Simulated Phishing and Employee Cybersecurity Behaviour (SPEC)

The risk of cyber-attacks to UK companies is bigger than ever. With 90% of cyber breaches involving phishing techniques, it is increasingly important for organisations to identify ways to increase awareness of phishing attacks whilst maintaining positive relationships with employees. Not only is it important for organisations to know who is susceptible to what kinds of phishing attacks, but they also need to prevent such incidents from occurring. For this reason, a number of organisations conduct simulated phishing exercises, in which employees are sent emails that simulate phishing attempts. Organisations can use simulated phishing to test which employees are susceptible to what kinds of phishing attacks, provide instant feedback and timely, ‘just-in-time’ training when links are clicked, and form the basis of repercussions for individuals who click phishing links.

Using simulated phishing to deliver just-in-time training, an approach that gives employees training exactly when they fall for a phish, has shown promise in improving employee’s ability to detect phishing emails compared to security notices, even in cases in which users are only told they clicked on a phishing email, but not provided any training material.

However, simply raising awareness might not be sufficient to successfully protect an organisation, especially if such exercises carry any unintended, negative outcomes. For instance, maintaining trust between employees and organisations is a vital component of compliance with security policies. Simulated phishing exercises have been argued to undermine this trust, and create a hostile environment, whereby employees are blamed or actively punished for slip-ups, ultimately reducing long-term reporting. However, some of these assertions have not been directly tested, and do not account for the different ways in which simulating phishing could be implemented (e.g., to provide feedback, training or punishment to those falling victim), nor is it clear what proportion of organisations follow each of these implementations.

To this end, this project will conduct two studies with differing approaches to investigate (i) how policies on simulated phishing emails are currently implemented in organisations using a cross-sectional survey and (ii) the impact of simulated phishing emails policies on employees’ cyber security awareness and their perceptions of key factors (organisational trust, procedural fairness, stress and perceived monitoring) through an experimental study.

Principal Investigator

Dr John Blythe

Institution

CybSafe (lead)
University of Bath

People

Dr Emily Collins