Abstract

Phishing can lead to data leaks or infiltration of computer networks. Protection against the risks of phishing is particularly important for public organizations such as municipalities, which process a large amount of sensitive personal information and whose operational processes can have major societal impact. This makes phishing a direct threat to operational continuity and the reputation of the organization and raises the question of how public organizations can combat this effectively and which resources they can deploy to mitigate the risks of phishing. In this experiment, two test phishing emails were sent to the total population of one of the 15 largest Dutch municipalities. We performed an embedded experiment, in which employees experienced the risks of phishing first hand, with extensive attention to the ethics of this approach. Senior and middle-aged employees clearly run the biggest risk of becoming victims of phishing at this specific organization, but they are not automatically prepared to do an online, educational microlearning on phishing. This is also the case for young staff. Less voluntary education should be aimed at these groups of employees in this organization to make them, and the organization, more resilient to the risks of phishing. Also, the microlearning did not have an effect on the results of our participants. We advocate a tailor-made approach of offline training to raise awareness and resilience against phishing among employees of public organizations, municipalities, and organizations in general. Our experimental design can be reused in this direction. We conclude that future work should also look at how never-clickers think and act, with further theoretical substantiation and research into the application of the human-as-solution approach.

Introduction

For many years phishing has been top of the list as the most frequently occurring digital crime in organizations [1, 2]. This comes as no real surprise. Cybercriminals often use phishing as a springboard (initial access) to other forms of digital crime, such as hacking, ID fraud, and ransomware [3]. After all, it is easier to infiltrate computer systems by deceiving people than exploiting technical vulnerabilities in the same systems [4–9]. This has made phishing a major problem worldwide [3]. The Netherlands is no exception with victimization through phishing a frequent occurrence according to recent research by the Central Bureau of Statistics Netherlands [10]: ‘In 2021, more than two out of three (68%) Dutch people aged 15 years or older say they have received at least one phone call, email or other message in the past 12 months that was most likely from a scammer. Two percent said they fell for it. Almost half of these (0.8%, more than 100 thousand people) ended up losing money because of it.’

Phishing is not only a problem for private citizens, but also for organizations [11]. As a result of phishing, companies risk reputational damage, interruption of business continuity, and bankruptcy [12]. Phishing attacks, including clicking on malicious URLs or opening infected attachments, remain a prominent way to access organizations. For example, it is estimated by the cyber security sector that around 40% of the cyber incidents at organizations are preceded by phishing attacks (IBM Security, 2024). Protection against the risks of phishing is particularly important for public organizations that process a large amount of sensitive personal information and whose operational processes can have major societal impact [9, 13]. Phishing can lead to data leaks or infiltration of computer networks. This makes phishing a direct threat to operational continuity in the public sector [9, 14–16], such as municipalities [17].

This raises the question of how public organizations and municipalities can combat this effectively and which resources they can deploy to mitigate the risks of phishing. The main question of our experimental study into organization-specific phishing risk profiles for an anonymous municipality organization in the Netherlands is: ‘Which groups of employees at Municipality X run a high risk of falling victim to phishing based on an embedded experimental design and what is the learning effect of a voluntary e-learning?’. In an attempt to answer this question, we sent two test phishing emails to all employees based on an ethically sound experimental design. Between these two test-attacks, a random group of employees were offered a voluntary, online microlearning on phishing to find out whether staff with a high risk of clicking on fraudulent links and filling in their credentials, would do such a training out of their own initiative.

In this paper, we contribute to the existing literature on strategies to mitigate the risk of phishing in organizations [16, 18, 19] and in municipalities more specifically [17] by providing insight into context factors that may affect phishing vulnerability of employees. We also add to the literature on the effectiveness of trainings on the risk of phishing [20, 21] and the ethics of applying test phishing mails [22]. Last but not least, we contribute to the literature of so called embedded awareness trainings [20, 23, 24] and offer an—ethically substantiated—experimental method, which can be reused to subtract organization-specific phishing risk profiles that may function as a foundation for tailor-made trainings to raise awareness and resilience among employees against phishing attacks [8, 25].

Before discussing the research results, we will first explore what is already known in scientific literature and previous empirical research into phishing. Subsequently, we will look at the research design, outline the research limitations and after examining the results, we will draw conclusions, and give our recommendations for practice and further research.

Theory and previous research on resilience to phishing

We will now first explore what is already known from scientific theory and previous empirical research into resilience to phishing attacks.

What is phishing and how does it work?

Phishing can roughly be defined as: ‘a scalable form of deception using the impersonation of an actor to obtain information from a target’ [5, pp. 25, 3]. Such an attack is usually carried out by email but may be done through offline postal correspondence or for example through text messages. In this paper, we focus on phishing by email. This includes a distinction between a general phishing attack and a spear phishing attack. In a general attack, a message is sent to a large group of receivers in an attempt to get as many people as possible to fall for the message. In a spear phishing attack, a specific message is sent to a specific target or specific target group [26]. According to Steinmetz et al. (2020) [58], a phishing attack tries to engender trust, uses as much inside and publicly available knowledge as possible. Phishing emails are also professionally formatted and spell-checked, deploy well-known brands with almost identical details and exploit recipients’ emotions, perceptions, and flaws. Cybercriminals have an arsenal of psychological tricks available to them from offline experiences with fraud and from the world of marketing. Phishing is a type of crime that does not target technology, but rather the person behind the screen [5, 6, 27].

Human factors in phishing victimization

With limited technological opportunities to detect phishing e-mails [9, 16], one of the key focal points in the research into phishing is to ascertain, which human factors contribute to making one person more susceptible and another not or less susceptible for phishing [28]. We will consecutively discuss what is known about the influence of demography, context factors, personality traits, and digital literacy on susceptibility to phishing and risk profiles.

Demography. Some studies see older people become victims of phishing [10, 17] while others see young people [4, 23, 29, 30] and there are authors who see either slight or no influence of age [6, 8]. The same goes for gender [4, 6, 8, 31, 32]. And this is also the case with educational level [6, 23, 33, 34].

Context factors. In sum, susceptibility to phishing cannot be directly explained in terms of a fixed set of demographic factors, but needs to be primarily examined within specific contexts [35–37]. However, this research is scarce [24, 38]. According to Viswanath et al. [39] and Luo et al. [40], workload also has influence, as those having to process larger numbers of emails appear more susceptible to phishing than those with a lower number of received daily emails [17]. Also, staff who spend a lot of time online [25, 34] run a greater risk of becoming victims of phishing attacks. It appears that people ‘take the bait’ more readily when emails have been sent by a recognizable authority and we are more inclined to act quickly when we experience time constraints [5, 41]. Also, the more experience someone has with particular software or a platform, the more likely they are to spot any abnormalities [35, 42–44].

Personality traits. In addition to demographic and context factors, academics focus on the relationship between victimization and personality traits [45]. It seems that decreased emotional stability, extroversion, and agreeableness increase susceptibility to phishing [7, 29–31, 37, 45–49]. Furthermore, these personality traits are closely linked to levels of self-control, and therefore a greater chance of becoming victims of crimes like phishing [45, 46]. Conversely, conscientious, emotionally stable, and introvert types are better at recognizing phishing [4, 29, 50, 51].

Digital literacy. People who are more familiar with digital devices and internet are more capable of recognizing phishing [52, 53]. However, it is worth noting that those who spend more time online are also more likely to become phishing victims [25, 34].

Risk profiles. There is a noticeable lack of attention for repeat victimization and the context in which this victimization occurs [38]. Caputo et al. [24] distinguish between ‘never clickers’, ‘occasional clickers’, and ‘repeat clickers’. Canham et al. [38] took this a step further by also including the desired behaviour (stewardship) of reporting phishing in their experiments. Classifying staff in such ‘risk profiles’ provides an organization with tools for tailor-made educational, organizational, or technical measures to fit the vulnerabilities and needs of staff.

Measures against phishing

Technical measures can provide support in organizational resilience against phishing attacks [19]. But it is unrealistic to expect that phishing can be successfully combatted solely through education and organizational norms [54]. In any event, it is accepted that a multilayered approach is most promising—this combines technical and organizational measures as well as the training of individual employees [16, 18, 19]. It is generally considered to be worthwhile training individual employees to recognize phishing attacks [2, 8, 20, 21, 55]. Such an awareness training is held to be most effective when employees experience the risks of phishing first hand—embedded—[20, 23–25]. This can be done by testing employees with test phishing emails and subsequently offering them tailored training [8]. Stockhardt et al. [56] found in their study that training given by instructors is most successful in staff recognizing phishing emails. Instructors are better at focusing on the actual situation and work context and this makes the training more interactive [8]. Another condition for effective education is repetition. The positive effects of the training decrease with time, sometimes already after only two weeks [8, 19, 21, 57]. As a result, Jampen et al. [20] propose that phishing education should ideally be repeated four times per year to maintain phishing resilience levels among employees.

Research set-up

Despite the earlier findings that computer-based training courses to raise employee awareness of phishing have repeatedly proven to be rather ineffective [20, 23, 56], we aimed to verify this before making steps towards more complex and expensive, tailor-made training programs [8]. After all, computer-based trainings have the benefit of being flexible in time and are relatively cheap [23]. Additionally, this experiment took place during the Covid-pandemic with almost every employee working from home, making any other types of training rather impossible. In this section, we will deal with the selection of the organization, research questions, methods, ethical considerations, and describe the participants and limitations of our research.

Selection of organization and generalizability

Like Hanus et al. [17] have done in the USA, we have conducted the fieldwork of this study at a municipal organization. We performed our study at one of the 15 largest Dutch municipalities: ‘Municipality X’. Before our experiment, only a very small part of the employees had received prior training on phishing as a part of their onboarding process. Therefore, we hold Municipality X to be representative for larger Dutch municipalities, public organizations, as well as organizations in general with a high risk and high impact of phishing attacks, especially those organizations where employees have received little to no training on phishing. But, as these authors outlined before, the results of a study at a single organization should be approached with caution [17].

Research questions

The central question of this research is: ‘Which groups of employees at Municipality X run a high risk of falling victim to phishing based on an embedded experimental design and what is the learning effect of a voluntary e-learning?’ The subquestions are respectively:

  1. What are the shared characteristics of Municipality X employees who clicked on the link or entered their credentials in the baseline measurement (T = 1)?

  2. What are the shared characteristics of Municipality X employees who clicked on the link or entered their credentials in the second measurement (T = 2)?

  3. Which employees at Municipality X appear to belong to the high-risk group of potential phishing victims?

  4. What are the shared characteristics of employees at Municipality X who did a voluntary microlearning on phishing?

  5. What is the learning effect of the microlearning on phishing on employees at Municipality X?

Research design

In this research, we have used the design of an experiment [9, 17, 37]: two test phishing emails were sent to the total population of Municipality X. The test phishing emails were based on principles of social engineering described by various authors on phishing [58–60]:

  • The baseline measurement email (T = 1, Fig. 1) capitalized on the then current theme of working from home during the covid pandemic. The story was that the MS Teams program (probability) needed an update to rid it of a delay (credible story) and that this had to be carried out before the end of the week, otherwise MS Teams would no longer function (urgency). As this mail was sent on a Tuesday afternoon, this baseline measurement included mild time pressure. Furthermore, the account from which the email was sent was from another domain for those who cared to look (typo squatting). The referred link was extremely long and appeared to be an internal link at first glance (the name of the municipality with some extra characters, e.g. mun[n]icipalityX[.]com). When the recipients clicked on the link, they arrived in an environment showing an imitation of a Microsoft 365 login screen and they were requested to log in by entering their credentials;

  • The second email (T = 2, Fig. 2) capitalized on the topical New Year (credible story) and on the incentive that there was still credit available for an end-of-year gift (greed) but this would only be available for a limited period (urgency). The referred link was again extremely long and was external to the organization (officence.com). After clicking on the link—once again a very long link, outside the organization's own domain—the respondent had to log in using their credentials.

Figure 1. Test phishing email used at baseline measurement (T = 1).

Figure 2. Test phishing email used at second measurement (T = 2).

During our experiment, the organization’s email system did not allow people to report these messages as suspicious by simply clicking a button. The procedure was to report suspicious e-mails to the IT Service Desk, where the reports were logged and later pseudonymized for analysis. Unfortunately, this was not done accurately for the second measurement (T = 2) due to communication problems with the IT Service Desk. For both test phishing mails (T = 1 and T = 2) the variables and potential scores were:

  • Result: ‘email not delivered’ (0); ‘successfully delivered’ (1); ‘email link clicked’ (2); and ‘credentials supplied’ (3).

  • Click, time of day: ‘early in the morning 06–09 h’ (1); ‘late in the morning 09–12 h’ (2); ‘early in the afternoon 12–15 h’ (3); ‘late in the afternoon 15–18 h’ (4); ‘in the evening 18–24 h’ (5); and in ‘the night 00–06 h’ (6).

  • Click, time of day office hours: ‘during office hours 09–18 h’ (0) and ‘outside office hours 18–09 h’ (1).

For the baseline measurement (T = 1) we have also measured:

  • Report T = 1: ‘employee did not report e-mail as suspicious’ (0) and ‘employee reported e-mail as suspicious’ (1).

Additionally we have gathered the following data on the employees:

  • Gender: ‘unknown’ (0); ‘male’ (1); and ‘female’ (2).

  • Age group: ‘unknown’ (0) and in groups of 10 years starting at ‘10–20 years’ (1) up to ‘70–80 years’ (7).

  • Type of employment contract: ‘unknown’ (0); ‘parttime’ (1); ‘fulltime’ (2), and ‘otherwise’ (3).

  • Number of years of service: ‘0–1 year’ (0); ‘2–5 years’ (1); ‘6–10 years’ (2); ‘11–15 years’ (3); and ‘15 + years’ (4).

  • Microlearning: ‘not invited’ (0); ‘invited’ (1); and ‘completed’ (2).

In the data-sets of both measurements, each participant could be uniquely identified by one’s email address. After combining the participant’s scores on both measurements (T = 1 and T = 2), the background data of participants and the data provided by the IT service desk on reporting the baseline measurement (T = 1) in one file, the data was pseudonymized [17]. The participants’ email addresses were replaced by a respondent number. The combination of this number and the initial email address was not kept due to ethical considerations (see Ethical considerations).
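As an added example that is not part of the paper and not the authors’ own analysis code, the following Python encodes the variables listed above for one wave, merges the two waves (T = 1 and T = 2) per employee with listwise deletion of cases present in only one wave (as described under Participants), replaces the email address by a respondent number without keeping the mapping, and derives the never/occasional/repeat clicker profile of Caputo et al. The records, field names (email, delivered, clicked, credentials, click_time, reported) and the @example.org addresses are constructed assumptions, not the municipality’s data.

```python
"""Added example, not part of the paper: encode the per-wave variables defined
above, merge the two waves (T = 1, T = 2) per employee, pseudonymize and derive
a clicker risk profile. The records and field names are constructed assumptions.
"""
import random
from collections import Counter
from datetime import datetime
from typing import Optional

# Constructed sample export of one test phishing wave: one dict per employee.
# Field names are assumptions, not the paper's data format.
T1 = [
    {"email": "a@example.org", "delivered": True,  "clicked": True,  "credentials": True,
     "click_time": "2021-10-26T14:05", "reported": False},
    {"email": "b@example.org", "delivered": True,  "clicked": False, "credentials": False,
     "click_time": None, "reported": True},
    {"email": "c@example.org", "delivered": True,  "clicked": True,  "credentials": False,
     "click_time": "2021-10-26T20:30", "reported": False},
    {"email": "d@example.org", "delivered": False, "clicked": False, "credentials": False,
     "click_time": None, "reported": False},
]
T2 = [
    {"email": "a@example.org", "delivered": True, "clicked": True,  "credentials": False,
     "click_time": "2022-03-17T08:15", "reported": False},
    {"email": "b@example.org", "delivered": True, "clicked": False, "credentials": False,
     "click_time": None, "reported": False},
    {"email": "c@example.org", "delivered": True, "clicked": False, "credentials": False,
     "click_time": None, "reported": False},
    # Joined after T = 1: no baseline record, so listwise deletion drops this case.
    {"email": "e@example.org", "delivered": True, "clicked": True,  "credentials": True,
     "click_time": "2022-03-17T03:40", "reported": False},
]


def result_score(rec: dict) -> int:
    """Result: 0 not delivered, 1 delivered, 2 link clicked, 3 credentials supplied."""
    if not rec["delivered"]:
        return 0
    if rec["credentials"]:
        return 3
    if rec["clicked"]:
        return 2
    return 1


def time_of_day(click_time: Optional[str]) -> Optional[int]:
    """Click, time of day: 1 = 06-09 h ... 4 = 15-18 h, 5 = 18-24 h, 6 = 00-06 h; None without a click."""
    if click_time is None:
        return None
    hour = datetime.fromisoformat(click_time).hour
    if hour < 6:
        return 6
    return min((hour - 6) // 3 + 1, 5)  # 18-24 h is one six-hour block, hence the cap at 5


def outside_office_hours(click_time: Optional[str]) -> Optional[int]:
    """Click, office hours: 0 during 09-18 h, 1 outside; None without a click."""
    if click_time is None:
        return None
    hour = datetime.fromisoformat(click_time).hour
    return 0 if 9 <= hour < 18 else 1


def risk_profile(score_t1: int, score_t2: int) -> str:
    """Caputo et al.'s classes; a wave counts as a click when the score is 2 or 3."""
    clicks = sum(1 for s in (score_t1, score_t2) if s >= 2)
    return ("never clicker", "occasional clicker", "repeat clicker")[clicks]


def build_dataset(t1_rows: list, t2_rows: list) -> list:
    """Merge both waves on email, listwise-delete employees present in only one wave,
    then replace the email by a respondent number. The order is shuffled so the number
    cannot be recovered from a sorted roster, and the email-number mapping is not kept."""
    t1 = {r["email"]: r for r in t1_rows}
    t2 = {r["email"]: r for r in t2_rows}
    common = list(set(t1) & set(t2))
    random.shuffle(common)
    dataset = []
    for number, email in enumerate(common, start=1):
        r1, r2 = t1[email], t2[email]
        s1, s2 = result_score(r1), result_score(r2)
        dataset.append({
            "respondent": number,
            "result_t1": s1, "result_t2": s2,
            "tod_t1": time_of_day(r1["click_time"]),
            "tod_t2": time_of_day(r2["click_time"]),
            "outside_t1": outside_office_hours(r1["click_time"]),
            "outside_t2": outside_office_hours(r2["click_time"]),
            "report_t1": int(r1["reported"]),
            "profile": risk_profile(s1, s2),
        })
    return dataset


def profile_counts(dataset: list) -> dict:
    """Aggregate counts per risk profile, the granularity used for debriefings."""
    return dict(Counter(row["profile"] for row in dataset))


if __name__ == "__main__":
    rows = build_dataset(T1, T2)
    for row in rows:
        print(row)
    print(profile_counts(rows))
```

The respondent numbers are assigned in shuffled order on purpose: a sequential number over an alphabetically sorted address list would let anyone with the staff roster re-identify rows, which defeats the pseudonymization the paper describes. The merged rows carry no email field at all, and only the aggregate from profile_counts is the kind of figure that should leave the research team.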

Since all employees of Municipality X received these test phishing mails, there was no control group for the overall design. This is called a one-group–premeasurement–postmeasurement-design [61]. This part of the research design answers the first three subquestions of the research. Part of our design was another experiment. Between the two test phishing emails (T = 1 and T = 2), a random sample of personnel received an invitation to take a voluntary online microlearning. In this instance there is a control group. The group that accepted the invitation and took part in the online microlearning is the experimental group and the group that received the invitation but decided not to take the online microlearning is the control group. We call this a premeasurement–postmeasurement–control-group-design [61]. This part of the research design answers subquestions four and five.

To exclude historical influence, the other employees who were not invited to take part in an online microlearning were not included in the analysis of this second experiment (ibidem). The effect of the voluntary microlearning was assessed by comparing scores on the baseline (T = 1) and second measurement (T = 2). The latter took place a month after the online microlearning closed, given earlier findings that the effects of education on phishing decrease with time [8, 21, 57].

Ethical considerations

As Resnik and Finn [22] pointed out, phishing experiments raise significant ethical concerns, because (i) participants will be part of our experiment without their consent and (ii) the experiment itself will contain deception. Using deception in experiments is highly controversial in academic research, because it (i) violates the good standard of informed consent, (ii) might damage trust in research, and (iii) it can cause temporary minimal harm in the form of anger and frustration to a small percentage of our participants. Resnik and Finn [22] explained that realistic phishing experiments cannot be done with the consent of participants, because asking for their consent would compromise the very validity of the experiment: it would raise their awareness to the risk of phishing and thereby lead to unrealistic results.

The authors therefore concluded that researchers must make an effort to limit the negative impact of the experiment with effective debriefing [9]. Effective debriefings explain to participants how deception was used, why this was necessary, and what can be learned from this experience. Such a debriefing holds the potential to turn the experience of deception into a long-term, positive effect through the personal experience of susceptibility. Crucial for the reception of this debriefing is that it must not come out of the blue to its participants. So, the debriefing on the phishing experiment must always be preceded by a general message that cybersecurity research will be done at the organization, in order to prevent the debriefing from arriving unexpectedly. Also, potential participants must have the opportunity to opt out.

We have applied Resnik and Finn’s ethical guidelines [22] in our phishing experiment in the following ways. First of all, we have proactively evaluated the potential impact of our experiment on the participants and our strategy to counter negative effects, and discussed both in depth with the board, works council, and ethical advisor of Municipality X; they approved our strategy, as did the Ethical Research Committee of the University of Applied Sciences involved. Second, we have announced two weeks in advance, on the general intranet environment of the organization, that test phishing emails would be sent to all employees. Employees were informed by this message and were given the opportunity to contact the research team via two e-mail addresses: one of the general IT department and one specific to the research. In both waves of the test phishing emails, no employee contacted the IT department or the research team to opt out.

We have also made sure that effective debriefing was given to all participants by a general e-mail to all employees of the organization after every test phishing wave in our experiment. This message explained how deception was used on our participants and how they can notice these realistic tactics in the future, and the metadata of the experiments were shared. We again added both email addresses to contact the researchers to this e-mail, which was used by one respondent who expressed some frustration. The research team contacted this respondent by telephone. This person’s frustration actually had more to do with not getting the New Year’s present (T = 2) than with our use of deception in general. The person understood our approach after our explanation.

In addition to this digital and quantitative debriefing, we have also included a qualitative debriefing after the first wave of test phishing emails by both an offline and an online meeting for employees who were interested in the results. All four debriefing meetings had ~30 visitors. The research team visited two teams after the second wave of test phishing emails: the team that performed best and the team that performed worst on the tests. The first team was given a cake, a trophy, and public praise on the general intranet environment of the organization. The second team was given a positively framed training on how they can recognize phishing emails in the future and what to do when in doubt or after finding out that you have fallen victim to phishing. Of course, the identity of the second team is kept confidential to date. Also, we have only used aggregated data in all our debriefings. Our research design including our ethical considerations is reflected in Fig. 3.

Figure 3. Reflection of our research design and ethical considerations.

Participants

Our measurements led to a total of 1660 employees who participated in the study. Unfortunately, we had to delete some cases, as 133 respondents who received the second measurement (T = 2) on 17 March 2022 were not employed by Municipality X at the time of the baseline measurement (T = 1). For another 90 cases, it was unclear why the baseline measurement test phishing mail (T = 1) was not delivered on 26 October 2021. We had to perform listwise deletion on these cases, because our research questions mainly compare the scores for the baseline (T = 1) and second measurement (T = 2). This makes a total population of 1437 participants in our experiment. The characteristics of the total group of participants are outlined in the first column of Table 1.

Table 1. Characteristics of respondent groups.

Gender
  Total population (n = 1437; subquestions 1–3): Male 40% (n = 575); Female 49.5% (n = 711); Unknown 2.6% (n = 38); Missing 7.9% (n = 113)
  Experimental group (n = 92; subquestions 4–5): Male 34.8% (n = 32); Female 62% (n = 57); Unknown 1.3% (n = 3)
  Control group (n = 240; subquestions 4–5): Male 45% (n = 108); Female 52.5% (n = 126); Unknown 1.2% (n = 3); Missing 1.2% (n = 3)

Age
  Total population (n = 1437): Up to 20 years 0.2% (n = 3); 20–30 years 7.9% (n = 113); 30–40 years 17.3% (n = 249); 40–50 years 25.1% (n = 360); 50–60 years 27.2% (n = 391); 60 years and over 11.8% (n = 170); Unknown 2.6% (n = 38); Missing 7.9% (n = 203)
  Experimental group (n = 92): Up to 20 years 0% (n = 0); 20–30 years 2.2% (n = 2); 30–40 years 8.7% (n = 8); 40–50 years 27.2% (n = 25); 50–60 years 35.9% (n = 33); 60 years and over 22.8% (n = 21); Unknown 3.3% (n = 3)
  Control group (n = 240): Up to 20 years 0.4% (n = 1); 20–30 years 5% (n = 12); 30–40 years 22.5% (n = 54); 40–50 years 31.2% (n = 75); 50–60 years 30.8% (n = 74); 60 years and over 7.5% (n = 18); Unknown 1.2% (n = 3); Missing 1.2% (n = 3)

Contract type
  Total population (n = 1437): Part-time 42.6% (n = 612); Full-time 42% (n = 603); Other 4.9% (n = 71); Unknown 2.6% (n = 38); Missing 7.9% (n = 113)
  Experimental group (n = 92): Part-time 46.7% (n = 43); Full-time 47.8% (n = 44); Other 2.2% (n = 2); Unknown 3.3% (n = 3)
  Control group (n = 240): Part-time 44.2% (n = 106); Full-time 50.8% (n = 122); Other 2.5% (n = 6); Unknown 1.2% (n = 3); Missing 1.2% (n = 3)

Years of service
  Total population (n = 1437): Up to 1 year 10.7% (n = 154); 2–5 years 33.7% (n = 484); 6–10 years 14.8% (n = 212); 11–15 years 10% (n = 143); 15+ years 23.3% (n = 335); Missing 7.6% (n = 109)
  Experimental group (n = 92): Up to 1 year 1.1% (n = 1); 2–5 years 23.9% (n = 22); 6–10 years 16.3% (n = 15); 11–15 years 13% (n = 12); 15+ years 45.7% (n = 42)
  Control group (n = 240): Up to 1 year 0.8% (n = 2); 2–5 years 38.3% (n = 92); 6–10 years 22.9% (n = 55); 11–15 years 12.1% (n = 29); 15+ years 24.6% (n = 59); Missing 1.2% (n = 3)

In total, a random sample of 332 employees of Municipality X (20% of the total population) received an invitation to take part in an online microlearning on phishing. Of these, 92 employees (27.7%) took part in the microlearning (experimental group) and 240 employees (72.3%) ignored the microlearning invitation (control group). The characteristics of these two groups are outlined in the second and third columns in Table 1. The other 1105 employees who did not receive the invitation for the microlearning were not included in the analysis for subquestions 4 and 5, as previously indicated.

Limitations

Just like all research, this study is also subject to limitations. First, for subquestions 1–3, the effect of the experimental treatment (repeated measurement) cannot be fully explained. A possible difference may occur between the baseline (T = 1) and second measurement (T = 2) as a result of the maturing of participants (i.e. they have become better at recognizing phishing attacks) or history (they have heard about large-scale phishing attacks in the news or an acquaintance has recently become a victim of phishing) [61]. Also, the difference between the experimental and control group in subquestions 4 and 5 could be explained by the Hawthorne effect (the experimental group got more attention), the appeal of the microlearning and the guiding influence of the baseline measurement (T = 1), which in any case made participants more aware of phishing (ibidem).

Due to the intake of a relatively large number of new personnel between measurements as well as unknown causes, it is impossible to record the risk profile for a portion of employees (n = 113) as they only participated in one measurement. In addition, due to regard for privacy, only a limited number of background characteristics were included, namely gender, age group, years of service at the organization, and contract type. As a result we can only make more general statements regarding risk profiles relating to potential victimization by phishing. Last but not least, the experimental group was very limited, containing only 5.5% of employees (n = 92), as a result of self-selection through the offer of an online microlearning on phishing, and also had a rather skewed demographic distribution as described earlier. It would have been better to invite the total population or subpopulation that clicked on the link or filled in credentials at the baseline measurement (T = 1) to take part in the microlearning.

Unfortunately, we only have accurate measurements of the reporting behaviour of our participants for the baseline measurement (T = 1) and had to drop the results for the second measurement (T = 2), so we could not analyse the effect of the experiment or treatment on the reporting behaviour of the employees. Additionally, we did not interview the participants to ask whether and why they did or did not click on the links in the e-mails, as we only analysed pseudonymized data for ethical reasons. Also, we did not log whether or not e-mails were opened by the receivers, due to both ethical and technical concerns, although 108 employees who received the baseline measurement e-mail did report it to the IT Service Desk. For these participants we are sure that they opened and read the e-mail, but unfortunately we are not sure for all our participants. Last but not least, we emphasize that this study at a single organization should be complemented with data from similar and other organizations [17].

Results

Between 26 October 2021 (T = 1) and 17 March 2022 (T = 2), two test phishing mails were sent to all employees of Municipality X. Between these dates, a randomly selected group of employees received an offer to do an online microlearning about phishing. We will initially explore the results of the baseline (T = 1) and second measurements (T = 2) and subsequently look at which groups are most at risk of becoming phishing victims. Afterwards we will weigh up the risks of offering voluntary education about phishing to staff and explore the learning effects of the microlearning. We will start with the results of the baseline measurement (T = 1).

Results of the baseline measurement (T = 1)

The baseline measurement e-mail (Fig. 1) was received by 1437 accounts in the organization on 26 October 2021. A total of 64.4% (n = 926) of the recipients did not click on the link. A total of 7.4% (n = 105) solely clicked on the link and 28.3% (n = 406) also entered their credentials. Clicking on the link as well as entering credentials mainly occurred early in the morning between 06:00 and 09:00 (44%, n = 225), followed by early afternoon between 12:00 and 15:00 (29.2%, n = 149) and late morning between 09:00 and 12:00 (14.1%, n = 72). Numbers were negligible at other times of the day. In slightly more than half of cases (50.1%, n = 245) this occurred during office hours (between 09:00 and 18:00) with the remainder (49.9%, n = 244) outside office hours.

When we look at the characteristics of recipients in the baseline measurement who clicked on the link in the message and/or filled in credentials, the following picture emerges:

  • No significant differences were found in the reaction to the baseline measurement regarding gender (χ² = 5.073, d.f. = 4 < χ²critical = 9.488).

  • The differences found among age groups were significant (χ² = 49.056, d.f. = 14 > χ²critical = 23.685): particularly in the age groups 40–50, 50–60, and 60–70, more than average had clicked on the link and filled in their credentials.

  • Significant differences were also found relating to the number of years of service (χ² = 30.775, d.f. = 8 > χ²critical = 15.507): recipients employed at the organization for 2–5 years clicked on the link more than average, while recipients who had worked at the organization for 11–15 years or for more than 15 years clicked on the link more than average and in addition filled in their credentials more than average.

  • The different types of employment contract also turned out to be significant (χ² = 18.639, d.f. = 6 > χ²critical = 12.592): it was mainly full-timers who clicked on the link more than average, whereas part-timers filled in their credentials more than average.

The baseline test-phishing e-mail was reported as suspicious at the IT Service Desk by 11.8% of the employees (n = 169), while 88.2% of the employees (n = 1268) did not. Analysis shows mainly employees who had clicked on the link and got a message that they clicked on a test-phishing link (27.6%, n = 29) reported the baseline measurement e-mail as suspicious to the IT Service Desk. A relatively smaller proportion of the employees who reported the e-mail (11.7%, n = 108) simply recognized it as phishing after successful delivery of the email (Table 2):

Table 2.

Combination of results from the baseline (T = 1) and reporting behaviour.

Result of baseline e-mail (T = 1) | Did not report baseline e-mail to IT Service Desk | Did report baseline e-mail to IT Service Desk
--- | --- | ---
Successfully delivered | 88.3% (n = 818) | 11.7% (n = 108)
E-mail link clicked | 72.4% (n = 76) | 27.6% (n = 29)
Credentials supplied | 92.1% (n = 374) | 7.9% (n = 32)

These differences are significant (χ² = 31.341, d.f. = 2 > χ²critical = 5.991). Further analysis showed no significant differences in reporting for gender (χ² = 0.298, d.f. = 2 < χ²critical = 5.991), age group (χ² = 10.815, d.f. = 7 < χ²critical = 14.067), number of years of service (χ² = 4.156, d.f. = 3 < χ²critical = 7.815), or type of employment contract (χ² = 6.317, d.f. = 4 < χ²critical = 9.488).

Results of the second measurement (T = 2)

On 17 March 2022 (T = 2), a second test phishing e-mail (Fig. 2) was sent to all employees. This measurement was received by 1437 accounts in the organization. Of these, 63.8% (n = 917) of recipients did not click on the link nor fill in credentials. A total of 15.5% (n = 223) solely clicked on the link and 20.7% (n = 297) also entered their credentials. Once again, clicking on the link and entering credentials primarily occurred early in the morning between 06:00 and 09:00 (59.2%, n = 308), followed by later in the morning between 09:00 and 12:00 (26.3%, n = 137) and the early afternoon between 12:00 and 15:00 (9.2%, n = 48). Nearly two out of five cases (39.2%, n = 204) where the link was clicked or credentials were filled in occurred during office hours (between 09:00 and 18:00); in three out of five cases (60.8%, n = 316) this happened outside office hours (between 18:00 and 09:00).

When we look at the characteristics of recipients who clicked on the link in the message and/or filled in credentials, then the following picture emerges:

  • No significant differences were found in the reaction to the second measurement regarding gender (χ² = 1.484, d.f. = 4 < χ²critical = 9.488).

  • There were also no significant differences found regarding age group in the second measurement (χ² = 20.568, d.f. = 14 < χ²critical = 23.685).

  • There were no significant differences found in the number of service years (χ² = 14.516, d.f. = 8 < χ²critical = 15.507).

  • The difference in contract type proved significant in the second measurement (χ² = 21.946, d.f. = 6 > χ²critical = 12.592), and in particular full-timers had clicked on the link and filled in their credentials more than average.

  • No significant differences were found in the reaction to the second measurement regarding reporting behaviour at the baseline measurement (T = 1) (χ² = 4.037, d.f. = 2 < χ²critical = 5.991).

Risk profiles: potential repeat phishing victims

When we combine the results of the baseline (T = 1) and second measurements (T = 2), then the following picture emerges (Table 3).

Table 3.

Combination of results from the baseline (T = 1) and second measurements (T = 2).

Risk profile | N | Percentage (%)
--- | --- | ---
Never clickers—low risk: did not click and did not enter any credentials in T1 or T2 | 815 | 56.7
Occasional clickers—average risk: clicked once or filled in credentials in T1 or T2 | 435 | 30.3
Repeat clickers—high risk: clicked twice or filled in credentials in both T1 and T2 | 187 | 13

It is clear that more than half of the staff (56.7%, n = 815) who received both test messages run a low risk of becoming phishing victims. For nearly a third (30.3%, n = 435) there is an average risk, and for more than 1 in 10 (13%, n = 187) there is a high risk, as they clicked on the link or filled in credentials in both measurements. When we look at the characteristics of recipients running a high risk of victimization, the following picture emerges:

  • No significant differences were found regarding gender (χ² = 8.613, d.f. = 4 < χ²critical = 9.488).

  • The differences found in age groups are significant (χ² = 23.826, d.f. = 14 > χ²critical = 23.685), and in particular the age groups 40–50, 50–60, and 70–80 run a high risk of becoming victims of phishing.

  • The differences in contract type are also significant (χ² = 29.165, d.f. = 6 > χ²critical = 12.592), with in particular full-time employees running a high risk of becoming victims of phishing.

  • The differences in the number of service years are not significant (χ² = 7.739, d.f. = 8 < χ²critical = 15.507).

  • No significant differences were found regarding reporting behaviour at the baseline measurement (T = 1) (χ² = 3.427, d.f. = 2 < χ²critical = 5.991).

Self-selection through the interim offer of an online microlearning on phishing

Between the two measurements a randomly selected portion of employees, namely 332 staff members (20%) received an invitation for a microlearning on phishing. Ultimately only 94 of the 332 employees (28.3%) who received an invitation for the microlearning actually completed it. Therefore, 240 selected employees (72.3%) chose not to do the 4-min online microlearning. This is an interesting finding in its own right, as apparently such an invitation to do an online microlearning on phishing can only count on a very low level of willingness among staff.

When we look at the characteristics of staff who completed this microlearning, the following picture emerges:

  • No significant differences were found regarding gender (χ² = 5.697, d.f. = 4 < χ²critical = 9.488).

  • Differences relating to age groups were found to be significant (χ² = 37.314, d.f. = 14 > χ²critical = 23.685). It was notably employees in the age categories 50–60 and 60–70 who did the microlearning above average.

  • Differences relating to the number of service years were also found to be significant (χ² = 74.914, d.f. = 8 > χ²critical = 15.507). Most noticeable was that longer-serving staff (11–15 years and over 15 years) did the microlearning above average, whereas short-term staff (up to 5 years in service) ignored the microlearning invitation above average.

  • Differences relating to contract type were not found to be significant (χ² = 12.272, d.f. = 6 < χ²critical = 12.592).

  • No significant differences were found regarding reporting behaviour at the baseline measurement (T = 1) (χ² = 2.731, d.f. = 2 < χ²critical = 5.991).

If we subsequently look at whether self-selection has taken place within the previously found risk profiles, then the following picture emerges (Table 4).

Table 4.

Analysis of self-selection and risk profiles.

Risk profile | Invitation microlearning not received | Invitation microlearning received, but ignored | Invitation microlearning received and followed up
--- | --- | --- | ---
Never clickers—low risk: did not click and did not enter any credentials in T1 or T2 | 78.8% (n = 642) | 16.2% (n = 132) | 5% (n = 41)
Occasional clickers—average risk: clicked once or filled in credentials in T1 or T2 | 72.6% (n = 316) | 19.1% (n = 83) | 8.3% (n = 36)
Repeat clickers—high risk: clicked twice or filled in credentials in both T1 and T2 | 78.6% (n = 147) | 13.4% (n = 25) | 8% (n = 15)

The differences found are significant (χ² = 9.855, d.f. = 4 > χ²critical = 9.488). The microlearning was mainly taken by employees with an average or high risk of becoming phishing victims. Despite this, staff with a high risk of becoming phishing victims more often ignored the online microlearning they were offered (13.4%) than followed it up (8%). So it seems that—in any case for this organization—it is unwise to provide such online training courses solely on a voluntary basis.
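The risk-profile classification behind Table 3 and the chi-square test of independence the paper applies to Tables 2 and 4, as an added Python example that is not part of the original paper. The contingency counts are the ones in the tables above, the critical values are the α = 0.05 values the paper quotes, and the six (T1, T2) outcome records are constructed for illustration.

```python
"""Added example (not the paper's own code): risk-profile classification from
two test-mail rounds and a Pearson chi-square test of independence, compared
with the tabulated critical values the paper uses.

Assumptions: each employee's outcome per round is encoded as 'ignored',
'clicked' or 'credentials'; critical values are the alpha = 0.05 values
quoted in the paper for the degrees of freedom it reports.
"""
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Chi-square critical values at alpha = 0.05, as quoted in the paper.
CHI2_CRITICAL_005: Dict[int, float] = {
    2: 5.991, 3: 7.815, 4: 9.488, 6: 12.592, 7: 14.067, 8: 15.507, 14: 23.685,
}

OUTCOMES = ("ignored", "clicked", "credentials")


def risk_profile(t1: str, t2: str) -> str:
    """Classify an employee from the two test-mail outcomes (Table 3 logic).

    Neither clicking nor entering credentials in either round gives a 'never
    clicker'; doing so in one round gives an 'occasional clicker'; doing so in
    both rounds gives a 'repeat clicker'.
    """
    for outcome in (t1, t2):
        if outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome: {outcome!r}")
    hits = sum(outcome != "ignored" for outcome in (t1, t2))
    return ("never clicker", "occasional clicker", "repeat clicker")[hits]


def profile_counts(records: Sequence[Tuple[str, str]]) -> Counter:
    """Count risk profiles over (T1 outcome, T2 outcome) pairs."""
    return Counter(risk_profile(t1, t2) for t1, t2 in records)


def chi_square_independence(table: List[List[int]]) -> Tuple[float, int]:
    """Pearson chi-square statistic and d.f. for an r x c contingency table.

    Expected counts are row total * column total / grand total; the statistic
    sums (observed - expected)^2 / expected over all cells.
    """
    rows = len(table)
    cols = len(table[0])
    if any(len(row) != cols for row in table):
        raise ValueError("ragged contingency table")
    row_tot = [sum(row) for row in table]
    col_tot = [sum(row[j] for row in table) for j in range(cols)]
    n = sum(row_tot)
    if n == 0 or 0 in row_tot or 0 in col_tot:
        raise ValueError("empty row or column; an expected count would be zero")
    stat = 0.0
    for i in range(rows):
        for j in range(cols):
            expected = row_tot[i] * col_tot[j] / n
            stat += (table[i][j] - expected) ** 2 / expected
    return stat, (rows - 1) * (cols - 1)


def is_significant(stat: float, df: int) -> bool:
    """Compare the statistic with the tabulated critical value, as the paper does."""
    if df not in CHI2_CRITICAL_005:
        raise KeyError(f"no critical value tabulated for d.f. = {df}")
    return stat > CHI2_CRITICAL_005[df]


# Table 2: baseline outcome x reporting to the IT Service Desk (counts from the paper).
TABLE_2 = [
    [818, 108],  # successfully delivered, not clicked: not reported / reported
    [76, 29],    # e-mail link clicked
    [374, 32],   # credentials supplied
]

# Table 4: risk profile x microlearning invitation status (counts from the paper).
TABLE_4 = [
    [642, 132, 41],  # never clickers: not invited / ignored / followed up
    [316, 83, 36],   # occasional clickers
    [147, 25, 15],   # repeat clickers
]

# Constructed (T1, T2) outcomes for six hypothetical employees.
SAMPLE_RECORDS = [
    ("ignored", "ignored"),
    ("clicked", "ignored"),
    ("ignored", "credentials"),
    ("credentials", "credentials"),
    ("clicked", "clicked"),
    ("credentials", "clicked"),
]


if __name__ == "__main__":
    print(profile_counts(SAMPLE_RECORDS))
    for name, table in (("Table 2", TABLE_2), ("Table 4", TABLE_4)):
        stat, df = chi_square_independence(table)
        verdict = "significant" if is_significant(stat, df) else "not significant"
        print(f"{name}: chi2 = {stat:.3f}, d.f. = {df}, "
              f"critical = {CHI2_CRITICAL_005[df]} -> {verdict}")
```

Running the block reproduces the paper's χ² = 31.341 (d.f. = 2) for Table 2 and χ² = 9.855 (d.f. = 4) for Table 4.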

Learning effect of online microlearning

Table 5 contrasts the results of these groups in the second measurement with their results in the baseline measurement in order to gauge the learning effect of the microlearning. The differences between the baseline and second measurement proved not to be significant (χ² = 3.980, d.f. = 4 < χ²critical = 9.488) for the experimental group. This was also the case for the control group (χ² = 5.122, d.f. = 4 < χ²critical = 9.488). This means no significant differences were found in the response to the test phishing e-mails in both the baseline and second measurements between the experimental and control groups, regarding the extent to which links were clicked and credentials filled in. Unfortunately, this means that there is no significant visible learning effect of the online microlearning done by the experimental group.

Table 5.

Analysis of the learning effect of the microlearning.

Experimental group—microlearning taken (n = 92)

Results baseline measurement (T = 1) | Email ignored (T = 2) | Clicked on link (T = 2) | Filled in credentials (T = 2)
--- | --- | --- | ---
Email ignored | 70.5% (n = 31) | 9.1% (n = 4) | 20.5% (n = 9)
Clicked on link | 100% (n = 6) | 0% (n = 0) | 0% (n = 0)
Filled in credentials | 64.3% (n = 27) | 16.7% (n = 7) | 19% (n = 8)

Control group—microlearning ignored (n = 240)

Results baseline measurement (T = 1) | Email ignored (T = 2) | Clicked on link (T = 2) | Filled in credentials (T = 2)
--- | --- | --- | ---
Email ignored | 61.4% (n = 97) | 17.7% (n = 28) | 20.9% (n = 33)
Clicked on link | 46.7% (n = 7) | 40% (n = 6) | 13.3% (n = 2)
Filled in credentials | 65.7% (n = 44) | 17.9% (n = 12) | 16.4% (n = 11)

Conclusions, discussion, recommendations, and suggestions for further research

In this section, we evaluate our findings and by answering our subquestions we will be able to answer our main question. Subsequently, we will look at our results in a broader theoretical and empirical context. After that we will make several recommendations for strengthening employee resilience to phishing and suggestions for further research.

Conclusions

The first subquestion was: ‘What are the shared characteristics of employees at Municipality X who clicked on the link or entered their credentials in the baseline measurement (T = 1)?’ This was mainly done by full-time staff aged 40 and older. It occurred mostly early in the morning between 06:00 and 09:00, but overall predominantly in office hours. Full-timers with 2–5 years of service and 11–15 years of service or more were most likely to click on the link, and part-timers who had been at the organization for more than 15 years were most likely to fill in their credentials. Slightly more than 1 out of 10 employees reported the baseline phishing e-mail to the IT Service Desk, but these were mainly employees who had clicked on the link and got a message that they had clicked on a test-phishing link. This picture largely corresponds with that of the employees who clicked on the link and filled in their credentials in the second measurement. The answer to the second subquestion, ‘What are the shared characteristics of Municipality X employees who clicked on the link or entered their credentials in the second measurement (T = 2)?’, is that it was again mainly full-timers, only this time mainly outside office hours, early in the morning before 09:00.

The third subquestion, ‘Which employees at organization X run a high risk of becoming a victim of phishing?’, helps us zoom in on the high-risk category, or rather the repeat clickers. These are employees who divulged their credentials in both measurements. These were primarily full-time staff aged 40–50, 50–60, and 70–80. The fourth subquestion, ‘What are the shared characteristics of employees who volunteered to do a microlearning on phishing?’, looks at whether self-selection took place regarding being offered a microlearning on phishing. This was definitely the case, as the microlearning was mainly taken by employees with an average or high risk of becoming a victim of phishing. However, more of the high-risk category of the previous subquestion chose not to do the microlearning than to do it. Younger employees and those only employed at the organization for a short time more frequently ignored the microlearning invitation.

For the fifth and final subquestion, ‘What is the learning effect of the microlearning on phishing on employees at Municipality X?’, the results of the second measurement compared the group of employees who did the microlearning (experimental group) with the group of employees who ignored the invitation (control group). There was unfortunately no significant learning effect visible as a result of the online microlearning done by the experimental group. This brings us to the central question of this research: ‘Which groups of employees at Municipality X run a high risk of falling victim to phishing, are they prepared to do a voluntary online phishing awareness microlearning when offered, and what is the learning effect of this education?’ It is clear that senior and middle-aged employees run the biggest risk of becoming victims of phishing in this Dutch municipality, but they are not automatically prepared to do an educational microlearning on phishing. This is also the case for young staff who have only been employed for a short time. Less voluntary education should be aimed at these specific groups to make them, and therefore the organization, more resilient to the risks of phishing. Also, the online microlearning proved to have no significant learning effect.

Discussion and suggestions for further research

Contrary to for instance Sheng et al. [56], we did not encounter any effect of gender on phishing susceptibility. Most participants who either clicked on the links or provided their credentials were aged 40 and older. This aligns with the findings of Hanus et al. [17] as well as the Central Bureau of Statistics Netherlands [10], but might well be a function of lesser amounts of computer self-efficacy, web experience and security knowledge [25] and digital literacy [52, 53] among these employees. We also found that younger participants with 2–5 years of service were more at risk of phishing victimization. This aligns with earlier findings of other authors [4, 29, 30, 55] but contradicts the findings of Hanus et al. [17] at an American municipal organization. For both the baseline and second measurement, most clicks and filled in credentials happened early in the morning between 06:00 and 09:00. This might be an indication of a relation that other authors [7, 18] found between e-mailing habits and phishing susceptibility as well as an indication of a high e-mail load [39].

It is highly questionable whether voluntary, computer-based training of employees can be expected to have an optimum effect [20, 23, 56]. We see possibilities for future research to not only incorporate test-phishing e-mails into an experiment to reveal organization-specific risk profiles, as we have done in this study, but to make this design part of a holistic research approach combining the methods of experiments, questionnaires, and embedded training [18, 35, 62, 63]. In this approach, personal, organizational, and personality factors can be studied in cohesion, with a focus on e.g. personality factors [63] and formal and collectively shared injunctive norms [62]. We also see good possibilities for incorporating games [23] as a means to teach employees how to safeguard themselves and their organization against phishing, but stress the importance of (at least initial) instructor-based training [56].

Nearly 80% of the never clickers in Municipality X had in no way whatsoever taken heed of the online microlearning on phishing. Therefore, we conclude that a significant part is going well in the workplace of this organization. When we research the risk of phishing in specific contexts and this turns out to be more common, it needs to be given the acknowledgement it deserves in both a practical and scientific sense. An alternative can be found in the ‘human-as-solution’ approach of Zimmermann and Renaud [64]. Here, the problem is not sought in human behaviour but rather in the complexity and opacity of the socio-technical environment where people work. We align ourselves with this approach—as a consequence of insights gained—where testing employees by deploying test phishing e-mails is just one part of a broader, more positive treatment of personnel as part of the solution [12]. We also think that the ethics of phishing experiments [22] might further benefit from such a positive treatment of personnel in the future. Clearly, this positive approach needs more attention in future research into the resilience of organizations and employees to the risk of phishing.

Practical recommendations

Computer-based training courses to raise employee awareness of phishing have repeatedly proven to be rather ineffective [56]. Live in-person instructors are better at focusing on the actual situation and the work context [35], and that makes the training more interactive [8]. A multilayered approach—combining the training of individual employees with technical and organizational measures—seems to be most promising [18, 19]. We advocate using test phishing e-mails in this context to compile organization-specific risk profiles, which can then be used to develop tailored awareness-training courses. We advise using test phishing e-mails only as part of a broader, positive approach to employees, where the test phishing mails primarily serve learning purposes and their potential contribution to protecting the organization against phishing attacks [12, 64]. But repeated education on phishing remains crucial for all staff, as knowledge and experience gained do not stick easily [8, 19–21, 57].

Our advice to other municipalities, public organizations, and fellow researchers is to repeat our experimental set-up at multiple organizations and do more research into repeat clickers and the context factors that play a role in their potential repeated victimization by phishing [24, 35, 36, 38]. Given the results of earlier empirical studies and indications in our own results, we recommend paying special attention to staff who experience a high workload, a higher number of e-mails that need to be processed, and time pressure causing people to react more quickly to e-mails [5, 17, 39–41]. We emphasize that more data from similar and other organizations would strengthen the approach of embedded, experimental studies to chart organization-specific phishing risk profiles [17]. However, we advise not only researching how personnel in organizations are vulnerable to phishing e-mails but also looking at how never clickers think and act, by observing behaviour in realistic scenarios (e.g. in a lab setting). In addition, it is certainly worthwhile recommending further theoretical substantiation and research into the application of the human-as-solution [64] approach to cyber resilience in organizations.

Author contributions

Remco Spithoven (Conceptualization [equal], Formal analysis [equal], Investigation [equal], Methodology [equal], Resources [equal], Supervision [equal], Visualization [equal], Writing – original draft [equal], Writing – review & editing [equal]), and Anthonie Drenth (Conceptualization [equal], Data curation [equal], Formal analysis [equal], Investigation [equal], Methodology [equal], Project administration [equal], Resources [equal], Visualization [equal], Writing – original draft [equal], Writing – review & editing [equal])

Conflict of interest

None declared.

Funding

None declared.

References

1. Ardagna C, Corbiaux S, Sfakianakis A et al. ENISA Threat Landscape 2021. Athens: European Union Agency for Cybersecurity (ENISA), 2021.

2. Kleitman S, Law MK, Kay J. It's the deceiver and the receiver: individual differences in phishing susceptibility and false positives with item profiling. PLoS One. 2018;13:e0205089.

3. Holt TJ, Bossler AM, Seigfried-Spellar KC. Cybercrime and Digital Forensics: An Introduction. London: Routledge, 2018.

4. Darwish A, El Zarka A, Aloul F. Towards understanding phishing victims' profile. In: Proceedings of the 2012 International Conference on Computer Systems and Industrial Informatics. New York: IEEE, 2012, 1–5.

5. Lastdrager EE. Achieving a consensual definition of phishing based on a systematic review of the literature. Crime Sci. 2014;3:1–10.

6. Leukfeldt ER. Phishing for suitable targets in the Netherlands: routine activity theory and phishing victimization. Cyberpsychol Behav Soc Netw. 2014;17:551–5.

7. Vishwanath A. Examining the distinct antecedents of e-mail habits and its influence on the outcomes of a phishing attack. J Comput Med Commun. 2015;20:570–84.

8. Bullée JW, Junger M. Social engineering: digitale fraude en misleiding: een meta-analyse van studies naar de effectiviteit van interventies. Justitiële Verkenningen. 2020;46:92–110.

9. Baillon A, De Bruin J, Emirmahmutoglu A et al. Informing, simulating experience, or both: a field experiment on phishing risks. PLoS One. 2019;14:e0224216.

10. Central Bureau of Statistics Netherlands. Nearly 2.5 Million People Victims of Cybercrime in 2021. The Hague, 2022.

11. Leukfeldt ER. De ‘human’ Factor in Cybersecurity: Intreerede. The Hague: Haagse Hogeschool, 2018.

12. Rothrock R. Digital Resilience: Is Your Company Ready for the Next Cyber Threat? Hertogenbosch: Amacom, 2018.

13. Van Rij W, Spruit M. Informatieveiligheid. In: Spithoven R et al. (eds). Basisboek Integrale Veiligheid. The Hague: Boom Criminologie, 2022, 567–90.

14. Bijmans H, Booij T, Schwedersky A et al. Catching phishers by their bait: investigating the Dutch phishing landscape through phishing kit detection. In: Proceedings of the 30th USENIX Security Symposium (USENIX Security 21). Berkeley: USENIX, 2021, 3757–74.

15. Van der Wagen W, van't Zand-Kurtovic EG, Matthijsse SR et al. Cyberdaders?: Uniek Profiel, Unieke Aanpak? Groningen: University of Groningen, 2019.

16. Dutta AK. Detecting phishing websites using machine learning technique. PLoS One. 2021;16:e0258361.

17. Hanus B, Wu YA, Parrish J. Phish me, phish me not. J Comput Inf Syst. 2022;62:516–26.

18. Shahbaznezhad H, Kolini F, Rashidirad M. Employees’ behavior in phishing attacks: what individual, organisational, and technological factors matter? J Comput Inf Syst. 2021;61:539–50.

19. Gragg D. A multi-level defense against social engineering. SANS Read Room. 2003;13:1–21.

20. Jampen D, Gür G, Sutter T et al. Don't click: towards an effective anti-phishing training. A comparative literature review. Human Centric Comput Inf Sci. 2020;10:1–41.

21. Nguyen C, Jensen M, Day E. Learning not to take the bait: a longitudinal examination of digital training methods and overlearning on phishing susceptibility. Eur J Inf Syst. 2021;32:1–25.

22. Resnik DB, Finn PR. Ethics and phishing experiments. Sci Eng Ethics. 2018;24:1241–52.

23. Sheng S, Magnien B, Kumaraguru P et al. Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish. In: Proceedings of the Third Symposium on Usable Privacy and Security. New York: ACM, 2007, 88–99.

24. Caputo DD, Pfleeger SL, Freeman JD et al. Going spear phishing: exploring embedded training and awareness. IEEE Secur Priv. 2013;12:28–38.

25. Wright RT, Marett K. The influence of experiential and dispositional factors in phishing: an empirical investigation of the deceived. J Manag Inf Syst. 2010;27:273–303.

26. Butavicius M, Parsons K, Pattinson M et al. Breaching the human firewall: social engineering in phishing and spear-phishing emails. arXiv. 2016, 1606.00887.

27. Ollmann G. The Phishing Guide. London, Leeds: Next Generation Security Software Limited, 2004.

28. Weulen-Kranenbarg M, Leukfeldt ER. Cybercrime in Context: The Human Factor in Victimization, Offending, and Policing. In: Weulen-Kranenbarg M, Leukfeldt ER (eds). Cham: Springer, 2021.

29. Eftimie S, Moinescu R, Răcuciu C. Spear-phishing susceptibility stemming from personality traits. IEEE Access. 2022;10:73548–61.

30. Gavett BE, Zhao R, John SE et al. Phishing suspiciousness in older and younger adults: the role of executive functioning. PLoS One. 2017;12:e0171620.

31. Halevi T, Memon N, Nov O. Spear-phishing in the wild: a real-world study of personality, phishing self-efficacy and vulnerability to spear-phishing attacks. SSRN Electron J. 2015.

32. Diaz A, Sherman AT, Joshi A. Phishing in an academic community: a study of user susceptibility and behavior. Cryptologia. 2020;44:53–67.

33. Graham R, Triplett R. Capable guardians in the digital environment: the role of digital literacy in reducing phishing victimization. Deviant Behav. 2017;38:1371–82.

34. Moody GD, Galletta DF, Dunn BK. Which phish get caught? An exploratory study of individuals’ susceptibility to phishing. Eur J Inf Syst. 2017;26:564–84.

35. Tornblad MK, Jones KS, Namin AS et al. Characteristics that predict phishing susceptibility: a review. In: Proceedings of the Human Factors and Ergonomics Society Annual Meeting, Vol. 65. Los Angeles: SAGE Publications, 2021, 938–42.

36. Frank M, Jaeger L, Ranft LM. Contextual drivers of employees' phishing susceptibility: insights from a field study. Decis Supp Syst. 2022;160:113818.

37. Chen Y, YeckehZaare I, Zhang AF. Real or bogus: predicting susceptibility to phishing with economic experiments. PLoS One. 2018;13:e0198213.

38. Canham M, Posey C, Strickland D et al. Phishing for long tails: examining organisational repeat clickers and protective stewards. SAGE Open. 2021;11:2158244021990656.

39. Vishwanath A, Herath T, Chen R et al. Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model. Decis Supp Syst. 2011;51:576–86.

40. Luo XR, Zhang W, Burd S et al. Investigating phishing victimization with the Heuristic–Systematic Model: a theoretical framework and an exploration. Comput Secur. 2013;38:28–38.

41. Atkins B, Huang W. A study of social engineering in online frauds. Open J Soc Sci. 2013;01:23–32.

42. Heartfield R, Loukas G, Gan D. You are probably not the weakest link: towards practical prediction of susceptibility to semantic social engineering attacks. IEEE Access. 2016;4:6910–28.

43. Alseadon IM, Chan T, Foo E et al. Who is more susceptible to phishing emails? A Saudi Arabian study. In: Proceedings of the ACIS 2012 International Conference. Washington: IEEE Computer Society, 2012, 1–11.

44. Downs JS, Holbrook M, Cranor LF. Behavioral response to phishing risk. In: Proceedings of the Anti-Phishing Working Groups 2nd Annual eCrime Researchers Summit. New York: ACM Digital Library, 2007, 37–44.

45. Van de Weijer SG, Leukfeldt ER. Big five personality traits of cybercrime victims. Cyberpsychol Behav Soc Netw. 2017;20:407–12.

46. Lawson P, Pearson CJ, Crowson A et al. Email phishing and signal detection: how persuasion principles and personality influence response patterns and accuracy. Appl Ergon. 2020;86:103084.

47. Anawar S, Kunasegaran DL, Mas'ud MZ et al. Analysis of phishing susceptibility in a workplace: a big-five personality perspectives. J Eng Sci Technol. 2019;14:2865–82.

48. Halevi T, Lewis J, Memon N. Phishing, personality traits and Facebook. arXiv. 2013 (February 8), 1301.7643.

49. Greitzer FL, Strozer J, Cohen S et al. Unintentional insider threat: contributing factors, observables, and mitigation strategies. In: Proceedings of the 2014 47th Hawaii International Conference on System Sciences. New York: IEEE, 2014, 2025–34.

50. D’Agata MT, Kwantes PJ. Personality factors predicting disinhibited and risky online behaviors. J Indiv Differ. 2020;41:199–206.

51. Pattinson M, Butavicius M, Parsons K et al. Factors that influence information security behavior: an Australian web-based study. In: Proceedings of the International Conference on Human Aspects of Information Security, Privacy, and Trust. Cham: Springer, 2015, 231–41.

52. Pattinson M, Jerram C, Parsons K et al. Why do some people manage phishing e-mails better than others? Inf Manag Comput Secur. 2012;20:18–28.

53. Parsons K, Butavicius M, Delfabbro P et al. Predicting susceptibility to social influence in phishing emails. Int J Hum Comput Stud. 2019;128:17–2.

54. Bullée JW, Montoya L, Junger M et al. Spear phishing in organisations explained. Inf Comput Secur. 2017;25:593–613.

55. Sheng S, Holbrook M, Kumaraguru P et al. Who falls for phish? A demographic analysis of phishing susceptibility and effectiveness of interventions. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. New York: ACM, 2010, 373–82.

56. Stockhardt S, Reinheimer B, Volkamer M et al. Teaching phishing-security: which way is best? In: Proceedings of the IFIP International Conference on ICT Systems Security and Privacy Protection. Berlin: Springer, 2016, 135–49.

57. Lastdrager EE, Gallardo IC, Hartel P et al. How effective is anti-phishing training for children? In: Proceedings of the Thirteenth Symposium on Usable Privacy and Security. New York: ACM, 2017, 229–39.

58. Steinmetz KF, Pimentel A, Goe WR. Decrypting social engineering: an analysis of conceptual ambiguity. Crit Criminol. 2020;28:631–50.

59. Hadnagy C. Social Engineering: The Science of Human Hacking. Hoboken: Wiley, 2018.

60. Kayser CS. Cybercrime Through Social Engineering. The New Global Crisis. Washington: Amazon Distribution, 2020.

61. Quené H, van den Bergh H. Kwantitatieve Methoden en Statistiek. GitHub, 2022. https://hugoquene.github.io/KMS-NL/ (accessed on October 11, 2023).

62. Petrič G, Roer K. The impact of formal and informal organisational norms on susceptibility to phishing: combining survey and field experiment data. Telemat Inf. 2022;67:101766.

63. Parrish JL, Bailey JL, Courtney JF. A Personality Based Model for Determining Susceptibility to Phishing Attacks. Little Rock: University of Arkansas, 2009, 285–96.

64. Zimmermann V, Renaud K. Moving from a ‘human-as-problem’ to a ‘human-as-solution’ cybersecurity mindset. Int J Hum Comput Stud. 2019;131:169–87.

This is an Open Access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted reuse, distribution, and reproduction in any medium, provided the original work is properly cited.