Factors Affecting Employees' Susceptibility to Cyber-Attacks

IF 7.3 2区管理学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

European Journal of Information Systems Pub Date : 2022-07-28 DOI:10.2139/ssrn.4088873

J. Boritz, Chan Ge, Katharine Elizabeth Patterson

{"title":"Factors Affecting Employees' Susceptibility to Cyber-Attacks","authors":"J. Boritz, Chan Ge, Katharine Elizabeth Patterson","doi":"10.2139/ssrn.4088873","DOIUrl":null,"url":null,"abstract":"We examine factors associated with employees’ susceptibility to phishing attacks in a professional services firm and a financial services firm (bank). We measure three dimensions of suspicion (skepticism, suspicion of hostility, and interpersonal trust), and three cognitive traits (risk taking propensity, cognitive (inhibitory) control, and social cognition), while controlling for demographic and work context factors. We find that these traits interact in complex ways in determining individuals’ susceptibility to phishing attacks. Bank employees are more susceptible to being phished than professional services firm employees, but within the bank, the employees with professional certificates are less susceptible to phishing attacks than other bank employees. Also, employees with self-reported responsibility for cybersecurity are less likely to be phished. These findings could be used to create a screening tool for identifying which employees are particularly susceptible to phishing attacks, to tailor training or redesign jobs to counter those susceptibilities and reduce security risk.","PeriodicalId":50486,"journal":{"name":"European Journal of Information Systems","volume":"305 1","pages":"27-60"},"PeriodicalIF":7.3000,"publicationDate":"2022-07-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"European Journal of Information Systems","FirstCategoryId":"91","ListUrlMain":"https://doi.org/10.2139/ssrn.4088873","RegionNum":2,"RegionCategory":"管理学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 1

Abstract

We examine factors associated with employees’ susceptibility to phishing attacks in a professional services firm and a financial services firm (bank). We measure three dimensions of suspicion (skepticism, suspicion of hostility, and interpersonal trust), and three cognitive traits (risk taking propensity, cognitive (inhibitory) control, and social cognition), while controlling for demographic and work context factors. We find that these traits interact in complex ways in determining individuals’ susceptibility to phishing attacks. Bank employees are more susceptible to being phished than professional services firm employees, but within the bank, the employees with professional certificates are less susceptible to phishing attacks than other bank employees. Also, employees with self-reported responsibility for cybersecurity are less likely to be phished. These findings could be used to create a screening tool for identifying which employees are particularly susceptible to phishing attacks, to tailor training or redesign jobs to counter those susceptibilities and reduce security risk.

查看原文本刊更多论文

影响员工易受网络攻击的因素

我们研究了与专业服务公司和金融服务公司(银行)员工对网络钓鱼攻击的易感性相关的因素。我们测量了怀疑的三个维度(怀疑、敌意怀疑和人际信任)和三个认知特征(冒险倾向、认知(抑制)控制和社会认知)，同时控制了人口统计学和工作环境因素。我们发现，这些特征以复杂的方式相互作用，决定了个体对网络钓鱼攻击的易感性。银行员工比专业服务公司员工更容易受到网络钓鱼的攻击，但在银行内部，拥有专业证书的员工比其他银行员工更不容易受到网络钓鱼攻击。此外，自我报告对网络安全负责的员工不太可能受到网络钓鱼。这些发现可以用来创建一个筛选工具，以确定哪些员工特别容易受到网络钓鱼攻击，定制培训或重新设计工作，以应对这些脆弱性，降低安全风险。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

European Journal of Information Systems 工程技术-计算机：信息系统

CiteScore

23.10

自引率

4.20%

发文量

审稿时长

>12 weeks

期刊介绍： The European Journal of Information Systems offers a unique European perspective on the theory and practice of information systems for a global readership. We actively seek first-rate articles that offer a critical examination of information technology, covering its effects, development, implementation, strategy, management, and policy.