Factors Affecting Employees’ Susceptibility to Cyber Attacks
Forthcoming in Journal of Information Systems
66 Pages
Posted: 29 Apr 2022
Date Written: April 13, 2022
Abstract
We examine factors associated with employees’ susceptibility to phishing attacks in a
professional services firm and a financial services firm (bank). We measure three dimensions of
suspicion (skepticism, suspicion of hostility, and interpersonal trust), and three cognitive traits
(risk-taking propensity, cognitive (inhibitory) control, and social cognition), while controlling for
demographic and work context factors. We find that these traits interact in complex ways in
determining individuals’ susceptibility to phishing attacks. Bank employees are more susceptible
to being phished than professional services firm employees, but within the bank, the employees
with professional certificates are less susceptible to phishing attacks than other bank employees.
Also, employees with self-reported responsibility for cybersecurity are less likely to be phished.
These findings could be used to create a screening tool for identifying which employees are
particularly susceptible to phishing attacks, to tailor training or redesign jobs to counter those
susceptibilities and reduce security risk.
Keywords: Cybersecurity, Phishing, Individual vulnerability, Personality traits, Cognitive traits, Risk-taking propensity, Cognitive (inhibitory) control, Social cognition, BART, STROOP, TASITE, Demographic factors, Work context