A Routine Activities Approach to Evidence-Based Risk Assessment: Findings From Two Simulated Phishing Attacks

Abstract

To assess the efficacy of routine activity theory (RAT) for explaining phishing victimization and guide evidence-based policy, we launched two phishing attacks via a university Listserv ( N = 25,875). The first email offered access to a pdf file; the second offered free concert tickets. Several interesting findings emerged demonstrating phishing victimization results from network users’ routine behaviors. Students were significantly less likely to open the phishing email sharing a pdf but more likely to open the email offering free concert tickets. Moreover, students were mor e likely to click the malicious link embedded within the phishing email in both studies, often using mobile devices. Conversely, employees were more likely to click the link while connected to the university network, thus exposing the network to greater levels of risk. Finally, the email offering concert tickets was opened at a frequency more than double the email containing the pdf. Theoretical and policy implications are discussed.