Researchers from the University of Sussex and the University of Auckland, seen here, took a close look at what compels people to click on phishing scams. (possumgirl2, CC BY-SA 2.0 via Wikimedia Commons)
A new academic research article published in the Journal of Computer Information Systems suggests that cybersecurity technology and policies alone cannot adequately address rampant phishing threats. Effective security awareness training must also be part of the equation.
Additionally, the article concludes that negative consequences such as shame and disapproval from fellow employees were among the most effective factors deterring surveyed employees from falling for phishing scams.
The researchers, from the University of Sussex and the University of Auckland, created a theoretical model partially based on previous social-technical research and theories to determine some of the biggest influencers affecting employee response behaviors when a phishing email arrives – including individual, organizational and technological factors.
According to the study, clicking on phishing emails is often a reflexive response done out of habit. Technical tools, security standards and policies can help counteract this problem, but are not enough by themselves to trigger a behavioral change, the paper notes.
The researchers therefore recommend that organizations implement a rigorous staff training program that details to employees not only what security measures are in place, but also the security risks that remain and the key requirements of company email security policies.
“Although technical countermeasures such as anti-phishing and spamming tools, email malware detection and data loss prevention are deployed to mitigate the risk of phishing attacks, using these technologies to detect phishing attacks remains a challenging problem,” said Hamidreza Shahbaznezhad, co-author and senior data scientist in industry at the University of Auckland, in a press release. “This is not least becau ..