Abstract

Employees’ behaviour in response to phishing emails can strengthen or undermine business organisations’ cyber security. This phishing simulation and survey study explored the relationship between sociodemographic, cyber security training, phishing email typology and information processing factors and risky and secure email response behaviours. Participants (N = 590) were employees of a large financial institution who received one of four types of phishing emails. Participants who engaged in risky cyber email behaviour clicked on the link in the phishing email, whereas those who engaged in secure cyber email behaviour reported the email to the institution’s cyber security team. Our findings show that the likelihood of clicking on a link in a phishing email was lower for participants who had greater faith in their intuition and paid more attention to the sender's email address. The likelihood of clicking on a link in a phishing email was greater for participants who received the ‘Undelivered package’ email relative to the ‘Received PDF’ email. The likelihood of reporting a phishing email was greater for participants who engaged in greater elaborative processing to evaluate the email than for those who used less elaboration. Theoretical and practical implications as well as future directions are discussed.
