Human factors in phishing: Understanding susceptibility and resilience

IF 4.1 2区计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

Computer Standards & Interfaces Pub Date : 2025-04-22 DOI:10.1016/j.csi.2025.104014

Ufuk Oner, Orcun Cetin, Erkay Savas

{"title":"Human factors in phishing: Understanding susceptibility and resilience","authors":"Ufuk Oner, Orcun Cetin, Erkay Savas","doi":"10.1016/j.csi.2025.104014","DOIUrl":null,"url":null,"abstract":"<div><div>This study examines the demographic and organizational factors influencing phishing susceptibility and incident reporting behaviors among employees in a large European financial organization following realistic phishing simulations and how these factors correlate with susceptibility to phishing attacks. In the phishing simulations campaign with 8,102 participants, unannounced, monthly phishing emails with different templates are sent during regular work hours over a duration of 2 years, and the reactions (clicking the link and reporting the phishing email) are collected. The results are combined with demographic and relevant organizational data such as age, gender, level of education, department type, tenure, and job level. Multivariate logistic regression models are developed to analyze the relationship between these variables and phishing behaviors.</div><div>The analysis reveals significant differences in susceptibility to and resilience against phishing attacks across various demographic and organizational groups. Older employees are more susceptible to phishing, while males show lower vulnerability to phishing attacks. Additionally, our results revealed that higher-level employees often under report phishing emails. These findings highlight the necessity for targeted anti-phishing training tailored to different demographics and departments within the organization and the importance of fostering a culture of incident reporting. Recommendations include customized cyber awareness training programs, regular awareness sessions, and incentivizing reporting.</div><div>Future research is encouraged to prioritize investigating the root causes of phishing behaviors and evaluating the effectiveness of training programs.</div></div>","PeriodicalId":50635,"journal":{"name":"Computer Standards & Interfaces","volume":"94 ","pages":"Article 104014"},"PeriodicalIF":4.1000,"publicationDate":"2025-04-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Standards & Interfaces","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0920548925000431","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 0

Abstract

This study examines the demographic and organizational factors influencing phishing susceptibility and incident reporting behaviors among employees in a large European financial organization following realistic phishing simulations and how these factors correlate with susceptibility to phishing attacks. In the phishing simulations campaign with 8,102 participants, unannounced, monthly phishing emails with different templates are sent during regular work hours over a duration of 2 years, and the reactions (clicking the link and reporting the phishing email) are collected. The results are combined with demographic and relevant organizational data such as age, gender, level of education, department type, tenure, and job level. Multivariate logistic regression models are developed to analyze the relationship between these variables and phishing behaviors.

The analysis reveals significant differences in susceptibility to and resilience against phishing attacks across various demographic and organizational groups. Older employees are more susceptible to phishing, while males show lower vulnerability to phishing attacks. Additionally, our results revealed that higher-level employees often under report phishing emails. These findings highlight the necessity for targeted anti-phishing training tailored to different demographics and departments within the organization and the importance of fostering a culture of incident reporting. Recommendations include customized cyber awareness training programs, regular awareness sessions, and incentivizing reporting.

Future research is encouraged to prioritize investigating the root causes of phishing behaviors and evaluating the effectiveness of training programs.

查看原文本刊更多论文

网络钓鱼中的人为因素：理解易感性和弹性

本研究考察了影响一家大型欧洲金融机构员工网络钓鱼易感性和事件报告行为的人口统计学和组织因素，并对这些因素与网络钓鱼攻击易感性之间的关系进行了分析。在8102名参与者参与的网络钓鱼模拟活动中，在2年的时间里，在正常工作时间内，每月发送带有不同模板的未经通知的网络钓鱼邮件，并收集反应（点击链接并报告网络钓鱼邮件）。结果与人口统计和相关组织数据（如年龄、性别、教育水平、部门类型、任期和工作级别）相结合。建立了多元逻辑回归模型来分析这些变量与网络钓鱼行为之间的关系。分析显示，在不同的人口统计和组织群体中，对网络钓鱼攻击的易感性和弹性存在显著差异。年龄较大的员工更容易受到网络钓鱼的攻击，而男性员工则更容易受到网络钓鱼的攻击。此外，我们的调查结果显示，高层员工经常举报网络钓鱼邮件。这些发现强调了针对组织内不同的人口统计和部门进行有针对性的反网络钓鱼培训的必要性，以及培养事件报告文化的重要性。建议包括定制的网络意识培训计划、定期意识会议和激励性报告。鼓励未来的研究优先调查网络钓鱼行为的根本原因和评估培训计划的有效性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computer Standards & Interfaces 工程技术-计算机：软件工程

CiteScore

11.90

自引率

16.00%

发文量

审稿时长

6 months

期刊介绍： The quality of software, well-defined interfaces (hardware and software), the process of digitalisation, and accepted standards in these fields are essential for building and exploiting complex computing, communication, multimedia and measuring systems. Standards can simplify the design and construction of individual hardware and software components and help to ensure satisfactory interworking. Computer Standards & Interfaces is an international journal dealing specifically with these topics. The journal • Provides information about activities and progress on the definition of computer standards, software quality, interfaces and methods, at national, European and international levels • Publishes critical comments on standards and standards activities • Disseminates user''s experiences and case studies in the application and exploitation of established or emerging standards, interfaces and methods • Offers a forum for discussion on actual projects, standards, interfaces and methods by recognised experts • Stimulates relevant research by providing a specialised refereed medium.