IDEAS home Printed from https://ideas.repec.org/a/plo/pone00/0224216.html
   My bibliography  Save this article

Informing, simulating experience, or both: A field experiment on phishing risks

Author

Listed:
  • Aurélien Baillon
  • Jeroen de Bruin
  • Aysil Emirmahmutoglu
  • Evelien van de Veer
  • Bram van Dijk

Abstract

Cybersecurity cannot be ensured with mere technical solutions. Hackers often use fraudulent emails to simply ask people for their password to breach into organizations. This technique, called phishing, is a major threat for many organizations. A typical prevention measure is to inform employees but is there a better way to reduce phishing risks? Experience and feedback have often been claimed to be effective in helping people make better decisions. In a large field experiment involving more than 10,000 employees of a Dutch ministry, we tested the effect of information provision, simulated experience, and their combination to reduce the risks of falling into a phishing attack. Both approaches substantially reduced the proportion of employees giving away their password. Combining both interventions did not have a larger impact.

Suggested Citation

  • Aurélien Baillon & Jeroen de Bruin & Aysil Emirmahmutoglu & Evelien van de Veer & Bram van Dijk, 2019. "Informing, simulating experience, or both: A field experiment on phishing risks," PLOS ONE, Public Library of Science, vol. 14(12), pages 1-15, December.
    • Handle: RePEc:plo:pone00:0224216
    DOI: 10.1371/journal.pone.0224216
    as

    Download full text from publisher

    File URL: https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0224216
    Download Restriction: no
    File URL: https://journals.plos.org/plosone/article/file?id=10.1371/journal.pone.0224216&type=printable
    Download Restriction: no
    File URL: https://libkey.io/10.1371/journal.pone.0224216?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    References listed on IDEAS

