Content, Nudges and Incentives: A Study on the Effectiveness and Perception of Embedded Phishing Training
Daniele Lain, Tarek Jost, Sinisa Matetic, Kari Kostiainen, Srdjan Capkun

TL;DR
This study examines embedded phishing training's components, timing, incentives, and employee perceptions, revealing that its effectiveness mainly stems from nudges and reminders rather than content, with timing and incentives having limited impact.
Contribution
It provides novel insights into the effectiveness of embedded phishing training, emphasizing the role of nudges over content and evaluating timing and incentives in real-world settings.
Findings
Nudges and reminders are the primary drivers of training effectiveness.
Content consumption by employees is low due to time constraints.
Delaying training does not reduce its effectiveness.
Abstract
A common form of phishing training in organizations is the use of simulated phishing emails to test employees' susceptibility to phishing attacks, and the immediate delivery of training material to those who fail the test. This widespread practice is dubbed embedded training; however, its effectiveness in decreasing the likelihood of employees falling for phishing again in the future is questioned by the contradictory findings of several recent field studies. We investigate embedded phishing training in three aspects. First, we observe that the practice incorporates different components -- knowledge gains from its content, nudges and reminders from the test itself, and the deterrent effect of potential consequences -- and our goal is to study which ones, if any, are more effective. Second, we explore two potential improvements to training, namely its timing and the use of incentives.…
