Phishing for Long Tails: Examining Organizational Repeat Clickers and Protective Stewards

Author

Listed:
  • Matthew Canham
  • Clay Posey
  • Delainey Strickland
  • Michael Constantino

Abstract

Organizational cybersecurity efforts depend largely on the employees who reside within organizational walls. These individuals are central to the effectiveness of organizational actions to protect sensitive assets, and research has shown that they can be detrimental (e.g., sabotage and computer abuse) as well as beneficial (e.g., protective motivated behaviors) to their organizations. One major context where employees affect their organizations is phishing via email systems, which is a common attack vector used by external actors to penetrate organizational networks, steal employee credentials, and create other forms of harm. In analyzing the behavior of more than 6,000 employees at a large university in the Southeast United States during 20 mock phishing campaigns over a 19-month period, this research effort makes several contributions. First, employees’ negative behaviors like clicking links and then entering data are evaluated alongside the positive behaviors of reporting the suspected phishing attempts to the proper organizational representatives. The analysis displays evidence of both repeat clicker and repeat reporter phenomena and their frequency and Pareto distributions across the study time frame. Second, we find that employees can be categorized according to one of the four unique clusters with respect to their behavioral responses to phishing attacks—“Gaffes,” “Beacons,” “Spectators,” and “Gushers.” While each of the clusters exhibits some level of phishing failures and reports, significant variation exists among the employee classifications. Our findings are helpful in driving a new and more holistic stream of research in the realm of all forms of employee responses to phishing attacks, and we provide avenues for such future research.

Suggested Citation

  • Matthew Canham & Clay Posey & Delainey Strickland & Michael Constantino, 2021. "Phishing for Long Tails: Examining Organizational Repeat Clickers and Protective Stewards," SAGE Open, vol. 11(1), pages 21582440219, January.
  • Handle: RePEc:sae:sagope:v:11:y:2021:i:1:p:2158244021990656
    DOI: 10.1177/2158244021990656

    Download full text from publisher

    File URL: https://journals.sagepub.com/doi/10.1177/2158244021990656
    Download Restriction: no


    References listed on IDEAS

    1. Nina Sebescen & Jessica Vitak, 2017. "Securing the human: Employee security vulnerability risk in organizational settings," Journal of the Association for Information Science & Technology, Association for Information Science & Technology, vol. 68(9), pages 2237-2247, September.
    2. John D’Arcy & Anat Hovav, 2009. "Does One Size Fit All? Examining the Differential Effects of IS Security Countermeasures," Journal of Business Ethics, Springer, vol. 89(1), pages 59-71, May.
    3. Ryan Wright & Suranjan Chakraborty & Asli Basoglu & Kent Marett, 2010. "Where Did They Go Right? Understanding the Deception in Phishing Communications," Group Decision and Negotiation, Springer, vol. 19(4), pages 391-416, July.
    4. Michael Workman, 2008. "Wisecrackers: A theory‐grounded investigation of phishing and pretext social engineering threats to information security," Journal of the American Society for Information Science and Technology, Association for Information Science & Technology, vol. 59(4), pages 662-674, February.

    Citations


    Cited by:

