Phishing is a serious threat to public organizations in particular, such as municipalities, where it can disrupt operations and leak data. This paper examines the phishing risk profiles within a Dutch municipality and asks how these risks can be reduced through voluntary e-learning. In an embedded experiment, employees were exposed to two test phishing emails, and a randomly selected group was then invited to a voluntary microlearning on phishing.
Theory and Prior Research:
Phishing is a fraud technique that scales through impersonation, a classic elicitation approach, usually delivered in e-mail messages. Demographic characteristics, context, personality traits, and digital literacy all influence susceptibility to phishing attacks. Because effective mitigation requires a multi-layered approach, technical measures must be combined with organizational norms and individual training.
Research Set-Up:
The case study was conducted within one of the 15 largest municipalities in the Netherlands, so results should be generalized with caution. The design was an embedded experiment built around two test phishing emails, which provided simulated phishing situations for the cases. Data was anonymized at this stage. Already with the first phishing email there were stark differences in vulnerability related to age, years of service, and contract type, and all of these were replicated with the second email. High-risk groups included full-time staff aged 40-70 years. Only 28.3% of those invited completed the microlearning, with older and longer-serving employees more likely to participate. Participants in the microlearning showed less phishing victimization.
This paper more clearly delineates the need for tailored, out-of-band training to build resilience against phishing. Although the voluntary microlearning used in this research proved effective, the broader contribution is that the experimental design provides a general framework for identifying high-risk groups and developing targeted training programs. Future research should further characterize the behavior of “never-clickers” and further validate the human-as-solution approach to phishing mitigation.
Principles of Social Science:
Some of the major factors that increase exposure to phishing are age, years of service, and contract type, a clear indication of the value of accounting for individual differences. The experimental design sent two test phishing emails to employees, after which the data was pseudonymized, so that results were driven solely by actual behavior rather than self-reported measures. The low participation in the microlearning program also calls into question the value of voluntary online training, even though participants showed a significant decrease in phishing victimization. This suggests that alternative training methods may be needed.
Research Question:
The primary research question of the study is: “How effective is a voluntary microlearning program in reducing phishing susceptibility among employees of a Dutch municipality?” The data for the study came from two test phishing email campaigns and from participation in the voluntary microlearning program. The analysis compared phishing susceptibility before and after the microlearning intervention, constructed risk profiles according to demographic factors, and evaluated the participation rate and the effectiveness of the microlearning.
Relation to Class Concepts:
The study brings out how human factors, such as age and years of service, shape susceptibility to phishing. It shows the psychological nature of phishing and the efficiency of educational interventions, and it indirectly addresses how certain behaviors or characteristics of employees make them vulnerable. The study also shows that employees’ basic security needs must be addressed through effective training in order to prevent phishing, and that phishing risk can be reduced by decreasing opportunity and increasing employees’ awareness.
Challenges, Concerns, and Contributions of Marginalized Groups:
Marginalized groups have less access to training resources, which makes them easier prey for phishing attacks. Although the study focuses on a single organization and offers no solutions to problems specific to marginalized groups, its results can help counter phishing across all groups. The research supports inclusive training that represents the diversity of employees.
Overall Societal Contributions:
The findings of this work raise awareness of phishing risks and of the need for specialized training programs, improving general cyber security awareness. The research may help policymakers and heads of organizations fight phishing more efficiently and make public institutions safer.
Analysis Summary:
The paper contributes insight into phishing susceptibility at a Dutch municipality and underlines how effective tailored training programs can be. Principles of relativism, objectivity, and skepticism can add nuance to how the risks of phishing and targeted educational interventions are understood. Future studies should build on these findings to develop coherent strategies for phishing prevention in public organizations.
Reference
Spithoven, R., & Drenth, A. (2024b). Who will take the bait? Using an embedded, experimental study to chart organization-specific phishing risk profiles and the effect of a voluntary microlearning among employees of a Dutch municipality. Journal of Cybersecurity, 10(1). https://doi.org/10.1093/cybsec/tyae010