    as
    1. B. B. Gupta & Nalin A. G. Arachchilage & Kostas E. Psannis, 2018. "Defending against phishing attacks: taxonomy of methods, current issues and future directions," Telecommunication Systems: Modelling, Analysis, Design and Management, Springer, vol. 67(2), pages 247-267, February.
    2. Cai, Jing & Song, Changcheng, 2017. "Do disaster experience and knowledge affect insurance take-up decisions?," Journal of Development Economics, Elsevier, vol. 124(C), pages 83-94.
    3. Sam Ransbotham & Sabyasachi Mitra, 2009. "Choice and Chance: A Conceptual Model of Paths to Information Security Compromise," Information Systems Research, INFORMS, vol. 20(1), pages 121-139, March.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Ahu Ergen & Ahmet Naci Ünal & Mehmet Sıtkı Saygili, 2021. "Is It Possible to Change the Cyber Security Behaviours of Employees? Barriers and Promoters," Academic Journal of Interdisciplinary Studies, Richtmann Publishing Ltd, vol. 10, July.
    2. David Gonzalez-Jimenez & Francesco Capozza & Thomas Dirkmaat & Evelien van de Veer & Amber van Druten & Aurélien Baillon, 2025. "Falling and failing (to learn) : Evidence from a nation-wide cybersecurity field experiment with SMEs," Post-Print hal-04875787, HAL.
    3. Keefer, Philip & Roseth, Benjamin & Santamaria, Julieth, 2024. "General Skills Training for Public Employees: Experimental Evidence on Cybersecurity Training in Argentina," IDB Publications (Working Papers) 13775, Inter-American Development Bank.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Joakim Kävrestad & Allex Hagberg & Marcus Nohlberg & Jana Rambusch & Robert Roos & Steven Furnell, 2022. "Evaluation of Contextual and Game-Based Training for Phishing Detection," Future Internet, MDPI, vol. 14(4), pages 1-16, March.
    2. Sanghyun Kim & Bora Kim & Minsoo Seo, 2020. "Impacts of Sustainable Information Technology Capabilities on Information Security Assimilation: The Moderating Effects of Policy—Technology Balance," Sustainability, MDPI, vol. 12(15), pages 1-24, July.
    3. Kjell Hausken, 2017. "Security Investment, Hacking, and Information Sharing between Firms and between Hackers," Games, MDPI, vol. 8(2), pages 1-23, May.
    4. Yonghua Ji & Subodha Kumar & Vijay Mookerjee, 2016. "When Being Hot Is Not Cool: Monitoring Hot Lists for Information Security," Information Systems Research, INFORMS, vol. 27(4), pages 897-918, December.
    5. Tim Philippi & Jörg Schiller, 2024. "Abandoning disaster relief and stimulating insurance demand through premium subsidies," Journal of Risk & Insurance, The American Risk and Insurance Association, vol. 91(2), pages 339-382, June.
    6. Luca Allodi & Fabio Massacci, 2017. "Security Events and Vulnerability Data for Cybersecurity Risk Estimation," Risk Analysis, John Wiley & Sons, vol. 37(8), pages 1606-1627, August.
    7. Xing Gao & Weijun Zhong & Shue Mei, 2014. "A game-theoretic analysis of information sharing and security investment for complementary firms," Journal of the Operational Research Society, Palgrave Macmillan;The OR Society, vol. 65(11), pages 1682-1691, November.
    8. Habib Ntwoku & Solomon Negash & Peter Meso, 2017. "ICT adoption in Cameroon SME: application of Bass diffusion model," Information Technology for Development, Taylor & Francis Journals, vol. 23(2), pages 296-317, April.
    9. Carol Hsu & Jae-Nam Lee & Detmar W. Straub, 2012. "Institutional Influences on Information Systems Security Innovations," Information Systems Research, INFORMS, vol. 23(3-part-2), pages 918-939, September.
    10. Ahmed Abbasi & David Dobolyi & Anthony Vance & Fatemeh Mariam Zahedi, 2021. "The Phishing Funnel Model: A Design Artifact to Predict User Susceptibility to Phishing Websites," Information Systems Research, INFORMS, vol. 32(2), pages 410-436, June.
    11. Robert Karamagi, 2022. "A Review of Factors Affecting the Effectiveness of Phishing," Computer and Information Science, Canadian Center of Science and Education, vol. 15(1), pages 1-20, February.
    12. Abdul Basit & Maham Zafar & Xuan Liu & Abdul Rehman Javed & Zunera Jalil & Kashif Kifayat, 2021. "A comprehensive survey of AI-enabled phishing attacks detection techniques," Telecommunication Systems: Modelling, Analysis, Design and Management, Springer, vol. 76(1), pages 139-154, January.
    13. Strobl, Renate, 2022. "Background risk, insurance and investment behaviour: Experimental evidence from Kenya," Journal of Economic Behavior & Organization, Elsevier, vol. 202(C), pages 34-68.
    14. Sarah Janzen & Nicholas Magnan & Conner Mullally & Soye Shin & I. Bailey Palmer & Judith Oduol & Karl Hughes, 2021. "Can Experiential Games and Improved Risk Coverage Raise Demand for Index Insurance? Evidence from Kenya," American Journal of Agricultural Economics, John Wiley & Sons, vol. 103(1), pages 338-361, January.
    15. Yuyuan Che & Hongli Feng & David A. Hennessy, 2020. "Recency effects and participation at the extensive and intensive margins in the U.S. Federal Crop Insurance Program," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 45(1), pages 52-85, January.
    16. de Cornière, Alexandre & Taylor, Greg, 2021. "A Model of Information Security and Competition," TSE Working Papers 21-1285, Toulouse School of Economics (TSE).
    17. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    18. Steinbart, Paul John & Raschke, Robyn L. & Gal, Graham & Dilla, William N., 2012. "The relationship between internal audit and information security: An exploratory investigation," International Journal of Accounting Information Systems, Elsevier, vol. 13(3), pages 228-243.
    19. John D’Arcy & Idris Adjerid & Corey M. Angst & Ante Glavas, 2020. "Too Good to Be True: Firm Social Performance and the Risk of Data Breach," Information Systems Research, INFORMS, vol. 31(4), pages 1200-1223, December.
    20. Jaime A. Teixeira da Silva & Aceil Al-Khatib & Panagiotis Tsigaris, 2020. "Spam emails in academia: issues and costs," Scientometrics, Springer;Akadémiai Kiadó, vol. 122(2), pages 1171-1188, February.

    More about this item

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:plo:pone00:0224216. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: plosone (email available below). General contact details of provider: https://journals.plos.org/plosone/ .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.