Publication Details
![[Download PDF]](/pubdb/publications/images/pdf.png "Download PDF"){kind=small} Download |
Jasmin Schwab, Alexander Nussbaum, Anastasia Sergeeva, Florian Alt, Verena Distler
What Makes Phishing Simulation Campaigns (Un)Acceptable? A Vignette Experiment on the Acceptance and Manipulation Intention Related to Phishing Simulation Campaigns Available at SSRN. March 25, 2024. (bib) |
| Organizations depend on their employees' long-term cooperation to protect themselves from threats. The acceptance of cybersecurity training measures is thus crucial. Phishing attacks are the point of entry for harmful follow-up attacks, and many organizations use simulated phishing campaigns to train employees to adopt secure behaviors. We conducted a pre-registered vignette experiment (N=793), investigating the factors that make a simulated phishing campaign seem (un)acceptable, and their influence on intention to manipulate the campaign. In an online experiment, we varied whether employees gave prior consent, whether the phishing email promised a financial incentive and the consequences for employees who clicked on the phishing link. We found that employees' prior consent had a positive effect on the acceptance of a simulated phishing campaign. The consequences ``employee interview'' and ``termination of the work contract'' had a negative effect on acceptance. We found no statistically significant effects of consent, monetary incentive, and consequences on manipulation probability. Few participants described reasons for ``manipulating'' the campaign, mainly mentioning curiosity. Our results shed light on the factors influencing acceptance of simulated phishing campaigns and provide take-aways for future work in this space. |
