Phishing for Long Tails: Examining Organizational Repeat Clickers and Protective Stewards

Canham, Matthew; Posey, Clay; Strickland, Delainey; Constantino, Michael J.

doi:10.1177/2158244021990656

Cited by 16 publications

(23 citation statements)

References 38 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…No significant interactions (in click-rates or report-rates) between the email template types and job role were observed. Overall, the click-rates were relatively low compared to previously observed campaigns (Canham et al, 2021). This might have been the result of a self-selected sample of participants with knowledge of their contest participation.…”

Section: Resultscontrasting

confidence: 68%

“…Complementing the research on human-detection capabilities, recent efforts have drawn attention to all potential employee behavioral responses to email phishing attacks (Canham et al, 2021). By analyzing the responses of more than 6,000 employees at a large U.S. university over the course of 20 phishing training campaigns and 19 months, this effort demonstrated that a small subset of users (6% of the total population of users) were responsible for repeated phishing training failures (i.e., "Repeat Clickers") and a larger subset (33%) of users ("Protective Stewards") were responsible for reporting these emails to the Information Security Office.…”

Section: Background On Phishingmentioning

confidence: 99%

“…Notwithstanding the importance of assessing the number of employees who fall victim to these mock attacks, it is important to note how employees can also have positive reactions to phishing attacks-reactions that alert organizational representatives to the potential threat (Canham et al, 2021). It is unfortunate that many of these positive reactions are often overshadowed by the failures (i.e., successful mock attacks) despite serving as an important warning signal or beacon to the organization that something could be wrong.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Phish Derby: Shoring the Human Shield Through Gamified Phishing Attacks

Canham¹,

Posey

Constantino

2022

Front. Educ.

Self Cite

View full text Add to dashboard Cite

To better understand employees’ reporting behaviors in relation to phishing emails, we gamified the phishing security awareness training process by creating and conducting a month-long “Phish Derby” competition at a large university in the U.S. The university’s Information Security Office challenged employees to prove they could detect phishing emails as part of the simulated phishing program currently in place. Employees volunteered to compete for prizes during this special event and were instructed to report suspicious emails as potential phishing attacks. Prior to the beginning of the competition, we collected demographics and data related to the concepts central to two theoretical foundations: the Big Five personality traits and goal orientation theory. We found several notable relationships between demographic variables and Phish Derby performance, which was operationalized from the number of phishing attacks reported and employee report speed. Several key findings emerged, including past performance on simulated phishing campaigns positively predicted Phish Derby performance; older participants performed better than their younger colleagues, but more educated participants performed poorer; and individuals who used a mix of PCs and Macs at work performed worse than those using a single platform. We also found that two of the Big Five personality dimensions, extraversion and agreeableness, were both associated with poorer performance in phishing detection and reporting. Likewise, individuals who were driven to perform well in the Phish Derby because they desired to learn from the experience (i.e., learning goal orientation) performed at a lower level than those driven by other goals. Interestingly, self-reported levels of computer skill and the perceived ability to detect phishing messages failed to exhibit a significant relationship with Phish Derby performance. We discuss these findings and describe how focusing on motivating the good in employee cyber behaviors is a necessary yet too often overlooked component in organizations whose training cyber cultures are rooted in employee click rates alone.

show abstract

Section: Resultscontrasting

confidence: 68%

Section: Background On Phishingmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Phish Derby: Shoring the Human Shield Through Gamified Phishing Attacks

Canham¹,

Posey

Constantino

2022

Front. Educ.

Self Cite

View full text Add to dashboard Cite

show abstract

“…In 2021, Canham et al 30 investigated phishing related behaviors at a southeastern university in the United States. The focus for this study was on determining employee cluster types for responses to phishing attacks based on positive and negative actions.…”

Section: Phishing Related Behaviorsmentioning

confidence: 99%

“…Canham et al noted that security training is "as expected" not perfect as even in the Beacon and Spectator clusters, around 3-4% of the employees fell victim. 30…”

Section: Phishing Related Behaviorsmentioning

confidence: 99%

Examining Factors Impacting the Effectiveness of Anti-Phishing Trainings

Sumner

Yuan

Anwar

et al. 2021

Journal of Computer Information Systems

View full text Add to dashboard Cite

Approximately 65% of the organizations in the United States have fallen victim to a successful phishing attack. Many organizations offer anti-phishing training to their employees to defend against phishing attacks. The purpose of this study is to examine factors impacting the effectiveness of anti-phishing training and study the relationship between personality traits and phishing susceptibility. Participants filled out pre-and post-training surveys that included questions on identifying phishing and legitimate URLs and questions to determine DISC (Dominant, Influence, Steadiness, and Conscientiousness) personality traits. An analysis of the survey data shows that the participants' average accuracy in detecting phishing URLs increased 8% (t = 2.144, p-value = 0.0374) and their confidence in their answer choices increased 6% (t = 2.032, p-value = 0.0464) from pretraining to post-training surveys. Before and after training, participants with the Influence personality trait had the lowest susceptibility while both Dominant and Steadiness personalities had the highest susceptibility before and after training respectively.

show abstract

Guidelines for Developers and Recommendations for Users to Mitigate Phishing Attacks: An Interdisciplinary Research Approach

Bukhsh

2023

Lecture Notes in Business Information Processing

View full text Add to dashboard Cite

Phishing for Long Tails: Examining Organizational Repeat Clickers and Protective Stewards

Cited by 16 publications

References 38 publications

Phish Derby: Shoring the Human Shield Through Gamified Phishing Attacks

Phish Derby: Shoring the Human Shield Through Gamified Phishing Attacks

Examining Factors Impacting the Effectiveness of Anti-Phishing Trainings

Guidelines for Developers and Recommendations for Users to Mitigate Phishing Attacks: An Interdisciplinary Research Approach

Contact Info

Product

Resources

About