Why Employees (Still) Click on Phishing Links: An Investigation in Hospitals

22 Pages Posted: 29 Jan 2019 Last revised: 22 Feb 2019

See all articles by Mohammad S. Jalali

Mohammad S. Jalali

Harvard University - Harvard Medical School

Maike Bruckes

University of Münster

Daniel Westmattelmann

University of Münster

Gerhard Schewe

University of Münster

Date Written: January 15, 2019

Abstract

Employees are considered the weakest link in information security; their compliance with security policies has been a major area of research. However, employees click on phishing links even after receiving training. In this study, we explore the factors that influence information security policy compliance, using the theory of planned behavior (TPB) and integrating trust theories. We conduct a survey in hospitals to investigate the components of compliance intention and match employees’ survey results with their actual clicking data from organizational phishing campaigns. Our analysis (N = 430) revealed that TPB factors (attitude, subjective norms, and perceived behavioral control), as well as collective felt trust and trust in information security technology, have positive effects on compliance intention. However, surprisingly, compliance intention does not predict compliance behavior. Of the variables we tested, only the level of employees’ workload shows a significant relationship to their actual behavior. This study contributes to the information systems literature by understanding factors influencing compliance behavior. Also, unlike studies that assess behavior through a questionnaire, our method was able to measure observable compliance behavior using clicking data. Our findings can help organizations augment employees’ compliance with their cybersecurity policies and reduce the likelihood of clicking on phishing links.

Keywords: Information security management, phishing emails, compliance, trust, theory of planned behavior

Suggested Citation

Jalali, Mohammad S. and Bruckes, Maike and Westmattelmann, Daniel and Schewe, Gerhard, Why Employees (Still) Click on Phishing Links: An Investigation in Hospitals (January 15, 2019). Available at SSRN: https://ssrn.com/abstract=3317498 or http://dx.doi.org/10.2139/ssrn.3317498

Mohammad S. Jalali (Contact Author)

Harvard University - Harvard Medical School ( email )

101 Merrimac St
Suite 1010
Boston, MA 02114
United States

HOME PAGE: http://scholar.harvard.edu/jalali

Maike Bruckes

University of Münster ( email )

Schlossplatz 2
Muenster, D-48149
Germany

Daniel Westmattelmann

University of Münster ( email )

Schlossplatz 2
Muenster, D-48149
Germany

Gerhard Schewe

University of Münster ( email )

Schlossplatz 2
Muenster, D-48149
Germany

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
164
Abstract Views
950
Rank
272,496
PlumX Metrics