Contextual drivers of employees' phishing susceptibility: Insights from a field study

摘要

Phishing attacks rate as one of the most prevalent security threats to contemporary organizations. Hence, managers strive heavily to apply security measures that keep their employees safe from these risks, thereby relying on insights from security researchers who have predominantly focused on recipient characteristics, message attributes, and interventions to explicate the phishing susceptibility of individuals. A theoretical lens yet to be explored is the discrete context in which individuals encounter phishing attacks. This paper presents a multi-dimensional model – comprising the three contextual components social, task, and physical – that explains why an employee is likely to fall for phishing emails or not. To empirically validate our model, we conducted a field study among 2302 employees of an internationally operating pharmaceutical company in the United States. By combining employees' behavioral responses to a phishing email, training data, and contextual data, like help desk reliance, job status or workspace, we find that context is key to a more thorough understanding of phishing susceptibility. Moreover, our study provides practical insights on how organizations can identify and support employees prone to phishing as well as tailor training programs to prevent their workforce from falling prey to cybercriminals.