Abstract:
Modern technology has transformed people’s lives for the better, but it also provides an attractive landscape for cyber criminals. Cyber criminals use phishing, a semantic attack, to coerce unknowing individuals into installing malware, sharing sensitive information, or initiating fraudulent transactions. This is a key concern for organisations whose duty it is to protect sensitive customer and company information. The aim of the current research was to identify the factors that are associated with susceptibility to phishing attacks. We sought to answer two questions: what factors predict individual susceptibility to phishing attacks? And what factors promote cyber resilience and protect against susceptibility? We sent a simulated phishing email to more than 4,500 employees from a New Zealand-based financial institution and recorded their responses to the email. A between-subjects factorial design was used to investigate whether email type, gender, job grade, previous simulation participation, click rate in previous simulations, completion of an online training module, and recency of completion of the online training module significantly predicted the participants’ email response behaviours. In a research first, the results showed that Managers were more susceptible to phishing attacks. Employees who had been phished in previous phishing simulations were more likely to be phished again. Increased participation in phishing simulations decreased the likelihood that employees would click, and increased the likelihood employees would report the phishing emails. An increase in reporting was also seen for employees who had been phished in prior simulations, which is important in building cyber resilience. Finally, the type of email received by employees affected how participants responded. 
The results suggest that some employees are more susceptible to phishing attacks than others, while culture, simulation-based training, and reporting tools can reduce employee susceptibility and build cyber resiliency. The research provides actionable insights for organisations to improve their cyber security strategies and suggests a number of areas of interest for further exploration.