Does Anti-phishing Training Protect Against Organizational Cyber Attacks?: An Empirical Assessment of Training Methods and Employee Readiness
Phishing has become a preferred method among cyber criminals looking to gain access to confidential information. Although most businesses and governmental organizations provide employees with some sort of cyber security training, there is a lack of research examining whether such training methods work to actually reduce susceptibility to phishing—resulting in a sense of uncertainty surrounding a large portion of annual training dollars spent. Furthermore, while evidence suggests that the behavioral elements of the Susceptibility, Cognition, Automaticity Model (SCAM) provide the framework to predict susceptibility to phishing attacks, the current training methods being used in the workplace neglect to incorporate such information. The present study provides a thorough examination of the training methods that are currently used in organizational and governmental entities and empirically tests their ability to prepare employees for phishing attacks using a national, US-based wealth management firm. Results indicate that traditional cyber security training methods do not influence employee victimization to phishing attacks, nor do they actuate the SCAM. The author suggests and provides rationale for using the SCAM to develop a new, behavioral-based training program to better prepare employees for phishing attacks.