Timing of Feedback After Phishing Simulations: Evidence from a Randomized Field Experiment

Dezhi Yin; Matthew T. Mullarkey; Gert Jan de Vreede; Moez Limayem

Timing of Feedback After Phishing Simulations: Evidence from a Randomized Field Experiment

Dezhi Yin
, Matthew T. Mullarkey
, Gert Jan de Vreede
, Moez Limayem

School of Business

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Given the frequent occurrence and danger of phishing attacks for individuals and organizations, a growing literature has examined the antecedents of users' phishing susceptibility and effective training interventions. In this research, we focus on feedback after phishing simulations as a novel training method to efficiently reduce user vulnerability without a requirement for their motivation or time to complete lengthy trainings. With a focus on feedback timing, we distinguish between immediate feedback for users who fail phishing simulations (so-called embedded training) and delayed feedback for all users, and we test their relative and combined effects on users' phishing vulnerability over time via a randomized field experiment. This research contributes to the phishing and cybersecurity literature by verifying phishing simulations as a training opportunity in themselves, challenging the assumed effectiveness of embedded training, and distinguishing the impacts of two types of feedback interventions.

Original language	English
Title of host publication	45th International Conference on Information Systems, ICIS 2024
ISBN (Electronic)	9781958200131
State	Published - 2024
Event	45th International Conference on Information Systems, ICIS 2024 - Bangkok, Thailand Duration: 15 Dec 2024 → 18 Dec 2024

Publication series

Name	45th International Conference on Information Systems, ICIS 2024

Conference

Conference	45th International Conference on Information Systems, ICIS 2024
Country/Territory	Thailand
City	Bangkok
Period	15/12/24 → 18/12/24

Keywords

cyber security
delayed feedback
embedded training
feedback
Phishing attacks
phishing simulations
social engineering

Cite this

@inproceedings{bfb7ebd6b4ef4ca58e174fedb442ad48,

title = "Timing of Feedback After Phishing Simulations: Evidence from a Randomized Field Experiment",

abstract = "Given the frequent occurrence and danger of phishing attacks for individuals and organizations, a growing literature has examined the antecedents of users' phishing susceptibility and effective training interventions. In this research, we focus on feedback after phishing simulations as a novel training method to efficiently reduce user vulnerability without a requirement for their motivation or time to complete lengthy trainings. With a focus on feedback timing, we distinguish between immediate feedback for users who fail phishing simulations (so-called embedded training) and delayed feedback for all users, and we test their relative and combined effects on users' phishing vulnerability over time via a randomized field experiment. This research contributes to the phishing and cybersecurity literature by verifying phishing simulations as a training opportunity in themselves, challenging the assumed effectiveness of embedded training, and distinguishing the impacts of two types of feedback interventions.",

keywords = "cyber security, delayed feedback, embedded training, feedback, Phishing attacks, phishing simulations, social engineering",

author = "Dezhi Yin and Mullarkey, \{Matthew T.\} and \{de Vreede\}, \{Gert Jan\} and Moez Limayem",

note = "Publisher Copyright: {\textcopyright} 2024 International Conference on Information Systems. All Rights Reserved.; 45th International Conference on Information Systems, ICIS 2024 ; Conference date: 15-12-2024 Through 18-12-2024",

year = "2024",

language = "English",

series = "45th International Conference on Information Systems, ICIS 2024",

booktitle = "45th International Conference on Information Systems, ICIS 2024",

}

Yin, D, Mullarkey, MT, de Vreede, GJ & Limayem, M 2024, Timing of Feedback After Phishing Simulations: Evidence from a Randomized Field Experiment. in 45th International Conference on Information Systems, ICIS 2024. 45th International Conference on Information Systems, ICIS 2024, 45th International Conference on Information Systems, ICIS 2024, Bangkok, Thailand, 15/12/24.

Timing of Feedback After Phishing Simulations: Evidence from a Randomized Field Experiment. / Yin, Dezhi; Mullarkey, Matthew T.; de Vreede, Gert Jan et al.
45th International Conference on Information Systems, ICIS 2024. 2024. (45th International Conference on Information Systems, ICIS 2024).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Timing of Feedback After Phishing Simulations

T2 - 45th International Conference on Information Systems, ICIS 2024

AU - Yin, Dezhi

AU - Mullarkey, Matthew T.

AU - de Vreede, Gert Jan

AU - Limayem, Moez

PY - 2024

Y1 - 2024

N2 - Given the frequent occurrence and danger of phishing attacks for individuals and organizations, a growing literature has examined the antecedents of users' phishing susceptibility and effective training interventions. In this research, we focus on feedback after phishing simulations as a novel training method to efficiently reduce user vulnerability without a requirement for their motivation or time to complete lengthy trainings. With a focus on feedback timing, we distinguish between immediate feedback for users who fail phishing simulations (so-called embedded training) and delayed feedback for all users, and we test their relative and combined effects on users' phishing vulnerability over time via a randomized field experiment. This research contributes to the phishing and cybersecurity literature by verifying phishing simulations as a training opportunity in themselves, challenging the assumed effectiveness of embedded training, and distinguishing the impacts of two types of feedback interventions.

AB - Given the frequent occurrence and danger of phishing attacks for individuals and organizations, a growing literature has examined the antecedents of users' phishing susceptibility and effective training interventions. In this research, we focus on feedback after phishing simulations as a novel training method to efficiently reduce user vulnerability without a requirement for their motivation or time to complete lengthy trainings. With a focus on feedback timing, we distinguish between immediate feedback for users who fail phishing simulations (so-called embedded training) and delayed feedback for all users, and we test their relative and combined effects on users' phishing vulnerability over time via a randomized field experiment. This research contributes to the phishing and cybersecurity literature by verifying phishing simulations as a training opportunity in themselves, challenging the assumed effectiveness of embedded training, and distinguishing the impacts of two types of feedback interventions.

KW - cyber security

KW - delayed feedback

KW - embedded training

KW - feedback

KW - Phishing attacks

KW - phishing simulations

KW - social engineering

UR - https://www.scopus.com/pages/publications/105010824531

UR - https://www.scopus.com/pages/publications/105010824531#tab=citedBy

M3 - Conference contribution

AN - SCOPUS:105010824531

T3 - 45th International Conference on Information Systems, ICIS 2024

BT - 45th International Conference on Information Systems, ICIS 2024

Y2 - 15 December 2024 through 18 December 2024

ER -

Timing of Feedback After Phishing Simulations: Evidence from a Randomized Field Experiment

Abstract

Publication series

Conference

Keywords

Other files and links

Fingerprint

Cite this