Comparative Simulation of Phishing Attacks on a Critical Information Infrastructure Organization: An Empirical Study

TL;DR

This empirical study evaluates the effectiveness of simulated phishing attacks on a critical infrastructure organization, revealing how different content influences employee awareness and susceptibility.

Contribution

It provides novel insights into how phishing content variations impact employee awareness and susceptibility in critical infrastructure settings.

Findings

10.9% of workers fell for the first phishing attempt

Only 1.4% fell for both attacks after training

Content differences significantly affect awareness levels

Abstract

Nowadays, cybersecurity is crucial. Therefore, cybersecurity awareness should be a concern for businesses, particularly critical infrastructure organizations. The results of this study, using simulated phishing attacks, indicate that in the first attempt, workers of a Thai railway firm received a phony email purporting to inform recipients of a special deal from a reputable retailer of IT equipment. The findings showed that 10.9% of the 735 workers fell for the scam. This demonstrates a good level of awareness regarding cyber dangers. The workers who were duped by the initial attack received awareness training. Next, a second attempt was carried out. This time, the strategy was for the workers to change their passwords through an email notification from the fake IT staff. According to the findings, 1.4% of the workers fell victim to both attacks (different email content), and a further 8.0% of the workers who did not fall victim to the first attack were deceived. Furthermore, after the statistical analysis, it was confirmed that there is a difference in the relationship between the workers and the two phishing attack simulations using different content. As a result, this study has demonstrated that different types of content can affect levels of awareness.