    1. Zhengyang Fan & Wanru Li & Kathryn Blackmond Laskey & Kuo-Chu Chang, 2024. "Investigation of Phishing Susceptibility with Explainable Artificial Intelligence," Future Internet, MDPI, vol. 16(1), pages 1-18, January.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Sirkka L. Jarvenpaa & Ann Majchrzak, 2010. "Research Commentary ---Vigilant Interaction in Knowledge Collaboration: Challenges of Online User Participation Under Ambivalence," Information Systems Research, INFORMS, vol. 21(4), pages 773-784, December.
    2. Naci Akdemir & Serkan Yenal, 2021. "How Phishers Exploit the Coronavirus Pandemic: A Content Analysis of COVID-19 Themed Phishing Emails," SAGE Open, vol. 11(3), pages 21582440211, July.
    3. Kim Kaivanto, 2014. "The Effect of Decentralized Behavioral Decision Making on System‐Level Risk," Risk Analysis, John Wiley & Sons, vol. 34(12), pages 2121-2142, December.
    4. Ruochen Liao & Shenaz Balasinorwala & H. Raghav Rao, 2017. "Computer assisted frauds: An examination of offender and offense characteristics in relation to arrests," Information Systems Frontiers, Springer, vol. 19(3), pages 443-455, June.
    5. Chang-Gyu Yang & Hee-Jun Lee, 2016. "A study on the antecedents of healthcare information protection intention," Information Systems Frontiers, Springer, vol. 18(2), pages 253-263, April.
    6. Brent Pethers & Abubakar Bello, 2023. "Role of Attention and Design Cues for Influencing Cyber-Sextortion Using Social Engineering and Phishing Attacks," Future Internet, MDPI, vol. 15(1), pages 1-19, January.
    7. Jingguo Wang & Yuan Li & H. Raghav Rao, 2017. "Coping Responses in Phishing Detection: An Investigation of Antecedents and Consequences," Information Systems Research, INFORMS, vol. 28(2), pages 378-396, June.
    8. Frank Kun-Yueh Chou & Abbott Po-Shun Chen & Vincent Cheng-Lung Lo, 2021. "Mindless Response or Mindful Interpretation: Examining the Effect of Message Influence on Phishing Susceptibility," Sustainability, MDPI, vol. 13(4), pages 1-25, February.
    9. Utsav Upadhyay & Alok Kumar & Gajanand Sharma & Ashok Kumar Saini & Varsha Arya & Akshat Gaurav & Kwok Tai Chui, 2024. "Mitigating Risks in the Cloud-Based Metaverse Access Control Strategies and Techniques," International Journal of Cloud Applications and Computing (IJCAC), IGI Global, vol. 14(1), pages 1-30, January.
    10. Bruning, Patrick F. & Alge, Bradley J. & Lin, Hsin-Chen, 2020. "Social networks and social media: Understanding and managing influence vulnerability in a connected society," Business Horizons, Elsevier, vol. 63(6), pages 749-761.
    11. Simon Trang & Benedikt Brendel, 2019. "A Meta-Analysis of Deterrence Theory in Information Security Policy Compliance Research," Information Systems Frontiers, Springer, vol. 21(6), pages 1265-1284, December.
    12. Xin Wen & Liang Xu & Jie Wang & Yuan Gao & Jiaming Shi & Ke Zhao & Fuyang Tao & Xiuying Qian, 2022. "Mental States: A Key Point in Scam Compliance and Warning Compliance in Real Life," IJERPH, MDPI, vol. 19(14), pages 1-16, July.
    13. Jeffrey D. Wall & Prashant Palvia & John D’Arcy, 2022. "Theorizing the Behavioral Effects of Control Complementarity in Security Control Portfolios," Information Systems Frontiers, Springer, vol. 24(2), pages 637-658, April.
    14. Ryan T. Wright & Matthew L. Jensen & Jason Bennett Thatcher & Michael Dinger & Kent Marett, 2014. "Research Note ---Influence Techniques in Phishing Attacks: An Examination of Vulnerability and Resistance," Information Systems Research, INFORMS, vol. 25(2), pages 385-400, June.
    15. Liuchang Xu & Jie Wang & Dayu Xu & Liang Xu, 2022. "Integrating Individual Factors to Construct Recognition Models of Consumer Fraud Victimization," IJERPH, MDPI, vol. 19(1), pages 1-12, January.
    16. Zhengyang Fan & Wanru Li & Kathryn Blackmond Laskey & Kuo-Chu Chang, 2024. "Investigation of Phishing Susceptibility with Explainable Artificial Intelligence," Future Internet, MDPI, vol. 16(1), pages 1-18, January.
    17. Amanda M. Y. Chu & Mike K. P. So & Ray S. W. Chung, 2018. "Applying the Randomized Response Technique in Business Ethics Research: The Misuse of Information Systems Resources in the Workplace," Journal of Business Ethics, Springer, vol. 151(1), pages 195-212, August.
    18. Amanda M. Y. Chu & Mike K. P. So, 2020. "Organizational Information Security Management for Sustainable Information Systems: An Unethical Employee Information Security Behavior Perspective," Sustainability, MDPI, vol. 12(8), pages 1-25, April.
    19. Michaelidou, Nina & Micevski, Milena & Cadogan, John W., 2021. "Users’ ethical perceptions of social media research: Conceptualisation and measurement," Journal of Business Research, Elsevier, vol. 124(C), pages 684-694.
    20. Martin (Dae Youp) Kang & Anat Hovav, 2020. "Benchmarking Methodology for Information Security Policy (BMISP): Artifact Development and Evaluation," Information Systems Frontiers, Springer, vol. 22(1), pages 221-242, February.
