# Employee risk recognition and reporting of malicious elicitations: longitudinal improvement with new skills-based training

**Authors:** Deanna D. Caputo, Lura Danley, Nathaniel J. Ratcliff

PMC · DOI: 10.3389/fpsyg.2024.1410426 · Frontiers in Psychology · 2024-07-31

## TL;DR

A new skills-based training improved employees' ability to recognize and report malicious attempts to gather sensitive information, and the improvement lasted for up to 12 months.

## Contribution

A skills-based training approach was developed and shown to be more effective than traditional awareness-based training at helping employees recognize malicious elicitations.

## Key findings

- Skills-based training improved reporting of malicious elicitations compared to traditional training.
- The improvement in reporting lasted for up to 12 months after training.
- Test messages revealed sustained effectiveness of the new training method.

## Abstract

Numerous security domains would benefit from improved employee risk recognition and reporting through effective security training. This study assesses the effectiveness of a new skills-based training approach to improve risk recognition and reporting of malicious elicitations. Malicious elicitations are techniques that strategically use conversation (i.e., online, in writing, in person, or over the phone) with the sole purpose of collecting sensitive, non-publicly available information about business operations, people, or technological assets without raising suspicion. To an untrained observer, a skilled elicitor can make conversations seem analogous to many professional networking situations such as those experienced over email and at conferences. A 12-month longitudinal experimental study was conducted to test training effectiveness on employees of a large corporation that focuses on serving national security needs and the public interest. Half of participants were randomly assigned to receive traditional awareness-based training (i.e., reviewing informational slides) while the other half of participants received a new skills-based training that allowed them—over the course of five weeks—to iteratively practice skills learned in the training and receive feedback on their performance in their day-to-day work environment. Following training for both experimental groups, malicious elicitations and benign professional networking test messages were sent (via email & text message) to unaware employee participants for 12 months. Findings revealed that skills-based training improved reporting of malicious elicitations and lasted for up to 12 months compared to traditional awareness-based training.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/PMC11321953/full.md

## Figures

6 figures with captions in the complete paper: https://tomesphere.com/paper/PMC11321953/full.md

## References

22 references — full list in the complete paper: https://tomesphere.com/paper/PMC11321953/full.md

---
Source: https://tomesphere.com/paper/PMC11321953