Paper published in a book (Scientific congresses, symposiums and conference proceedings)
The Effects of Group Discussion and Role-playing Training on Self-efficacy, Support-seeking, and Reporting Phishing Emails: Evidence from a Mixed-design Experiment
Organizations rely on phishing interventions to enhance employees' vigilance and safe responses to phishing emails that bypass technical solutions. While various resources are available to counteract phishing, studies emphasize the need for interactive and practical training approaches. To investigate the effectiveness of such an approach, we developed and delivered two anti-phishing trainings, group discussion and role-playing, at a European university. We conducted a pre-registered experiment (N = 105), incorporating repeated measures at three time points, a control group, and three in-situ phishing tests. Both trainings enhanced employees' anti-phishing self-efficacy and support-seeking intention in within-group analyses. Only the role-playing training significantly improved support-seeking intention when compared to the control group.
Disciplines :
Computer science
Author, co-author :
CHEN, Xiaowei ; University of Luxembourg > Faculty of Humanities, Education and Social Sciences (FHSE) > Department of Behavioural and Cognitive Sciences (DBCS) > Cognitive Science and Assessment
SACRE, Margault ; University of Luxembourg > CRC > Office of the Vice Rector for Academic Affairs (Office of the Vice Rector for Academic A) > Media Center_Team Rectorat
LENZINI, Gabriele ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > IRiSC
GREIFF, Samuel ; University of Luxembourg > Faculty of Humanities, Education and Social Sciences > Department of Behavioural and Cognitive Sciences > Team Samuel GREIFF
Distler Verena ✱; University of the Bundeswehr Munich > Usable Security and Privacy Group
SERGEEVA, Anastasia ✱; University of Luxembourg > Faculty of Humanities, Education and Social Sciences (FHSE) > Department of Behavioural and Cognitive Sciences (DBCS) > Lifespan Development, Family and Culture
✱ These authors have contributed equally to this work.
External co-authors :
yes
Language :
English
Title :
The Effects of Group Discussion and Role-playing Training on Self-efficacy, Support-seeking, and Reporting Phishing Emails: Evidence from a Mixed-design Experiment
Publication date :
11 May 2024
Event name :
Proceedings of the CHI Conference on Human Factors in Computing Systems
Event place :
Hybrid, Honolulu, USA
Event date :
11-05-2024 => 16-05-2024
Audience :
International
Main work title :
CHI 2024 - Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems
Publisher :
Association for Computing Machinery, Honolulu, United States
Author 1 acknowledges the financial support of the Institute for Advanced Studies at the University of Luxembourg through a Young Academic Grant (2021).