Using phishing experiments and scenario-based surveys to understand security behaviours in practice

Waldo Rocha Flores (Department of Industrial Information and Control Systems, Royal Institute of Technology, Stockholm, Sweden)
Hannes Holm (Department of Industrial Information and Control Systems, Royal Institute of Technology, Stockholm, Sweden)
Gustav Svensson (Department of Industrial Information and Control Systems, Royal Institute of Technology, Stockholm, Sweden)
Göran Ericsson (Swedish National Grid, Stockholm, Sweden)

Information Management & Computer Security

ISSN: 0968-5227

Article publication date: 7 October 2014

Abstract

Purpose

The purpose of the study was threefold: to understand security behaviours in practice by investigating factors that may cause an individual to comply with a request posed by a perpetrator; to investigate if adding information about the victim to an attack increases the probability of the attack being successful; and, finally, to investigate if there is a correlation between self-reported and observed behaviour.

Design/methodology/approach

Factors for investigation were identified based on a review of existing literature. Data were collected through a scenario-based survey, phishing experiments, journals and follow-up interviews in three organisations.

Findings

The results from the experiment revealed that the degree of target information in an attack increased the likelihood that an organisational employee falls victim to an actual attack. Further, an individual’s trust and risk behaviour significantly affected the actual behaviour during the phishing experiment. Computer experience at work, helpfulness and gender (females tend to be less susceptible to a generic attack than men) had a significant correlation with behaviour reported by respondents in the scenario-based survey. No correlation between the results from the scenario-based survey and the experiments was found.

Research limitations/implications

One limitation is that the scenario-based survey may have been interpreted differently by the participants. Another is that controlling how the participants reacted when receiving the phishing mail, and what actually triggered each and every participant to click on the attached link, was not possible. Data were however collected to capture these aspects during and after the experiments. In conclusion, the results do not imply that one or the other method should be ruled out, as they have both advantages and disadvantages which should be considered in the context of collecting data in the critical domain of information security.

Originality/value

Two different methods to collect data to understand security behaviours have rarely been used in previous research. Studies that add target information to understand if such information could increase the probability of attack success are sparse. This paper includes both approaches.

Citation

Rocha Flores, W., Holm, H., Svensson, G. and Ericsson, G. (2014), "Using phishing experiments and scenario-based surveys to understand security behaviours in practice", Information Management & Computer Security, Vol. 22 No. 4, pp. 393-406. https://doi.org/10.1108/IMCS-11-2013-0083

Publisher: Emerald Group Publishing Limited

Copyright © 2014, Emerald Group Publishing Limited