Safeguarding against phishing emails

Thursday, April 27, 2023

Awareness of personalities matters! - Personalities are predetermined, and diversity is in place

By Jessie Ge, PhD Candidate

Picture of Efrim Boritz

Cyber-attacks and data breaches are of great concern for data-sensitive organizations. These organizations are adept at safeguarding data but fail in safeguarding against cyber-attacks. Phishing is a semantic attack that deceives email users into clicking on the embedded link or attachment in an email. The goal could be to induce the email users to subsequently give away sensitive information, enable malware that can steal passwords, or install a backdoor into the user’s system and encrypt the users’ data. Phishing imposes a great risk on these organizations for two reasons. First, even a non-vital position in which employees likely perceive little cyber risk, if being attacked, could cause significant economic loss and litigations. Second, phishing emails could simultaneously reach most employees within an organization. Thus, strengthening the frontier of safeguarding against phishing is of vital importance.

Personalities are predetermined, and diversity is in place. What organizations need is to tailor countermeasures for and to train heterogenous groups of employees.

This research examines the role of employees’ personality traits of suspicion/trust and cognitive traits such as risk-taking propensity, cognitive (inhibitory) control, and social cognition, in determining susceptibility to phishing. The researchers administered a survey instrument among employees with diverse demographics in a professional services firm and a bank. The inferences of this research should be informative at least to organizations in these two industries.

Takeaways that deserve awareness for both organizations and employees

  • Risk-taking propensity increases susceptibility to phishing for employees who are less likely to take the initiative of searching for knowledge (SSK)
  • High cognitive (inhibitory) control decreases susceptibility to phishing for employees with low levels of SSK and employees with low levels of self-confidence
  • High social cognition decreases susceptibility for employees with low levels of self-determining in making decisions
  • Bank employees are more susceptible to being phished than those in the professional services firm
  • Within the bank, employees with professional certificates are less susceptible to phishing attacks.
  • Employees who perceive themselves to have a higher responsibility for cybersecurity are less likely to be phished.

For Employees: Know your vulnerabilities to be a good gatekeeper!

For Organizations: Know your employees, tailor the training, make smart arrangements, and preserve the diversity

The study Factors affecting employees’ susceptibility to cyber attacks, authored by Boritz, Ge, and Patterson will be published in the American Accounting Association’s Journal of Information Systems.