Why Employees (Still) Click on Phishing Links: An Investigation in Hospitals

22 pages. Posted: 29 Jan 2019. Last revised: 22 Feb 2019.

Mohammad Jalali

Massachusetts Institute of Technology (MIT) - Sloan School of Management; Harvard University - Harvard Medical School

Maike Bruckes

University of Muenster

Daniel Westmattelmann

University of Muenster

Gerhard Schewe

University of Muenster

Date Written: January 15, 2019

Abstract

Employees are considered the weakest link in information security; their compliance with security policies has been a major area of research. However, employees click on phishing links even after receiving training. In this study, we explore the factors that influence information security policy compliance, using the theory of planned behavior (TPB) and integrating trust theories. We conduct a survey in hospitals to investigate the components of compliance intention and match employees’ survey results with their actual clicking data from organizational phishing campaigns. Our analysis (N = 430) revealed that TPB factors (attitude, subjective norms, and perceived behavioral control), as well as collective felt trust and trust in information security technology, have positive effects on compliance intention. However, surprisingly, compliance intention does not predict compliance behavior. Of the variables we tested, only the level of employees’ workload shows a significant relationship to their actual behavior. This study contributes to the information systems literature by understanding factors influencing compliance behavior. Also, unlike studies that assess behavior through a questionnaire, our method was able to measure observable compliance behavior using clicking data. Our findings can help organizations augment employees’ compliance with their cybersecurity policies and reduce the likelihood of clicking on phishing links.

Keywords: Information security management, phishing emails, compliance, trust, theory of planned behavior

Suggested Citation

Jalali, Mohammad and Bruckes, Maike and Westmattelmann, Daniel and Schewe, Gerhard, Why Employees (Still) Click on Phishing Links: An Investigation in Hospitals (January 15, 2019). Available at SSRN: https://ssrn.com/abstract=3317498 or http://dx.doi.org/10.2139/ssrn.3317498

Mohammad Jalali (Contact Author)

Massachusetts Institute of Technology (MIT) - Sloan School of Management

77 Massachusetts Avenue
50 Memorial Drive
Cambridge, MA 02139-4307
United States

Home page: http://scholar.harvard.edu/jalali

Harvard University - Harvard Medical School

101 Merrimac St
Suite 1010
Boston, MA 02114
United States

Maike Bruckes

University of Muenster

Schlossplatz 2
Muenster, D-48149
Germany

Daniel Westmattelmann

University of Muenster

Schlossplatz 2
Muenster, D-48149
Germany

Gerhard Schewe

University of Muenster

Schlossplatz 2
Muenster, D-48149
Germany
