Beyond Individuals: A Group Perspective of Phishing Susceptibility

Abstract

With billions of dollars in annual IT security-related damages, organizations are well aware of the critical need for protection from phishing attacks with IT security policies and best practices. However, after decades of academic research and industry interventions, phishing remains one of the top cybersecurity threats to organizations. This significant effort to combat phishing by both practitioners and academics has largely focused on three factors: 1) individual characteristics, 2) message characteristics, and 3) interventions. We advocate for moving beyond this predominant focus to encompass a context-driven understanding of phishing susceptibility. We develop a phishing susceptibility model that includes how contextual factors, including workgroup characteristics and an individual’s position in organizational social networks, can be used to predict susceptibility to phishing messages. We show the utility of this approach through a field study of the ability to detect deception email communication using a multi-wave phishing simulation in the finance division of a large university in the US. Our findings extend the understanding of phishing susceptibility through a model that incorporates variation in the workgroup and network-based factors. In addition, this research generates practical insights regarding how organizations may identify and support employees that are likely to be susceptible to phishing attacks.