking behavior. Threat susceptibility and organizational response efficacy were also associated with increased odds of not responding to the simulated phishing email attack. Practical implications: This study again highlights human susceptibility to phishing attacks in the presence of social engineering strategies. The results suggest heightened awareness of phishing threats and responsibility to personal cybersecurity are key to ensuring secure business environments. Originality/value: The authors extend existing phishing literature by investigating not only click-through behavior, but also no-response and reporting behaviors. Furthermore, the authors observed the relative effectiveness of persuasion strategies used in phishing emails as they compete to manipulate unsafe email behavior.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/168790