Security awareness, decision style, knowledge, and phishing email detection: Moderated mediation analyses

Abstract

This study examines whether the negative relationship between email information security awareness and phishing email susceptibility is mediated by less intuitive decision-making when assessing emails, and whether this relationship is moderated by phishing email knowledge. Participants (N = 291) completed an online email sorting task, a measure of email use information security awareness, a measure of preference for intuitive decision-making with emails, and a measure of phishing email knowledge. Moderated mediation analyses indicated that information security awareness predicted positive behavioural intentions directly and indirectly through lower preference for intuitive decision-making, and these relationships were stronger when phishing email knowledge was lower. Further, both the direct and indirect relationships between information security awareness and sensitivity through intuitive decision styles were moderated by phishing email knowledge, with information security awareness positively predicting ability to discriminate phishing from genuine emails when phishing knowledge was average or high but not low. These findings suggest that in the absence of phishing knowledge, information security awareness and less intuitive decision styles reduce susceptibility to phishing attacks through increased caution. Further, the findings provide strong support for the proposition that some level of phishing knowledge is required before email security behaviours and decision-making processes aid in the detection of phishing emails. From an applied perspective, the outcomes suggest that focusing on a combination of awareness, knowledge, and decision-making processes could increase the effectiveness of anti-phishing and cybersecurity training programs.