A Multi-Level Contextualized View of Phishing Susceptibility

60 Pages. Posted: 1 Jul 2020. Last revised: 20 Aug 2020

Ryan Wright

University of Virginia - McIntire School of Commerce

Steven L. Johnson

University of Virginia - McIntire School of Commerce

Brent Kitchens

University of Virginia - McIntire School of Commerce

Date Written: August 20, 2020

Abstract

With billions of dollars in annual IT security-related damages, organizations are well aware of the critical need for protection from phishing attacks with IT security policies and best practices. However, after decades of academic research and industry interventions, phishing remains one of the top cybersecurity threats to organizations. This significant effort to combat phishing by both practitioners and academics has largely focused on three factors: 1) individual characteristics, 2) message characteristics, and 3) interventions. We advocate for moving beyond this predominant focus to encompass a context-driven understanding of phishing susceptibility. We develop a phishing susceptibility model that includes how contextual factors, including workgroup characteristics and an individual’s position in organizational social networks, can be used to predict susceptibility to phishing messages. We show the utility of this approach through a field study of the ability to detect deception in email communication using a multi-wave phishing simulation in the finance division of a large university in the US. Our findings extend the understanding of phishing susceptibility through a model that incorporates variation in the workgroup and network-based factors. In addition, this research generates practical insights regarding how organizations may identify and support employees who are likely to be susceptible to phishing attacks.

Keywords: Cybersecurity, Phishing, Phishing Susceptibility, Information Security, Contextual theory, Social Network Analysis, multi-level model

Suggested Citation

Wright, Ryan and Johnson, Steven L. and Kitchens, Brent, A Multi-Level Contextualized View of Phishing Susceptibility (August 20, 2020). Available at SSRN: https://ssrn.com/abstract=3622310

Ryan Wright (Contact Author)

University of Virginia - McIntire School of Commerce

P.O. Box 400173
Charlottesville, VA 22904-4173
United States
