Using phishing experiments and scenario-based surveys to understand security behaviours in practice

The objective of this study was manifold: first, to examine security behaviors in real-life scenarios by scrutinizing elements that might compel an individual to comply with a request made by an attacker; second, to assess whether including victim-specific information in an attack amplifies the attack’s success rate; and finally, to discern if a relationship exists between self-reported behaviors and observed behaviors. The findings showed that incorporating target-specific details in an attack heightened the odds of an organizational employee succumbing to such an attack. Furthermore, an individual’s trust and risk-taking behaviors considerably influenced their actual behaviors during the phishing experiment. The correlation between computer work experience, helpfulness, and gender (with females less likely to fall for a generic attack than males), and behaviors reported in the scenario-based survey was found to be significant. However, no correlation was found between the results from the scenario-based survey and the experiments.