The risk of cyber-attacks to UK companies is bigger than ever. With 90% of cyber breaches involving phishing techniques, it is increasingly important for organisations to focus on this threat. For this reason, a number of organisations conduct simulated phishing exercises, in which employees are sent emails that simulate phishing attempts.
Using simulated phishing to deliver just-in-time training, an approach that gives employees training exactly when they fall for a phish, has shown promise in improving employees’ ability to detect phishing emails compared to security notices. However, simply raising awareness might not be sufficient to successfully protect an organisation, especially if such exercises carry any unintended, negative outcomes. For instance, simulated phishing exercises have been argued to undermine trust and create a hostile environment. However, some of these assertions have not been directly tested, and they do not account for the different ways in which simulated phishing could be implemented; nor is it clear what proportion of organisations follow each of these implementations.
To this end, the proposed work will conduct two studies with differing approaches to investigate (i) how policies on simulated phishing emails are currently implemented and (ii) the impact of simulated phishing email policies on employees’ cyber security awareness and their perceptions of key factors (organisational trust, procedural fairness, stress and perceived monitoring), the latter through an experimental study.