Relation to the Principles of the Social Sciences:
Firstly, this study requires the principle of ethical neutrality to be recognized and kept in mind when performing the study. The article states that the study was “approved by a government ethics board as well as by each participating organization” (Sommestad, T., Karlzén, H., 2024). Each participant was given informed consent information that a kind of deception would be attempted, but the kind was not specified to maintain the integrity of the study.
Initial Study Hypotheses:
Three hypotheses were presented in this study, which were the following (Sommestad, T., Karlzén, H., 2024):
Hypothesis 1: Susceptibility to phishing emails is influenced by the scam represented in the email.
Hypothesis 2: Susceptibility to phishing emails is influenced by the number of adaptations added to personalize the email to the recipient.
Hypothesis 3: Suesceptibility to phishing emails is influenced by the number of influence techniques added to the email.
Research Methods, Data, and Overall Analysis:
In this study, the susceptibility of 102 participating individuals over a 16-month period was measured by using simulated phishing emails. These emails were to the participant’s work email during work hours. Some themes present in these emails were missed chat messages, suspicious user activities, and private matters. These simulated emails would ask the user to do a number of different actions, a couple examples being to open or run an attachment or click on a link. Any successful simulated phishing attack was counted as one recipient that was susceptible.
Results supported the first hypothesis, partially supported the second, and did not support the third. The duration of the study, and other factors that would potentially lower susceptibility were identified, but it was concluded that it was most likely that no other bias was presented.
Class Concept Relation:
Different principles of social science can be identified in this study, as done in a previous section, which relates back to Module 2, “Principles of Social Sciences and Cybersecurity”. In Module 3, “Strategies to Study Cybersecurity Through an Interdisciplinary Social Sciences Lens”, different research methods are identified and discussed. This case is a field study, which is discussed in that module. Lastly, this study attempts to measure the level of susceptibility to phishing scams, which could be a result of certain psychological factors. This is discussed and can be related back to Module 4, “Cybersecurity and Human Factors”.
Societal Impact of the Study:
Using the information presented in field studies like these, improvements can be made to current cybersecurity awareness training, targeting the methods most successful. This furthermore gives an opportunity for an organization to improve their cybersecurity policies and regulations as a whole. Another impact from these studies is the ability to highlight and improve upon current phishing detection technology in use.
Conclusion:
A field study was conducted by sending simulated phishing emails to participants to measure how susceptibility is influenced by the contents of the scam in the email. The study found that susceptibility was influenced by the type of scam represented in the email and was partially influenced by the number of adaptations made to the scam to personalize it to the participant. The hypothesis that susceptibility is influenced by the number of influence techniques added to the email was not supported. Data presented by studies like the one reviewed here can help improve an organization’s cybersecurity awareness training and overall cybersecurity policies and regulations. Gaps identified in phishing detection tools can also be highlighted and improved upon.
References:
Sommestad, T., & Karlzén, H. (2024, November 14). The unpredictability of phishing susceptibility: Results from a repeated measures experiment. OUP Academic. https://academic.oup.com/cybersecurity/article/10/1/tyae021/7900092?searchresult=1