University of Southern California Dissertations and Theses
A research study of employee perceptions on identifying phishing attacks in financial organizations
PERCEPTIONS ON PHISHING ATTACKS 1
A Research Study of Employee Perceptions on Identifying Phishing Attacks
in Financial Organizations
by
Lili Ana
A Dissertation Presented to the
FACULTY OF THE USC ROSSIER SCHOOL OF EDUCATION
UNIVERSITY OF SOUTHERN CALIFORNIA
In Partial Fulfillment of the
Requirements for the Degree
DOCTOR OF EDUCATION
May 2024
Copyright 2024 Lili Ana
Acknowledgments
Gratitude and deep appreciation are extended to Chair, Dr. Alison Muraszewski, and
committee members, Dr. Corinne Hyde, and Dr. Ekaterina Moore. It is with admiration and
respect for the University of Southern California faculty and professors in recognition of their
contributions to education. In acknowledgment of the continued efforts of information security
practitioners who commit themselves to improving cybersecurity education and reducing risk,
this dissertation is dedicated.
Table of Contents
Acknowledgments 2
Table of Contents 3
List of Tables 8
List of Figures 9
Abstract 10
CHAPTER ONE: INTRODUCTION TO THE STUDY 11
Context and Background of the Problem 11
Purpose of the Study 13
Research Questions 13
Importance of the Study 14
Overview of Theoretical Framework and Methodology 15
Definitions 17
Information Security 18
Cybersecurity 18
Social Engineering 18
Personally Identifiable Information 18
Threat Actor 18
Hacker 18
Phishing 19
Malware 19
Ransomware 19
Organization of the Dissertation 19
CHAPTER TWO: LITERATURE REVIEW 21
Overview of the Cyber Threat Landscape 21
History of Online Crime 25
Impact of Cyberattacks 28
Timeline of the Largest Reported Financial Data Breaches 29
Characteristics of Cybercrime 31
Taxonomy of Social Engineering 33
Anatomy of a Phishing Attack 36
Types of Phishing Emails Targeting Employees 37
Financial Cybersecurity Regulations 40
Overview of State and Federal Laws 41
Data Privacy Rules 43
Information Security Audits 44
Industry Trends and Challenges 45
Confidentiality, Integrity, Availability (CIA) Triad 46
Data Privacy and Data Security 48
Industry Frameworks and Standards 48
Organizational Practices 51
Principles and Program Models 52
Policies and Procedures 53
Training and Awareness 54
Gap Analysis Framework: Stakeholder Knowledge, Motivation, and Organizational Influences 56
Employee Knowledge and Skills 58
Employee Knowledge and Skills Gaps 59
Factual Knowledge 60
Conceptual Knowledge 60
Procedural Knowledge 60
Metacognitive Knowledge 61
Employee Motivation 61
Employee Motivation Gaps 62
Self-Efficacy 62
Value 63
Organizational Influences 64
Organizational Influences Gaps 65
Training 66
Communication 67
Culture 67
Summary 69
CHAPTER THREE: RESEARCH METHODOLOGY AND APPROACH 70
Overview of Research Design 70
Research Procedure 71
Research Setting 71
The Researcher 72
Data Methods 73
Participants 74
Instrumentation 74
Data Collection 74
Data Analysis 75
Credibility and Trustworthiness 75
Ethics 76
CHAPTER FOUR: FINDINGS 78
Participating Stakeholders 78
Phishing Attack Experiences 80
Research Question 1: Knowledge and Motivation Needed to Identify Phishing 82
Knowledge 82
Factual Knowledge 83
Accurately Defining Phishing 83
Conceptual Knowledge 84
Correctly Identifying Phishing 85
Procedural Knowledge 86
Reporting and Deleting Phishing Emails 86
Metacognitive Knowledge 87
Criminal Operations 87
Phishing Trends 88
Artificial Intelligence 89
Phishing Techniques 90
Motivation 92
Self-Efficacy 92
Wavering Confidence in Recognizing Phishing Tactics 93
Value 94
Utility Value in the Practice of Identifying Phishing 95
Research Question 2: Organizational Influences Impacting Phishing Identification 96
Organizational Influences 96
Training Practices 97
Training Reinforcement 99
Customized Training 99
Instructor-led Training 100
Gamification 101
Communication Participants Receive 102
Enhancements to Communication Practices 104
Frequency of Communications 105
Data Protection as a Cultural Model 107
Instrumental Value in Receiving Positive Reinforcement 108
Increasing Positive Reinforcement 109
Consequences 111
Improving Consequential Models 112
Summary 114
CHAPTER FIVE: RECOMMENDATIONS 115
Discussion of Findings 115
Recommendations for Practice 117
Recommendation 1: Developing Effective Training with an Educational Framework 117
Recommendation 2: Implementing Communication for Employee Engagement 127
Recommendation 3: Cultivating a Cultural Model to Support a Training and Awareness Program 132
Limitations & Delimitations 139
Limitations of the Study 139
Delimitations of the Study 139
Recommendations for Future Research 140
Conclusion 141
References 145
Appendix A: Interview Protocol 169
List of Tables
Table 1: 10 Biggest Data Breaches in Finance 30
Table 2: Research Questions 71
Table 3: Participants 79
List of Figures
Figure 1: Gap Analysis Theoretical Framework 16
Figure 2: EY Global Information Security Survey 2018-19 27
Figure 3: Taxonomy of Risks 28
Figure 4: Social Engineering Defense Mechanisms 36
Figure 5: Netflix Phishing Email 38
Figure 6: Current Events Phishing Email 39
Figure 7: Fake PayPal Login Page and Genuine PayPal Login Page 39
Figure 8: U.S. State Privacy Legislation Tracker 42
Figure 9: CIA Triad 46
Figure 10: NIST CSF 2.0 50
Figure 11: Notional Information and Decision Flows Within an Organization 53
Figure 12: Adapted Gap Analysis Conceptual Framework 57
Figure 13: The New World Kirkpatrick Model 122
Figure 14: Lasswell’s Communications Construct 129
Figure 15: Centralized Program 136
Abstract
This dissertation addresses the problem of practice of the high rate of employees in
financial organizations clicking on phishing links, positioning their companies at risk of a data
incident or breach. The financial sector was the most breached industry in 2022 (Schwartz, 2022)
and was impacted the most by malicious phishing emails (Trellix Advanced Research Center,
2022). This qualitative research study utilized an adapted Clark and Estes (2008) Gap Analysis
conceptual framework to include expectations of knowledge construction (factual, conceptual,
procedural, and metacognitive knowledge) (Krathwohl, 2002), motivation (self-efficacy)
(Bandura, 2000) and (value) (Ambrose et al., 2010), and organizational influences (training,
communication, and culture). Semi-structured interviews were conducted with 13 participants in
August 2023. This research study explored safeguarding against phishing within organizational
settings and contexts in which employees are susceptible to deception, and its findings exposed
gaps in organizational influences, indicating that more training and awareness
are needed for employees to successfully identify advanced phishing attacks. As the cyber threat
landscape continues to be pervasive, companies utilize a myriad of information security
frameworks for building their security programs; however, these frameworks only require that
employees receive phishing training and do not address how to effectively train staff. This
research study was conducted to serve as a resource for leaders in organizations by providing
recommendations for developing a security-aware culture and effective training and
communication that educates and motivates employees to identify phishing attacks and protect
company and customer data.
CHAPTER ONE: INTRODUCTION TO THE STUDY
This dissertation addresses the problem of practice of the high rate of employees in
financial organizations clicking on phishing links, positioning their companies at risk of a data
incident or breach. Social engineering is the psychological manipulation of individuals, and the
deceptive practice of phishing is the most popular social engineering tactic (Federal Bureau of
Investigation, 2022). Clicking on phishing links or downloading attachments can lead to a
successful cyberattack and data incident, which includes the disclosure of sensitive information,
the installation of malware, an account takeover, or the detonation of ransomware. Protecting
customer data is an increasing concern, fueled by the rise in cybercrime and data breaches
worldwide. Reputational risk, loss of consumer trust, and severe penalties, including fines and
imprisonment, are all potential consequences of a confirmed or unreported data breach.
In the field of information security, there is an identified inherent information security
knowledge gap in adult populations directly correlated to rising costs of identity theft, fraud, and
data incidents. Security awareness training is an essential component of an information security
program’s governance model, designed to protect companies from experiencing the damaging
impacts of data incidents. The challenge organizations experience today is not just in
understanding the concept of social engineering but in improving immunity to cyberattacks by
identifying individual potential for susceptibility to deception (Montanez et al., 2020),
influencing the value of effective training for implementing appropriate safeguards, and creating
a proactive culture to protect against the advent of a data breach (Berg & Hansen, 2020).
Context and Background of the Problem
The field of information security has evolved rapidly to combat cybercrime since the
invention of the Internet on its formally recognized birth date, January 1, 1983 (McLean, 2022).
In an interview with Timberg (2015), Vinton Cerf, “Father of the Internet,” was asked about
security in the original design of the Internet, and he expressed that while he was concerned
about untrustworthy individuals, he believed he could exclude them. Cerf concentrated on
developing the Internet, not on users abusing it. When the Internet was created, it was unknown
how criminals would adapt and exploit one of the most popular inventions of all time (Timberg,
2015). The world of cybercrime and the evolution of the Internet as a communications platform
has changed dramatically over the past 40 years. There are now 5.35 billion Internet users
worldwide (Statista, 2024) and 8.02 billion people living on the planet (United States Census
Bureau, 2024). Since the invention of the Internet, the sharing of information has become a
valuable commodity (Cerf, 2008), and yet still, no comprehensive data protection legislation
exists in the United States (Boyne, 2018).
Criminals are becoming better funded and more scalable (Gordon, 2011) and are increasingly
targeting the financial industry. The financial sector was the most breached industry in 2022
(Schwartz, 2022) and was impacted the most by malicious phishing emails (Trellix Advanced
Research Center, 2022). In 2025, cybercrime is forecast to incur a global cost of $10.5
trillion USD (Morgan, 2020). Cybercrime can be considered the world’s third-largest economy
after the U.S. and China (World Economic Forum, 2023).
Eighty-two percent of data breaches are caused by human error (Verizon, 2022), and over
90% of cyberattacks involve phishing (Cybersecurity and Infrastructure Security Agency, 2024).
As the cyber threat landscape continues to be pervasive and attacks against infrastructure and
critical systems increase, reviewing approaches to data protection is a responsibility among
industry sectors. Organizations are expected to comply with evolving state laws and regulations
and adopt information security frameworks and best practices.
Organizations are experiencing the consequences of undeveloped accountability models
and immature security programs, with the average global cost of a data breach exceeding $4.35
million USD (Henriquez, 2022). Companies utilize a myriad of information security frameworks
for building their security programs; however, these frameworks only require that employees
receive phishing training and do not address how to effectively train staff. The minimum
organizational training requirements, including annual self-led compliance courses, are proving
ineffective methods of stopping individuals from clicking on phishing links (Zuopeng et al.,
2021).
Purpose of the Study
The purpose of this research study is to learn about individual perceptions of phishing
and how financial organizations motivate employees and provide resources to combat social
engineering and phishing attacks. Understanding how individuals prefer to be motivated to
identify social engineering and phishing attacks and examining knowledge and skills and
motivation gaps will assist in analyzing how individuals take precautions to refrain from clicking
on links or downloading attachments from unknown senders. The results of this research study
focus on presenting strategies for security practitioners to develop effective information security
training and communication and implement a security-aware culture to motivate their
workforce.
Research Questions
The following research questions are in alignment with the purpose of this study: A
Research Study of Employee Perceptions on Identifying Phishing Attacks in Financial
Organizations:
1. What individual knowledge and motivation is needed for employees to identify
phishing attacks?
2. What are the organizational influences that impact employees to identify phishing
attacks?
Importance of the Study
Addressing the problem of employee behaviors in clicking on phishing links and
researching the gaps in employee knowledge and skills, motivation, and organizational
influences increases awareness of the significance of the problem of practice. Under the
Financial Modernization Act of 1999, known as the Gramm-Leach-Bliley Act, financial
organizations are governed by data collection and disclosure practices and held to standards for
the safeguarding of personally identifiable information (Federal Trade Commission, 2023).
However, traditional methods of data protection practices and training are not stopping threat
actors from succeeding in their pursuits. The average total cost of a data breach in the financial
industry is $5.97 million USD (IBM Security, 2022), which is higher than the average cost
across industries. In a study of financial breaches from 2018-2022 conducted by Comparitech,
hacking, which encompasses all forms of unauthorized methods of obtaining data, including
obtaining data voluntarily via phishing, was the most common method, accounting for over 50%
of data breaches (508 out of 982 breaches) and the method is increasing as hackers continue to
improve their skills (Bischoff, 2022).
The challenges organizations experience are in understanding employee knowledge and
skills and motivation training gaps and recognizing that passive information delivery and
standard communication techniques and channels used to reinforce the importance of data
protection continue to be ineffective (Keating & Jarvenpaa, 2016). Security practitioners who
utilize detection and prevention technologies understand that software tools alone cannot combat
cyberattacks (Sabillon et al., 2016). Cybersecurity training and awareness are needed as
preventative measures to tackle cybercrime. However, regulatory requirements declare that
annual compliance training is sufficient when research claims that knowledge decays with time,
and learning reinforcement is critical to claiming an effective training program (Kraiger & Ford,
2021). Retrieval learning, practice, and social fidelity provide structure for effective learning,
“effective instruction facilitates retention and retrieval by having learners practice retrieval
during learning, ensuring that the content is well ingrained (overlearning)” (Kraiger & Ford,
2021, p. 49). Unless organizations improve their training and motivation practices, they will
continue to face the problem of practice with individuals routinely clicking on phishing links,
positioning their companies at high risk for data incidents.
The objective of this research is to contribute to the field of information security by
joining colleagues in the mission to protect individuals and companies against cybercrime,
influence organizational change, and promote positive behavioral modifications to reduce risk.
Increasing awareness of the cyber threat landscape by examining social engineering tactics (the
manipulative techniques cybercriminals deploy) will support employees in understanding the
deceptive strategies used against them as they develop counterstrategies to combat attacks.
Exposing the damaging impacts of successful cyberattacks inspires significant emphasis on
effective training for establishing information safeguards (Baum, 2004).
Overview of Theoretical Framework and Methodology
The Clark and Estes (2008) Gap Analysis theoretical framework focuses on employee
knowledge, motivation, and organizational influences to identify gaps and create performance
solutions.
Figure 1. Gap Analysis Theoretical Framework (Clark & Estes, 2008).
This research assessed perceptions of knowledge, motivation, and organizational influences
through the lens of the Clark and Estes (2008) theoretical framework. The theoretical framework,
Gap Analysis, served to provide a lens through which the researcher exposed how individuals are
instructed, motivated, and influenced by their organizations to identify phishing attacks. Gap
Analysis was appropriate for examining the problem of practice as it allows for understanding
social engineering tactics and contexts in which employees are susceptible to deception and lack
self-awareness as “people are often unaware of their own lack of knowledge and skills” (Clark &
Estes, 2008, p. 44). The researcher delivered an adapted Gap Analysis conceptual framework of
expectations in knowledge construction (factual, conceptual, procedural, and metacognitive
knowledge) (Krathwohl, 2002), motivation (self-efficacy) (Bandura, 2000) and (value) (Ambrose
et al., 2010), and organizational influences (training, communication, and culture) and researched
how organizations educate and motivate their employees and provide organizational influences
for addressing the problem of practice.
This qualitative research study focused on interviewing individuals working in financial
organizations within two years of their initial hire date. New hires are the riskiest demographic to
an organization based on several factors, as this segmented population typically clicks the most
on phishing links due to lacking training (Gil, 2022), and for individuals newly entering the
workforce, phishing is not core curricula taught in grades K-12, and individuals may not
understand social engineering. Depending on the volume of turnover an organization
experiences, an organization’s phishing click rate by hire date will fluctuate compared to the
total population.
A qualitative research study was appropriate for examining the problem of practice
because it served as a subjective approach to identifying perceptions, behavior, and experiences
of individuals who recently became employed at their financial organizations and are familiar
with information security training. Exploring motivation and knowledge on safeguarding against
phishing within organizational settings and contexts in which employees are susceptible to
deception supports the framework of this research study as “organizations are made up of people
whose knowledge, skills, and motivation drive the organization” (Clark & Estes, 2008, p. 115).
The researcher framed organizations through Gap Analysis and discovered gaps in employee
knowledge and skills, motivation, and organizational influences. The observations and
interpretations of this study were coded and integrated into a thematic analysis of findings
alongside the cumulative results of the study.
Definitions
Key terms found throughout this dissertation that are related to the field of information
security and central to understanding the dissertation design are defined and listed below.
Definitions are referenced from the National Institute of Standards and Technology (National
Institute of Standards and Technology, 2023). The National Institute of Standards and
Technology guides companies on data protection.
Information Security
The protection of information from unauthorized access, use, disruption, disclosure,
modification, or destruction (National Institute of Standards and Technology, 2023).
Cybersecurity
Protecting the confidentiality, integrity, and availability of information on technology
systems (National Institute of Standards and Technology, 2023).
Social Engineering
Social Engineering is the psychological manipulation of individuals to trick them into
providing something of value (National Institute of Standards and Technology, 2023).
Personally Identifiable Information
Personally Identifiable Information (PII) comprises the attributes that identify or trace an
individual, such as a birth date, mother’s maiden name, driver’s license number, bank account
number, and other sensitive information (National Institute of Standards and Technology, 2023).
Threat Actor
A threat actor is an individual or group of malicious intent with the capability to cause
harm (National Institute of Standards and Technology, 2023).
Hacker
A hacker is a type of threat actor who intentionally exploits vulnerabilities to gain
unauthorized access to systems (National Institute of Standards and Technology, 2023).
Phishing
Phishing is a social engineering tactic in which the perpetrator masquerades as a
legitimate business or reputable person to trick individuals by email into clicking on links or
opening attachments (National Institute of Standards and Technology, 2023).
Malware
Malware is software, hardware, or firmware that is included or inserted into a system
with the intent to cause harm. Once a phishing link or attachment is clicked or opened, malware
can be downloaded onto an individual’s device. Malware will violate security and compromise
the confidentiality, integrity, and availability of data (National Institute of Standards and
Technology, 2023).
Ransomware
Ransomware is a form of malware that renders systems unavailable to the attacked
victim. Threat actors hold data ransom and may even threaten to expose data publicly unless the
ransom is paid (National Institute of Standards and Technology, 2023).
Organization of the Dissertation
This dissertation is divided into a five-chapter study examining employee perceptions on
identifying phishing attacks in financial organizations. Chapter One introduced the problem of
practice, framed the research, provided an overview of the theoretical and conceptual
frameworks and methodology, and defined key terms appearing throughout the dissertation.
Chapter Two will review the literature and examine the cyber threat landscape, characteristics of
cybercrime, financial cybersecurity regulations, industry trends and challenges, organizational
practices, and examine employee knowledge, motivation, and organizational influences
embedded within the adapted Gap Analysis conceptual framework. Chapter Three will define the
methodology and approach, provide an overview of the research design model and the
researcher’s bias, and consider data sources, credibility and trustworthiness, and ethics. Chapter
Four will examine the findings and results of the study, and Chapter Five will explore
recommendations for future studies, limitations and delimitations of the study, and methods for
driving results in organizational training, communication, and culture.
CHAPTER TWO: LITERATURE REVIEW
This chapter will review, synthesize, and summarize the literature about the field of
practice of information security and examine the theory and application of knowledge,
motivation, and organizational influences on information security education. The approach to
this literature review is designed to examine the problem of practice of the rise in employees
clicking on phishing links in financial organizations through the lens of the adapted Gap
Analysis conceptual framework. To understand the origin of the problem of practice, the reader
will be provided with an overview of the cyber threat landscape, the historical background of
online crime, an awareness of the impact of cyberattacks, and the timeline of the largest reported
financial data breaches. The following section will examine the characteristics of cybercrime, the
taxonomy of social engineering, the anatomy of a phishing attack, and the types of phishing
emails targeting employees. This section will be followed by reviewing financial cybersecurity
regulations, an overview of state and federal laws, data privacy rules, and information security
audits. The following section will examine industry trends and challenges by reviewing the
confidentiality, integrity, availability (CIA) Triad model, data privacy and data security, and
industry frameworks. Following this section will be a review of organizational practices,
principles and program models, policies and procedures, and training and awareness. The final
section will review the adapted Gap Analysis conceptual framework of stakeholder knowledge,
motivation, and organizational influences in assessing the problem of practice.
Overview of the Cyber Threat Landscape
The Information Age, beginning in the mid-20th century, propelled economic
globalization centered around information technology, introducing information as capital and,
with it, a new modern phenomenon, cybercrime (Alberts & Papp, 1997). With every invention,
there are risks, and as industrial countries increase their dependency on the Internet and digital
technologies by including them in daily human processes, the correlated risk associated with
online activities such as financial banking increases. The cyber threat landscape is pervasive as
countries compete to dominate the global order, and nation-state actors continue to increase
funding and improve their skill sets and the sophistication of their techniques.
China, Russia, and Iran are the main threats in cyber warfare, targeting United States
organizations with capabilities to launch cyberattacks impacting U.S. critical infrastructure
(United States Department of Homeland Security, 2023). The war in Ukraine has increased
tensions between Russia and the United States. China and Russia endorse authoritarianism,
conduct cyber espionage, and spread disinformation to promote competition and political conflict
(Office of the Director of National Intelligence, 2023). Tensions between the U.S. and Iran
continue to escalate, and Iran is increasing its expertise in cyberattacks (United States
Department of Homeland Security, 2023). In November 2023, Iranian hacktivists targeted the
U.S. critical infrastructure water and wastewater systems sector (United States Environmental
Protection Agency, 2024). The President of the United States, Joe Biden, declared a $26 billion
USD increase in the 2024 annual Department of Defense budget, allocating $3.1 billion USD to
the Cybersecurity and Infrastructure Security Agency (White House, 2023). As stated in
President Joe Biden’s 2023 annual cybersecurity strategic plan, software and systems are
complex, and artificial intelligence systems can act differently than how creators intended for
them to act, expressing his concerns about companies layering new functionality and technology
onto systems at the expense of security (White House, 2023).
As financial companies move swiftly to secure their organizations against external
threats, they must safeguard against insider threats and third-party risk. Internal threats are
increasing yearly, and items stolen from networks maintained by U.S. universities, businesses,
and government agencies include volumes of intellectual property, larger than what exists in the
Library of Congress (United States Department of Defense, 2011). ChatGPT, the experimental
advanced generative artificial intelligence (GenAI) tool built in 2021, provides conversations
with users and utilizes algorithms to generate content. ChatGPT connected to the Internet in the
spring of 2023 and has gained traction and popularity due to the simple user interface and speed
of information retrieval (Wiggers, 2023). Criminals leverage GenAI and large language models
(LLMs) to enhance their phishing techniques and design advanced phishing campaigns. In 2024,
a financial worker in Hong Kong was tricked by a deepfake video impersonating the chief
financial officer and sent approximately $25.6 million USD to cybercriminals (Chen &
Magramo, 2024). While foreign money exchange emails, such as the popular yet outdated
“Nigerian Prince” scams, continue to successfully trick victims (Leonhardt, 2019), GenAI is
increasing the attack surface area and employee susceptibility (Krishnan, 2023). GenAI is
creating a new phenomenon for security practitioners to protect against phishing as
cybercriminals leverage evolving technology to rapidly create content (Jang-Jaccard & Nepal,
2014) and utilize deepfakes, the manipulation of audio and video to deceive victims
(Westerlund, 2019). While GenAI can be used as a deceptive tool for a hacker, such as utilizing
ChatGPT to create grammar-perfect emails, artificial intelligence (AI) has also been leveraged to
defend against phishing and identify patterns. Security professionals can utilize AI as part of
their security stack to defend against phishing. Security technology can detect intrusions, analyze
activity anomalies, and alert security teams while automating manual tasks like blocking
phishing attempts (Mishra, 2003). Even with the implementation of advanced technology,
depending on how security alerts are tuned, employees may receive phishing emails in their
inboxes. In addition, scandals attributed to software engineers posting proprietary code in
ChatGPT to ask the AI chatbot to solve coding issues by leaking company secrets have sparked
serious concerns in the information security industry (Dreibelbis, 2023). ChatGPT and the
Internet are among various inventions created with positive intentions that have become
maliciously exploited and abused by their users.
While security practitioners can use AI to automate the identification and remediation of
threats, human capital is still utilized to analyze and prioritize investigations. Automation
through AI and machine learning is increasing in demand due to the high volume of cyberattacks
organizations experience. However, despite available technologies, a surplus of software-as-a-service
offerings, and the reliability and dependability of machines in automating incident responses, human
capital is the best weapon against combating cybercrime and phishing attacks (Chamkar et al.,
2022). Humans can perform better in areas where machines cannot, such as discovering attack
indicators and patterns and leading the automation of tasks (Chamkar et al., 2022).
As threats from internal and external environments move quickly, companies must
discern which incidents to pursue since manual labor is a depleted resource. There is a deficit in
the cybersecurity labor pool, attributed to the skills gap and a lack of cybersecurity workers in
the industry (Coulson et al., 2018). The Global Information Security Workforce Study conducted
by the International Information System Security Certification Consortium examined the
cybersecurity workforce gap and the increase in cyberattacks, attributing the increase to knowledge
and skills no longer being a barrier for criminals who can rent an exploit kit or a botnet or obtain a
ransomware package (ISC2, 2017). The study surveyed 19,641 professionals in 170 countries
and found that 87% of cybersecurity workers did not enter the industry from a traditional
cybersecurity background, highlighting the value of utilizing non-traditional recruitment
channels. The study estimated a workforce gap of 1.8 million workers by 2022. The ISC2 2022
study revealed that the estimate had climbed to 3.4 million workers needed to fill the workforce
gap and that 70% of workers believed they did not have enough staff to be effective (ISC2,
2022).
In a developing industry of accountability and regulatory scrutiny, chief information
security officers (CISOs) are held responsible for data breaches and face regulatory lawsuits. The
U.S. Securities and Exchange Commission charged SolarWinds’ CISO Timothy G. Brown for
allegedly mismanaging cybersecurity risks (U.S. Securities and Exchange Commission, 2023).
The allegations rattled the security industry, stirring controversy about holding a CISO position
(Lennon, 2023). In 2020, cybercriminals injected malicious source code into SolarWinds
management software, affecting thousands of customers, including federal agencies, as software
updates installed malware (Peisert et al., 2021). As companies experience an increase in threats,
CISOs are navigating regulatory challenges to drive compliance and communicate risk to their
board of directors and executive leadership (Lennon, 2023).
History of Online Crime
Crime has evolved from the physical world into the digital era, creating a new battlefield
(Jewkes & Yar, 2010). With every new technology introduced into the world, new vulnerabilities
develop for criminals to exploit. While the digital economy continues to develop, so does the
complexity of deception and the advancement of criminal strategies. As financial dependency on
the Internet increases, so do targeted attacks on the largest banks and financial
organizations.
Cybercrime began in 1834 with the world’s first cyberattack. Thieves hacked the French
Telegraph System to steal financial information (Herjavec, 2019). Computer crime started after
the launch of the Internet, once criminals discovered the value of the information found online.
Computer crime escalated in 1988 with worms (self-replicating computer programs) and fraud
(Federal Bureau of Investigation, 2018).
One of the first successfully reported phishing attacks was in the mid-1990s when
hackers imitated AOL employees to steal credentials and take over accounts (Gillin, 2023). Over
the past four decades, phishing has evolved to switch platforms and incorporate using phone,
text, and instant messaging. The first ransomware attack occurred in 1989 when a hacker mailed
20,000 floppy disks to participants of a World Health Organization’s AIDS conference, asking
them to complete a “survey,” which resulted in the lockdown of their files unless they paid the
$189 USD requested ransom. Ransomware has evolved from floppy disks and snail mail to now
having the ability to be downloaded with one click on a phishing link, attachment, or website
(Hartford, 2021). The Colonial Pipeline ransomware attack in 2021 gained notoriety as criminals
were able to attack computer systems managing the pipeline, resulting in pipeline operations
shutting down and the halt of air and land travel as gas became scarce across the Southwest over
a six-day period before the ransom was paid and operations were restored. This was the largest
attack in history on oil infrastructure, as fuel shortages affected families and businesses across
the nation (Cybersecurity and Infrastructure Security Agency, 2023).
According to Verizon’s annual data breach report (2020), 86% of data breaches are about
money. Threat actors sell information illegally on a decentralized hidden part of the Internet, the
Dark Web. It is on the Dark Web where criminals can hide their online identities or IP addresses,
anonymously buy and sell personally identifiable information, and conduct other criminal
activities (Gupta et al., 2019). It is on the Dark Web marketplace where individuals can
determine the types of stolen data they want to purchase. Examples of the value of stolen data
include the following: personal credit card information ($240), hacked Gmail account ($80),
hacked Facebook account ($65), PayPal transfer from a stolen account ($340), and each year,
these amounts continue to rise (Sen, 2021). Financial data is the easiest to sell, and for that
reason, criminals target the financial industry. Stolen data can be used in a myriad of ways,
including identity theft and opening up credit cards to filing fraudulent tax returns. Figure 2
examines a survey of the top 10 most valuable information to cyber criminals and the biggest
cyber threats to organizations, which include phishing (22%) as the biggest cyber threat and
customer information (17%) as the most valuable information to obtain.
Figure 2. EY Global Information Security Survey 2018-19 (2019).
Along with a lack of policing, there is a lack of reported crime, making it difficult to
identify criminals and gather metrics. Locating and prosecuting criminals is also challenging,
especially in other countries. With law enforcement involvement, the private sector continues to
reduce fraud by identifying offenders and prosecuting criminal cases against them (Cobb, 2020).
The challenge with prosecution across states and countries is that some offenses are considered
civil or criminal depending on the country (e.g., theft of trade secrets, which is a criminal offense
in the U.S., and a civil offense in the United Kingdom, depending on the manner in which the
event took place) (Wall, 2015).
Impact of Cyberattacks
Cyberattacks target the financial industry approximately 300 times more than other
industries and are typically designed for maximum impact (Eisenbach et al., 2021). A
cyberattack has the potential to disrupt normal operations or even impact other companies in the
financial system and impair the confidentiality, integrity, and availability of data. A successful
cyberattack, such as a data breach or ransomware attack, can destroy an organization’s
reputation, credibility, and trust and create a surplus of fines and legal issues. Figure 3 highlights
the taxonomy of risks associated with cyberattacks and examines causes/methods of cyber
threats, types of threat actors, intents/motives, and consequences for conducting cyberattacks.
Figure 3. Taxonomy of Risks (Aldasoro et al., 2020).
Threat actors vary depending on resources, sophistication, and whether attacks are
malicious or unintended. The majority of financial companies are privately held, and information
security is their responsibility, as declared by President Joe Biden (Williams, 2023). Of 27
million firms in the United States, less than 1% of financial companies are public (Biery, 2013).
Governments have created regulations and programs to assist with containing large-scale cyber
incidents. The Department of Homeland Security, the U.S. Department of Treasury, the Federal
Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, law enforcement,
and financial institutions regularly partner to “share information about current and emerging
threats, develop mitigation strategies, and determine whether any existing or new assets may be
critical to the operations of the sector” (Cybersecurity and Infrastructure Security Agency, 2015,
p. 14). Coordination among companies and entities to respond effectively and in a timely manner is
the critical indicator of how quickly an incident response team can identify an attack, mitigate risk,
and contain an incident (Kopp & Kaffenberger, 2019).
Timeline of the Largest Reported Financial Data Breaches
Ten of the largest reported financial data breaches worldwide occurred within the last 16
years. From 2008 to 2022, 70% of the largest reported financial data breaches occurred at U.S.
companies, and the remaining 30% of companies were headquartered in Australia, Ireland, and
Canada. The Equifax data breach affected a high volume of Americans, approximately 40%
(Kost, 2023). Financial organizations are targeted for the high amount of sensitive, personally
identifiable information stored on servers.
The timeline below is in order of highest impact. Customers affected had their personally
identifiable information accessed, which contained an array of information depending on the
breach, including various types of sensitive information: email and home addresses,
login details, social security numbers, bank account numbers, credit card numbers with
expiration dates, and transaction records, among other data.
Table 1
10 Biggest Data Breaches in Finance (Kost, 2023).
Company | Headquarters | Date | Impact | Cause of Data Breach
First American Financial Corporation | Santa Ana, California | May 2019 | 885 million credit card applications | Business logic flaw on company website leading to data leak of sensitive information.
Equifax | Atlanta, Georgia | September 2017 | 147 million customers | Failure to patch critical vulnerability and separate ecosystems, credentials stored in plain text, and an encryption certificate was never renewed.
Heartland Payment Systems | Oklahoma City, Oklahoma | January 2008 | 130 million debit and credit card numbers | Malware injection on the company website and sniffer software accessed data in transit.
Capital One | McLean, Virginia | March 2019 | 100 million credit card applications | A former Amazon Web Services engineer accessed an AWS server storing credit card data.
JP Morgan Chase & Co. | New York, New York | October 2014 | 83 million accounts | The highest level of administrative privilege was achieved via a security vulnerability, and 90 servers were accessed to steal customer data.
Experian | Dublin, Ireland | August 2020 | 24 million customers | A threat actor claimed to be a company representative and convinced an employee to provide them with internal sensitive data.
Block | San Francisco, California | April 2022 | 8.2 million customers | An employee downloaded files without authorization.
Desjardins Group | Levis, Canada | June 2019 | 4.2 million customers | An unauthorized employee gained access to customer data.
Westpac Banking Corporation | Sydney, Australia | June 2013 | 98,000 customers | Vulnerability in a third party with brute force techniques.
Flagstar Bank | Troy, Michigan | June 2022 | 1.5 million customers | The bank did not disclose details of the attack and how hackers penetrated their network.
Characteristics of Cybercrime
The Internet is spaceless and cybercrime does not resemble characteristics of traditional
crime in terms of identifying criminals and their backgrounds and discovering their geographical
location (Almazkyzy et al., 2018). Cyberspace is a new territory for criminals to explore, and
globalization adds to the advantages for criminals in extending their reach. Cybercrime is
criminal activity committed using a computer. Online crimes such as fraud, theft, child
pornography, and hate speech existed before the Internet and are assisted by computers. Crimes
such as hacking and phishing cannot exist without the Internet (Jahankhani et al., 2014).
Wall (2001) described cybercrime in four categories: cyber-trespass, cyber-deception/thefts, cyber-pornography/obscenity, and cyber-violence. Cyber-trespass is crossing
into unauthorized spaces. Types of cyber-trespassers include hackers, spies, and terrorists.
Cyber-deception/thefts involve obtaining items of value via methods of theft, fraud, raiding of
financial information, and piracy of intellectual information, where ideas are worth money.
Cyber-pornography refers to pornography that is illegal (e.g., child pornography) since
pornography itself is not unlawful. The Internet became popular due to men viewing
pornography and drove the development of the electronic service that provided pornography
(Wall, 2001). The Communications Decency Act was developed in 1996 to ban pornography,
and a year later, it was partially overturned to include the protection of children but was deemed
as an infringement upon adult free speech as Congress determined that the Internet is a computer
service and not a publisher of materials online. Since its passing, this has been described both “as
the savior of free speech in the digital age and as an ill-conceived shield for scoundrels” (Ardia,
2010, p.8). Cyber-violence is not physical in nature but can leave psychological scars; this
includes hate speech, stalking, and cyber-bullying.
Due to a lack of systematic reporting, burden of proof, and standardized cybercrime
classifications, many individuals and organizations do not report their experiences as victims of
cybercrime. Victims tend to shield themselves from the embarrassment of declaring they were
victims of a cyberattack, as many are still realizing they have become victims and are fearful of
stigmatization and damage to their reputation (Wall, 2001). In the
event of a financial organization breach, repercussions of exposing incidents can be costly as
creditors and investors stop wanting to do business with the company, regulatory agencies
impose hefty fines, and customers take their business to competitors.
Taxonomy of Social Engineering
Social engineering is a successful manipulative tactic among cybercriminals because the
techniques employed are often easy, cheap to conduct, hard to detect, and highly effective (Jang-Jaccard & Nepal, 2014). Threat actors attempt to befriend individuals or pretend to be someone
they know and trick their victims into clicking on malicious links or attachments or providing
sensitive information. There exists a myriad of tactics that social engineers use to obtain items of
value and exploit individuals by committing identity theft and fraud. Criminals are creatively
utilizing emerging technology to enhance their social engineering techniques (e.g., with GenAI, a
criminal can mimic familiar voices of loved ones over phone calls and trick family members).
Common crimes against financial institutions include account takeovers to commit fraudulent
monetary transfers and counterfeiting stored value cards (Snow, 2011). The global cybersecurity
community, the Financial Services Information Sharing and Analysis Center (FS-ISAC), shares
identified threat data and creates alliances among members to collectively prevent future social
engineering attacks. Security practitioners can partner with other financial organizations to share
best practices and information regarding phishing attacks. The FS-ISAC is a non-profit
organization founded in 1999 that is dedicated to real-time information sharing among financial
institutions (Financial Services Information Sharing and Analysis Center, 2023).
The FBI’s Cyber Division (2023) provides a list of social engineering attack vectors that
target individuals online and are used against employees in financial organizations. Phishing,
business email compromise, and ransomware are among the most preferred and common
criminal tactics, along with spoofing, spear-phishing, whaling, vishing, smishing, dumpster
diving, tailgating, pretexting, and shoulder surfing.
Attackers use phishing to manipulate individuals to do something that is typically against
their best interests (e.g., click on a link, download an attachment, or provide sensitive
information). Business email compromise appears to be a legitimate request from someone in an
organization. The probability of a successful phishing campaign increases when victims believe
they are engaging with someone they personally know (Federal Bureau of Investigation, 2023).
Ransomware sent via phishing is downloaded onto an employee’s computer when they click on a
phishing link or download an attachment or application, with the goal of spreading ransomware
and holding the individual hostage until the ransom is paid (Federal Bureau of Investigation,
2023). Another ransomware method is when social engineers convince individuals to insert USB
devices into their machines, which then deploy ransomware. Hackers use spoofing to gain access to an
individual's account and then use it to send phishing emails to the victim's contact list. Spear-phishing targets specific people and organizations, making such attacks more sophisticated and
challenging to spot. Whaling is a method of phishing that profiles high-target individuals and
executives (Regenscheid & Galluzzo, 2023). Vishing is when criminals use the telephone to
solicit sensitive information (Federal Bureau of Investigation, 2010). Smishing exploits text
messages on mobile phones (Cybersecurity and Infrastructure Security Agency, 2021). Dumpster
diving involves financial information retrieved from garbage cans as criminals dig into trash to
discover items of value, such as printed information with personally identifiable information
(Wright, 2023). Tailgating is a method criminals utilize to follow employees into a secure
building (Awati, 2022). Social engineers use pretexting to create credible stories to convince
victims to take action. Criminals stand behind their victims to shoulder surf and observe them
conducting online business, such as entering their passwords and logging in to their computers
(McDowell, 2019).
Cybercriminals usually have some level of intel about their victims, either through
viewing their profiles on social media sites or obtaining information via news media.
Cybercriminals may know about an individual’s family and friends and other details that can be
found online. Clone phishing and QR code phishing are newer attack methods developed by
cybercriminals. Clone phishing is a method criminals use to gain access to previous emails and
alter them with malicious attachments (National Institute of Standards and Technology, 2019).
QR code phishing is a method criminals use to spoof sites and steal information by disguising
QR codes to appear legitimate (Federal Trade Commission, 2023). Criminals are continuing to
invent new tactics to become strategically effective instead of sending a massive email blast and
hoping for minimal results, as this “is the core difference in targeting victims with a laser-guided
rifle instead of a machine gun” (Bhardwaj et al., 2020, p. 4).
In a 2021 survey, Alharthi and Regan found that half of the 1,523 participating
employees in public, private, and non-profit industries were unfamiliar with social
engineering tactics. In Figure 4, Alharthi and Regan developed a model of the five main target
points for social engineers (people, data, software, hardware, and networks) and describe defense
mechanisms to prevent attacks. Backup and replication are used to safeguard data, and an
identity asset management program determines least privileges so that only authorized
individuals have access to systems and data they need to perform their duties and do not share
information with employees who are not permitted to access the information. Organizations
develop policies and procedures to protect software and hardware assets, including company
protocol for minimum password requirements, identity authentication, and the acceptable use of
personal devices. Defining managerial oversight of the process of acquiring equipment and
software and ensuring employees are aware of social engineering and policies regarding standard
code of conduct in work emails and accounts are mechanisms to protect software and hardware
target points. To safeguard a company’s technology ecosystem, a virtual private network (VPN)
allows only authorized individuals to access the company network, and remote desktop protocol
(RDP) enables remote employees to access a local network.
Figure 4. Social Engineering Defense Mechanisms (Alharthi & Regan, 2021).
Anatomy of a Phishing Attack
Phishing is the most common and successful attack method used by criminals, and it was
the criminal technique with the most victims identified by the FBI in 2022 (Federal Bureau of
Investigation, 2022). Cybercriminals are skilled at manipulating victims, triggering responses,
and coercing them into making poor decisions (Carroll et al., 2022). Phishing targets human
emotions to trigger a response (e.g., fear, authority, and familiarity). Cybercriminals manipulate
employees by strategically utilizing psychological tactics on individuals. Criminals leverage
cognitive bias when manipulating the information processing of individuals. Cognitive bias is the
filtering of information that allows individuals to make quick decisions and mental shortcuts
based on their perceptions and life experiences (Carpenter, 2021). Examples of cognitive bias
include authority bias, which is when messages are spoofed to purport to be sent from a high-ranking executive (Carpenter, 2022). Criminals often use the halo effect, which is the influence
of an impression of an entity to affect engagements positively or negatively with that entity in all
activities (Carpenter, 2022). An example of the halo effect is when criminals mimic company
logos and websites so that individuals believe they are engaging with a brand they trust.
Individuals can provide social engineers with account information by responding to an email or
clicking phishing links that lead them to a fake website portal, such as their bank account or
company login page, and then enter their credentials, which the criminal can obtain
(Cybersecurity and Infrastructure Security Agency, 2021). Criminals use rewards to create
individual curiosity about a giveaway or prize so that individuals click on a phishing link,
regardless of the negative consequences (Carpenter, 2022). Using loss as a tactic, victims fear
they might incur a penalty if they do not take immediate action (MacRae et al., 2022). In a study
by Hadlington (2017), cited by Alkhalil et al. (2021), motor impulsivity was a
significant predictor of risky cybersecurity behavior.
Criminals will try to convince individuals to act by creating fraudulent scenarios
(Cybersecurity and Infrastructure Security Agency, 2021), such as offering large sums of money,
threatening individuals with late fees or consequences, or claiming that an individual’s account
has been locked due to fraudulent activity. Through phishing, malware and ransomware can be
installed, or hackers can gain entry to a system to prepare for future attacks.
Types of Phishing Emails Targeting Employees
Phishing emails circulating the financial industry include topics related to trusted entities
of account updates, current events, and payment information (Cybersecurity and Infrastructure
Security Agency, 2021). Notifications of account updates prompt individuals to click on a link to
review and revise their account information (Federal Trade Commission, 2022). Cybercriminals
take advantage of current events to create urgency in individuals concerned or interested in a
subject, such as when the World Health Organization began informing individuals about the
COVID-19 pandemic. Criminals leveraged the opportunity to fraudulently represent the non-profit when sending phishing emails requesting donations to the COVID-19 Solidarity Response
Fund (World Health Organization, 2024). Payment information demands include asking
individuals to take action to avoid account deactivation.
The following figures display popular types of phishing emails and a fake login page
versus a genuine login page. Criminals create urgency by pressing individuals to update their
account information, as indicated in Figure 5.
Figure 5. Netflix Phishing Email (Federal Trade Commission, 2022).
Criminals design phishing emails to imitate trusted organizations and hospitals. The phishing
email in Figure 6 asks the individual to download a malware attachment by creating panic when
informing them that they came into contact with someone who tested positive for COVID-19.
Figure 6. Current Events Phishing Email (Sonowal, 2021).
In Figure 7, comparing websites (a) and (b), the fake site (a) has a slightly different website
address. Individuals unfamiliar with social engineering tactics and website
spoofing may not notice the subtle differences, as both templates look legitimate at a glance.
Figure 7. (a) Fake PayPal Login Page, and (b) Genuine PayPal Login Page (Sonowal, 2021).
Social engineers target the financial industry due to the type of sensitive PII contained
online and the high volume of individuals who utilize financial services. Criminals often create
fake websites to trick users into believing they are logging into a trusted entity, such as their
bank, to obtain their credentials (Moramarco, 2019). According to a 2016 study by Kaspersky
Labs, 47.5% of phishing attacks directed users toward a fake banking site to steal credentials
(Moramarco, 2019).
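The urgency cues shown in Figure 5 and the subtly different address of the fake login page in Figure 7 are both indicators that a mail gateway or a security team's triage script can check mechanically before a message reaches an employee's inbox. The script below is an added example written for this page; it is not code from the dissertation or from any of the cited sources. The trusted-brand allowlist, the urgency phrase list, the two sample messages, and the naive "last two labels" registered-domain rule are all constructed assumptions, and a production filter would use a public suffix list and far larger lists.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of brands the organisation trusts (assumption for this example).
TRUSTED_DOMAINS = {"paypal.com", "netflix.com", "examplebank.com"}
# Urgency cues of the kind seen in Figure 5 (constructed, deliberately short).
URGENCY_PHRASES = ("update your account", "verify your account", "within 24 hours",
                   "will be suspended", "account locked", "act now", "immediately")
# Character substitutions common in lookalike hostnames (paypa1 -> paypal).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats such as paypl.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_label(label: str) -> str:
    """Undo digit/letter substitutions so that paypa1 compares equal to paypal."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def registered_domain(host: str) -> str:
    """Naive 'last two labels' rule (assumption; use a public suffix list in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_domain(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    host = host.lower().rstrip(".")
    if registered_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    labels = [normalize_label(lab) for lab in host.split(".")]
    base = labels[-2] if len(labels) >= 2 else labels[0]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if base == brand or levenshtein(base, brand) <= 1:
            return "lookalike"  # paypa1.com, paypl.com
        if brand in base:
            return "lookalike"  # netflix-support.com (can false-positive on short brands)
        if brand in labels[:-2]:
            return "lookalike"  # paypal.com.secure-login.net
    return "unknown"


def shown_host(anchor_html: str):
    """Hostname a link displays to the reader, if its anchor text looks like a URL."""
    text = re.sub(r"<[^>]+>", "", anchor_html).strip()
    if not text or " " in text or "." not in text:
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def score_email(sender: str, subject: str, html_body: str):
    """Collect phishing indicators and return (verdict, list of findings)."""
    findings = []
    plain = re.sub(r"<[^>]+>", " ", html_body)
    text = f"{subject} {plain}".lower()
    urgent = [p for p in URGENCY_PHRASES if p in text]
    if urgent:
        findings.append("urgency language: " + ", ".join(urgent))
    sender_host = sender.rsplit("@", 1)[-1]
    if classify_domain(sender_host) == "lookalike":
        findings.append(f"lookalike sender domain: {sender_host}")
    for href, anchor in LINK_RE.findall(html_body):
        target = urlparse(href).hostname or ""
        if classify_domain(target) == "lookalike":
            findings.append(f"lookalike link domain: {target}")
        shown = shown_host(anchor)  # displayed URL vs. real destination (Figure 7 case)
        if shown and registered_domain(shown) != registered_domain(target):
            findings.append(f"link text shows {shown} but points to {target}")
    verdict = "suspicious" if len(findings) >= 2 else "review" if findings else "clean"
    return verdict, findings


# Constructed sample messages (sender, subject, HTML body); not real emails.
PHISHING_SAMPLE = (
    "billing@netf1ix-support.com",
    "Action required: update your account within 24 hours",
    '<p>Your membership will be suspended. <a href="http://paypa1.com/login">'
    "https://www.paypal.com/login</a></p>",
)
LEGITIMATE_SAMPLE = (
    "info@netflix.com", "Your monthly receipt",
    '<p>Thanks for being a member. <a href="https://www.netflix.com/account">Manage account</a></p>',
)

if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, LEGITIMATE_SAMPLE):
        verdict, findings = score_email(*sample)
        print(sample[0], "->", verdict, findings)
```

The constructed phishing sample trips all four checks (urgency phrases, a lookalike sender domain, a lookalike link domain, and anchor text that displays the genuine brand while pointing elsewhere), whereas the legitimate receipt produces no findings. Each check on its own is weak evidence, which is why the verdict is built from the count of independent indicators rather than from any single one.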
Financial Cybersecurity Regulations
In 2013, the President of the United States, Barack Obama, issued an executive order to
protect the nation from cyberattacks. Under that order, the National Institute of Standards and
Technology (NIST) developed a cybersecurity framework (NIST CSF) that became an
authoritative instrument for security practitioners (Romanosky, 2016). The use of the NIST CSF
is voluntary and is a popular mechanism for designing information security programs. Industry
frameworks are available for companies to select from, and practitioners map their compliance
requirements to frameworks and best practices to provide supporting evidence to regulatory
agencies during external audits and questionnaires. When selecting and aligning data protection
frameworks, financial organizations determine which frameworks to use,
depending on their types of financial transactions and service offerings, whether they are
publicly or privately held, the types of information collected, and the locations where they conduct business.
In 2022, President Joe Biden signed the Cyber Incident Reporting for Critical
Infrastructure Act of 2022, which requires critical infrastructure companies to report cyber
incidents within 72 hours and ransom payments within 24 hours (Cybersecurity and
Infrastructure Security Agency, 2022). An outcome of the War in Ukraine is that Russia has
increased state-sponsored cyberattacks against the United States, and the President has advised
business leaders to prepare against threats to critical infrastructure (Vazquez et al., 2022). In
2023, President Joe Biden declared, “Cybersecurity is essential to the basic functioning of our
economy, the operation of our critical infrastructure, the strength of our democracy and
democratic institutions, the privacy of our data and communications, and our national defense”
(White House, 2023, p. 2). Until a comprehensive federal data protection law is developed,
achieves bipartisan support, and becomes enacted with the ability to be enforced, companies are
required to adhere to a collection of legal frameworks (Godlasky, 2022). There exists an
assemblage of federal financial and state laws that companies monitor for adherence and updates.
Overview of State and Federal Financial Laws
Federal financial laws that cover data privacy protection include the Bank Secrecy Act of
1970, the Fair Credit Reporting Act of 1970, the U.S. Privacy Act of 1974, the Right to Financial
Privacy Act of 1978, the Gramm-Leach-Bliley Act of 1999 (GLBA), the Sarbanes-Oxley Act of
2002 (SOX), and the Federal Information Security Management Act of 2002 (FISMA).
Individuals who provide personal information to the financial companies they engage in business
with retain some control over how their personal information is utilized and stored (Office of the
Comptroller of the Currency, 2023). The General Data Protection Regulation (GDPR), a federal
law in the European Union that began in 2018, is designed for companies that process data in 27
European countries to protect European Union citizens and residents. American companies that
conduct business in the European Union must abide by this new law.
The International Association of Privacy Professionals (IAPP) has developed a legislation
tracker of status, which includes whether laws are introduced, in committee, in cross chamber or
cross committee, passed, signed, inactive, or not yet introduced. One state, California, has been
enforcing a privacy law since 2020, having enacted it in 2018.
Four other states enacted laws that went into effect between January and December 2023:
Virginia, Connecticut, Utah, and Colorado. Ten states have signed laws that will go into effect
between 2024 and 2026, including Delaware, Iowa, Indiana, Kentucky, Montana, New
Hampshire, New Jersey, Oregon, Texas, and Tennessee. The landmark law, the California
Consumer Privacy Act (CCPA), went into effect in 2020, and its amendment CPRA, which
expands the scope of CCPA, took effect on January 1, 2023, and became enforceable on July 1,
2023. CCPA provides comprehensive data coverage and is the strictest law in the country (IAPP,
2024). The California Consumer Privacy Act protects the rights of California residents by
providing them with control over their personal information. The following are the rights of
California Residents (State of California Department of Justice, 2023):
● The right to know about the personal information a business collects about them
and how it is used and shared;
● The right to delete personal information collected from them (with some
exceptions);
● The right to opt-out of the sale or sharing of their personal information; and
● The right to non-discrimination for exercising their CCPA rights.
In 2017, New York, through its Department of Financial Services (NYDFS), became the first
state to issue cybersecurity regulations for financial companies. NYDFS
requires that companies report qualifying security incidents within 72 hours (New York State
Department of Financial Services, 2023). Figure 8, sourced from IAPP, provides an overview of
the U.S. State Privacy Legislation Tracker.
Figure 8. U.S. State Privacy Legislation Tracker (IAPP, April 2024).
Data Privacy Rules
Data privacy rules that protect financial consumers and their data are enforced in large part
by the Federal Trade Commission (FTC). In 2019, the FTC fined Facebook for violating a 2012
order through data privacy practices that, the FTC alleged, deceived users about how much
control they had over their personal information. The settlement imposed a $5 billion penalty
and required Facebook to restructure its privacy practices to ensure accountability (Federal
Trade Commission, 2019); a separate class-action settlement later paid $725 million to a subset
of Facebook users.
The FTC requires financial organizations to comply with the Privacy of Consumer Financial
Information Rule and the Safeguards Rule under the Gramm-Leach-Bliley Act. Under the
Privacy Rule, organizations must notify customers in writing of their data collection and
sharing practices and give them the ability to opt out of having their information shared with
non-affiliated third parties. Under the Safeguards Rule, financial organizations must develop,
implement, and maintain a comprehensive written information security program (Federal Trade
Commission, 2023). Under the Identity Theft Red Flags Rule, implemented for SEC-regulated
entities as Regulation S-ID, financial institutions must develop an identity theft prevention
program with policies and procedures to identify, detect, and respond to red flags, and must
periodically update the program (U.S. Securities and Exchange Commission, 2023). The
Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
protects consumers against deceptive commercial marketing communications and requires
senders to honor opt-out requests (Federal Trade Commission, 2018).
As new rules and regulations require organizations to evaluate effective controls for the
collection of sensitive data, financial companies must put mechanisms in place to identify the
technologies and business processes that require controls to protect customer records. The
lifecycle of each record spans the entire duration of an individual's relationship as a customer.
How their data enters and leaves the company, and how it is stored, processed, transferred,
used, and destroyed, are subject to increasing legal, regulatory, and third-party standards.
Information Security Audits
External auditors and regulatory agencies require compliance with regulatory requirements
and routinely examine companies. Organizations are required to protect assets, validate
compliance, and provide supporting evidence. An independent information security audit is
conducted in phases to review the maturity of a security program, beginning with an assessment
of security policies and standards, organizational security, personnel security, communication
and operational management, asset management, physical and environmental security, access
control, information technology systems and maintenance, security incident management,
disaster recovery and business continuity management, compliance, and risk management
(Kassa, 2016).
The external auditor evaluates responses and requests clarification on flagged line items. The
auditor conducts a thorough review and investigates any additional requirements before
providing recommendations for improvement. Information security audits evaluate planning,
systems, and implemented controls, and through testing the auditor rates the overall risk
posture and the maturity of the program.
System and Organization Controls (SOC) 1, 2, and 3 reports, introduced in 2010 by the
American Institute of Certified Public Accountants and each issued as Type 1 or Type 2,
measure the controls of service organizations that provide services to other companies. The
report type is determined by the maturity of the company and by the goals, scope, and duration
of the assessment (Poston, 2021). A SOC 2 Type 2 audit is extensive and comprehensive,
designed to measure how a security program protects data, and provides assurance over
security controls (Pratt, 2022). Whereas a Type 1 report evaluates the design of controls at a
point in time, a SOC 2 Type 2 audit evaluates whether controls operated effectively over a
period of time, and security practitioners complete lengthy readiness assessments in advance of
the audit to ensure controls are in place. Investing in this type of audit is necessary for
financial organizations that want to do business with organizations that require it.
Industry Trends and Challenges
On March 9, 2022, the U.S. Securities and Exchange Commission released a proposal to
standardize disclosure of material cybersecurity incidents within four business days of
determining materiality, along with disclosure of governance methods, including policies and
procedures, strategy, and risk management. The proposal would also require boards to disclose
their members' cybersecurity expertise (U.S. Securities and Exchange Commission, 2022). This
is a significant step toward protecting data, yet an analysis of publicly available data found
that 90% of boards are not positioned to meet this landmark requirement because they lack a
member with cybersecurity expertise (Walker, 2023).
Increases in cyber criminals' skills, methods, and sophistication continue to create a
cat-and-mouse chase for security professionals. According to Trellix's Advanced Research
Center's 2023 Threat Prediction Report, annual threat predictions include geopolitical threats
and misinformation campaigns, including hacktivism and politically motivated cyberattacks.
Since the war in Ukraine began, cyber warfare against critical infrastructure has increased
aggressively (Trellix Advanced Research Center, 2023). Threats to supply chains will continue,
and the recruitment of teen hackers by threat actors is a growing trend as youth view online
crime, such as illegally downloading videos and software, as a challenge (Trellix Advanced
Research Center, 2023). Alternative communication channels for phishing, smishing, and
vishing beyond traditional methods will increase as cybercriminals refine their approaches and
leverage generative AI (e.g., ChatGPT can assist threat actors with drafting phishing emails in
any language, and other generative tools can produce deepfake videos). As many companies
navigate the remote work environment that the COVID-19 pandemic created, criminals will
continue to take advantage of insecure home networks and devices (Trellix Advanced Research
Center, 2023).
Confidentiality, Integrity, Availability (CIA) Triad
The CIA Triad model provides guidance toward protecting the confidentiality, integrity, and
availability of data and toward how a data strategy is implemented (Li & Liu, 2021).
Confidentiality refers to authorization for accessing data, so that sensitive personally
identifiable information is accessed only by authorized individuals. Integrity is the assurance
that data has not been modified in an unauthorized way. Availability is reliable and timely
access to data without technology downtime (e.g., the ability to access personal online bank
accounts 24/7) (Clark & Hakim, 2016). Figure 9 presents the CIA Triad model.
Figure 9. CIA Triad (Li & Liu, 2021).
A defense-in-depth security strategy is built across layers of security protection so that an
intruder who breaches one layer is prevented from gaining access to the next (Fruhlinger,
2022). The term defense-in-depth originated in the military: it devises entry barriers that
prevent intruders from simply reaching the data while their footprint is monitored and a plan of
response is developed (United States Department of Homeland Security, 2016). The protection
layers, which include a company's workforce, network, cloud, endpoints, and applications, each
apply defense-in-depth strategies to monitor, defend against, and block cyberattacks, making it
harder for criminals to reach critical assets (Seker, 2020). Identifying and protecting a
company's crown jewels drives the development of a data classification program that assigns
criticality to assets based on potential impact (United States Department of Homeland Security,
2016). Control categorizations help employees understand how to share and use data and guide
how the information security team develops controls (United States Department of Homeland
Security, 2019). Controls are the policies, procedures, standards, and technical measures an
organization puts in place to achieve desired business outcomes. Preventive controls are a
proactive approach to limiting data incidents; they are measures put in place to stop an incident
before it occurs (e.g., firewalls and segregation of duties). Detective controls identify incidents
after the fact and include log monitoring, reconciliations, process reviews, and auditing of
access to data in the technology environment. Corrective controls remediate errors or incidents
and mitigate risk by implementing safeguards after an issue has been detected. A compensating
control mitigates risk when the assigned administrative, technical, or physical control cannot be
applied (United States Department of Homeland Security, 2019).
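As an added example (not from the dissertation), the following Python script implements a
detective control of the kind described above: it audits data-access log lines against a data
classification inventory and a need-to-know role matrix, and flags every access that the user's
role was not cleared for. The log format, the store names, the roles, and the classification
labels are all assumptions constructed for illustration.

```python
"""Detective control example: audit data-access logs against a data
classification and a need-to-know matrix. Added example, not from the
dissertation; log format, stores, roles and labels are assumptions."""
import re
from collections import Counter

# Assumed data classification program: each data store gets a label
# reflecting the impact of unauthorized disclosure.
DATA_CLASSIFICATION = {
    "marketing_site": "public",
    "crm_contacts": "internal",
    "kyc_documents": "restricted",
    "card_numbers": "restricted",
}

# Assumed need-to-know matrix: the labels each role is cleared to read.
ROLE_CLEARANCE = {
    "marketing": {"public", "internal"},
    "analyst": {"public", "internal", "confidential"},
    "compliance": {"public", "internal", "confidential", "restricted"},
}

# Constructed sample log, one event per line (syslog-like key=value fields).
SAMPLE_LOG = """\
2024-03-01T09:02:11Z user=alice role=marketing action=read store=crm_contacts
2024-03-01T09:03:40Z user=alice role=marketing action=read store=kyc_documents
2024-03-01T09:04:05Z user=bob role=analyst action=read store=card_numbers
2024-03-01T09:05:59Z user=carol role=compliance action=read store=kyc_documents
2024-03-01T09:06:22Z user=alice role=marketing action=read store=kyc_documents
2024-03-01T09:07:00Z user=dave role=analyst action=export store=crm_contacts
2024-03-01T09:08:13Z user=erin role=analyst action=read store=ledger_archive
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) store=(?P<store>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def find_violations(log_text):
    """Return events whose role is not cleared for the store's classification.

    A store missing from the classification inventory is labelled
    'unclassified', which no role is cleared for, so such accesses are
    flagged for review instead of being silently allowed.
    """
    violations = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        label = DATA_CLASSIFICATION.get(event["store"], "unclassified")
        if label not in ROLE_CLEARANCE.get(event["role"], set()):
            violations.append({**event, "classification": label})
    return violations


def repeat_offenders(violations, threshold=2):
    """Users with at least `threshold` violations, for escalation."""
    counts = Counter(v["user"] for v in violations)
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = find_violations(SAMPLE_LOG)
    for v in found:
        print(f"{v['ts']} {v['user']} ({v['role']}) {v['action']} "
              f"{v['store']} [{v['classification']}]")
    print("repeat offenders:", repeat_offenders(found))
```

On the constructed log this flags two reads of restricted KYC documents by a marketing user,
an analyst reading card numbers, and a read of a store that is absent from the classification
inventory. The last case is the design choice worth copying: an unknown store defaults to a
label nobody is cleared for, so gaps in the inventory surface as findings rather than as blind
spots. In production the same check would run over a SIEM export rather than an inline string.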
Data Privacy and Data Security
Data privacy is based on an individual’s right to own their personally identifiable
information (Shoback, 2023). Data privacy includes visibility of all data movement, whether at
rest or in transit. The lifecycle of data includes when a consumer lands on a website, submits their
information in a contact form to become a customer, and provides sensitive information during
the onboarding process. Once data is collected, the organization manages who has access to it.
Data governance processes regulate, manage, and protect how customer data is collected, used,
stored, handled, and destroyed (Jain et al., 2016). Privacy practitioners monitor these processes
for vulnerabilities, manage acceptable risks, and provide support to individuals who might want
to remove their data from these systems. Knowing where data is at all times in order to locate
and retrieve it and restricting access to only those individuals who need to access this data helps
protect companies and customers (Jain et al., 2016).
Data security maintains the CIA Triad and is the blueprint for designing the methods,
technologies, and systems that safeguard data and enable limited access. Data security involves
designing how data is encrypted and retrieved and how individuals and machines are identified
to prevent unauthorized access or theft. Data security practitioners mitigate risks from external
and internal threats, enforce security policies, and create methods to protect data (Jain et al.,
2016).
Industry Frameworks and Standards
The National Institute of Standards and Technology (NIST), part of the U.S. Department of
Commerce, developed the NIST Cybersecurity Framework (CSF) in 2014, after initiation by
Executive Order 13636 in 2013 (National Institute of Standards and Technology, 2023), and
updated it in 2024. The NIST CSF provides guidelines for categorizing information and risks
and outlines an information security program across five core functions: Identify, Protect,
Detect, Respond, and Recover (Federal Trade Commission, 2023). NIST SP 800-53 and NIST
SP 800-171 provide control catalogs that organizations can map to CSF outcomes when
building an effective program.
The NIST CSF is designed to guide the consideration of security strategies to Identify,
Protect, Detect, Respond, and Recover, and to develop comprehensive protections across layers
of defense. The Federal Trade Commission (2023) provides a high-level breakdown for
implementing the NIST CSF:
Identify: Develop an asset inventory to identify critical assets and their location, determine
access levels, perform gap assessments, and create an information security policy.
Protect: Implement controls, encrypt data, install security software and routine updates, conduct
backups, and develop records retention and training and awareness programs.
Detect: Monitor systems and devices for unauthorized access and investigate suspicious activity
across the network and by users.
Respond: Create incident response, disaster recovery, and business continuity plans,
investigative processes, and crisis communications plans for use in the event of a data incident
or an inadvertent event.
Recover: Repair and restore affected systems in the event of a crisis and communicate regularly
with affected employees and customers.
In 2024, the National Institute of Standards and Technology updated the NIST CSF to version
2.0 and added a sixth function, Govern, which supports the outcomes of the other five and
provides oversight of the cybersecurity strategy. Figure 10 portrays the NIST Cybersecurity
Framework 2.0.
Figure 10. NIST CSF 2.0 (National Institute of Standards and Technology, 2024).
In 2005, the International Organization for Standardization (ISO) published the ISO 27001
international standard and the supporting ISO 27002 standard. ISO 27001 specifies the
requirements for an information security management system, and certification against it
requires an accredited external auditor to evaluate the program and issue the certification
(International Organization for Standardization, 2024). ISO 27002 guides the implementation of
a comprehensive set of internal controls, divided into control sets, to protect the confidentiality,
integrity, and availability of data. Both ISO 27001 and ISO 27002 support the development of
an Information Security Management System (ISMS), which provides a framework for
evaluating risk, assigning roles and responsibilities, aligning policies and procedures, and
directing efforts toward mitigating risk. As organizations, investors, creditors, and customers
consider a financial organization's security posture, designing an ISMS creates a competitive
advantage, as it demonstrates a dedication to necessary precautions and a commitment to data
protection (International Organization for Standardization, 2024). According to the National
Institute of Standards and Technology (2003),
A successful IT security program consists of: 1) developing IT security policy that
reflects business needs tempered by known risks; 2) informing users of their IT security
responsibilities, as documented in agency security policy and procedures; and 3)
establishing processes for monitoring and reviewing the program (p. 7).
Organizational Practices
Information security practices vary across organizations depending on the industry, regulatory
requirements, executive support, budget, and available talent. Information security departments
differ in how they map frameworks, standards, and controls into risk management strategies,
collaborate with business partners across the organization, and ensure compliance with
regulatory requirements. Risk management strategies include risk acceptance, risk avoidance,
risk reduction, and risk transfer (United States Department of Homeland Security, 2021). Risk
acceptance is accepting the risk and taking no action. Risk avoidance is removing the exposure
to the risk. Risk reduction is taking action to reduce the potential for harm to the business. Risk
transfer is shifting the risk to another "entity, asset, system, network, or geographic area"
(United States Department of Homeland Security, 2021, p. 24). When assessing operational
risk and cyber maturity posture, information security leaders work with executives to classify
and review cyber risk data, determine risk tolerance from acceptable risk levels, and obtain
cyber risk insurance to transfer risk in the event of a data breach (Cremer et al., 2022).
The Payment Card Industry Data Security Standard (PCI DSS) was first released in 2004 and
is maintained by the Payment Card Industry Security Standards Council, formed in 2006 by the
major card brands, to govern any organization that stores, processes, or transmits payment card
data. PCI DSS organizes its 12 principal requirements under six goals: build and maintain a
secure network and systems, protect account data, maintain a vulnerability management
program, implement strong access control measures, regularly monitor and test networks, and
maintain an information security policy (Payment Card Industry Security Standards Council,
2024).
Principles and Program Models
The role of information security professionals is to understand cybersecurity risks and
establish a cybersecurity risk strategy to implement controls (National Institute of Standards and
Technology, 2024). Utilizing a defense-in-depth layered security approach, practitioners design
their programs to include vulnerability management and application security, zero-trust
architecture, governance, risk management, identity management, compliance, privacy, and
security operations. A risk-based security approach involves defining layers within the
technology ecosystem and methods for protecting each layer (e.g., network, application, data,
endpoint, perimeter, and human layers).
Information security teams anticipate rapid changes in the risk landscape to increase
stability within the business ecosystem, impact positive behaviors, and influence consumer trust.
The chief information security officer works with executive leadership to determine desired
business outcomes and risk tolerances and develop objectives to achieve collective goals
(National Institute of Standards and Technology, 2018). Leaders source industry frameworks to
define appropriate data use, write policies and procedures, set standards, and disseminate
employee awareness and communication resources to ensure effective controls are in place to
protect data as it flows throughout the organization. Core principles guide security strategy,
planning, implementation, and management (National Institute of Standards and Technology,
2023). The principle of least privilege hardens the security posture by granting employees only
the permissions, data access, and external email access that their job roles require. The related
need-to-know principle allows only authorized employees who demonstrate a business need to
access specific data. Figure 11 shows how information flows throughout an organization to
determine risk management priorities and leadership alignment.
Figure 11. Notional Information and Decision Flows Within an Organization (National Institute
of Standards and Technology, 2018).
Policies and Procedures
The SANS Institute was created in 1989 as a cooperative for information security
practitioners. The SANS Institute coordinates with information security experts to support
organizations in developing policies and procedures (SANS, 2022). The information security
team employs policies, procedures, and efficiencies for the design, build, and governance of
proprietary technology and monitors the proper handling of data (National Institute of Standards
and Technology, 2024). An information security policy includes the critical components for
creating standards for employee code of conduct and is developed by the information security
team with regular auditing and approvals by executive management. Once policies are approved,
they can be placed on the company intranet, the internal repository where employees can access
them. The human resources department may distribute an information security policy to
employees upon onboarding and ask that they read and sign it to attest to their willingness to
comply with company policies and procedures. Types of information security policies and
procedures that companies develop include a data classification policy and procedure, a mobile
device management policy and procedure, a business continuity policy, a data retention policy,
an acceptable use policy, a risk management policy, and an incident response policy.
Training and Awareness
Employees are the first line of a security defense program and an integral component of
protecting data, as “traditional email security systems are unable to detect spam and stop only the
most basic level of phishing attacks” (Bhardwaj et al., 2021, p. 16). As employee workloads and
expectations increase, even highly experienced staff can make mistakes (Bhardwaj et al., 2021).
Cybercriminals exploit human tendencies to be trusting, helpful, unaware, and careless,
making it challenging to train employees to resist attacks (Archibald & Renaud, 2019). In a study
conducted by Alharthi and Regan (2021) with 791 employees surveyed, 48% earned a degree in
the IT field, yet 40% did not understand the term “phishing attack,” and 58% were unaware of
scam emails. It is through proactive mechanisms such as training and awareness that individuals
can understand information security best practices, learn how to identify phishing emails, and
develop their significant role in data protection to detect and prevent phishing (Bhardwaj et al.,
2021). Training employees to report phishing emails by creating a clear reporting method
without shaming them supports a healthy trust environment between employees and security
practitioners. When employees report phishing emails, a layer of security protection is added
(National Cyber Security Centre, 2024). If a hacker enters the company network, the information
security team can triage the attack by enacting their incident response plan and alerting
authorities in certain cases.
The National Institute of Standards and Technology (NIST) CSF guidelines do not tell
information security practitioners how to create effective training; they specify only that
training is required. The National Institute of Standards and Technology (2018) guidelines for
critical infrastructure state the following requirements:
● Applicable information from organizational privacy policies is included in
cybersecurity workforce training and awareness activities.
● Service providers that provide cybersecurity-related services for the organization are
informed about the organization’s applicable privacy policies.
Declaring and evidencing that online training occurs annually and that a training and
awareness program measures employee behaviors are minimum requirements sufficient for
passing compliance audits. The National Institute of Standards and Technology designed a
manual in 2003, Building an Information Technology Security Awareness and Training Program
to support practitioners. This document declares that a training and awareness program "is
crucial in that it is the vehicle for disseminating information that users, including managers, need
in order to do their jobs" (National Institute of Standards and Technology, 2003); however, it
does not explain how individuals can execute an effective program to drive results. It offers a
high-level list of guidelines for developing a training and awareness strategy and plan:
● Existing national and local policy that requires awareness and training to be
accomplished;
● Scope of the awareness and training program;
● Roles and responsibilities of agency personnel who should design, develop,
implement, and maintain the awareness and training material, and who should
ensure that the appropriate users attend or view the applicable material;
● Goals to be accomplished for each aspect of the program (e.g., awareness,
training, education, professional development [certification]);
● Target audiences for each aspect of the program;
● Mandatory (and if applicable, optional) courses or material for each target
audience;
● Learning objectives for each aspect of the program;
● Topics to be addressed in each session or course;
● Deployment methods to be used for each aspect of the program;
● Documentation, feedback, and evidence of learning for each aspect of the
program;
● Evaluation and update of material for each aspect of the program; and
● Frequency that each target audience should be exposed to material.
Guidelines provide security practitioners with a basic fundamental understanding of how
to build a training and awareness program. Without providing explicit information on how to
execute guidelines and without regulators assessing the effectiveness of the implemented
guidelines during routine audits, security practitioners make assumptions about how to train
populations and deliver their interpretations of training requirements to their organizations. No
specific requirements or tutelage exist for security practitioners on how to train and educate
employees on identifying phishing. Due to a lack of consensus among literature sources, “a
phenomenon results in a situation in which it is challenging for practitioners to create efficient
anti-phishing training programs” (Jampen et al., 2020, p. 3).
Gap Analysis Framework: Stakeholder Knowledge, Motivation, and Organizational
Influences
Clark and Estes (2008) developed a Gap Analysis theoretical framework for performance
improvement to achieve organizational goals. In developing their framework, they identified
three causes of performance gaps: people's knowledge and skills, their motivation to achieve a
goal (particularly when compared to other work goals they are focused on), and organizational
barriers (e.g., lack of resources and inefficient work processes). The authors recognized that
simply paying and training workers does not sufficiently support desired outcomes, as "this
results in the perception of employees as expensive necessities, not business resources that can
increase income" (Clark & Estes, 2008, p. 2). The authors wrote a guide to selecting the right
performance solutions, Turning Research Into Results, to examine employee knowledge and
skills, motivation, and organizational influences and create a gap analysis blueprint for
organizational success. An adapted Gap Analysis conceptual framework will guide this research
study by examining knowledge (factual, conceptual, procedural, and metacognitive; Krathwohl,
2002), motivation (self-efficacy, Bandura, 2000; and value, Ambrose et al., 2010), and
organizational influences (training, communication, and culture).
Figure 12. Adapted Gap Analysis Conceptual Framework.
Employee Knowledge and Skills
Discovering gaps allows for the opportunity to create treatment plans to close gaps and
achieve performance goals. Understanding if employees know the requirements for performance
achievement is necessary for determining gaps. A knowledge and skills gap is identified if
individuals are unaware of how to accomplish performance goals and cannot figure it out
independently (Clark & Estes, 2008). Knowledge is the construction of facts or declarative
information, discrimination, concepts, and awareness of a task, whereas skills are the application
of those facts, and “both knowledge and skills are hierarchical and are logically linked together”
(Healy & Bourne, 2012, p. 5).
Individuals experience disorganized knowledge and transfer failures, which are common
when they do not have adequate structures in place for incoming information and training (Clark
& Estes, 2008). Individuals may know how to solve problems or accomplish a goal but cannot
recall experiences that are relevant to the situation. Training that allows individuals to explore
online resources but does not have clarity and only allows individuals to drift around a
technology tool to compose their own interpretations is insufficient. Training needs to be clear,
descriptive, and relevant to performance goals in order to be effective (Clark & Estes, 2008).
Approaches to building employee knowledge and skills include retrieval learning, which
asks individuals to summarize lessons learned in order to retrieve information from training,
supporting the cognition needed to apply it on the job (Healy & Bourne, 2012). As Healy and
Bourne (2012) expressed, cognitive skills are divided into three stages: stimulus perception,
decision-making and response, and response execution. In the second stage, to promote
effective training, trainers must provide individuals with simple, direct mapping instructions for
applying decision-making and response immediately on the job (Healy & Bourne, 2012) and
begin identifying phishing. An example of an effective training method is Cognitive Task
Analysis (CTA), a method for eliciting and documenting the job knowledge of experts so that it
can be used to train others (Clark & Estes, 2008). With CTA, "it is possible to capture job
knowledge that takes experts about five years to develop in about fifty hours of information for
use in training" (Clark & Estes, 2008, p. 67). As Clark and Estes (2008) explained, "knowledge
is a long-term business investment, whereas information, job aids, and training have a more
immediate and tangible payoff" (p. 63). Generating new conceptual knowledge (e.g., creative
ideas that lead to innovation) among employees has the potential to provide organizations with
long-term success in their maturity posture and supports the advancement of information security
programs as individuals discover opportunities to communicate value through implementing
their creative ideas.
Knowledge and Skills Gaps
Minimizing gaps in knowledge and skills can be obtained through an information security
training and awareness program. Effective training supports employees in retaining information
security knowledge and creates a proactive ecosystem for protecting data (Jampen et al., 2020).
Once employees understand what is expected of them regarding their specific responsibilities
within the company and the consequences for non-adherence, they can sign an information
security policy and attest their compliance. Phishing simulations support employees by testing
their abilities to spot phishing emails as security practitioners identify individuals susceptible to
clicking on links and opening attachments and provide additional learning resources (Archibald
& Renaud, 2019).
Factual Knowledge
Krathwohl (2002) created a taxonomy for developing a learning framework to clarify
learning objectives. As Krathwohl (2002) explained, the knowledge dimension includes what
employees are expected to acquire or conduct to obtain concrete knowledge. Employees must be
aware of social engineering attacks (National Institute of Standards and Technology, 2003).
Factual knowledge includes terminology, specific details, and elements. Employees need to
know what phishing is and the dangers associated with clicking on phishing messages or
downloading attachments from unknown senders (National Institute of Standards and
Technology, 2003).
Conceptual Knowledge
Krathwohl (2002) explained conceptual knowledge as knowledge about classifications,
categories, principles, generalizations, theories, models, and structures. Employees need to be
able to identify suspicious emails from safe emails (National Institute of Standards and
Technology, 2003). Multiple ways exist to identify suspicious emails (e.g., greeting, grammar,
punctuation, subject lines, hovering over the sender’s email address, sense of urgency, email
context, etc.). Employees who can identify a suspicious phishing email are more likely to not
click on links or attachments (Williams et al., 2018).
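To make these indicators concrete, the following Python script is an added example (not part
of the dissertation) that scores an email against several of the cues just listed: a display name
claiming the organization's brand while the address domain is not one of the organization's own,
a Reply-To domain that differs from the From domain, a generic greeting, urgency language, link
text whose domain differs from the link's real destination or a link pointing at a raw IP address,
and attachments with risky extensions. The two sample messages, the trusted domain list, and
the brand name are constructed for the example and are not real organizations or addresses.

```python
"""Phishing-indicator scorer. Added example, not from the dissertation;
the trusted domains, brand name and both sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organization's own sending domain(s) and brand name.
TRUSTED_DOMAINS = {"examplebank.com"}
BRAND = "example bank"

URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|verify your account|act now)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear (customer|user|client|valued member|account holder)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="(?P<href>[^"]+)"[^>]*>(?P<text>.*?)</a>', re.I | re.S)
TAG = re.compile(r"<[^>]+>")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".iso", ".html", ".htm", ".zip")

# Constructed phishing sample: lookalike domain, mismatched Reply-To,
# generic greeting, urgency, and link text that hides a raw-IP destination.
PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank.net>
Reply-To: recover@mailbox-reset.net
To: jane.doe@examplebank.com
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>We detected unusual activity. Verify your account within 24 hours or it
will be suspended.</p>
<p><a href="http://198.51.100.23/login">https://www.examplebank.com/login</a></p>
</body></html>
"""

# Constructed legitimate sample sent from the organization's own domain.
LEGIT = """\
From: "Example Bank Security" <alerts@examplebank.com>
To: jane.doe@examplebank.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Jane,</p>
<p>Your March statement is available in online banking.</p>
<p><a href="https://www.examplebank.com/statements">View statement</a></p>
</body></html>
"""


def registrable(host):
    """Crude registrable-domain reduction (last two labels); a real filter
    would consult the public suffix list."""
    labels = (host or "").lower().strip(".").split(".")
    return ".".join(labels[-2:])


def addr_domain(header_value):
    return parseaddr(header_value or "")[1].rsplit("@", 1)[-1].lower()


def text_parts(msg):
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")


def analyze(raw_message):
    """Return (indicator, detail) pairs found in the message."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = addr_domain(msg.get("From"))
    if BRAND in display_name.lower() and registrable(from_dom) not in TRUSTED_DOMAINS:
        findings.append(("lookalike_sender", from_dom))
    if msg.get("Reply-To") and addr_domain(msg.get("Reply-To")) != from_dom:
        findings.append(("reply_to_mismatch", addr_domain(msg.get("Reply-To"))))

    html = "\n".join(text_parts(msg))
    plain = TAG.sub(" ", html)  # strip markup before scanning the wording
    greeting = GENERIC_GREETING.search(plain)
    if greeting:
        findings.append(("generic_greeting", greeting.group(0)))
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(msg.get("Subject", "") + "\n" + plain)})
    if hits:
        findings.append(("urgency", ", ".join(hits)))

    for m in ANCHOR.finditer(html):
        href_host = urlparse(m.group("href")).hostname or ""
        shown = TAG.sub("", m.group("text")).strip()
        if "://" in shown:
            shown_host = urlparse(shown).hostname
        elif re.fullmatch(r"[\w.-]+\.[a-z]{2,}", shown, re.I):
            shown_host = shown
        else:
            shown_host = None  # plain words such as "View statement"
        if IPV4.match(href_host):
            findings.append(("ip_link", href_host))
        if shown_host and registrable(shown_host) != registrable(href_host):
            findings.append(("link_mismatch", f"{shown_host} -> {href_host}"))

    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            findings.append(("risky_attachment", name))
    return findings


def verdict(findings, threshold=2):
    """Two or more independent indicators is treated as suspicious."""
    return "suspicious" if len(findings) >= threshold else "no indicators"


if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        found = analyze(sample)
        print(label, verdict(found), found)
```

The constructed phishing message trips six indicators while the legitimate one trips none.
These content heuristics are what a trained employee applies by eye; in a mail gateway they
complement, rather than replace, sender authentication checks such as SPF, DKIM, and
DMARC, and the two-label domain reduction used here would be replaced by a public suffix
list lookup.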
Procedural Knowledge
Procedural knowledge, as explained by Krathwohl (2002), includes knowledge of
subject-specific skills, algorithms, techniques, methods, and criteria for knowing how and when
to use appropriate procedures. Employees must know what actions to take once they identify a
suspicious email; one example of procedural knowledge is how to report a suspicious email
(National Institute of Standards and Technology, 2003).
Metacognitive Knowledge
Krathwohl (2002) explained metacognitive knowledge as individual awareness of
cognition. A metacognitive knowledge example includes reviewing phishing knowledge and
skills and identifying areas for knowledge improvement, such as how to increase awareness of
social engineering attacks to better protect their organization’s data (National Institute of
Standards and Technology, 2003).
Employee Motivation
Employee motivation is the internal psychological process that supports efforts to
accomplish goals; its three indexes, active choice, persistence, and mental effort, increase
performance when combined with "effective knowledge, skills, and work processes to result in
goal achievement" (Clark & Estes, 2008, p. 81). Active choice is the active pursuit of a goal.
Persistence is the continued drive toward the goal despite distractions, and with mental effort
individuals work smarter and create novel solutions (Clark & Estes, 2008). Motivation can be assessed by
determining if employees are actively choosing to work toward identifying phishing, persisting
until they are able to successfully identify phishing, and investing the mental effort to achieve the
goal. Identifying employee motivation by active listening and developing feedback loops is key
to understanding their perspectives on training, goal objectives, views on the company and group
cultures, and their self-efficacy in relation to goals.
Employee performance “is largely governed by people’s beliefs about themselves and
their environment” (Clark & Estes, 2008, p. 45). Discovering individual beliefs and perceptions
supports understanding what roadblocks limit an individual from reaching an established goal.
Barriers to motivation include vague and constantly changing performance goals and feedback,
dishonesty, hypocrisy, unfairness, unnecessary rules and work barriers, constant competition
with everyone, and negative, critical, biased, and prejudicial feedback. As Clark and Estes (2008)
expressed, “negative emotion is one of the biggest killers of motivation” (p. 89).
Employee Motivation Gaps
Employee motivation for adhering to information security policies and expected
behavioral conduct needs to focus on encouraging appropriate behaviors, not just scolding
employees for clicking on links and attachments, “focusing on motivating the good in employee
cyber behaviors is a necessary yet too often overlooked component” (Canham et al., 2022, p. 1).
Motivating employees through performance pay or external rewards creates goals for employees
to achieve. Gamification is another strategy that supports a positive learning environment
(Canham et al., 2022). Gamification and competition are methods for encouraging employees to
learn about identifying phishing attacks (IANS Research, 2022). By making security awareness
fun, individuals are enticed to engage with learning content. When individuals complete training
exercises, leaderboards and certificates can be utilized (IANS Research, 2022).
Self-Efficacy
Self-efficacy, as described by Bandura (2000), means that unless individuals believe
they can produce desired results (e.g., identify suspicious emails), they are not motivated to take
action. Perceived self-efficacy affects whether individuals will be motivated
(Schunk & Usher, 2019) to identify suspicious emails, as their behavior is aligned with beliefs
about their capabilities. Factors influencing self-efficacy include perceptions of the difficulty of
identifying suspicious emails and the effort required. Without confidence in using computer
systems and phishing reporting tools, individuals experience difficulty with identifying phishing
emails (Baral & Arachchilage, 2019). Practice, successful performance, and mastery support the
development of self-efficacy (Schunk & Usher, 2019). Confidence in recognizing phishing
emails supports the self-efficacy of individuals to identify suspicious emails and not click on
phishing links or download attachments. Schunk and Usher (2019) declared that how individuals
believe in their own capabilities determines their motivation and aligns their beliefs. Belief in
oneself guides motivation and action as “the stronger the perceived self-efficacy, the more active
the efforts” (Bandura, 1977, p. 4). Individuals who doubt their abilities to identify suspicious
emails will not be as successful in reacting to phishing attacks as individuals who believe in their
own abilities.
Value
As described by Ambrose et al. (2010) and sourced from Wigfield and Eccles (1992,
2000), employee motivation is supported by attainment value (satisfaction from reaching a goal),
intrinsic value (satisfaction from a task rather than the outcome), and instrumental value
(satisfaction from achieving a goal to attain extrinsic rewards). When employees are faced with
competing goals, they select the goal with the highest value. Motivation for competence
develops when employees are guided by learning and performance goals and whether they are
encouraged to achieve goals by either positive reinforcement or fears of consequences.
According to Clark and Estes (2008), values differ among people as individuals place value on
their beliefs, such as interest, skill, and utility. Utility value increases as employees are
encouraged to complete the task of identifying phishing correctly. Eccles and Wigfield (1995)
are referenced in Clark and Estes (2008), describing interest value (individuals select interests
based on “mastering a new skill or adding to their expertise” [p. 95]), skill value (individuals
challenge their special skills), and utility value (attempting a task for the benefits, not because an
individual enjoys it or is good at it) as types of values that connect individuals to work goals.
Utility value is a predictor of performance, interest, and effort, and it grows when employees find
that learning a task or achieving a goal benefits other areas of their lives (Elliot et al.,
2017). Value alone is not enough to create motivation. Expectancies express that to be
motivated, employees must expect they can successfully achieve a goal (Ambrose et al., 2010).
Motivation increases when individuals believe in their own abilities (Clark & Estes, 2008) to
identify suspicious emails and recognize the personal benefits of identifying phishing attacks.
Engaging employees to add to their expertise and align their interests with identifying phishing
instills effective motivation. Employees will be less concerned about the amount of time spent
identifying phishing and will focus on the resulting outcome if identifying phishing is attributed
to their success in their job roles.
Organizational Influences
Determining organizational goals and cascading them down through ranks supports the
macroeconomic systems view and connects employees to business goals. Articulating defined
objectives and expectations of employee performance clarifies employees’ understanding of
what is required to succeed in their role. As individuals declare their concerns with the lack of
resources and missing elements of organizational structure, such as processes and procedures or
tools, organizational barriers can be identified.
Clark and Estes described the tension between stability and change and that “nearly all
available organizational development and change processes fail two out of every three times”
(2008, p. 114). Organizational change processes fail when they do not have a clear vision, goals,
ways to measure progress, the involvement of top management, aligned structures and processes
to goals, constant communication, individuals prepared for the change, and do not provide
employees with knowledge, skills, and motivational support (Clark & Estes, 2008). Creating
change involves solving organizational barriers and developing methods to engage employees to
buy into the change in order to minimize resistance and achieve company-wide goals.
Organizational culture determines the collective strength of an organization as “so much
of our cultural heritage is expressed automatically and unconsciously that our cultural
self-awareness is very limited” (Clark & Estes, 2008, p. 109). Many cultures exist in an organization,
including culture in the environment, groups, and individuals. Culture describes beliefs, values,
goals, emotions, and processes learned in time (Clark & Estes, 2008). Change relies not only on
changing the culture in the environment but on changing knowledge and beliefs within groups
and individuals, which influence decisions and behaviors. Training and communications provide
employees with education, including new concepts, vital processes, and relevant principles
(Clark & Estes, 2008). Refining phishing knowledge results in room for improving
organizational training and supplying job aids and resources (Clark & Estes, 2008).
Organizational Influences Gaps
Employees who join a company with a thriving information security culture that provides
immediate phishing training and communications are more inclined to exhibit desired behaviors.
Employees who observe colleagues repeatedly clicking on phishing links without repercussions
may adopt the same bad behaviors and lose the motivation to avoid clicking on phishing links. As leaders
themselves promote the adoption of information security best practices and cascade down these
expectations among their team members, employees are more likely to assimilate into cultural
norms and practices. Consistency and commitment among leaders are contributing factors to
promoting a culture dedicated to data protection.
Training
In anticipating future challenges with identifying phishing, which require novel problem-solving
approaches, individuals will need to understand how to flag an email as phishing and not
take action requested by the unknown sender (National Institute of Standards and Technology,
2003). In a financial environment where speed and responding to customers and business
partners are critical to business operations, employees are challenged to slow down and pause
before reacting to emails. As Clark and Estes (2008) expressed, employees need information,
training, job aids, and education to close the knowledge gap. Many experienced trainers believe
that half of the knowledge learned in corporate training is disregarded (Clark & Estes, 2008). As
Clark and Estes (2008) explained, trainers must teach in such a way that once training is
complete, employees instantly apply lessons learned. Employees who are provided with
opportunities to use their new knowledge immediately are more successful at retaining
knowledge (Clark & Estes, 2008). Trainers must develop goals to be accomplished by delivering
training (National Institute of Standards and Technology, 2003). Clark and Estes (2008)
expressed that goals increase work commitment by suggesting connections between individual
values and the benefits of goal achievement. Setting clear goals for motivating learners in a
supportive environment supports increased employee engagement (Ambrose et al., 2010). Quota
schemes rewarding individuals for exceeding performance goals are the most effective (Clark &
Estes, 2008). Goals guide employees forward and influence behavioral actions that are
purposeful. Learning goals, as opposed to performance goals, support desired behavioral
outcomes as employees are intrinsically interested instead of extrinsically motivated for a
reward, which supports competence, intellectual risk, and exploration (Ambrose et al., 2010).
Communication
Employee responsibility in identifying phishing attacks is a requirement of the National
Institute of Standards and Technology (2003). Organizations must provide individuals with
information security policies and procedures and communicate expectations and consequences
regarding adhering to policies and procedures before holding individuals accountable (National
Institute of Standards and Technology, 2003). When policies and procedures continuously change,
are not well communicated or comprehended, or are not enforced, employees are left confused
about the culture of data protection and about how to align appropriate data protection
practices with expected behaviors.
Communication is at the heart of an organization, and bi-directional communication
builds transparency and trust between employees and leaders, which helps employees assimilate
and adjust (Clark & Estes, 2008). Lack of communication increases confusion, and
communication that is not understood by the receiver is not effective (Musheke & Phiri, 2021).
As Clark and Estes (2008) explained, vagueness and inconsistency are causes for employees to
make assumptions about performance expectations and code of conduct. In addition, messages
need to be repeated more often than leaders realize (Clark & Estes, 2008). As leaders develop
goals and processes to measure progress, Clark and Estes (2008) expressed that communication
helps employees adjust knowledge used to accomplish goals. As Clark and Estes (2008) stated,
clarity with candid communications supports individuals in developing trust, which increases
commitment to adjusting to established performance goals.
Culture
Culture influences the development of self-efficacy (Bandura, 2000). Bandura’s social
cognitive theory expresses how individuals learn through the influences of others, which affect
individual attitudes (e.g., toward adopting information security best practices), which influences
behaviors (e.g., the adoption of data protection practices) (Schunk & Usher, 2019). By observing
and learning about the data protection behaviors of others and the consequences of misconduct,
individuals determine how to assimilate within a company. Organizations create myriad cultures
over time in a fluid structure for career mobility and as employees recycle (Clark & Estes, 2008).
Complicated changes that affect a work culture include changes in the marketplace,
competition to retain top talent, and leaders entering and exiting at a rapid pace
(Clark & Estes, 2008). Building a positive work culture for protecting data and improving
business outcomes begins with leadership values and their shared executive vision to prioritize
the importance of employee retention. Culture is interpreted differently and can be difficult to
influence as time evolves and patterns are developed (Clark & Estes, 2008). An effective way to
reduce risk and phishing click rates is to build an information security culture that encourages
employees to embrace data protection and align with company policies (National Institute of
Standards and Technology, 2023). Organizations can improve employee motivation and
knowledge by establishing a “'cyber security champion' network, developing a brand for the
cyber team, building a cyber security hub, and aligning security awareness activities with
internal and external campaigns” (Alshaikh, 2020, p. 1). As Alshaikh (2020) explained,
cybersecurity champions help employees apply security practices, including how to report
phishing and direct individuals to a variety of content located on a security intranet site. A
security brand used consistently helps provide a visual identity to pay attention to important
security campaigns and announcements, and aligning security messaging with organizational
messaging creates greater impact (Alshaikh, 2020). Individuals who experience a culture
promoting information security best practices are likelier to exhibit desired behaviors (Frenken,
2020).
Summary
With the rise in data breaches and millions of individuals affected, such as in the Equifax
and First American Financial Corporation breaches, consumers' lack of trust is increasing, and
“because of this mistrust, the imperative for businesses to get out in front of these issues could
not be greater” (Ana, 2020, as cited in Bernard, 2020, p. 1). As the cyber threat landscape evolves
and criminals continue to develop innovative social engineering techniques leveraging advances
in technology, the best line of defense for safeguarding data is human capital provided with the
knowledge, motivation, and organizational influences to defend against cybercrime. This
research study explored understanding the perceptions of individual experiences with identifying
phishing attacks. This dissertation supports the development of identifying mechanisms for
driving organizational change and developing an effective training and awareness program.
CHAPTER THREE: RESEARCH METHODOLOGY AND APPROACH
This research study focused on the problem of practice of the high rate of employees in
financial organizations clicking on phishing links, positioning their companies at risk of a data
incident or breach. The methodology for developing this research study incorporated an adapted
Gap Analysis conceptual framework. The approach to conducting this qualitative research study
included interviewing individuals about their perceptions and experiences with phishing.
Interview questions were designed with regard to expectations of knowledge construction
(factual, conceptual, procedural, and metacognitive knowledge) (Krathwohl, 2002), motivation
(self-efficacy [Bandura, 2000] and value [Ambrose et al., 2010]), and organizational influences
(training, communication, and culture).
Overview of Research Design
This research study examined the perceptions and experiences of employees through the
lens of Gap Analysis by utilizing qualitative research. The emphasis of this research study was
on discovering individual experiences to better understand the subjective opinions and views of
phishing. The researcher created a list of questions related to the problem of practice and the
interview protocol, which is located in the appendix section of this dissertation. The researcher
created 10 questions that focused on the adapted Gap Analysis conceptual framework
(knowledge and skills, motivation, and organizational influences). Five questions related to
knowledge and skills and incorporated factual, conceptual, procedural, and metacognitive
knowledge types of questions. Two questions related to motivation, and the types of questions
focused on self-efficacy and value. Two questions related to organizational influences, and the
types of questions focused on training, communication, and culture. One question related to
motivation and organizational influences. This research study was designed around the following
two research questions.
Table 2
Research Questions
RQ 1. What individual knowledge and motivation is needed for employees to identify
phishing attacks?
RQ 2. What are the organizational influences that impact employees to identify
phishing attacks?
Research Procedure
The researcher aimed to broaden geographical reach by seeking participants through
networking and displaying an announcement and invitation for participation on her personal
social media profiles: LinkedIn, Facebook, and Instagram. The researcher reviewed the interests
of potential subjects and emailed confirmation once they met the specific criteria for
participation in the study. Once the researcher had a sufficient interview pool of candidates,
interviews were scheduled. The researcher provided the participants with a consent form and the
set of questions in advance to provide transparency and clarity around the research study. The
researcher conveyed expectations of the time length and setting of the interviews to ensure
participants were comfortable with the setting format.
Research Setting
The researcher conducted virtual one-to-one interviews and spent introductory time
developing rapport, leveraging the strength of the intimate format (Merriam & Tisdell, 2016).
Prior to conducting each interview, the researcher ensured that participants approved of the
recording. The researcher aimed to conduct personable and engaging interviews, as the
interviewees' comfort was vital to their openness and candidness in their responses. Upon
approval by the interviewees, the interviews were recorded for transcribing purposes and
accuracy.
The Researcher
Positionality refers to the context in which the researcher interprets the social world
(Bukamal, 2022). Epistemology, coupled and defined by positionality and combined with
intersectionality, is the origin of privilege (Secules et al., 2021). The researcher is privileged to
work in the top 1% of female information technology leaders at her global cybersecurity firm. As
a leader reporting to the chief information security officer, she oversees the information security
portfolio and budget, drives transformation and the customer zero program, and guides the
design of security education technology. The researcher is positioned to understand the current
cultural climate and provide recommendations to influence company goals and data protection
best practices.
The researcher’s paradigm encompasses interpretive, constructivist, and critical
worldviews (Creswell & Creswell, 2018), where reality is an interpretation, and reflection and
learning are constructs of the meaning of experiences. As mentioned by Creswell (2013, p. 24),
cited in Merriam and Tisdell (2016), in the constructivist worldview, "individuals seek
understanding of the world in which they live and work" (p. 9). In honing a mindset of inquiry,
the researcher drove a scientific learning mindset of curiosity throughout the interview research
study to challenge any preconceived assumptions. The researcher designed interview questions
that were understood by participants in the same manner as the researcher planned by explaining
the information being asked and confirming that participants interpreted the questions as
intended. The researcher created clear and specific questions and looked for consistency in
responses to similar questions (Merriam & Tisdell, 2016).
The researcher worked to mitigate bias regarding personal views on preferred learning
methods and valued the needs and interests of participants (Robinson & Leonard, 2019). The
researcher purposefully discovered insights into the interpretation of individual experiences in
relation to understanding participant responses. The researcher did not design the study with
leading questions. The researcher has experience training populations on identifying phishing,
tracking employee phishing behavioral performance, providing remediation support to reduce
infractions of repeat offenders, and delivering reporting to executives to drive down click rates.
The researcher examined her own bias toward opinions on effective training, communication,
and culture and did not lead participants in suggestive questions to support her hypothesis. The
research utilized truthfulness and objectivity, which are critical components of ethical inquiry
(Creswell & Creswell, 2018). The researcher remained neutral and listened, observed, and
learned from participants’ experiences and perceptions, and did not create inferences or induce
her own judgment but rather collected findings as they were shared and presented in the analysis
portion of this dissertation. The researcher did not engage in confirmation bias.
Data Methods
The approach to conducting this qualitative research study was semi-structured. The
researcher combined structured questions with an unstructured format to allow new information
to emerge (Merriam & Tisdell, 2016). The semi-structured format for these interviews assisted in
creating a flexible conversation, offering a deeper understanding of the interviewee’s
perceptions, beliefs, and experiences as questions flowed naturally. Supporting questions kept
the conversation fluid to engage the participant.
Participants
Interviews focused on specific criteria to better understand the problem of practice as it
relates to a particular population. The criteria for this research study included individuals who
currently work in a United States financial organization, have a hire date within the last two
years, and have experienced phishing training. The researcher gathered 13 participants and
discovered insights for recommending solutions to solving the problem of practice.
Instrumentation
Video interviews were conducted synchronously through the Zoom application. The
Otter application was used to transcribe responses. The researcher transcribed the interviews
verbatim. The interviews were recorded and saved for future use. Upon concluding the analysis
of findings and publishing this dissertation, the researcher will destroy saved files and email
participants that their responses have been published and recordings of their interviews have
been destroyed.
Data Collection
The researcher began pursuing data collection in August 2023 and continued until
saturation. Recorded interviews lasted between 45 and 60 minutes. To assist with data collection, the
researcher created a digital log of detailed responses to utilize in the data analysis phase. A
spreadsheet log with responses aligned to questions supported the approach to analyzing the data.
The researcher created a journal of her own thoughts and perspectives on the content provided by
participants to aid in the research process and regularly reviewed her notes to reflect on insights
learned in the process of developing data categorization. Reviewing notes aids the research
process by eliminating any discovered biased interpretations, clarifying unclear responses with
participants, and highlighting areas of reflection where the researcher probed further to discover
validity in underlying assumptions.
Data Analysis
The comparison of similarities and differences in responses across research participants
was analyzed alongside their interpretations and meanings of responses. The methodology for
analyzing this research study included using a priori coding and emergent coding to classify
responses, and the coding of responses was utilized to identify trends and patterns among
participants. The researcher developed a thematic analysis of core Gap Analysis concepts and
used qualitative data analysis in the presentation of the results as findings. The data was
evaluated to contextualize methods and frame the findings. In reviewing the transcripts from the
participants, gaps in identifying phishing attacks were identified among knowledge, motivation,
and organizational influences. To concentrate on the research problem, the data was organized
by the research questions, applying a combination of the adapted Gap Analysis conceptual
framework and logical structure (Elliott & Timulak, 2021). The data was structured according to
the interview protocol utilizing Gibbs’ (2018) comparative analysis to identify and construct
themes and code responses among participants.
Credibility and Trustworthiness
The respondent validation method for data collection was used to maximize the
credibility and trustworthiness of this research study. The researcher shared interview transcripts
with research participants to verify the accuracy of the information provided (Creswell &
Creswell, 2018). Participants were requested to validate their answers to eliminate biased
misinterpretation of their responses (Merriam & Tisdell, 2016). As Ravitch and Carl (2019)
expressed, qualitative research is interpretive by nature, and the findings presented by the
researcher are subjective, even with the best intent to remain unbiased. Respondent validation is
a credible approach to challenging one’s understanding of the data and supports the analytical
strategy of purposefully seeking evidence to challenge findings. The researcher designed
respondent validation by creating follow-up emails to confirm answers with participants to
ensure the researcher did not find out what she expected to find and that the data collected was
accurate according to the participants. According to Merriam and Tisdell (2016), “this is the
single most important way of ruling out the possibility of misinterpreting the meaning of what
participants say” (p. 246).
In order to maintain integrity, the researcher purposely reviewed data that had contrary
explanations and challenged biased expectations by creating probing follow-up questions to
better understand the data. The researcher presented the findings in congruence with the data.
Verification of the researcher’s documentation showed empirical evidence of the data analysis
findings. Credibility and trustworthiness are key components to ensuring accuracy in findings
and the delivery of represented statements and artifacts. Ratcliffe (1983, p. 149), cited in
Merriam and Tisdell (2016), suggested that "data do not speak for themselves, there is always an
interpreter, or a translator" (p. 242). Respondent validation supported the confirmation process of
interpretations and materials prior to delivering findings to mitigate any misinterpretations by the
researcher.
Ethics
The researcher safeguarded the responses of all participants and respected “the rights,
needs, values, and desires” of the research subjects by explaining their participatory rights and
ability to contest responses during respondent validation and even change their minds (Creswell
& Creswell, 2018, p. 206). The researcher articulated in writing and verbally disclosed
information so that participants fully understood the scope of the research study and expectations
of the research study process, and the researcher obtained permission from the research
participants in order to proceed with conducting the research study. The researcher provided
clear information to participants that, at any point, a participant had the right to choose to
withdraw from the study.
CHAPTER FOUR: FINDINGS
The purpose of this research study is to address the problem of practice of the high rate of
employees in financial organizations clicking on phishing links. The Clark and Estes (2008) Gap
Analysis theoretical framework portrays knowledge, motivation, and organizational influences
guiding this study. Semi-structured qualitative interviews were conducted with 13 participants in
August 2023. Interview questions were inclusive of knowledge construction (factual, conceptual,
procedural, and metacognitive knowledge), motivation (self-efficacy and value), and
organizational influences (training, communication, and culture). This chapter will further reflect
on findings and unique perspectives among participants. A priori codes and emergent codes were
used in alignment with the research questions:
1. What individual knowledge and motivation is needed for employees to identify phishing
attacks?
2. What are the organizational influences that impact employees to identify phishing
attacks?
Participating Stakeholders
The 13 individuals in this study met the criteria for participating in this research,
including currently working in a United States financial organization, having a hire date within
the last two years, and having experienced phishing training. Two of the 13 participants work in
small-sized companies (under 100 employees), while the remaining 10 participants work in
enterprise-sized companies (over 1,000 employees). Three of the 13 participants manage staff,
while the rest serve as individual contributors. Participants work in financial industries ranging
from banks to mortgage lenders and financial advisory firms. Participants were representative
across the United States, from the North, South, East, and West regions. The participants'
financial industry experience ranged from one year to 30 years. The participant pool varied in job
responsibilities from marketing and sales to entry-level roles in information security and an
information security department's chief information security officer. Table 3 lists participating
stakeholders, the region of the United States in which they reside, their specific industries within
the financial sector, years employed in the financial sector, their role, company size, and if they
manage employees.
Table 3
Participants
Participating Stakeholder | Region | Financial Industry | Years in Financial Sector | Role at Company | Company Size | Manager
Lyra | West | Bookkeeping | 20 | Accounts Payable Lead | Small | No
Rigel | Northeast | Mortgage | 2 | Public Relations | Enterprise | No
Sirius | Southwest | Real Estate | 1.10 | Cybersecurity Engineer | Enterprise | No
Capella | West | Bank | 25 | Project Manager | Enterprise | No
Phoenix | Southwest | Investment Advisory | 1 | Business Owner and Sales Executive | Small | No
Draco | Midwest | Digital Bank | 1.7 | Internal Cyber Auditor | Enterprise | No
Hydra | West | Title Insurance | 30 | Escrow and Title Sales | Enterprise | No
Lynx | Midwest | Mortgage | 12 | Technical Writer | Enterprise | No
Polaris | West | Mortgage | 12 | Privacy Lead | Enterprise | Yes
Aquila | West | Bank | 13 | Financial Advisor | Enterprise | No
Vega | Midwest | Mortgage | 12 | Information Security Operations Manager | Enterprise | No
Betelgeuse | West | Financial Planning | 12 | Senior Marketing Director | Enterprise | Yes
Orion | Southwest | Bank | 7 | Chief Information Security Officer | Enterprise | Yes
Phishing Attack Experiences
While the following section does not relate to a specific research question, it provides
background on the phishing experiences of the participants. A surprising finding from the
interviews was that more than half of the participants had clicked on a phishing link. Nine of
the 13 participants admitted to clicking on a phishing link at a previous company, three of them
on a phishing simulation, and one participant had been through ransomware incidents at a
previous organization. Participants learned the serious implications of phishing from these direct
experiences. Lyra lost a job after uploading sensitive payroll information to a public website, and
was later socially engineered and scammed out of money in a personal capacity. In a separate
incident, Lyra was reprimanded for downloading unauthorized information. In another incident,
Lyra purchased gift cards for a cybercriminal who sent fake checks as reimbursement; Lyra had
given the criminal a bank account number and had to close that personal account. Lyra shared, “I actually
fell victim to a scam. I gave them my account number. I'm kind of a little gullible and kind of
buy into some of them. I mean, they look so legitimate, they're getting more clever.” Rigel
mistakenly clicked on a phishing email and stated, “I did actually click a link at a previous
company that I didn't mean to click but I accidentally clicked on it.” In addition, Vega said, “At
one point at my previous company, when it was very early on, I did click on a phishing link.”
Betelgeuse experienced data theft and said, “I have had my personal information stolen before.”
Draco experienced ransomware twice due to phishing. Draco did not click but was a team
member on the information security team, hired to lead the incident and repair services during
the recovery effort. Draco explained,
I was on the job for three weeks, and we got hit with ransomware, the cause of that was a
phishing attack. It was the third-largest school district. I got to learn real quick what it
was, how it works, and what the effects are. They got hit by one click of an email. Then I
came on, and they had already been in the network for a year before I got there. Then we
got hit the second time, and the schools were shut down for like, a month and a half. We
were able to recover probably 90% of data, so we're able to build from that. So yeah, I
was brought in to shore up security. And so the director says to the board, it's going to be
about $2 million and take about two years. Fast forward, and we had an open checkbook
from the board of education. Security is never an issue until it becomes an issue. You're
going to pay for it on the front end or the back end.
Participants were candid in their responses, openly describing their previous phishing
incidents. This transparency helped the researcher frame their perceptions of phishing. None of
the participants in this study are entry-level employees just entering the workforce; all had
previous employment experience and had been informed about phishing. Participants provided
ample information about their perceptions of knowledge, motivation, and organizational
influences on identifying phishing, as guided by the interview protocol.
Research Question 1: Knowledge and Motivation Needed to Identify Phishing
Participants provided insights into their perceptions of becoming susceptible to phishing
attacks. Participants demonstrated their perceptions regarding factual, conceptual, procedural,
and metacognitive knowledge and motivation, including self-efficacy and value. Participants
shared their perspectives on improving knowledge and motivation, which can be supported at the
organizational level.
Knowledge
Participants were interviewed in accordance with lower to higher-level thinking skills in
their cognitive process as expressed by the Anderson et al. (2001) revision of the original
Bloom’s taxonomy (Bloom & Krathwohl, 1956), where the cognitive domain is redefined at the
intersection of the Cognitive Process Dimension and the Knowledge Dimension. Participants
described their perceptions of identifying phishing attacks through the cognitive process of
remembering, understanding, applying, analyzing, evaluating, and creating, combined with their
factual, conceptual, procedural, and metacognitive knowledge. Thirteen out of 13 participants
expressed varying levels of knowledge about phishing, and none of the participants were
unaware of what phishing is and the dangers associated with clicking on suspicious emails. Five
of the 13 participants currently work within an information security department and have
demonstrated advanced phishing knowledge. The challenges that impede identifying phishing
attacks ranged from a lack of understanding of new trends and of how cybercriminals use artificial
intelligence to difficulty identifying suspicious content in media other than email, such as text
messages.
Factual Knowledge
Factual knowledge of phishing supports individuals with an understanding of identifying
suspicious emails and the dangers associated with clicking on phishing links or downloading
attachments (National Institute of Standards and Technology, 2003). Thirteen out of 13
participants demonstrated factual knowledge of phishing, including the basic elements of
phishing and the importance of safeguarding data at their organizations. Participants expressed
their own definitions of their perceptions about what phishing is and understood the risks and
consequences associated with clicking on phishing links or downloading attachments.
Participants shared that the phishing emails they receive have been targeted at their line of
work in the financial industry, and that the types of attacks they have experienced include
business email compromise, spear phishing, phishing, vishing, and smishing.
Accurately Defining Phishing
Thirteen out of 13 participants demonstrated a general understanding of phishing.
Participants shared their own definitions as they described what phishing is. Rigel stated,
“Phishing is when you're getting either emails or texts and if you click on them, bad things can
happen, people can steal your identity, you can be exposing the company and yourself to data
loss.” Participants understood how social engineers manipulate and deceive individuals and
disguise themselves in attempts to fool victims, as Aquila shared, “It's like rattling messages for
the most part. They're just looking for confidential information, and they usually seem legit, or
coming from trustworthy sources. Looks very familiar, but it's kind of tricky.” Individuals who
work in information security are versed with advanced vocabulary about phishing, as Draco
stated, “Phishing is where bad guys are trying to get in and get you to give up some credentials to
threat actors.” In addition, Vega said, “People try to gather your financial information or
personal information in some way, shape, or form via email. They try to disguise themselves to
capture that information so that they can use it for typically illegal activities.” Participants
understood that phishing is an attempt by threat actors to gather sensitive information with
harmful intent, as expressed by Betelgeuse, who shared, “somebody's trying to gather your
information so they can steal from you so they can potentially use it.” None of the participants
lacked awareness of the dangers associated with clicking on links or downloading attachments
from unknown senders. While participants demonstrated an awareness and understanding of
what phishing is, if they are unaware that the messages they receive are phishing, they are at risk
of responding or taking action requested by the threat actor.
Conceptual Knowledge
Conceptual knowledge of phishing includes understanding the interrelationships among
the basic elements of phishing, identifying suspicious emails, and constructing the meaning of
social engineering (National Institute of Standards and Technology, 2003). Employees should be
able to determine how cybercriminals develop unusual and alarming requests and use urgency to
solicit action from their victims (Cybersecurity and Infrastructure Security Agency, 2023).
Thirteen out of 13 participants could describe the appearance of a phishing email and identify
red flag warning signs. Participants expressed vigilance toward identifying phishing and
described the indicators of a suspicious email.
Correctly Identifying Phishing
Thirteen out of 13 participants expressed their recognition of identifying phishing and the
characteristics of a suspicious email. Participants were asked to explain how they identify and
determine a suspicious email as phishing. Generic phishing emails contain the following warning
signs, as understood by Betelgeuse, who explained, “It's almost intuition. The email is usually
cheesy and looks like a five-year-old in it.” Participants noted the characteristics to identify
phishing, for example, Phoenix shared, “jumble of letters and numbers, that's a red flag, or if the
URL domain doesn't match.” In addition, Aquila stated, “There are usually different font sizes,
and the email signature, sometimes it just looks weird.” Participants were aware that social
engineers cleverly disguise the appearance of their email address to mimic a legitimate company,
as expressed by Rigel, who said,
If you think an email is suspicious, look at the sender. Just because it appears to be
coming from maybe somebody or a company that you know, you have to look at the
actual email addresses. Identify if something looks like it's false. There may be some sort
of a trap with the link when it's coming from a company or a person that I've never heard
of or done business with before. If there are a lot of misspellings within the email that can
also be a giveaway.
Participants explained that identifying suspicious emails is becoming more challenging,
as Lyra shared, “They're getting more clever. Anything that's trying to get information would be
considered a potential phish until it's verified.” Participants understood that threat actors design
their techniques in anticipation of manipulating a victim and are continuing to improve their
skills. None of the participants were unfamiliar with current email tactics employed by social
engineers. Individuals who know what to look for to identify a suspicious email are equipped to
pause, reflect, and not click on suspicious links or open attachments. Without awareness and a
conceptual understanding of social engineering tactics criminals use to trick users into divulging
sensitive information, susceptibility to engagement increases.
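The red flags the participants describe (a sender address that only resembles a known company, a Reply-To that does not match the sender, link text that shows one domain while the link points to another) can be checked mechanically before a user has to fall back on intuition. The following Python script is an added example and is not part of this dissertation or of any participant's organization; the trusted domain examplebank.com, the sample message, and the lookalike rules are constructed assumptions for illustration only.

```python
"""Heuristic phishing-indicator checks over a raw email message.

Added example, not part of the dissertation. The trusted-domain set and the
sample message below are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organization's own domain(s). Anything imitating these is suspect.
TRUSTED_DOMAINS = {"examplebank.com"}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain: str, trusted: str) -> bool:
    """True when `domain` imitates `trusted` without being it or a subdomain of it."""
    if not domain or domain == trusted or domain.endswith("." + trusted):
        return False
    if domain.startswith("xn--") or ".xn--" in domain:  # punycode (homoglyph) label
        return True
    normalised = domain.replace("1", "l").replace("0", "o")  # examp1ebank -> examplebank
    brand = trusted.split(".")[0]
    return normalised == trusted or brand in normalised  # brand embedded in foreign domain


class _Links(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    """Hostname of a URL or of bare link text such as www.example.com/path."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check_message(raw: bytes, trusted=TRUSTED_DOMAINS) -> list[str]:
    """Return human-readable findings; an empty list means no heuristic fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Sender checks: the display name may claim a brand the address does not carry.
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    for t in trusted:
        if lookalike(from_dom, t):
            findings.append(f"sender domain {from_dom} imitates {t}")
        brand = t.split(".")[0]
        if brand in name.lower() and from_dom != t and not from_dom.endswith("." + t):
            findings.append(f"display name '{name}' suggests {t} but address is {addr}")

    # 2. Reply-To pointing somewhere else is a classic BEC / invoice-fraud tell.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply)} differs from From domain {from_dom}")

    # 3. Link checks: visible text that shows one host while the href goes to another.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        parser = _Links()
        parser.feed(html_part.get_content())
        for href, text in parser.links:
            target, shown = _host(href), _host(text)
            if shown and "." in shown and shown != target:
                findings.append(f"link text shows {shown} but points to {target}")
            for t in trusted:
                if lookalike(target, t):
                    findings.append(f"link host {target} imitates {t}")
    return findings


# Constructed sample message exhibiting the red flags described in the text.
SAMPLE = b"""\
From: "ExampleBank Security" <alerts@examp1ebank.com>
Reply-To: support@mail-verify.net
To: employee@examplebank.com
Subject: Urgent: verify your account within 24 hours
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity. Please verify now:</p>
<a href="http://examplebank.secure-login.net/verify">https://www.examplebank.com/login</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print("-", finding)
```

`check_message` returns a list of findings; an empty list means none of these heuristics fired, which is not evidence that a message is safe. The lookalike rule deliberately stays simple (digit-for-letter substitutions, punycode labels, and a trusted brand name embedded in an unrelated domain). A production mail gateway would add sender authentication results (SPF, DKIM, DMARC) and URL reputation, which this script does not model.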
Procedural Knowledge
Procedural knowledge of phishing is the informational criteria individuals combine with
their skills to take appropriate action once they identify a phishing attack (National Institute of
Standards and Technology, 2003). Participants explained their behaviors upon receiving
suspicious emails and their actions to delete or report them to their technology department. Once
an email is identified as suspicious, 13 out of 13 individuals explained how they report and/or
delete it. Participants who report suspicious emails using a report button in their email client
have the message forwarded automatically to the information security department and deleted at
the same time. Company policies vary in how specifically they set out these requirements.
Reporting and Deleting Phishing Emails
Eleven out of 13 individuals explained they reported phishing emails. Two out of 13
individuals stated they deleted phishing emails. Lyra understood that not clicking on phishing
links or downloading attachments was an expected course of action for handling a phishing email
as well as reporting it to the information security team, and said, “So, normally what I'll do is just
report it and block it. That way, you know, I don't even have to worry about it anymore.” In
addition, Sirius shared, “We are trained not to take chances so I forwarded the entire message to
our security operations team and basically, they dissect it and figure it out.” Company protocol
can be misinterpreted when companies do not clarify expectations or enforce policy, as Lynx
explained, “I submit it and mark it as a suspicious email which quarantines it and
sends it to our security team. Company policy encourages that employees do that but they don't
have to do it.” Participants were aware of the basic actions to take once they flagged an email as
phishing.
Metacognitive Knowledge
Metacognitive knowledge of phishing includes a review of individual comprehension of
phishing attacks and areas for improving knowledge and skills (National Institute of Standards
and Technology, 2003). Thirteen out of 13 participants evaluated their knowledge about phishing
and reflected on what they already knew about phishing and any curiosity about learning more
about the subject. As individuals reflected on their understanding of phishing and what, if
anything, they would like to know more about to better identify phishing attacks, they expressed
a desire toward continued education in specific topics, including how criminals conduct their
operations, phishing trends, artificial intelligence, and different types of phishing techniques.
Criminal Operations
As participants considered what they would like to know more about regarding phishing,
seven out of 13 participants were interested in learning about criminal operations, how criminals
conduct their phishing attacks, and the purpose of why they are committing illegal activities.
Participants were curious about individuals who conduct cybercrime, as explained by Rigel, who
shared, “My interests would be who is doing it and why, what types of information are they
looking to get from me by sending a phishing email to me.” In understanding how criminals
operate and the step-by-step process for conducting a phishing attack, participants would like to
better understand how phishing scams work and how criminals benefit from obtaining sensitive
information, as Aquila stated,
I would like to know more about smart people doing bad things and what's really the
purpose of it besides having access to confidential information. When they want to install
a virus on your computer, what do they get from it, what's the benefit?
Participants were interested in the technical side of criminal operations, as Draco stated,
“Some of the backend stuff I don't know and would like to get to know more of the tech side of
it.” In addition, Betelgeuse said, “I would want to know exactly how they do it.” Participants
wanted to demystify criminal operations and what happens once criminals obtain sensitive
information, as explained by Polaris, who shared,
Being able to see the behind-the-scenes, like how quickly once you click on it, what
happens. Where does it go? How does a hacker work and what kind of data can be traded.
I think that kind of view is very powerful.
Participants were interested in understanding the desired outcomes of threat actors. Knowing
what a cybercriminal intends to do with the obtained information would help participants
become more vigilant in identifying suspicious emails. Showing interest in advanced knowledge
about phishing was an indicator that participants aspire to reduce their susceptibility to falling for
a phishing attack.
Phishing Trends
The word “trends” was used by 12 out of 13 participants when discussing what they
would like to learn more about in regard to identifying phishing attacks. Participants were
interested in capturing information about phishing attacks circulating their industry, as Lyra
shared, “It'd be nice to be on the lookout for common factors and track trends.” In addition,
Sirius shared, “What are phishing trends that they're seeing and how are those attacks playing
out? What can be done to protect it?” When asked about what the organization could do to
further support employees in identifying phishing, Betelgeuse was interested in how quickly the
organization could identify a trend and stop a phishing attack and shared, “Whenever they spot a
trend, try to get to the bottom of the issue before it spreads like wildfire.” As participants
reflected on learning about phishing, there was a desire to receive information about trends
targeted not only to the financial sector but to their organization specifically, as Lynx said,
I would like to see some more real-time data about what is going out and even monthly
trends we're seeing to keep an eye out for. I think that'd be very helpful to see what kind
of trends are out there, not just out there in the marketplace as much as what kind of
trends we've seen specifically targeted to our company.
Participants were interested in trends because they did not know which phishing techniques
were circulating in their industry. Individuals who are unaware of the phishing attacks trending in
their industry are potentially vulnerable to becoming victims. Participants repeatedly expressed a
desire for their organizations to supply them with knowledge about phishing trends.
Artificial Intelligence
When asked about improving their phishing knowledge, six out of 13 participants stated
they were interested in learning more about artificial intelligence, how criminals use it in their
operations, and how their companies can use it to protect against phishing. With the rise
in GenAI such as ChatGPT, participants were interested in how to prepare for potential phishing
attacks, as described by Sirius, who shared, “The ability to have technology that can better
analyze what we're about to encounter with ChatGPT. That's where I feel if there's any area that
would require additional understanding would be that because of what we're preparing to
experience.” In addition, Capella said, “AI and machine learning are basically working 24 hours
a day without supervision. And I'm sure there's a lot of interesting things to learn about the
application of those technologies.” As threat actors leverage GenAI, phishing emails are
becoming harder to spot, as Lynx explained, “Especially with the advent of
changing technology and all the AI out there. There are a lot less typos in them. Now, it's hard to
know for sure if it's a phishing email as the technology gets more and more advanced.” When
asked about specific interests in learning more about artificial intelligence, Orion stated,
asked about specific interests in learning more about artificial intelligence, Orion stated,
I think we're all interested in how generative AI will impact phishing. From a knowledge
perspective, at my level, I would like to know how they are using generative AI to
improve their campaigns. I've literally run into employees who have said, if you don't
block it (in regard to phishing emails), then I believe I can actually click on it. There are
some employees who have this mentality, that it is up to the IT department to 100%
protect them. There's no security tool that is 100% effective.
Two participants asked that their company add warning banners to their email clients that
flag messages that may be suspicious. As Vega said, “It'd be great if we had a banner in Outlook
that would tell us about the email. I've heard that this is something that can be done. It's just
something that hasn't been done. And that would really help me determine what is legitimate so I
don't have to worry.” A visible indication of potential phishing would support participants in
treating flagged emails with caution. In mature security programs, email security tooling blocks
known phishing emails before delivery or flags suspicious ones with a visible warning to the user.
Phishing Techniques
Twelve out of 13 participants were interested in learning more about phishing techniques
and described a need for support in identifying tactics cybercriminals use. Participants
understood phishing techniques evolve, as Lyra shared,
Do they have a more detailed explanation of the types of phishing? It'd be nice to know
what common phishing scams we would potentially see so that we would be more aware.
Especially if there are newer techniques and newer ways that they've been sending these
things.
As criminals improve their skills, participants are unsure how to stay vigilant against
techniques they have not yet seen, as Rigel explained, “I imagine the level of
sophistication and phishing emails probably gets greater and there are new forms of phishing I
might not be looking for.” In addition, Hydra explained, “I understand what's out there, but
there's always new stuff coming out, current hacks that are happening.” Phoenix was concerned
with the rate of how fast criminals are improving their techniques and shared,
What are the new and novel attempts coming along? I certainly want to stay on top of
that. It's scary how fast the people who implement phishing attempts evolve and how
creative they are. It's the thing that worries me when I stop and think about this. I might
just not know what I don't know.
As criminals continue to evolve their operations, phishing attempts on mobile devices and social
media are newer techniques that participants are interested in learning more about, as Polaris
shared,
I think the only thing that I may be interested in is how it's working across devices. I
receive phishing through my phone. And so far, I haven't been susceptible to it. I've
caught it. But I think with the immediacy that we respond on our mobile devices, that
increases the likelihood that someone is going to react versus taking the time to think
about what it is that someone has just sent them. Hackers are leveraging technology and
so, you just don't want to be caught with a new technique that you weren't aware of.
While participants understand how phishing attacks occur in an email, they are unclear about
how threat actors utilize other platforms. Threat actors continuously invent new ways to attack
employees and improve their efficiency, using alternative methods to deploy social engineering
attacks.
Motivation
Participants expressed their perceptions of self-efficacy and value as drivers of
motivation. Active choice, persistence, and mental effort toward goals are facets of motivated
performance rooted in the desire to be effective in impactful activities (Clark & Estes, 2008).
Participants shared their perceptions regarding motivation to identify suspicious emails and not
click on links or download attachments from unknown senders. Thirteen out of 13 participants
expressed motivation was a factor in identifying phishing attacks. Participants provided insights
into improving their confidence, as well as the value of how their efforts to identify phishing are
directed. The challenge impeding motivation toward identifying phishing attacks was a lack of
self-efficacy toward recognizing sophisticated phishing techniques, such as phishing created by
GenAI, rendering suspicious emails more difficult to identify.
Self-Efficacy
Self-efficacy supports individuals in believing they can achieve desired results (Bandura,
2000). Thirteen out of 13 participants expressed high self-efficacy in identifying common
phishing tactics but expressed low self-efficacy in identifying advanced phishing attacks. None
of the participants expressed low confidence in their abilities to identify suspicious emails;
however, they admitted that even though they have confidence with current phishing strategies,
novel techniques and technologies are continuously utilized by cybercriminals, which decreases
their confidence in spotting advanced phishing attacks. Individuals reflected on what would
improve their confidence to identify novel phishing attacks, describing a lack of understanding
about the advanced techniques of cybercriminals.
Wavering Confidence in Recognizing Phishing Tactics
Thirteen out of 13 participants demonstrated confidence in recognizing common phishing
tactics. Participants were asked to share their perceived confidence levels and attributing factors.
All 13 participants felt highly confident in their abilities to detect a phishing attack. However,
every participant still feels susceptible, since none believed they would never click on a
phishing link. When participants were asked how confident they felt in identifying a
phishing attack, Rigel shared, “I'm fairly confident. I would say that there's a 1% chance that I
might actually fall for it and click on something.” In addition, Phoenix stated, “With a high
degree of confidence, I’m not saying that I'm not susceptible to falling victim to a phishing
attack.” All participants have a strong sense of confidence in their abilities to detect commonly
recognized suspicious emails, yet nine participants have previously clicked on phishing or
simulated phishing emails. While individuals have high confidence in current phishing tactics,
advanced phishing attempts are a challenge. Participants declared that it is difficult to identify
advanced phishing attacks when the messages seem legitimate. Participants were asked about
where their lack of confidence stems from, as Lynx shared, “I think there's going to be some
really sophisticated ones that are not going to see right away, and those might catch me but
otherwise they're pretty easy to spot.” Polaris stated lack of confidence stems from threat actors
continuously improving their techniques, rating their confidence,
Very high, on a scale of 10, probably at least a nine. That one percent lack of confidence
comes from the increasing sophistication of the potential for these phishing attempts to
look legitimate. The cloning of logos, that sort of thing makes it so that potentially,
everyone's susceptible.
While Orion declared “Very High” confidence in spotting phishing attacks, Orion also
said that this confidence is declining rather than increasing because of the sophisticated
techniques criminals are adopting, stating, “My confidence is
going lower. As threat actors start using generative AI to prep phishing emails, in the future we
may actually be unable to personally detect them.” Participants are concerned about their
abilities to detect sophisticated forms of phishing. Participants explained their confidence is high
when detecting generic phishing emails. However, when it comes to newer phishing methods,
participants are not as confident; they may assume the email is legitimate and mistakenly click
on a phishing link. While all participants are confident in identifying generic phishing emails,
many felt their confidence lowering with their abilities to detect advanced phishing attacks.
Value
Individuals are motivated to pursue goals and outcomes that offer the greatest value and
are believed to be achievable (Ambrose et al., 2010). Clark and Estes (2008), drawing on Eccles
and Wigfield (1995), describe three kinds of value that motivate individuals: interest value, skill
value, and utility value. Thirteen out of 13 participants expressed utility value as the leading
motivational influence and found value in identifying phishing attacks and protecting company
data. Individuals related the value of identifying phishing to their success in their specific job
functions. No challenges impeding motivation to identify phishing attacks were discovered
among participants.
Utility Value in the Practice of Identifying Phishing
Thirteen out of 13 participants expressed value in protecting company and customer data
in their financial organizations and related the value of identifying phishing attacks to their roles
and responsibilities. When considering the importance of identifying phishing emails, Lyra
shared, “I work with industry and consumer media in order to enhance and protect awareness and
reputation for the company. It's like family. They trust us with their information so we have to
protect it like we're protecting a family member.” In addition, Rigel, who works in media
relations and in a role that requires discretion when sharing information publicly, stated,
Especially in my role, I'm definitely sensitive to private information and know that there
are certain things that just are not meant for external use. In my role, I am motivated
enough to not do it (in reference to clicking on phishing links) because of the negative
consequences for the company.
As an owner of their company, Phoenix highly values the role of protecting data and said,
It's been the nature of my particular role with various companies that are dealing with
very sensitive personal data for a lot of people. I need to not cause problems for them. I'm
one of the owners, so the four of us that work there all have ownership in the company. I
have a degree of commitment to avoid clicking on something that might impact our
business to any extent. We are regulated by the Securities and Exchange Commission, the
SEC. If we don't act in a prudent manner to protect our data, which in effect is the data of
our clients, then we could be subjected to any number of consequences from that
regulator.
Polaris instructs employees on data privacy best practices and shared,
I manage the privacy function for my organization so I have a lot of contact with the
processing of personal information of consumers and employees. And specific to my role,
it's very important that I get those types of activities (in reference to phishing attacks)
shut down as quick as possible to avoid any incidents that could happen as a result.
Aquila understands the implications of protecting customer information and shared, “I do
see the value and I think we can all agree it's important because it can affect personal lives. There
is no room for error when it comes to client information.” All participants valued their positions
in safeguarding customer and company information. Identifying phishing attacks supports
participants to be successful in their roles at their financial companies.
Research Question 2: Organizational Influences Impacting Phishing Identification
All 13 participants demonstrated their perceptions regarding organizational influences on
identifying phishing attacks. The interview protocol was directed toward understanding the
effectiveness of training, communication, and organizational culture. Participants provided
insights into improving organizational influences and removing barriers to identifying suspicious
emails.
Organizational Influences
As Clark and Estes (2008) expressed, effective training, communications, and culture
support the achievement of organizational goals. Thirteen out of 13 participants shared their
perceptions about organizational influences on identifying phishing attacks. All of the
participants who participated in the research study took phishing training at least once at their
company. The organizational barriers described by participants ranged from the low frequency
and training methods to minimal communications received from their organizations, a lack of
positive reinforcement and consequential models, and inconsistent leadership support in building
a culture of security awareness.
Training Practices
Thirteen out of 13 individuals received a self-led online training course at least once via a
presentation or video. Eight out of 13 participants believed that their company training had been
helpful in learning how to identify suspicious emails. When asked about the effectiveness of the
training video, Lyra shared, “I learned a lot through the videos. It helped me to be aware of the
common things that these scammers would use.” After participants watched their training video,
passing a quiz was mandatory, as Rigel stated, “The format that we have it in is pretty good. I'm
forced to pay attention because I need to pass the quiz at the end of the training. I kind of do it
begrudgingly.” Polaris believed training helped them learn how to identify phishing, and stated,
“Video training teaches the user how to spot phishing, what to do, what not to do, when they
believe they receive a phishing email. I would say that I think it's effective.” Aquila shared that
because the company has not experienced a data breach, the training seems to be effective,
I’ve seen some videos and then taken a quiz at the end. You have to get at least 80% of
the questions right. I feel like what they're doing so far has been working because other
companies, their information was compromised. Overall, the company seems to be doing
okay.
Orion explained that training and remediation training are effective and added that many
employees spend their free time learning about phishing, and stated,
We've got a strong training program. What's most effective from phishing training is the
National Cybersecurity Awareness Month training and if somebody does click one of our
training programs, they get specific training classes they have to take. We actually get
well over 50% participation monthly on employees just going to the free informational
training. It’s optional. We did an extensive marketing campaign around that with
marketing. 70% of employees participated in all 12 modules last year.
In contrast, five out of 13 participants did not believe their training was effective.
Training videos can be designed in-house or purchased from a third party to provide general
content about phishing awareness. Vendors may offer the ability to customize modules and tailor
content to a company’s needs. When asked why they did not believe their training was effective,
Sirius said, “Most training when it comes to phishing, I don't feel is very relevant.” In addition,
Hydra said, “I've always not really liked the videos, it's the same stuff every single year.”
Participants were interested in what organizations are doing to train repeat offenders. Vega
expressed that organizations should discover why individuals repeatedly fail phishing simulations
and provide more training, and stated,
It's important to deep-dive into the root cause why repeat offenders continue to fail. I’ve
learned that sometimes it takes someone to hear something or to learn something seven
times before it finally kicks in. If you're only taking this training once a year, it's not
sufficient. There's a lot of people within the organization that fail multiple times a year so
there must be something else that we can do.
Lynx shared that there should be more focus on solving the problem of repeat offenders clicking
on phishing links, and explained how individuals could skip through modules to get to the end of
the training video without paying much attention and said,
No, it's not effective. Because honestly, you can set up on one monitor and continue
working on the other monitor without watching it at all. No one is trying to educate
people. You need to figure out what's wrong, how to educate them better. We do have a
learning platform; it may have a course or two about phishing in there as well but I can’t
imagine anyone can be doing that in their free time, on purpose, without an incentive to
do so.
Depending on how video training is built, individuals could fast-forward sections to get
to the quiz at the end, which could be resolved in the instructional design of the course.
Participants felt their annual training was ineffective due to a lack of reinforced learning
occurring throughout the rest of the year. Cybercriminals catch victims off guard when
individuals do not have phishing top of mind, which can result in the potential for risky
behaviors.
Training Reinforcement
Thirteen out of 13 individuals stated their desired preferences for training. Participants
provided an array of perceptions regarding organizational improvements and training
opportunities, including real-world examples in lieu of generic content so it resonates with
employees. Participants stated interest in customized training, including phishing simulations,
instructor-led training, and gamification, to better relate to and understand phishing attacks on
their industry and what to expect as criminals use spear-phishing to target individuals in specific
job roles.
Customized Training
Thirteen out of 13 participants expressed interest in enhanced phishing training tailored to
their specific needs and areas for improvement. When asked about desired training methods,
Lyra expressed interest in experiencing phishing simulations and in increased transparency of
phishing attacks and said, “If they came across new and creative ways to test our ability to
identify phishing, that'd be kind of neat. Also, build a list of stuff we've seen. If something comes
in, I don't have to question it, I can just see it's on the list.” Participants were interested in
examples of actual phishing attacks occurring in their environment, as Capella said, “I think
samples from data from real life will be something that will trigger even more internal safety nets
to be careful. You’ve got to teach them with an example, and then people would pay more
attention.” Personalized training was a request among participants, as Lynx shared, “I think we
need something that is tailored to us.” In addition, Polaris explained,
I think more frequent customized training opportunities would make sense and so moving
to real-world examples as training. Personalizing to the risk of your own data on your
own computer because the same thing applies. That could also be the art of making it
more interesting. I also think that it probably makes sense to do it both ad hoc and
customized for more vulnerable functions and departments. I think we need something
that is tailored to us. And not a textbook video that we're currently using for our training,
to the industry would probably be the best.
Participants were interested in learning about phishing attacks occurring in their industry.
The phishing simulations and training received were described as generic, outdated, and not
applicable to their roles. Individuals expressed a desire for more relevant content and
personalized learning paths.
Instructor-led Training
Five out of 13 participants preferred incorporating the method of instructor-led training.
When asked about instructor-led versus self-led training preferences, Polaris shared, “It probably
would be more effective to have a live demonstration of phishing.” In addition, Draco stated,
In person you’re going to learn more, right? I think that would be the most effective way
to do it on-site. If you had it in person and had the option to remote in, it's still just more
personal, I think, as opposed to having a video rolling.
Participants assessed the financial investment to hire a trainer, as Aquila said, “Maybe in-person
training. Maybe it can be worth it, worth the company’s money.” Orion led an advanced training
and awareness program and stated, “We bring in outside experts from the FBI, the Secret
Service, and CISA to present on cyber threats.” In-person training or virtual instructor-led
workshops support individuals with guided instruction and facilitate opportunities for employees
to ask questions, which can engage employees to pay attention, especially if the instructor makes
the training interactive.
Gamification
Six out of 13 participants suggested gamification as a method for engaging employees in
learning about identifying phishing attacks. Competition can boost performance, as Lyra stated,
“If they constantly track certain departments, we can have competition. That'd be nice.” When
asked why gamification is their preferred training method, Lynx shared, “Interactive or
gamifying is the way you're going to actually absorb information. I think gamifying is going to
be key. Making a game to play, something that's entertaining and that'll be fun.” Creative and
micro-learning methods can increase engagement, as Polaris said, “I think comic book collateral
is fun, easily and quickly digestible.” Adding gamification supports employees by providing
additional learning methods, as Vega stated, “We need something else in addition to the base
training. Something interactive, something fun. Everyone learns differently, so you can't just rely
on one form, you need games.” Orion had ideas for enhancing the training and awareness
program and shared, “We're going to build crossword puzzles around cybersecurity and offer that
for everyone. It depends on your audience, right? I'm Gen X, I don't need gamification. Gen Ys
and Gen Zs love gamification.” Participants were interested in how gamification can benefit
learning by creating a lively and enjoyable learning environment. Ideas about the types of games
to use, such as crossword puzzles and bingo, were discussed. Participants were not asked to
provide their age in the interview, and those who were interested in gamification did not self-identify with a specific generation.
Communication Participants Receive
Individuals discussed communications regarding phishing awareness that they have
received at their organization. Phishing awareness communications directed to employees to
protect against phishing were received by seven out of the 13 participants and ranged from
singular communications at an ad hoc frequency to monthly or quarterly communications. The
types of communications participants received included phishing alerts about actual phishing
attacks occurring in real-time at their organizations and general phishing awareness, including
tips about signs to spot phishing. Communications were received regularly by Capella, who
stated, “There's always some kind of a statement to remember not to click links from unknown
sources. And the way that it’s presented, it's always a different type of message, but you have to
read it.” When asked about the communications they receive, Draco stated, “We'll get some stuff
every once in a while through our corporate emails.” Hydra explained their company actively
supports employees with regular communications, “My company is looking for new trends for
hackers. A department watches that and when they see it, here's the scam of the week. They
email our company every time they find something, which tends to be on a weekly basis.” In
addition, Orion shared,
Every month, we communicate our phishing training results to the entire company. The
real ones are communicated as needed within 24 hours of one of those campaigns. We're
very open within the company. We've had attempted business email compromise type
emails for large phishing campaigns. We will actually communicate those out to
employees and let them know that those campaigns are running so they can be extra
vigilant.
Participants who work in companies with advanced training and awareness programs,
with security professionals distributing communications routinely and advising employees, are at
an advantage in stopping phishing attacks. Participants who read communications about phishing
regularly are more likely to identify phishing attacks since they constantly learn about new
trends, techniques, and tactics, and keep phishing awareness top of mind.
In contrast, six out of 13 participants stated that they received no communications about
protecting against phishing. When asked about any communications received about
phishing, Rigel said, “I can't remember a time when we've received a standalone email about a
phishing scam.” In addition, Betelgeuse shared, “I've never seen, ‘Hey, be careful.’” In small
companies without dedicated personnel, phishing awareness communications may be less
distributed, as Lyra said, “Nothing. They leave it up to us to find it (in regard to phishing emails)
without much pre-emptive information. I don’t know if it’s because they are still a small
company.” Polaris also did not receive communications about phishing and stated, “I'm not
aware of ongoing campaigns around phishing.” Vega lost their communications team, and said,
“When I first joined the company, we had a communications department that was great and we
put out communications, and that has just been lost right now.” Participants explained that
because their organizations did not provide communications about phishing awareness, they
were not aware of phishing attacks circulating in their industry. Participants expressed that there
were no opportunities for bi-directional communication about phishing training.
Enhancements to Communication Practices
Thirteen out of 13 individuals expressed a desire for increased communications and
discussed their beliefs around their desired frequency for receiving communications. Participants
shared desired types of communications, including trends of phishing attacks and channels of
communication, which include instant messaging and websites in addition to traditional email.
Many organizations leverage their marketing department, as Draco stated,
Bring in the marketing team and brainstorm on some short, interactive video clips to grab
their attention. Give people the option that they can go work out for a half hour or an
hour, or sit through a training video, and they’d probably get more people sitting in the
video.
Security professionals can partner with marketing team members and leverage their creativity
and graphic design skill sets, enhancing standard communications to engage employees. When
discussing desired channels for receiving communications, Vega said,
People are more prone to look at their instant messages. We used to have a
communications department that would send out information regarding phishing
simulations. So, I think, a little bit more of that and utilizing the company website more
would be great.
Lynx discussed how entertaining emails are more likely to get read, and shared,
These are the trends we're seeing, would be a really nice communication. That's a way of
getting more information out. I think it's got to be entertaining to a certain degree, you
have to have some kind of inner entertainment factor because people aren't going to read
emails that aren’t interesting. It has to have some kind of interest to it.
Sirius discussed challenges with designing communications and shared, “It's challenging to
create corporate-wide anti-phishing, that would affect people in the same way.” Participants were
interested in personalized communications and ways to ensure individuals would read their
emails. In many organizations, it is feasible for individuals to attest that they read an email, as
Betelgeuse shared, “Elaborate the communication’s importance. If there's some type of trend,
send out an email, confirming that you read it.” While it is not always possible to capture read
and open rates to identify if employees are reading their emails, it is possible to utilize a website
to capture engagement and interest on web pages.
Frequency of Communications
Nine out of 13 individuals indicated a preference for an increased frequency of
communications to inform employees about safeguarding against phishing. There were mixed
responses around the frequency that companies should deploy communications, as Lyra shared,
“Monthly would be pretty good. It'd be nice to see how the traffic changed if the internet traffic
is still similar to the previous month or if we're seeing an increase in those kinds of attacks.”
Alternately, Draco stated, “Let's say once a quarter I think that a lot of companies get inundated
with stuff internally, so you’ve got to measure it just right even if it's once a month.” In
discussing the ability to reach an appropriate frequency of communications, Orion shared, “In
my own career, what you see is two things. Either employees complain that they’re not getting
enough communication or they complain that they’re getting too much communication. Try to
strike the right balance.” Sirius discussed designing simple yet impactful communications at a
frequency that makes sense for the business and said,
I think monthly to quarterly, depending. You have to be effective with communication
and minimize the amount that you communicate because no one's going to want to read
paragraphs on paragraphs. You're trying to simplify it. You're trying to grab them in
those first couple of seconds just to get them to go through it.
Participants were interested in increasing the frequency of communications about
phishing so they could better learn about techniques and trends. Participants did not feel that
communications were sufficient at their current frequency. However, participants did not ask for
an unreasonable frequency of communications as most preferred monthly or quarterly.
As a caution, four out of 13 participants described a desire for their companies to
be mindful of the frequency of phishing communications, or the messages would not be read. Rigel was not
interested in receiving too many unnecessary emails and stated,
No more than once a month or even quarterly. I think if you get any more, if you go into
more than that, I feel like I would just completely ignore it, like I do with a lot of the
emails that come through. Unless there's any new type of phishing scam that I might not
be aware of, and that I might be more likely to fall victim to, I don't need to see constant
communication about it. I think there has to be something within the subject line that is
compelling enough for me to open it.
In addition, Capella shared, “if you overdo it then people just don’t look at it over time.”
Phoenix did not want the organization to provide frequent communications and said, “I don’t
really feel like I need regular reminders just for the sake of that.” Aquila did not want
communications to be irrelevant and stated, “I would like to know about what's out there if
there's anything new. I don't want to be receiving the same email every single month on the same
topic.” Balancing the frequency of communications is critical to aligning with the culture of the
company. Overwhelming employees with multiple communications detracts from the importance
of the messaging about phishing awareness.
Data Protection as a Cultural Model
Twelve participants expressed that their organizations have areas for improvement in
strengthening their cultural models to influence the adoption of training and awareness programs.
Making data protection popular was a request from Betelgeuse, who shared, “You want to make
it fun and cool to protect people's data. Create a culture of awareness. And I think if you create a
culture like that, it can be very successful.” Draco discussed leadership’s involvement in
developing a culture and said, “It has to come from leadership and it has to come constantly.
That’s where the culture is driven from so it has to come from the top down.” When corporate
campaigns are centralized, and ambassadors are not established at the local level, individuals
may not be as engaged with security awareness, as Hydra shared, “There's a cybersecurity
awareness program, but it's more on a corporate level. I mean, obviously, the local county
managers or executives will say, ‘Hey, make sure you pay attention to this.’” When discussing
how to attract buy-in for security training and awareness programs, Sirius stated,
I think the challenge is that the business has certain goals and constraints, and so it's
really about convincing the business of why you're trying to add or request additional
resources for the protection of the business. And it takes time. It takes time for buy-in,
time to get the culture to embrace it.
Sirius noted that, as leaders determine where a training and awareness program fits into their
cultural model, they must consider organizational priorities, and stated,
Leadership really needs to decide what direction they want to go. The idea of security
may not have the same level of importance as a lot of other competing priorities. What it
takes to have an effective training program, requires the work of multiple stakeholders.
Orion was the only participant with an established cultural model embracing data protection. The
remaining 12 participants desired an enhanced cultural model to further support phishing
awareness. During interviews, discussions about leadership needing to align priorities and
engage employees in the training and awareness program were repeated.
Instrumental Value in Receiving Positive Reinforcement
Nine out of 13 participants declared that positive reinforcement for identifying phishing
attacks does not exist in their organizations. Four out of 13 participants declared positive
reinforcement for identifying phishing attacks exists in their organizations. When asked about
incentivized learning programs, Lyra shared, “There really isn't much incentive. There isn't really
a reward process that I've seen personally.” Draco attends a monthly information security
department meeting where individual behaviors are recognized, which is a motivating factor, and
stated, “When they go over the metrics of the phishing campaigns, they will put up team
manager names or directors names, and they'll have a bar graph of who had the most responses,
who reported the most, so there's a huge incentive because you don't want to have the lowest
number.” Draco explained that more can be done across the company to foster phishing
awareness, as it was unknown if other departments recognize individuals and conduct positive
reinforcement in the same manner. Two participants received congratulatory emails when they
correctly identified a phishing simulated email, as Polaris said, “The organization will conduct
random mutation simulations, and we will inform individuals when they pass.” When asked
about any type of reward program, Aquila said, “no kind of monetary compensation but you will
get maybe an E-card saying, congratulations for recognizing a phishing email.” Orion has the
most advanced training and awareness program, offering participants swag for promoting
positive behaviors, and shared, “When we do launch a phishing campaign, employees who are
the first to report theirs and so forth, get company paraphernalia, a polo shirt for example. That's
the first three that get rewarded for reporting.” Creating a thriving training and awareness
program supported by the culture was a proud achievement for Orion to discuss. As a chief
information security officer, Orion understands that cultures vary across companies, and not all
security leaders are as successful in implementing and sustaining their programs.
Increasing Positive Reinforcement
Eleven out of 13 participants stated they wanted increased positive reinforcement and
shared examples of their interests in incentivizing learning. Betelgeuse believes in positive
reinforcement and said, “I think having some positive reinforcement would work.” When asked
about types of desired positive reinforcement, Lyra stated, “It'd be nice. Just because it shows
that we're actively trying to protect the company. I mean, that's kind of an important thing.
Getting to go home a little early would be kind of neat or a casual day or a luncheon. It makes us
feel like we're important.” In addition, Polaris said, “I think maybe it would be worth coming up
with some incentive for employees when they pass simulations, just random acknowledgment,
and they get a mug or something that says, I passed phishing.” Vega explained public
recognition would be beneficial, and stated, “it would be great if there was something on a
company website, where it would incentivize reporting phishing emails, and maybe then people
would click a little bit more on this report phishing button.” Recognizing employees for not
clicking on phishing links was a recurrent theme requested by participants. Participants
explained that supporting employees to refrain from bad behaviors by encouraging good
behaviors would produce better results and drive down phishing click rates.
In support of increasing employee perks for identifying phishing, five out of the 13
participants expressed how using rewards for positive reinforcement would be beneficial.
Developing a reward system was discussed by Capella, who shared, “Maybe we should develop
a system where upon having an employee that found something reported, and it turned out to be
dangerous, they could let us know and we'll provide that employee with some points.”
Participants were interested in the ability to provide recognition among their teams, as Draco
stated, “Have points that you can give other colleagues, some kind of positive reinforcement in
front of your peers. Just making people feel valued, that would be one good way to incentivize
it.” In addition, Hydra said, “I think it would be beneficial. Points and gift cards would just give
the extra edge I think to pay more attention.” Lynx explained that rewards would encourage an
increase in the reporting of phishing emails,
If you click or report a phishing email, you're entered into a drawing for a rewards card, something like that. Just something that helps people want to report stuff could be very
helpful to get that positive engagement that we're looking for. That'd be wonderful. It'd be
amazing. I think cash is king. You can’t give someone an “attaboy,” that’s not going to
do it for anybody, that doesn't give them what they really want. I think it needs to be
some kind of cash incentive that's going to get you there.
Aquila shared that saving the company from a data breach could warrant a rewards
program and said, “If we're doing the right thing, we might be positively saving the company
some money, you know, and maybe with these dollars or savings they could pass that revenue
along to their employees doing the right thing.” Participants were excited about discussing
rewards as a driver of positive reinforcement. It was evident during the interviews that
participants were interested in incentives to promote the adoption of desired behaviors.
Consequences
Consequences exist in companies where three of the 13 participants are employed. Ten
participants did not indicate any known consequences for clicking on phishing links. Three out
of 13 participants stated that their companies provide remedial training as a consequence method
when individuals click on phishing links. Rigel was unaware of any consequences and said, “I've
never felt like I'm at risk of getting in trouble if I clicked on something.” Capella believes there
may be consequences but is not sure, and said, “I would imagine that the damage will have to be
substantial enough to prompt some type of negative consequences to employ.” Vega shared that
training occurs when an individual fails a phishing simulation and explained,
With regard to consequences, if you click on a phishing link, you are assigned training. I
know that there are repeat offenders, people that continually fail the phishing simulations,
and nothing is done. We haven't done the internal investigation because there is no
consequence model.
Orion has enacted an advanced consequence model, which has been effective at reducing
click rates, and shared,
We've had positive reinforcement and the consequence model and seen much more
vigilance since the consequence model went into effect. We have a phishing consequence
program where typically a user continues clicking on phishing emails, and the
consequence starts with mandatory training, escalates into training and manager
notification, and then escalates further into the manager having to counsel employees.
That's only been in effect about three months. Because we have this program I have
personally reported more emails. Our volumes are up significantly. We actually have a
very high rate right now of no second-time clickers, zero third-time clickers, zero fourth-time offenders, as employees are being extra vigilant.
Orion has experienced an increase in desired behaviors due to enforcing the new
consequence model and explained that employees were also supported by their managers in the
second and third levels of the consequence escalation process. This cultural setting provides
context for the resulting decrease in repeat offender rates.
Improving Consequential Models
Thirteen out of 13 individuals declared that a consequential model is necessary to align
behaviors and stated their perceptions around the benefits or detriments of consequential models.
Nine out of 13 individuals provided insights to improve consequential models at their companies.
When asked if consequences would support an improvement of behaviors for identifying
phishing and not clicking on suspicious links, Rigel stated, “I think if there were negative
consequences maybe I would be a little more cautious.” In addition, Sirius said, “If you don't
teach users the consequences of their actions you're nearly not helping them connect the dots on
how their actions negatively impact the business.” There were mixed responses regarding
enforcing the termination of employees who repeatedly clicked phishing links. Betelgeuse shared
that termination should be a component of the consequential model and said, “I guess if you
continually do it, and you're trained, just like anything else you should get fired. Especially if
you're putting the company and your clients at risk.” If training is effective, individuals will
know how to identify phishing and utilize training, as Lynx stated,
I think if you fail two in a row, you should absolutely have a certain consequence. I don't
think you should be fired for that because everybody makes mistakes. I don't want to say
it's always their problem. Sometimes it's an “us” problem. We didn't train you well
enough. But I think there needs to be some kind of consequence model built out.
Assumptions about individual abilities in detecting phishing were a concern of Polaris, who
stated,
Can we assume that everyone has the ability and should have the ability to detect an
obvious phishing attempt? But even with posing that question, can we define what an
obvious phishing attempt would look like? If we felt that we could do that, then I think
we can move forward to say, you know, we'll look at it on a per occurrence basis, but
after a certain number of times, we would have to remove them as an employee because
they were just too much of a liability. It's really a Legal and HR question.
Aquila explained that individuals may make genuine mistakes and that a small number should be tolerated, saying,
I honestly believe that some might make a genuine mistake, they just didn't know how to
recognize them. I hate to say this, but most of the time people just don't have a lot of
experience with the Internet, and it's not their fault that they didn't grow up with it. It's
just a little bit harder for them to recognize certain things they see online. So, if you make
an honest mistake, once or twice, all right, slap on the hand. But you can only make the
same mistake so many times. There should be consequences because you keep making
the same mistake.
Participants desired a supportive consequence model and believed that implementing one would
improve desired outcomes. Participants debated the maximum amount of phishing link clicks
organizations would tolerate and suggested terminating high-risk individuals who routinely click
on multiple phishing links.
Summary
This qualitative research study focused on understanding perceptions of knowledge and
skills, motivation, and organizational influences on identifying phishing attacks. The researcher
compared similarities and differences in responses across participants. The cumulative
qualitative results of the research study identified that all 13 participants declared their need for
their organizations to continue educational programming for identifying phishing attacks.
Participants responded that organizations could deliver customized and instructor-led training,
gamification, phishing simulations, enhanced communications, and trends on techniques
cybercriminals use to deploy phishing attacks. The findings of this research study determined
that organizations can better support their employees with knowledge, motivation, and
organizational influences by improving current operations. This study was conducted to serve as
a resource for leaders in organizations to develop a security-aware culture and effective
communication and training that educates and motivates employees to identify phishing attacks
and protect company and customer data.
CHAPTER FIVE: RECOMMENDATIONS
This research study conducted with 13 individuals addresses the problem of practice of
the high rate of employees in financial organizations clicking on phishing links, positioning
companies at risk of a data incident or breach. The research interview protocol explored
knowledge, motivation, and organizational influences on identifying phishing attacks.
Participants were candid about their experiences with social engineering and shared their
perceptions of identifying phishing and areas for organizational improvement. This study
identified gaps in organizational influences that contribute to employees’ lack of education and
motivation to identify phishing attacks. The following recommendations are created for
knowledge, motivation, and organizational influences and support employees in identifying
phishing by implementing effective training, communication, and a cultural model. This chapter
examines the limitations and delimitations of this research study and provides recommendations
for future research.
Discussion of Findings
A review of this research study, interview transcripts, and the analysis of a priori and
emergent codes indicated that participants need further knowledge, motivation, and
organizational support to identify phishing attacks. A surprising finding was that nine of 13
participants admitted to clicking on phishing links at previous companies. In
congruence with Zuopeng et al. (2021), minimal training increases the risk of individual
susceptibility to clicking on phishing links. Thirteen participants demonstrated a general
understanding of phishing as it exists today; however, with the advancement of GenAI, phishing
is progressing as criminals leverage advancements in technology and create near-perfect emails,
unlike their typical emails consisting of generic content, poor grammar, and typos. This aligns
with recommendations by the Cybersecurity and Infrastructure Security Agency (2023) for
increasing continued education as new threats evolve. Thirteen participants expressed an interest
in continued phishing education with topics including criminal operations, phishing trends,
artificial intelligence, and phishing techniques. All 13 participants expressed high self-efficacy in
their abilities to detect generic phishing attacks; however, they stated that their confidence is
wavering as criminals improve their sophistication and techniques and utilize advanced
technology. As stated by Krishnan (2023), GenAI is increasing individual susceptibility to
phishing attacks. Customized training was desired by all 13 participants who were interested in
training tailored to their industry and job roles, including various methods of instruction, such as
gamification and instructor-led training. A desire for increased corporate communications about
phishing attacks trending in their industry was expressed by all 13 participants, which included
their preferred frequency for receiving phishing communications beyond traditional
communication channels such as email to include websites and instant messaging channels.
While all 13 participants believed their companies valued data protection to safeguard against
phishing, 12 participants expressed misalignment between company values and the
implementation of an effective cultural model for training and awareness to reinforce key
messages to inform users not to click on suspicious links or download attachments from
unknown senders. Nine participants explained that no positive reinforcement for identifying
phishing attacks exists in their organizations, and 11 participants expressed a desire for positive
reinforcement. All 13 participants declared that consequential models are essential to align
behaviors to company policies. This research study, with 13 participants, exposed gaps in
organizational influences through significant research findings that more training and awareness
are needed for employees to successfully identify phishing attacks.
Recommendations for Practice
Security frameworks are high-level and do not guide organizations in developing
effective training and awareness programs; they only express fundamental requirements and
provide guidelines, creating a phenomenon where organizations continue to adhere to the
minimum threshold as is required by laws, rules, and regulatory agencies. These basic external
requirements limit the success of security practitioners in developing a workforce that has the
organizational influences and self-efficacy needed to identify advanced phishing attacks. To
strengthen the phishing knowledge and motivation of employees, support at the organizational
level is needed. Security professionals developing a training and awareness program within their
organization can utilize the Clark and Estes (2008) adapted Gap Analysis conceptual framework
to assess knowledge, motivation, and organizational influences for identifying phishing attacks.
As companies develop their training and awareness programs, consider the following
recommendations for effective training, communication, and developing a cultural model.
Recommendation One: Developing Effective Training with an Educational Framework
Model
Designing an educational framework model for accountability and the reinforcement of
learning and applying methods learned supports an effective training program (Kirkpatrick &
Kirkpatrick, 2016). Establishing goals, objectives, budgets, and expectations creates an
organizational structure for developing training and drives the momentum of the program
(National Institute of Standards and Technology, 2003). The compliance requirement of
employees to receive phishing training as prescribed by multiple information security
frameworks and standards (e.g., NIST CSF and ISO 27001) and external auditors, does not
provide security practitioners with techniques on how to create effective training for achieving
measurable goals or sustaining information, as knowledge becomes outdated and irrelevant
(Cybersecurity and Infrastructure Security Agency, 2023). Individuals would benefit from
routine practice with customized training and phishing simulations (Jansson & von Solms, 2013)
so that when they experience phishing and advanced social engineering techniques, they are
better prepared to recognize and report it.
Cybercriminals continue to develop new social engineering techniques and leverage
technological advancements to trick individuals. With the development of GenAI, phishing is
evolving from its traditional form of poorly written email messages and including voice scams
imitating speech patterns, chatbots, and deepfake images and videos, leveraging alternative
methods, media, and channels to surprise and catch victims off guard. By generating well-crafted
content that removes the warning signs employees were taught to look for, threat actors leverage GenAI to
exploit their targets more easily. As cybercriminals introduce new techniques, employees must stay
current with the latest scams (Cybersecurity and Infrastructure Security Agency, 2023). As
employees adapt to understanding common phishing scams, new tactics are developed, providing
criminals with an advantage. Depending on their awareness level, individuals are more
susceptible to clicking on phishing links (Alkhalil et al., 2021). With minimal training and
without an understanding of security policies and procedures and sophisticated techniques
cybercriminals employ, individuals are susceptible to social engineering and falling victim to
phishing attacks. Delivering training in a self-led video format is a traditional method for
financial organizations. Depending on the video, it can require participation in simulated
phishing training or end with a quiz that employees must pass with a score of 80% or higher. A
video may not be as stimulating as a live trainer; however, effective training and education do
not depend on the setting in which it occurs (Clark & Estes, 2008). Expanding training to regular
intervals throughout the year will support employees in keeping phishing top of mind and
vigilant in identifying new trends (Cybersecurity and Infrastructure Security Agency, 2023). As
knowledge decays with time, organizations will need to consider supplying additional training at
an increased frequency compared to the required annual rate, “Don’t just count on once-a-year
training to be enough” (Cybersecurity and Infrastructure Security Agency, 2023, p.1).
Monitoring employee phishing performance throughout the employee’s lifecycle supports a
holistic approach to developing an integrated training program that engages and supports
employee growth. As coined by Doran in 1981, setting SMART goals (specific, measurable,
assignable, realistic, and time-related) supports clear performance standards for the realization of
successful outcomes (Weintraub et al., 2021). SMART goals can be designed for employees to
lower phishing click rates, increase reporting rates, and achieve 100% compliance with passing
training.
Individuals highly confident in their ability to identify common phishing attacks may not
be prepared to identify new phishing trends and advanced GenAI techniques. As Clark and Estes
(2008) declared, overconfidence is destructive as individuals may “misjudge their own ability
and the novelty of the tasks they face” (p. 92). Clark and Estes (2008) explained strategies to
increase confidence, which include setting performance goals, allowing for individual goal
ownership, and providing ways for individuals to obtain information, job aids, or training
directly relevant to their performance goals. When individuals are provided with clear objectives
and organizational policies and procedures, they understand expectations and can comply with
company requirements. Successful training can be achieved when leaders provide employees
with clarity on goals and expectations of the content learned in training in advance of their
training day and opportunities to immediately apply what they learned after training (Clark &
Estes, 2008). As Clark and Estes (2008) expressed, when instructions are vague, individuals do
not transfer knowledge to their daily routines. Present individuals with knowledge about
identifying phishing and steps to defend against a phishing attack in the same sequence they will
experience it. Applying knowledge on the job can be difficult for individuals, as contextual
understanding differs from the challenge of transferring knowledge into their routines (Clark &
Estes, 2008). As Clark and Estes (2008) explained, knowledge transfer failures are very common
and occur when people understand how to solve problems but do not remember relevant
information to apply lessons learned. As social engineers continue to refine their skills,
employees need to acquire more complex knowledge about phishing and approach learning in
new ways. Knowledge used in routine jobs can become unconscious and automated, so knowledge and
skills can be delivered in a way that makes recognizing and reporting phishing
an automatic action integrated into employees' daily routines. To transfer training into practice, it is
recommended to provide individuals the opportunity to practice their newly learned skills
immediately after training by distributing a phishing simulation exercise and measuring their
comprehension. Individuals will have to use their own problem-solving to identify phishing
attacks, as each opportunity to practice is unique. As participants evolve their knowledge of
phishing techniques, they can better prevent phishing attacks, as learning begins with awareness
and matures into education (National Institute of Standards and Technology, 2003).
A new model for effective implementation and evaluation is recommended to drive
results and ensure the success of a training and awareness program. The Kirkpatrick Model
(2016) is a framework for achieving desired results and supporting accountability. The
framework concept examines how working backward from the desired result supports the path to
achieving intended business outcomes, evaluates learner models, and emphasizes the
engagement of stakeholders at initial levels. The Kirkpatrick Model defines four levels:
Reaction, Learning, Behavior, and Results (Kirkpatrick & Kirkpatrick, 2016). Implementation of
the model begins in a reverse approach with executing the fourth level (desired results), followed
by the third level (behaviors that obtain results), trailed by the second level (attitudes that affect
behaviors), and ends with the first level (an environment for engagement). In the first Reaction
level, learners assess their level of engagement and satisfaction with the materials and concepts
presented, and trainers discover individual perceptions through conducting feedback loops and
studying responses. At the Learning level, individuals are assessed after and possibly before to
measure comprehension and lessons learned. During the Behavior level, individuals are
evaluated for how they apply lessons learned and the impact of how the training was received.
The Results level designates preferred outcomes. As the Kirkpatrick Model is implemented and
results are determined in advance, security practitioners can work backward to identify what
knowledge, behaviors, and skills are needed to achieve stated results and address gaps or
limitations to successfully achieve desired results. The Kirkpatrick Model serves as an
accountability mechanism or a means for the facilitation of control (Dubnick, 2014) for the team,
as it helps align employee actions to prescribed behavioral modifications as goals and objectives
are clearly stated to learners. As learners and trainers are evaluated for their participation, and
improvements in training and collateral are assessed, the Kirkpatrick Model invites participants
to reflect on their position in affecting change and encourages adjustments according to an
accountability matrix. As expressed by Dubnick (2014), this moral force of pressure creates
accountability among employees by designing a governance structure that mandates policies and
procedures, instills compliance mechanisms, and enforces accountability. In Figure 13, the
Kirkpatrick Model is displayed.
Figure 13. The New World Kirkpatrick Model (Kirkpatrick & Kirkpatrick, 2016)
Evaluation of gaps is the first step toward identifying current state baseline measurements to
develop desired state results. According to the National Institute of Standards and Technology
(2003), organizations can begin with a needs assessment to evaluate their gaps,
A needs assessment is a process that can be used to determine an organization’s
awareness and training needs. The results of a needs assessment can provide justification
to convince management to allocate adequate resources to meet the identified awareness
and training needs (p. 16).
Once a needs assessment is conducted, a training and awareness strategy can be created,
followed by an implementation plan and the development of resources and materials. Upon
creating an implementation plan with expectations and results, support for resources and funding
will need to be communicated to leaders to obtain funding for a training and awareness program
(National Institute of Standards and Technology, 2003).
An education model for employees to learn phishing knowledge is recommended to be
targeted based on job function, organizational rank, and specific roles regarding how employees
interact with data and what types of sensitive information they have access to. As phishing
attacks in the industry are identified, security practitioners can customize training based on job
roles, rank, and attacks circulating in their region, industry, and environment and social
engineering techniques targeting specific job functions and roles. Customized training teaches
employees the dangers of specific advanced forms of phishing attacks and supports individuals
in understanding new threats and trends and how to detect warning signs. Personalized phishing
simulations support employees in identifying their learning challenges and creating individual
learning paths. AI and machine learning security software can help security practitioners design
phishing simulations based on relevant phishing techniques and advanced tactics, which supports
individuals in identifying sophisticated phishing attacks with automated training based on their
responses. At a minimum, employees should complete interactive software-based training.
Third-party software is customizable and automated to provide a
lift to the information security team and reduce the manual tracking and monitoring of phishing
performance and behaviors. To gain an understanding of social engineering susceptibility,
individuals can be tested with a series of phishing simulation tests measuring performance with
scores attached to their employee profiles. Employee baseline knowledge can be discovered
utilizing difficulty levels to determine learning profiles and deficiencies, comparing the
identification of common phishing attacks to advanced phishing techniques. The NIST Phish
Scale provides guidelines “to rate an email’s human phishing detection difficulty, evaluating
both the properties of a phishing email itself and the characteristics of the email’s recipients”
(National Institute of Standards and Technology, 2023, p. 2). Employees can receive targeted
training at this stage, based on their job profile and interaction with data, as the training becomes
more targeted to their specific needs and those of the company. Once the baseline is documented,
set measurable company and individual goals to reduce phishing click rates and increase
reporting rates. As employees are monitored for progress and simultaneously tracked by their
entire performance profile, the information security team can better predict risk levels among
employees, divert resources accordingly, and create training with an increased frequency for
high-risk individuals. Upon completing new-hire orientation, mandate that employees attend a
trainer-led workshop. Scaffolding with a trainer assists employees in their zone of proximal
development (Vygotsky, 1978) to identify individual knowledge gaps, improve heuristic
approaches to phishing attacks, and allow for the evaluation of the instructional training design
(Podolskij, 2012). Individuals can learn more by having a skilled information security instructor
guide and motivate their efforts; otherwise, without a trainer, the lessons may not be fully
utilized or maximized. Creating challenging training to identify social engineering red flags and
support performance criteria would be beneficial for learners. Employees are not experienced
with detecting phishing designed by GenAI and would benefit from interactive instructor-led
training to discover new trends circulating in the financial industry and best practices to
safeguard against advanced phishing attacks. When individuals are prompted with questions
about their thought processes and made to feel self-conscious about their decisions, they increase
their effort in solving a problem (Nagel, 2012).
Organizations can support their workforce by providing organized content and linking
new and familiar knowledge (Clark & Estes, 2008) to support individuals in detecting social
engineering attempts and identifying sophisticated techniques. Informing and training employees
on new trends by customizing training needs is a good cyber defense strategy to keep a training
and awareness program relevant (National Institute of Standards and Technology, 2003). Critical
behaviors and required drivers can be taught in themes each month, focusing on advanced
phishing attacks, specific areas of interest, and social engineering across multiple devices and
platforms. Informing employees about the purpose of cybercriminal activity, how criminals buy
and sell stolen personally identifiable information, and how much data is sold on the dark web,
teaches employees about the dangers associated with phishing. As employees learn how
criminals conduct their operations, they will better understand what they are up against (Fazzini,
2019). When employees understand how cybercriminals operate and the purpose behind social
engineering, they can comprehend the magnitude of the impact of how one click on a phishing
link can cause irreversible damage to an organization. Sharing related cybersecurity events helps
employees understand how trends in the threat landscape could impact their industries and affect
them in their roles (Cybersecurity and Infrastructure Security Agency, 2023). Exposing phishing
trends at other financial organizations supports knowledge construction as individuals stay alert
for similar types of phishing attacks at their own organizations (Jang-Jaccard & Nepal 2014).
Financial organizations can partner to share knowledge and intelligence and collaborate on
strategies to prevent successful phishing attacks.
Additional learning courses ranging in modalities are recommended on a routine basis
and, more often, for problematic individuals who routinely click on phishing links. Appeal to
employee motivation by providing myriad ways to engage with phishing content, including
gamification and incentivized learning with opportunities to earn rewards. Creating a positive
environment for employees by making learning fun can improve employee morale and work
commitment, “the idea of gamification is that organizations can change security behaviors by
turning awareness into a game” (IANS Research, 2022). Organizations can take precautions
when creating entertainment in the workplace so the implementation of games as a learning
method does not backfire, causing employees to invest less mental effort to improve their
knowledge and skills. Combining gamification with learning by having employees apply their
knowledge and explain their reasoning or test their memory can be effective (Clark & Estes,
2008).
A post-implementation plan will support a training and awareness program to remain
relevant and impactful. Monitoring and evaluating an educational framework model, metrics,
tactics, and engagement levels supports security practitioners in routinely revising and enhancing
their training programs. Asking employees what they thought of training supports the feedback
loop of continued improvement (National Center for Education Statistics, 2023). The trainers
would benefit from including metacognitive exercises in their presentations, allowing individuals
to reflect and understand their learning and identify areas for improvement, strengthening the
growth mindset of learners. Reflecting on learning by having learners share how they think,
learn, and interpret experiences and including responses in the program would support the
effectiveness of the training (Faller et al., 2020). Failure often occurs when organizations assume
people are similar and do not constantly check with individuals and learn what they believe will
increase their confidence in identifying advanced phishing attacks. As employees discover their
own learning challenges with advanced forms of phishing and “come to acknowledge to
themselves that they are vulnerable, they may often choose themselves to be trained regarding
related attacks” (Jansson & von Solms, 2013, p. 592). Security practitioners are recommended to
constantly monitor their program effectiveness and evolve and refine their initiatives as
“Continuous improvement should always be the theme for security awareness and training
initiatives, as this is one area where ‘you can never do enough’” (National Institute of Standards
and Technology, 2003, p.35).
Recommendation Two: Implementing Communication for Employee Engagement
Communication supports employees by reinforcing phishing awareness, company
policies and procedures, and clarifying expectations. An effective communications strategy
benefits an organization by engaging and motivating employees to align with company goals and
positively affects employee performance (Musheke & Phiri, 2021). A communications strategy
is a vital component to the success of a security program as it influences employees to embrace
security awareness and reduces resistance to security initiatives. Clarity on company values,
principles, and processes is foundational to an organization’s communication strategy (Harshman
& Harshman, 1999). Communication transports information that employees need to be
successful in their roles and increases productivity.
Clark and Estes’ (2008) Gap Analysis theoretical framework supports the development of
a Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis and audit of the current
internal communications landscape. A SWOT analysis developed by Albert Humphrey evolved
from the origins of Robert Franklin Stewart’s 1960s SOFT analysis (satisfactory, opportunities,
faults, threats) to assess stakeholder expectations and values in designing long-term strategic
planning (Puyt et al., 2023). A SWOT analysis research exercise is the preparation for
developing an evidence-based communications strategy that aligns with the goals and desired
results (Kirkpatrick & Kirkpatrick, 2016) of a training and awareness program. A SWOT
analysis of the internal communications landscape identifies areas of improvement needed to
better support employees with information about identifying phishing. As organizations develop
their communications strategy and determine relevant content and appropriate frequency,
designing consistent and candid communications about initiatives and progress aligns employees
with organizational goals (Clark & Estes, 2008). Organizations can provide individuals with
clear direction to support their specific job roles and remove vague performance goals (Clark &
Estes, 2008). Delivering communications about information employees are not interested in
could result in low readership. Alternatively, employees may have accidentally missed an email
or not read all parts of it. As Clark and Estes (2008) expressed, messages need to be repeated
more often than leaders realize. Communications can be designed to engage employees to want
to read and comprehend the message and, when applicable, take appropriate action. The effort to
communicate instills trust in employees and attracts engagement. According to Harshman and
Harshman (1999),
Communication that will help build credibility and trust has the following
characteristics:
● Two-way (for exchange and feedback);
● Relevant to employees’ needs;
● Understandable;
● Believable;
● Useful;
● Timely; and
● Mature (does not “talk down” to employees)
The role of communication is to inform and educate, reinforce credibility and trust,
support organizational messages, help employees predict, understand, and control their
environment, and positively influence employee attitudes (Harshman & Harshman, 1999). A
communications model supports security practitioners in developing communications that
resonate with employees and evoke engagement toward adopting phishing awareness. Lasswell’s
Model of Communication, published only in written form in 1948, continues to offer significant
merit and relevance 75 years later, providing security professionals with an organized and
digestible model that conveys who is communicating, what message, in which channel, to whom,
and with what effect (Sapienza et al., 2015). In Figure 14, Lasswell’s Communications Construct is
modeled visually to examine the organization and development of effective communications.
Figure 14. Lasswell’s Communications Construct (Sapienza et al., 2015)
Expanding on the foundation of this model, providing employees with opportunities to
respond allows for bi-directional communication and ongoing feedback loops. Understanding the
employee population provides security professionals with context for the organizational
landscape and how to design effective communications to engage a populace. Consider
segmenting the employee population into upper management, middle management, individual
contributors, and contract workers. Segmenting communications is essential for aligning
appropriate and impactful messaging to targeted audiences. Communications that resonate with
employees require understanding their motivation and values. The act of sending a
communication is not as important as how the message is received (Arvai & Rivers, 2014).
Impactful communications have brevity and simplicity, are compelling and credible, and do not
confuse, mislead, or create resistance (Harshman & Harshman, 1999). Effectively
communicating with employees includes nurturing a bi-directional feedback loop, which goes
both ways between employees and leadership and supports the realization of goals and
commitment. As individuals are provided with feedback on their performance goals and
motivated to focus on areas that need improvement, they are better prepared to succeed in
identifying phishing attacks and reaching designated goals.
In developing a communications plan to motivate the employee population and articulate
desired results, it is recommended to identify communications channels and establish a
communications channel strategy to communicate company goals for reducing phishing click
rates and improving reporting rates. Selecting channels to attract employee engagement is a
foundational component of internal communications. Each medium offers different speeds and
types of engagement and opportunities for employees to connect with leadership. While face-to-face communication can be preferred, other channels exist to support content that can be shared
for convenience and accessibility (Vercic & Spoljaric, 2020). Communications channels include
traditional and non-traditional channels such as email, social forums, instant messaging,
websites, podcasts, town halls, and mobile applications, which offer employees a variety of
opportunities to engage with each other, learn, and discover company information. An integrated
communications channel strategy utilizes the various channels available to reinforce messaging.
Allowing for choice of preferred communications channels gives employees personal agency
(e.g., employees can subscribe to content and blogs). Developing an intranet site utilized by
employees requires publishing useful and relevant information and driving engagement via email
or subscribing individuals to an RSS Feed; otherwise, employees are less likely to be aware that
new content is available.
Simplifying heavy tech jargon and designing the tone of formal communications to be
courteous and professional supports how individuals learn about phishing and engage with the
messaging. While fear, uncertainty, and doubt are one method to provoke strong emotions,
encouraging behavioral changes among employees prone to clicking on phishing links or
downloading attachments, it may not be the most effective. Fear as an organizational tactic can
detract from engaging employees to pay attention and learn how to best protect against phishing
attacks (Pendergast, 2021). Educating employees on organizational resilience to cybercrime is an
effective way to create an optimistic environment that empowers employees and motivates them
to participate in preventing phishing attacks.
Craft communications according to the needs of the segmented populations and tailor
messaging. Types of communications to promote engagement include security threats and
advisories, phishing alerts, announcements, newsletters, and events. Highlighting industry-related content and real-world examples of common phishing attacks and phishing attacks in
their own environment creates vigilance among employees to stay alert. Identify opportunities to
personalize communications and provide dedicated information to individuals to create
additional messaging reinforcement for achieving desired results. Automated software can
facilitate the ability of organizations to deliver personalized communications targeting
individuals needing improvement.
Communications can be engaging by including graphics and themes and highlighting
current events to attract readership when promoting internal initiatives. Security teams can
leverage and participate in nationally and internationally recognized events to spread privacy and
security awareness. Cybersecurity Awareness Month in October was founded in 2004 as a
collaborative initiative between the U.S. government and private industry to raise awareness
about cybersecurity (National Institute of Standards and Technology, 2024). Data Privacy Day
(an extension of Data Protection Day in Europe) began in 2008 in the United States and Canada
and has evolved into one week each January (National Cybersecurity Alliance, 2024). Data
Privacy Week commemorates the 1981 signing of Convention 108, an international treaty to
safeguard data, and promotes awareness about online privacy. Promoting information security
events supports employees with engaging beyond the traditional information security program’s
minimum regulatory requirements.
In evaluating communications, obtaining channel engagement rates and a heat map of
interest levels supports the security practitioner in modifying their communications plan. The
ability to see which parts of a communication employees are most interested in and the
hyperlinks selected would help the security practitioner to identify areas of interest and topics to
revisit and consider for future communications. Monitoring the effectiveness of communications
and measuring key performance indicators with reporting training and awareness program results
supports the security practitioner in continuously refining the integrated communications plan.
Recommendation Three: Cultivating a Cultural Model to Support a Training and
Awareness Program
In introducing a cultural model for engaging employees to embrace data protection and
adopt a culture of safeguarding against phishing attacks, establishing a company-wide security
training and awareness program supports security practitioners in influencing the improvement
of behaviors to protect customer and company data. Formal policies, missions, and goals are the
visible components of a culture, while the rest of the culture remains implicit, automated, and
unconscious underneath attitudes, behaviors, patterns, and style (Clark & Estes, 2008). It is
recommended for information security practitioners to strategically acquire leadership support
with goal alignment, clearly state expectations to stakeholders regarding their adherence to
policies and procedures, and demonstrate accountability and oversight when engaging
populations to reduce cyber risk and data incidents: “Accountability must be derived from a fully
informed, well-trained, and aware workforce” (National Institute of Standards and Technology,
2003, p. 18). Demonstrating through social norms and explicitly articulating to employees their
value and meaningful contributions supports the organization in developing desired security
behaviors (National Institute of Standards and Technology, 2023).
In designing a security-aware culture, consider developing a security brand (Alshaikh,
2020) and highlighting the concept of the organizational human firewall within the technology
ecosystem to reinforce the critical role of employees working together as a shield to defend
against phishing attacks. Constantly promoting and measuring the value of a security awareness
program supports buy-in across employees and leadership. Issues with executive leadership
occur when a training and awareness program is deemed a lower priority than other initiatives
(National Institute of Standards and Technology, 2003). The alignment of leadership priorities to
company goals influences the design of the culture as leaders “recognize cybersecurity as a
foundational element of their organizational culture and not consider it as some discrete risk
mitigation initiative” (Carpenter, 2022, p. 1). Clark and Estes’ (2008) Gap Analysis theoretical
framework and research demonstrated that culture and performance are conflicted when
resources, procedures, and policies are not supported at all levels. Organizations are complex
systems, and performance gaps are interconnected. Culture can be positively affected by
establishing goals and training and motivation programs (Clark & Estes, 2008). Developing an
integrated training and awareness program aligns organizational practices and processes with
company values. If data protection is embraced as a core company value, phishing awareness is
integrated into daily routines, and employees are supplied with the knowledge and motivation
they need to identify phishing attacks, phishing click rates in organizations will decrease, and
reporting rates will increase. Leaders invest in where they believe there is value added to the
company. If leadership does not believe there is value in supplemental phishing training and
motivational rewards, they will not attribute budget. Despite funding and leadership support, a
training and awareness program is ineffective without adoption and employee participation.
Engaging employees in conversations, ideas, and perspectives creates inclusiveness and supports
employees in adapting to a desired culture and adopting company goals (Musheke & Phiri,
2021).
Encourage leaders to support the security training and awareness program by committing
their teams to achieving information security’s SMART goals. Engaging division leaders to work
with their respective teams requires continuous effort and networking. Allow leaders to take
responsibility for the accountability of their teams and drive friendly competition amongst
departments to promote transparency and positively encourage behavioral improvement. As
individuals learn through context and cultural processes (Rueda, 2011), creating a learning
environment that is not ingrained in the culture reduces the effectiveness of the training and the
importance of the lessons; therefore, much of what is being learned will not be reinforced outside
of the training. It would be more effective if the organizational culture provided a clearly
articulated data protection vision for the company and created a cultural shift toward the desired
behaviors; otherwise, according to Searle (2017), in “identity construction,” learners will
accumulate the habits and behaviors of others who are not versed in the training.
Friendly competition amongst teams is a way to encourage employees to learn about
phishing, as team members encourage each other to excel in order to win. Employee
achievements for top learner scores and scores for exceeding performance quotas can be
displayed in a public dashboard per department. Conversely, in maintaining privacy, allow only
managers access to employee performance results. Motivating individuals increases commitment
to performance goals as individuals are more likely to apply effort to identify phishing attacks if
the organization supplies reinforcements. Consider pay-per-performance dependent on success
rates throughout the year combined with the completion of additional courses and engagement
with the various training and awareness activities. Acknowledging and recognizing employees
on the company intranet for producing desired behaviors reinforces positive behaviors. As Clark
and Estes (2008) expressed, confidence can be built by complimenting employees when they do
a good job. Encouraging employees not to click on phishing links or download attachments with
positive recognition and rewards can effectively motivate employees (IANS Research, 2022).
Individuals observing the recognition of their peers will likely want to assimilate and adopt
similar social norms and behaviors. As employees learn from their colleagues and leadership,
they can mimic the behaviors they see rewarded in their environment (Grant & Shandell, 2022).
According to Doyle (2003), reinforcement theory expresses that behaviors that are rewarded will
increase. Positive reinforcement can be tangible or intangible to motivate employees not to click
on phishing links or download attachments. For individuals to find benefit from incentivized
learning, performance levels that are challenging yet not impossible provide the most benefit.
While providing financial incentives can encourage employees to understand how to be
successful, it is unnecessarily costly if individuals are already achieving performance goals
without additional rewards (Clark & Estes, 2008).
Designing an ambassador program to promote the cultural mission and driving cultural
learning discussions about phishing amongst key leaders to cascade down to their teams are
mechanisms for cultivating a security-aware culture. Supporting the achievement of security
awareness goals is accomplished when leadership announces alignment and continues to review
and revise criteria for achieving desired results on an ongoing basis. Utilizing industry-related
phishing attacks to deliver urgency in creating a culture of security awareness supports Kotter’s
(2012) description of utilizing visible crises to drive change in behaviors. As employees are
encouraged to learn about security policies and procedures and preventative strategies, develop
attitudes in favor of adopting lessons learned, adjust behaviors, and intrinsically value their vital
part of the collective human firewall, they will be able to identify phishing attacks, protect data,
and keep their organizations safe.
A culture is strengthened by the centralized management of the training and awareness
program by highly skilled and experienced security professionals. Designing a strategic training
and awareness program includes reporting to executive leadership measurements of risks,
tracking key performance indicators among departments, and assigning accountability for
employee behavioral performance. Develop and distribute dashboards routinely to measure
program impact and explain trends of click rates, reporting rates, and non-compliant training
rates. Figure 15 depicts the arrangement of the central authority oversight guiding policy,
strategy, and implementation among organizational units.
Figure 15. Centralized Program (National Institute of Standards and Technology, 2003).
Discovering champions to navigate the political, management, and bureaucratic
landscapes throughout the organization can encourage participation and support the realization of
effective implementation by promoting security awareness. An ambassador committee selected
from the influencers of each department supports the central authority in spreading the message
about security policies and procedures and assists employees with learning about phishing best
practices. Developing a security awareness ambassador committee to extend beyond the security
team’s reach and engage employees at the local level further propels an organization toward
embracing security awareness. Encourage ambassadors to cultivate creative and divergent
thinking when brainstorming positive reinforcement ideas for recognizing individuals who pass
simulations and report phishing. Ambassadors provided with a budget can utilize rewards
programs to motivate and positively reinforce employees and publicly recognize top performers
during town halls, security awareness events, campaigns, and cultural activities. Sharing
outcomes of campaigns can attract workforce engagement, commitment, and satisfaction
(National Institute of Standards and Technology, 2023). As department leaders drive weekly
reminders to staff and are transparent with the results of non-compliant individuals, employees
will adapt to the cultural model and become motivated to be recognized for correctly identifying
and reporting phishing attacks.
Accountability creates a healthy organizational culture and fosters alignment among
employees. The information security team is accountable for coordinating training and
disseminating communications, department leaders are responsible for employee compliance to
attend training, and employees are accountable for adhering to security policies and procedures.
According to Hentschke and Wohlstetter (2004), when employees sustain the same values of
protecting data as leadership, accountability is a success. Leaders can contribute to the problem if
they do not encourage employees to avoid clicking on phishing links or downloading attachments, or do
not expect employees to succeed. In alliance with Hall et al. (2017), the enforcement of
consequences drives accountability, and leaders are encouraged to “develop rules and standards
for conduct, evaluate individual performance using those standards, and distribute rewards and
punishments based on these evaluations” (p. 3). Repeat offenders benefit from feedback and an
awareness of their actions, conversations with their managers, and ultimately, companies must
decide on how many strikes on their record a person is allowed (IANS Research, 2022). Clark
and Estes (2008) explained that motivation decreases when individuals are shamed. A
consequence model enforces accountability of a recognized and valued security program.
Consequence models that combine accountability and enforcement can serve as a deterrent for
individuals. As individuals are motivated not to be reprimanded or experience consequences,
they can become more cautious when clicking links or downloading attachments. Consequence
models can be tailored so that individuals are not made to feel wrong or inadequate but are
instead supported and effectively taught to learn how to identify phishing attacks. Leaders can
help individuals reach their full potential and condition employees to improve their data
protection behaviors (Doyle, 2003). Supporting employees in their individual learning paths and
not associating training with punishment is recommended to create a positive culture and outlook
on phishing training. Utilizing gamification can support security practitioners in designing levels
of achievement for desired behaviors and a reduction in levels gained when an infraction occurs.
Monitoring individual progress supports employees when routine feedback is given to direct
employees toward behavioral modifications and alignment with organizational goals (Clark &
Estes, 2008).
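The dashboard metrics named in the centralized-program paragraph above (click rate, reporting rate, and non-compliant training rate per department) and the points, levels and strike count of the consequence and gamification model in this paragraph can be computed from simulation results. The following Python is an added example, not code from the dissertation or from any product it cites; the record layout, point values, level size and strike window are assumptions, and the sample results are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class SimulationResult:
    """One user's outcome in one simulated phishing campaign.

    The field names are an assumption about what a simulation platform
    exports; adjust them to the real export format.
    """
    user: str
    department: str
    sent_at: datetime
    clicked_at: Optional[datetime] = None   # link opened or attachment downloaded
    reported_at: Optional[datetime] = None  # message sent to the report-phish mailbox
    training_completed: bool = True         # assigned awareness module finished


@dataclass
class DepartmentKpis:
    """Counters behind the three dashboard metrics for one department."""
    sent: int = 0
    clicked: int = 0
    reported: int = 0
    reported_before_click: int = 0   # reports that arrived before any click
    training_incomplete: int = 0

    def rates(self) -> Dict[str, float]:
        n = self.sent or 1  # avoid division by zero for an empty department
        return {
            "click_rate": round(self.clicked / n, 3),
            "reporting_rate": round(self.reported / n, 3),
            "non_compliant_training_rate": round(self.training_incomplete / n, 3),
        }


def department_kpis(results: List[SimulationResult]) -> Dict[str, DepartmentKpis]:
    """Aggregate simulation results into per-department counters."""
    kpis: Dict[str, DepartmentKpis] = defaultdict(DepartmentKpis)
    for r in results:
        k = kpis[r.department]
        k.sent += 1
        if r.clicked_at is not None:
            k.clicked += 1
        if r.reported_at is not None:
            k.reported += 1
            if r.clicked_at is None or r.reported_at < r.clicked_at:
                k.reported_before_click += 1
        if not r.training_completed:
            k.training_incomplete += 1
    return dict(kpis)


# Points-based consequence model: reporting earns points, a click costs points
# and records a strike, and strikes expire so old mistakes are not held against
# a person indefinitely. All values below are assumptions for illustration.
POINTS_REPORT = 10        # reported without clicking
POINTS_SELF_REPORT = 3    # clicked, then reported their own click
POINTS_CLICK = -15        # clicked a simulated link or opened the attachment
LEVEL_SIZE = 10           # points needed per achievement level
STRIKE_WINDOW = timedelta(days=365)


def user_standing(results: List[SimulationResult], user: str,
                  as_of: datetime, max_strikes: int = 3) -> Dict[str, object]:
    """Points, level, active strikes and whether the strike limit is reached."""
    points = 0
    strikes: List[datetime] = []
    for r in sorted((x for x in results if x.user == user), key=lambda x: x.sent_at):
        if r.clicked_at is not None:
            points += POINTS_CLICK
            strikes.append(r.clicked_at)
            if r.reported_at is not None:
                points += POINTS_SELF_REPORT
        elif r.reported_at is not None:
            points += POINTS_REPORT
    active = [s for s in strikes if timedelta(0) <= as_of - s <= STRIKE_WINDOW]
    return {
        "points": points,
        "level": max(points, 0) // LEVEL_SIZE,
        "active_strikes": len(active),
        "strike_limit_reached": len(active) >= max_strikes,
    }


# Constructed sample data: one campaign plus two earlier campaigns for "bob".
_T0 = datetime(2024, 1, 8, 9, 0)
SAMPLE_RESULTS = [
    SimulationResult("alice", "Finance", _T0, reported_at=_T0 + timedelta(minutes=4)),
    SimulationResult("bob", "Finance", _T0, clicked_at=_T0 + timedelta(minutes=2)),
    SimulationResult("carol", "Finance", _T0, training_completed=False),
    SimulationResult("dave", "Ops", _T0, clicked_at=_T0 + timedelta(minutes=1),
                     reported_at=_T0 + timedelta(minutes=9)),
    SimulationResult("erin", "Ops", _T0, reported_at=_T0 + timedelta(minutes=20)),
    SimulationResult("bob", "Finance", _T0 - timedelta(days=400),
                     clicked_at=_T0 - timedelta(days=400)),  # outside the strike window
    SimulationResult("bob", "Finance", _T0 - timedelta(days=100),
                     clicked_at=_T0 - timedelta(days=100)),
]

if __name__ == "__main__":
    for dept, k in department_kpis(SAMPLE_RESULTS).items():
        print(dept, k.rates(), "reported before click:", k.reported_before_click)
    for name in ("alice", "bob", "dave"):
        print(name, user_standing(SAMPLE_RESULTS, name, as_of=_T0 + timedelta(days=1)))
```

The `reported_before_click` counter separates a report that prevented harm from a report made after the click; publishing only the department-level rates on the shared dashboard while keeping `user_standing` results for managers matches the privacy split the text recommends. The expiring strike window is the mechanism that keeps the consequence model from shaming individuals for old behavior.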
The benefits to organizations for improving their cultural settings and models and
educational and motivational programs are the achievement of desired behavioral modifications
(Clark & Estes, 2008) to better identify phishing attacks and protect data. As companies are
motivated to create peace of mind for customers, minimize risk, and abstain from a data breach,
investing in establishing and prioritizing a training and awareness program to educate their
workforce proactively transforms their organization. As organizations motivate and educate their
workforce, they will simultaneously avoid penalties and fees, reputational damage, and loss of
revenue and customers in the event of a data incident or breach.
Limitations and Delimitations
Limitations of the Study
Limitations are the inherent constraints that restrict this research study (Miles, 2019).
Limitations to this study include a small set of participants (13), which may not be representative
of all stakeholders (Clark & Estes, 2008). Participants may not have comprehended the questions
or have distorted perceptions of phishing and misinterpreted the framing of the questions.
Responses from participants were self-reported, and the researcher assumes responses are
truthful statements. Utilizing video instead of in-person interviews and the length of time to
conduct interviews may have limited the candidness of participants. Participant responses may
not fully capture updates in progress for organizational influences at each organization. The
timeframe for gathering participants, conducting interviews, analyzing the results, and presenting
the findings was slightly challenging based on uncontrollable events.
Delimitations of the Study
Delimitations relate to the boundaries and limited scope and are the self-imposed
restrictions of this research study (Miles, 2019). Delimitations include using social media to open
the participant pool to a broad geographical reach of individuals representing all organizational
positions. This research study was delimited to focus on studying phishing perceptions from
individuals in United States financial organizations, and the findings may not be representative
of phishing perceptions in other industries or countries. The research study included 10 open-ended questions, which allowed for discovering insights into areas unknown by the researcher.
The opportunity to obtain detailed information via qualitative research supports the
understanding of complex subjects. This research study was cost-effective as participants
volunteered their time to participate, and the researcher did not travel to conduct interviews.
Recommendations for Future Research
A recommendation for future research includes a quantitative study across the financial
sector to assess employee knowledge in recognizing social engineering. Discovering the
correlation between confidence in identifying generic phishing attacks compared to identifying
advanced phishing attacks utilizing GenAI would support educational models as specific
knowledge gaps in types of social engineering techniques are determined by the study. Another
recommendation for future research includes a study interviewing security practitioners who
deploy phishing training and understanding their qualifications, budgets, practices, security tools,
and challenges with training employees. Additional future research could support discovering
how organizations and security practitioners motivate and educate employees on safeguarding
against phishing. A final recommendation for future research would be a qualitative research
study interviewing executives who were part of a data breach caused by a phishing attack and
understanding their strategic priorities after experiencing a data breach to secure investment in
their training and awareness program and improve employee adoption.
Conclusion
This qualitative research study applied the Clark and Estes (2008) Gap Analysis theoretical
framework to discover knowledge, motivation, and organizational
influences on identifying phishing attacks. Thirteen participants from United States financial
organizations were interviewed to share their experiences and perceptions. As evidenced by this
study, individuals, even those with advanced information security backgrounds, are susceptible
to clicking on phishing links. The findings of this study exposed the significance of
organizational culture, training, and communication for supporting employees in identifying
phishing attacks.
Phishing attacks are substantially rising in the financial sector as cybercriminals increase
in sophistication by leveraging technological advances, including GenAI, and become scalable
and well-funded. Companies are at risk of a data breach and reputational damage, fines, and loss
of customers unless organizational improvements to safeguard data and effectively engage
employees in identifying phishing are implemented. As third parties and regulatory agencies
routinely scrutinize data protection methods and controls, external pressure on security teams
exists to develop effective training and awareness programs.
The cost savings to adequately protect employees, customers, and company data versus
paying out fines and customer credit monitoring are correlated to the maturity of a company’s
information security program and proactive educational model. Uneducated and unmotivated
employees clicking on phishing links or downloading attachments can potentially inflict
significant damage. Safeguarding an organization and designing a security culture “in a proactive
approach is far less costly than the alternative, which is a data incident or breach that not only
can destroy a business but can ruin reputation, credibility, and consumer trust” (Ana, 2020, as
cited in Bernard, 2020, p. 1). Developing a security-aware culture is less expensive compared to
the risk the company accepts if no substantial improvements are made to reduce phishing clicks
across the company.
This dissertation provides a blueprint for action in designing an advanced educational
framework, communications strategy, and cultural model. Whether companies use various
positive reinforcement methods such as competition or rewards to garner engagement in
initiatives or combine consequential models, a carefully designed implementation plan is needed
to educate and motivate a workforce. Companies hire security practitioners who may not be
skilled in delivering training and phishing simulations or versed in how to influence a culture and
engage employees in spotting and preventing attacks. Training security practitioners on how to
develop a strategic training and awareness program is recommended to drive motivation and
educate employees about how social engineers use sophisticated phishing techniques to trick
individuals and obtain sensitive information. Immature cultural models and passive cultural
climates do not support a proactive data protection ecosystem. A weak cultural setting occurs
when established company-wide goals do not include driving down cyber risk and incidents.
When education and communication models continue to be ineffective, resources are not
adequately allocated across the enterprise, and organizations experience immature cultural
models and cultural settings in correlation to inappropriate behaviors, phishing incidents
increase.
The impact of an effective training and awareness program supports the reduction of
successful phishing attacks as employees understand and value their role in safeguarding
information and identifying phishing attacks. A shift in the organizational cultural landscape
from reactive to proactive is needed for employees to embrace security awareness. An
uneducated and unmotivated workforce unaware of how to safeguard against phishing is a
serious risk. Without an emphasis on designing an integrated training and awareness program
supported by leadership with consistent commitment, attempts to influence employees will
remain ineffective.
Individuals who enter the workforce without previous experience with phishing are more
susceptible to phishing attacks because they are unfamiliar with social engineering and ways to
safeguard against phishing. Security education is not a part of K-12 curricula, and individuals
entering the workforce are unaware of how to safeguard data, leaving organizations vulnerable to
phishing attacks. With the cybersecurity industry’s workforce shortage, the need to attract talent
in short supply could not be greater. A paradigm shift in the data protection priorities of
corporations, combined with an increase in state and federal regulations and requirements,
supports the improvement of cybersecurity disparities and promotes equitable outcomes through
the growth of healthy organizational security cultures, which reduces reseated and compounded
problems of organizational misalignment.
External forces either drive or inhibit companies and security professionals in pursuing the
organizational change needed to enact a security-aware culture. As new laws and regulations
become enacted, organizations will need to improve their security posture, strengthen controls,
and identify how to garner critical executive leadership support for designing a sustainable
security training and awareness program that achieves organizational risk tolerance levels. As
leaders invest in a training and awareness program, they will elevate their security posture and
proactively reduce phishing incidents. As security practitioners become versed in effectively
providing training and motivating a populace, they will decrease phishing click rates and reduce
alert fatigue, lessening the overwhelming workloads on their security teams. As individuals are
empowered with the knowledge, skills, and motivation to identify phishing attacks, they will
better protect their company and customers from a data incident or data breach, resulting in a
safer online environment.
References
Alberts, D. S., & Papp, D. S. (1997). The information age: An anthology on its impact and
consequences. Office of the Assistant Secretary of Defense Washington DC Command and
Control Research Program (CCRP). https://apps.dtic.mil/sti/citations/ADA461496
Aldasoro, A., Frost, J., Gambacorta, L., Leach, T., & Whyte, D. (2020). Cyber risk in the financial
sector (Policy Note No. 206). SUERF. https://www.suerf.org/policynotes/18421/cyber-risk-in-the-financial-sector
Alharthi, D. & Regan, A. (2021). A Literature Survey and Analysis on Social Engineering Defense
Mechanisms and Infosec Policies. International Journal of Network Security & Its
Applications, 13(2). https://aircconline.com/ijnsa/V13N2/13221ijnsa04.pdf
Alkhalil, Z., Hewage, C., Nawaf, L., & Khan, I. (2021). Phishing Attacks: A Recent Comprehensive
Study and a New Anatomy. Frontiers in Computer Science 3, 2624-9898.
https://www.frontiersin.org/articles/10.3389/fcomp.2021.563060/full
Almazkyzy, & Esteusizov, Y. N. (2018). The essence and content of cybercrime in modern times.
Journal of Advanced Research in Law and Economics, 9(3), 834–841.
https://doi.org/10.14505/jarle.v9.3(33).05
Alshaikh, M. (2020). Developing cybersecurity culture to influence employee behavior: A practice
perspective. Computers & Security, 98(2). https://doi.org/10.1016/j.cose.2020.102003
Ambrose, S. A., Bridges, M. W., DiPietro, M., Lovett, M. C., & Norman, M. K. (2010). How
learning works (1st ed.). San Francisco: Jossey-Bass. https://firstliteracy.org/wp-content/uploads/2015/07/How-Learning-Works.pdf
Anderson, L.W., Krathwohl, D.R., Airasian, P.W., Cruikshank, K.A., Mayer, R.E., Pintrich, P.R.,
Raths, J., & Wittrock, M.C. (2001). A taxonomy for learning, teaching, and assessing: A
revision of Bloom's Taxonomy of Educational Objectives (Complete edition). New York:
Longman.
Archibald, J. M., & Renaud, K. (2019). Refining the PoinTER “human firewall” pentesting framework.
Information and Computer Security, 26(4), 575–600.
https://rke.abertay.ac.uk/files/15693517/Archibald_RefiningThePOINTER_Accepted_2019.PDF
Ardia, D. (2010). Free Speech Savior or Shield for Scoundrels: An Empirical Study of Intermediary
Immunity Under Section 230 of the Communications Decency Act. Loyola of Los Angeles
Law Review, 43(2). https://ssrn.com/abstract=1625820
Arvai, J. & Rivers, L. (2014). Effective risk communication. Routledge, Taylor & Francis Group.
Awati, R. (2022). Tailgating (Piggybacking). Tech Target.
https://www.techtarget.com/whatis/definition/tailgating-piggybacking
Bandura, A. (1977). Self-efficacy: Toward a unifying theory of behavioral change. Psychological
Review, 84(2), 191-215. doi-org.libproxy1.usc.edu/10.1037/0033-295X.84.2.191
Bandura, A. (2000). Exercise of human agency through collective efficacy. Current Directions in
Psychological Science, 9, 75–78. https://doi.org/10.1111/1467-8721.00064
Baral, G., & Arachchilage, N. (2019). Building Confidence not to be Phished Through a Gamified
Approach: Conceptualising User's Self-Efficacy in Phishing Threat Avoidance Behaviour.
2019 Cybersecurity and Cyberforensics Conference (CCC), Melbourne, VIC, Australia, 102–110.
https://www.researchgate.net/publication/336257090_Building_Confidence_not_to_be_Phished_Through_a_Gamified_Approach_Conceptualising_User's_Self-Efficacy_in_Phishing_Threat_Avoidance_Behaviour
Baum, K. (2004). Bureau of Justice Statistics. U.S. Department of Justice.
https://static.prisonpolicy.org/scans/bjs/it04.pdf
Berg, H.H. & Hansen, S.E. (2020). The Stock Market Effect of Cybercriminals. An empirical study
of the price effects on US listed companies targeted by a data breach. Norwegian School of
Economics. https://openaccess.nhh.no/nhh-xmlui/bitstream/handle/11250/2736559/masterthesis.pdf?sequence=1
Bernard, A. (2020). Data privacy and data security are not the same. ZDNET.
https://www.zdnet.com/article/data-privacy-and-data-security-are-not-the-same/
Bhardwaj, A., Sapra, V., Kumar, A., Kumar, N., & Arthi, S. (2020). Why is phishing still
successful? Computer Fraud & Security, 9, 15-19.
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7508510/pdf/main.pdf
Biery, M. (2013). 4 Things You Don't Know About Private Companies. Forbes.
https://www.forbes.com/sites/sageworks/2013/05/26/4-things-you-dont-know-about-private-companies/?sh=2d0db215291a
Bischoff, P. (2022). Financial data breaches accounted for 153.3 million leaked records from
January 2018 to June 2022. Comparitech. https://www.comparitech.com/blog/vpnprivacy/financial-data-breaches/
Bloom, B. S., & Krathwohl, D. R. (1956). Taxonomy of educational objectives; the classification of
educational goals by a committee of college and university examiners. Handbook I:
Cognitive Domain. New York, NY; Longmans, Green.
Boyne, S.M. (2018). Data Protection in the United States. The American Journal of Comparative
Law, 66(1), 299-343. https://doi.org/10.1093/ajcl/avy016
Bukamal, H. (2022). Deconstructing insider–outsider researcher positionality. British Journal of Special Education, 49(3), 327–349. https://doi.org/10.1111/1467-8578.12426
Canham, M., Posey, C., & Constantino, M. (2022). Phish Derby: Shoring the Human Shield Through Gamified Phishing Attacks. Frontiers in Education, 6, 807277. https://doi.org/10.3389/feduc.2021.807277
Carpenter, P. (2021). Five Cognitive Biases That Can Threaten Your Cybersecurity Efforts. Forbes. https://www.forbes.com/sites/forbesbusinesscouncil/2021/12/30/five-cognitive-biases-that-can-threaten-your-cybersecurity-efforts/
Carpenter, P. (2022). The five most popular cognitive biases that result in phishing attacks. SC Media. https://www.scmagazine.com/perspective/phishing/the-five-most-popular-cognitive-biases-that-result-in-phishing-attacks
Carroll, F., Adejobi, J. A., & Montasari, R. (2022). How Good Are We at Detecting a Phishing Attack? Investigating the Evolving Phishing Attack Email and Why It Continues to Successfully Deceive Society. SN Computer Science, 3(2), 170. https://doi.org/10.1007/s42979-022-01069-1
Cerf, V. G. (2008). Innovation and the Internet. Research-Technology Management, 51(1), 30–33. https://doi.org/10.1080/08956308.2008.11657482
Chamkar, S. A., Maleh, Y., & Gherabi, N. (2022). The Human Factor Capabilities in Security Operation Center (SOC). EDPACS, 66(1), 1–14. https://doi.org/10.1080/07366981.2021.1977026
Chen, H., & Magramo, K. (2024, February 4). Finance worker pays out $25 million after video call with deepfake 'chief financial officer'. CNN. https://www.cnn.com/2024/02/04/asia/deepfake-cfo-scam-hong-kong-intl-hnk/index.html
Clark, R. E., & Estes, F. (2008). Turning research into results: A guide to selecting the right performance solutions (1st ed.). Charlotte, NC: Information Age Publishing, Inc.
Clark, R. M., & Hakim, S. (Eds.). (2016). Cyber-Physical Security: Protecting Critical Infrastructure at the State and Local Level (Vol. 3). Springer International Publishing AG. https://doi.org/10.1007/978-3-319-32824-9
Cobb, S. (2020). Advancing Accurate & Objective Cybercrime Metrics. Journal of National Security Law & Policy, 10(3), 1–26. https://jnslp.com/wp-content/uploads/2020/05/Advancing-Accurate-and-Objective-Cybercrime-Metrics.pdf
Coulson, T., Mason, M., & Nestler, V. (2018). Cyber Capability Planning and the Need for an Expanded Cybersecurity Workforce. Communications of the IIMA, 16(2), 1–11.
Cremer, F., Sheehan, B., Fortmann, M., Kia, A. N., Mullins, M., Murphy, F., & Materne, S. (2022). Cyber risk and cybersecurity: a systematic review of data availability. The Geneva Papers on Risk and Insurance: Issues and Practice, 47(3), 698–736. https://doi.org/10.1057/s41288-022-00266-6
Creswell, J. W. (2013). Research Design: Qualitative, Quantitative, and Mixed Methods Approaches (4th ed.). London: SAGE Publications, Inc.
Creswell, J. W., & Creswell, J. D. (2018). Research design: Qualitative, quantitative, and mixed methods approaches (5th ed.). Thousand Oaks, CA: Sage Publications.
Cybersecurity and Infrastructure Security Agency. (2015). Financial Services Sector-Specific Plan. https://www.cisa.gov/sites/default/files/publications/nipp-ssp-financial-services-2015-508.pdf
Cybersecurity and Infrastructure Security Agency. (2021). Avoiding Social Engineering and Phishing Attacks. https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks
Cybersecurity and Infrastructure Security Agency. (2022). Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) Fact Sheet. https://www.cisa.gov/sites/default/files/2023-01/CIRCIA_07.21.2022_Factsheet_FINAL_508%20c.pdf
Cybersecurity and Infrastructure Security Agency. (2023). Teach Employees to Avoid Phishing. https://www.cisa.gov/secure-our-world/teach-employees-avoid-phishing
Cybersecurity and Infrastructure Security Agency. (2023, May 7). The Attack on Colonial Pipeline: What We've Learned & What We've Done Over the Past Two Years [Press release]. https://www.cisa.gov/news-events/news/attack-colonial-pipeline-what-weve-learned-what-weve-done-over-past-two-years
Cybersecurity and Infrastructure Security Agency. (2024). General Information. https://www.cisa.gov/stopransomware/general-information
Doran, G. T. (1981). There's a S.M.A.R.T. Way to Write Management's Goals and Objectives. Management Review, 70(11), 35–36. https://community.mis.temple.edu/mis0855002fall2015/files/2015/10/S.M.A.R.T-Way-Management-Review.pdf
Doyle, C. E. (2003). Work and Organizational Psychology: An introduction with attitude. Psychology Press.
Dreibelbis, E. (2023). Samsung Software Engineers Busted for Pasting Proprietary Code Into ChatGPT. PC Magazine. https://www.pcmag.com/news/samsung-software-engineers-busted-for-pasting-proprietary-code-into-chatgpt
Dubnick, M. (2014). Accountability as a cultural keyword. In M. Bovens, R. E. Goodin, & T. Schillemans (Eds.), The Oxford handbook of public accountability. Oxford: Oxford University Press.
Eccles, J. S., & Wigfield, A. (1995). In the mind of the actor: The structure of adolescents' achievement task values and expectancy-related beliefs. Personality and Social Psychology Bulletin, 21(3), 215–225. https://doi.org/10.1177/0146167295213003
Eisenbach, T., Kovner, A., & Lee, M. (2021). Cyber Risk and the U.S. Financial System: A Pre-Mortem Analysis (Staff Report No. 909). Federal Reserve Bank of New York. https://www.newyorkfed.org/medialibrary/media/research/staff_reports/sr909.pdf
Elliot, A. J., Dweck, C. S., & Yeager, D. S. (Eds.). (2017). Handbook of competence and motivation: Theory and application (2nd ed.). New York: Guilford Press.
Elliott, R., & Timulak, L. (2021). Essentials of Descriptive-interpretive qualitative research: A generic approach. American Psychological Association.
EY. (2019). Is cybersecurity about more than protection? EY Global Information Security Survey 2018–19. https://assets.ey.com/content/dam/ey-sites/ey-com/en_ca/topics/advisory/ey-global-information-security-survey-2018-19.pdf
Faller, P., Lundgren, H., & Marsick, V. (2020). Overview: Why and how does reflection matter in workplace learning? Advances in Developing Human Resources, 22(3), 248–263. https://doi.org/10.1177/1523422320927295
Fazzini, K. (2019). Cybercrime organizations work just like any other business: Here's what they do each day. CNBC. https://www.cnbc.com/2019/05/05/heres-what-cybercriminals-do-during-the-workday.html
Federal Bureau of Investigation. (2010). Smishing and Vishing and Other Cyber Scams to Watch Out For This Holiday. https://archives.fbi.gov/archives/news/stories/2010/november/cyber_112410/cyber_112410
Federal Bureau of Investigation. (2018). The Morris Worm: 30 Years Since First Major Attack on the Internet. https://www.fbi.gov/news/stories/morris-worm-30-years-since-first-major-attack-on-internet-110218
Federal Bureau of Investigation. (2022). Internet Crime Report 2022. https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf
Federal Bureau of Investigation. (2023). Spoofing and Phishing. https://www.fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/common-scams-and-crimes/spoofing-and-phishing
Federal Bureau of Investigation. (2023). The Cyber Threat. https://www.fbi.gov/investigate/cyber
Federal Trade Commission. (2018). Privacy & Data Security Update: 2018. https://www.ftc.gov/system/files/documents/reports/privacy-data-security-update-2018/2018-privacy-data-security-report-508.pdf
Federal Trade Commission. (2019, July 24). FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook [Press release]. https://www.ftc.gov/news-events/news/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions-facebook
Federal Trade Commission. (2022). How To Recognize and Avoid Phishing Scams. https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams
Federal Trade Commission. (2023). How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act. https://www.ftc.gov/business-guidance/resources/how-comply-privacy-consumer-financial-information-rule-gramm-leach-bliley-act
Federal Trade Commission. (2023). Protecting Consumers' Financial Privacy. https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security/financial-privacy
Federal Trade Commission. (2023, December). Scammers hide harmful links in QR codes to steal your information. https://consumer.ftc.gov/consumer-alerts/2023/12/scammers-hide-harmful-links-qr-codes-steal-your-information
Federal Trade Commission. (2023). Understanding the NIST cybersecurity framework. https://www.ftc.gov/business-guidance/small-businesses/cybersecurity/nist-framework
Financial Services Information Sharing and Analysis Center. (2023). Safeguarding the Global Financial System by Reducing Cyber Risk. https://www.fsisac.com/
Frenken, P. (2020). Why Build a Cybersecurity Culture? ISACA. https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2020/why-build-a-cybersecurity-culture
Fruhlinger, J. (2022). Defense in depth explained: Layering tools and processes for better security. CSO Online. https://www.csoonline.com/article/3667476/defense-in-depth-explained-layering-tools-and-processes-for-better-security.html
Gibbs, G. R. (2018). Analyzing qualitative data (Vol. 6). Sage.
Gil, M. (2022). My Employees are Clicking on Phishing Emails… What Do I Do Now? CybeReady. https://cybeready.com/my-employees-are-clicking-on-phishing-emails
Gillin, P. (2023). The history of phishing. Verizon. https://www.verizon.com/business/resources/articles/s/the-history-of-phishing/
Godlasky, A. (2022). American Data Privacy and Protection Act (ADPPA) Didn't Pass But Got Further Than Ever. National Press Foundation. https://nationalpress.org/topic/data-privacy-act-adppa-us-lacks-law-eu-standard/
Gordon, S. (2011). Statement before the House Financial Services Committee, Subcommittee on Financial Institutions and Consumer Credit. https://archives.fbi.gov/archives/news/testimony/cyber-security-threats-to-the-financial-sector
Grant, A., & Shandell, M. (2022). Social Motivation at Work: The Organizational Psychology of Effort for, Against, and with Others. Annual Review of Psychology, 73(1), 301–326.
Gupta, A., Maynard, S., & Ahmed, A. (2019). The Dark Web Phenomenon: A Review and Research Agenda. Australasian Conference on Information Systems. https://arxiv.org/ftp/arxiv/papers/2104/2104.07138.pdf
Hall, A. T., Frink, D. D., & Buckley, M. R. (2017). An accountability account: A review and synthesis of the theoretical and empirical research on felt accountability. Journal of Organizational Behavior, 38(2), 204–224.
Harshman, E. F., & Harshman, C. L. (1999). Communicating With Employees: Building on an Ethical Foundation. Journal of Business Ethics, 19, 3–19. https://doi.org/10.1023/A:1006141704179
Hartford, I. (2021). The history and evolution of ransomware. TechTarget. https://www.techtarget.com/searchsecurity/feature/The-history-and-evolution-of-ransomware
Healy, A. F., & Bourne, L. E. (2012). Training Cognition: Optimizing Efficiency, Durability, and Generalizability (1st ed.). Psychology Press. https://doi.org/10.4324/9780203816783
Henriquez, M. (2022). $4.35 million: The average cost of a data breach. Security Magazine. https://www.securitymagazine.com/articles/98486-435-million-the-average-cost-of-a-data-breach
Hentschke, G. C., & Wohlstetter, P. (2004). Cracking the code of accountability. University of Southern California Urban Education.
Herjavec, R. (2019). Cybersecurity CEO: The History Of Cybercrime, From 1834 To Present. Cybercrime Magazine. https://cybersecurityventures.com/cybersecurity-ceo-the-history-of-cybercrime-from-1834-to-present/
IANS Research. (2022, May 5). How to Deal with Individuals Who Repeatedly Fail Phishing Simulations. https://www.iansresearch.com/resources/all-blogs/post/security-blog/2022/05/05/how-to-deal-with-individuals-who-repeatedly-fail-phishing-simulations
IAPP. (2024). U.S. State Privacy Legislation Tracker. https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
IBM Security. (2022). Cost of a Data Breach Report 2022. https://www.ibm.com/downloads/cas/3R8N1DZJ
ISC2. (2017). 2017 Global Information Security Workforce Study: Innovation Through Inclusion. https://www.isc2.org/-/media/Project/ISC2/Main/Media/documents/research/Innovation-Through-Inclusion-Report.pdf
ISC2. (2022). 2022 Cybersecurity Workforce Study. https://www.isc2.org/-/media/Project/ISC2/Main/Media/documents/research/ISC2-Cybersecurity-Workforce-Study.pdf
International Organization for Standardization. (2024). ISO/IEC 27001: Information Security Management Systems. https://www.iso.org/standard/27001
Jahankhani, H., Hosseinian-Far, A., & Al-Nemrat, A. (2014). Cyber crime Classification and Characteristics. In Cyber Crime and Cyber Terrorism Investigator's Handbook (pp. 149–164). https://www.researchgate.net/publication/280488873_Cyber_crime_Classification_and_Characteristics
Jain, P., Gyanchandani, M., & Khare, N. (2016). Big data privacy: a technological perspective and review. Journal of Big Data, 3, 25. https://doi.org/10.1186/s40537-016-0059-y
Jampen, D., Gür, G., Sutter, T., & Tellenbach, B. (2020). Don't click: Towards an effective anti-phishing training. A comparative literature review. Human-centric Computing and Information Sciences, 10(1), 1–41. https://doi.org/10.1186/s13673-020-00237-7
Jang-Jaccard, J., & Nepal, S. (2014). A survey of emerging threats in cybersecurity. Journal of Computer and System Sciences, 80(5), 973–993. https://www.sciencedirect.com/science/article/pii/S0022000014000178
Jansson, K., & von Solms, R. (2013). Phishing for phishing awareness. Behaviour & Information Technology, 32(6), 584–593. https://doi.org/10.1080/0144929X.2011.632650
Jewkes, Y., & Yar, M. (Eds.). (2010). Handbook of internet crime. Willan Publishing.
Kassa, S. (2016). Information Systems Security Audit: An Ontological Framework. ISACA Journal, 5. https://www.isaca.org/resources/isaca-journal/issues/2016/volume-5/information-systems-security-audit-an-ontological-framework
Keating, E., & Jarvenpaa, S. (2016). Words Matter: Communicating Effectively in the New Global Office (1st ed.). University of California Press.
Kirkpatrick, J. D., & Kirkpatrick, W. K. (2016). Kirkpatrick's four levels of training evaluation. Association for Talent Development.
Kopp, E., & Kaffenberger, L. (2019, September 30). Cyber Risk Scenarios, the Financial System, and Systemic Risk Assessment. Carnegie Endowment for International Peace. https://carnegieendowment.org/2019/09/30/cyber-risk-scenarios-financial-system-and-systemic-risk-assessment-pub-79911
Kost, E. (2023). 10 Biggest Data Breaches in Finance. UpGuard. https://www.upguard.com/blog/biggest-data-breaches-financial-services
Kotter, J. P. (2012). Leading Change. Boston: Harvard Business Press.
Kraiger, K., & Ford, J. K. (2021). The Science of Workplace Instruction: Learning and Development Applied to Work. Annual Review of Organizational Psychology and Organizational Behavior, 8(1), 45–72. https://www.annualreviews.org/content/journals/10.1146/annurev-orgpsych-012420-060109
Krathwohl, D. R. (2002). A revision of Bloom's Taxonomy: An overview. Theory Into Practice, 41(4), 212–218. https://doi.org/10.1207/s15430421tip4104_2
Krishnan, A. (2023). Generative AI is making phishing attacks more dangerous. TechTarget. https://www.techtarget.com/searchsecurity/tip/Generative-AI-is-making-phishing-attacks-more-dangerous
Lennon, M. (2023). Cybersecurity Leaders Spooked by SEC Lawsuit Against SolarWinds CISO. SecurityWeek. https://www.securityweek.com/cisos-spooked-by-sec-lawsuit-against-solarwinds-ciso/
Leonhardt, M. (2019). 'Nigerian prince' email scams still rake in over $700,000 a year. Here's how to protect yourself. CNBC. https://www.cnbc.com/2019/04/18/nigerian-prince-scams-still-rake-in-over-700000-dollars-a-year.html
Li, Y., & Liu, Q. (2021). A comprehensive review study of cyber-attacks and cyber security; Emerging trends and recent developments. Energy Reports, 7, 8176–8186. https://www.sciencedirect.com/science/article/pii/S2352484721007289
MacRae, I., Ojha, R., Smith, E., Krawczyk, D., Berk, M., & Eyre, H. A. (2022). Cybercriminal Exploitation of Cognitive Biases: A Brain Capital Perspective. Psychiatric Times. https://centerforbrainhealth.org/article/cybercriminal-exploitation-of-cognitive-bias
McDowell, M. (2019). Protecting Portable Devices: Physical Security. Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/news-events/news/protecting-portable-devices-physical-security
McLean, C. (2022). When was the internet invented? What to know about the creators of it and more. USA Today. https://www.usatoday.com/story/tech/2022/08/28/when-was-internet-created-who-invented-it/10268999002/
Merriam, S. B., & Tisdell, E. J. (2016). Qualitative research: A guide to design and implementation (4th ed.). San Francisco: Jossey-Bass.
Miles, D. A. (2019). Research Methods and Strategies: Let's Stop the Madness Part 2: Understanding the Difference Between Limitations vs. Delimitations. ResearchGate. https://www.researchgate.net/publication/334279571_ARTICLE_Research_Methods_and_Strategies_Let's_Stop_the_Madness_Part_2_Understanding_the_Difference_Between_Limitations_vs_Delimitations
Mishra, S. (2023). Exploring the Impact of AI-Based Cyber Security Financial Sector Management. Applied Sciences, 13(10), 5875. https://doi.org/10.3390/app13105875
Montañez, R., Golob, E., & Xu, S. (2020). Human cognition through the lens of social engineering cyberattacks. Frontiers in Psychology, 11, 1755. https://www.frontiersin.org/journals/psychology/articles/10.3389/fpsyg.2020.01755/full
Moramarco, S. (2019). Phishing attacks in the banking industry. Infosec Institute. https://resources.infosecinstitute.com/topic/phishing-banking-industry/
Morgan, S. (2020). Cybercrime To Cost The World $10.5 Trillion Annually By 2025. Cybercrime Magazine. https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/
Musheke, M., & Phiri, J. (2021). The Effects of Effective Communication on Organizational Performance Based on the Systems Theory. Open Journal of Business and Management, 9(2). https://www.scirp.org/pdf/ojbm_2021031715203254.pdf
Nagel, J. (2012). Knowledge and Reliability. In H. Kornblith & B. McLaughlin (Eds.), Alvin Goldman and his Critics (pp. 237–256). Oxford: Blackwell. https://philpapers.org/archive/NAGKAR.pdf
National Center for Education Statistics. (2023). Safeguarding your technology. Chapter 10: Training: A Necessary Investment in Staff. U.S. Department of Education. https://nces.ed.gov/pubs98/safetech/chapter10.asp
National Cybersecurity Alliance. (2024). Data Privacy Week. https://staysafeonline.org/programs/data-privacy-week/about/
National Cyber Security Centre. (2024). Phishing attacks: defending your organisation. https://www.ncsc.gov.uk/guidance/phishing
National Institute of Standards and Technology. (2003). Building an Information Technology Security Awareness and Training Program (NIST Special Publication 800-50). https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-50.pdf
National Institute of Standards and Technology. (2018). Framework for Improving Critical Infrastructure Cybersecurity (Version 1.1). https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
National Institute of Standards and Technology. (2019). Trustworthy Email (NIST Special Publication 800-177 Rev. 1). https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-177r1.pdf
National Institute of Standards and Technology. (2023). Glossary. https://csrc.nist.gov/glossary
National Institute of Standards and Technology. (2023). History and Creation of the Framework. https://www.nist.gov/cyberframework/online-learning/history-and-creation-framework
National Institute of Standards and Technology. (2023). NIST Phish Scale (NIST Technical Note 2276). https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2276.pdf
National Institute of Standards and Technology. (2023). Organizational Culture. https://www.nist.gov/baldrige/self-assessing/improvement-tools/job-quality-toolkit/organizational-culture
National Institute of Standards and Technology. (2023). Security and Privacy Controls for Information Systems and Organizations (NIST Special Publication 800-53, Revision 5). https://csrc.nist.gov/CSRC/media/Projects/risk-management/800-53%20Downloads/800-53r5/SP_800-53_v5_1-derived-OSCAL.pdf
National Institute of Standards and Technology. (2024). Cybersecurity Awareness Month. https://www.nist.gov/cybersecurity/cybersecurity-awareness-month
National Institute of Standards and Technology. (2024). The NIST Cybersecurity Framework (CSF) 2.0 (NIST CSWP 29). https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf
New York State Department of Financial Services. (2023). Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500. https://www.dfs.ny.gov/industry_guidance/cybersecurity
Office of the Comptroller of the Currency. (2023). Privacy. https://www.occ.treas.gov/topics/consumers-and-communities/consumer-protection/privacy/index-privacy.html
Office of the Director of National Intelligence. (2023). Annual Threat Assessment of the U.S. Intelligence Community. https://www.dni.gov/files/ODNI/documents/assessments/ATA-2023-Unclassified-Report.pdf
Payment Card Industry Security Standards Council. (2024). PCI DSS Security Standard. https://www.pcisecuritystandards.org/document_library/
Peisert, S., Schneier, B., Okhravi, H., Massacci, F., Benzel, T., Landwehr, C., Mannan, M., Mirkovic, J., Prakash, A., & Michael, J. B. (2021). Perspectives on the SolarWinds Incident. IEEE Security & Privacy, 19(2), 7–13. https://ieeexplore.ieee.org/document/9382367
Pendergast, T. (2021). Strengthening your security culture: Does the "fear factor" approach really work? Security Magazine. https://www.securitymagazine.com/articles/94850-strengthening-your-security-culture-does-the-fear-factor-approach-really-work
Podolskij, A. (2012). Zone of Proximal Development. ResearchGate. https://www.researchgate.net/publication/278641381_Zone_of_Proximal_Development
Poston, H. (2021). Overview: Understanding SOC compliance: SOC 1 vs. SOC 2 vs. SOC 3. Infosec Institute. https://www.infosecinstitute.com/resources/management-compliance-auditing/overview-understanding-soc-compliance-soc-1-vs-soc-2-vs-soc-3/
Pratt, M. (2022). How to prepare for a SOC 2 audit: it's a big deal, so you'd better get ready. CSO Online. https://www.csoonline.com/article/3678849/how-to-prepare-for-a-soc2-audit-it-s-a-big-deal-so-you-d-better-get-ready.html
Puyt, R. W., Lie, F. B., & Wilderom, C. P. M. (2023). The origins of SWOT analysis. Long Range Planning, 56(3), 102304. https://doi.org/10.1016/j.lrp.2023.102304
Ravitch, S. M., & Carl, N. M. (2019). Qualitative research: Bridging the conceptual, theoretical, and methodological (2nd ed.). Sage.
Regenscheid, A., & Galluzzo, R. (2023). Phishing Resistance: Protecting the Keys to Your Kingdom. National Institute of Standards and Technology. https://www.nist.gov/blogs/cybersecurity-insights/phishing-resistance-protecting-keys-your-kingdom
Robinson, S. B., & Firth Leonard, K. (2019). Designing quality survey questions (1st ed.). Los Angeles, CA: Sage.
Romanosky, S. (2016). Examining the costs and causes of cyber incidents. Journal of Cybersecurity, 2(2), 121–135. https://doi.org/10.1093/cybsec/tyw001
Rueda, R. (2011). The 3 dimensions of improving student performance (1st ed.). New York: Teachers College Press.
Sabillon, R., Cano, J., Cavaller, V., & Serra, J. (2016). Cybercrime and cybercriminals: A comprehensive study. International Journal of Computer Networks and Communications Security, 4(6), 165–176.
SANS Institute. (2022). Security Policy Templates. https://www.sans.org/information-security-policy/
Sapienza, Z. S., Iyer, N., & Veenstra, A. S. (2015). Reading Lasswell's Model of Communication Backward: Three Scholarly Misconceptions. Mass Communication & Society, 18(5), 599–622. https://doi.org/10.1080/15205436.2015.1063666
Schunk, D. H., & Usher, E. L. (2019). Social Cognitive Theory and Motivation. In R. M. Ryan (Ed.), The Oxford Handbook of Human Motivation (2nd ed.). Oxford University Press. https://doi.org/10.1093/oxfordhb/9780190666453.013.2
Schwartz, M. (2022). Financial Services Was Among Most-Breached Sectors in 2022. BankInfoSecurity. https://www.bankinfosecurity.com/financial-services-was-among-most-breached-sectors-in-2022-a-20760
Searle, K. (2017). Sociocultural theory. In K. Peppler (Ed.), The SAGE Encyclopedia of Out-of-School Learning (pp. 728–732). SAGE Publications, Inc. https://doi.org/10.4135/9781483385198.n279
Secules, S., McCall, C., Mejia, J. A., Beebe, C., Masters, A. S., Sánchez-Peña, M. L., & Svyantek, M. (2021). Positionality practices and dimensions of impact on equity research: A collaborative inquiry and call to the community. Journal of Engineering Education, 110(1), 19–43. https://doi.org/10.1002/jee.20377
Seker, E. (2020). Defense-In-Depth. Medium. https://medium.datadriveninvestor.com/defense-in-depth-d6c070eac12d
Sen, R. (2021). Here's how much your personal information is worth to cybercriminals, and what they do with it. PBS. https://www.pbs.org/newshour/science/heres-how-much-your-personal-information-is-worth-to-cybercriminals-and-what-they-do-with-it
Shoback, J. (2023). Data Privacy Vs. Data Security: Four Implications For Business Leaders. Forbes. https://www.forbes.com/sites/forbesbusinesscouncil/2023/01/09/data-privacy-vs-data-security-four-implications-for-business-leaders/
Snow, G. (2011). Statement before the House Financial Services Committee, Subcommittee on Financial Institutions and Consumer Credit. Federal Bureau of Investigation. https://archives.fbi.gov/archives/news/testimony/cyber-security-threats-to-the-financial-sector
Sonowal, G. (2021). Phishing and Communication Channels: A Guide to Identifying and Mitigating Phishing Attacks (1st ed.). Apress.
State of California Department of Justice. (2023). California Consumer Privacy Act (CCPA). Office of the Attorney General. https://oag.ca.gov/privacy/ccpa
Statista. (2024). Number of internet and social media users worldwide as of January 2024. https://www.statista.com/statistics/617136/digital-population-worldwide/
Timberg, C. (2015). A flaw in the design. The Washington Post. https://www.washingtonpost.com/sf/business/2015/05/30/net-of-insecurity-part-1/
Trellix Advanced Research Center. (2022). The Threat Report, Fall 2022. Trellix. https://www.trellix.com/en-us/advanced-research-center/threat-reports/nov-2022.html
Trellix Advanced Research Center. (2023). 2023 Threat Predictions Report. Trellix. https://www.trellix.com/2023-threat-predictions/
United States Census Bureau. (2024). U.S. and World Population Clock. https://www.census.gov/popclock/
United States Department of Defense. (2011). Department of Defense Strategy for Operating in Cyberspace. https://csrc.nist.gov/CSRC/media/Projects/ISPAB/documents/DOD-Strategy-for-Operating-in-Cyberspace.pdf
United States Department of Homeland Security. (2016). Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. https://www.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
United States Department of Homeland Security. (2019). Security Controls. https://fedvte.usalearning.gov/publiccourses/FCRM/course/videos/pdf/FCRM_D02_S03_T01_STEP.pdf
United States Department of Homeland Security. (2021). Risk Management Fundamentals. https://www.dhs.gov/xlibrary/assets/rma-risk-management-fundamentals.pdf
United States Department of Homeland Security. (2023). Homeland Threat Assessment 2024. https://www.dhs.gov/sites/default/files/2023-09/23_0913_ia_23-333-ia_u_homeland-threat-assessment-2024_508C_V6_13Sep23.pdf
United States Environmental Protection Agency. (2024, March 19). Biden-Harris Administration engages states on safeguarding water sector infrastructure against cyber threats [Press release]. https://www.epa.gov/newsreleases/biden-harris-administration-engages-states-safeguarding-water-sector-infrastructure
U.S. Securities and Exchange Commission. (2022, March 9). SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies [Press release]. https://www.sec.gov/news/press-release/2022-39
U.S. Securities and Exchange Commission. (2023). Identity Theft Red Flags Rules. https://www.sec.gov/tm/infosmallbussecgidentity-theft-red-flag-secg
U.S. Securities and Exchange Commission. (2023, October 30). SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures [Press release]. https://www.sec.gov/news/press-release/2023-227
Vazquez, M., Judd, D., Lyngaas, S., & Cohen, Z. (2022). Biden warns business leaders to prepare for Russian cyber attacks. CNN. https://www.cnn.com/2022/03/21/politics/biden-russia-cyber-activity/index.html
Vercic, A., & Spoljaric, A. (2020). Managing internal communication: How the choice of channels affects internal communication satisfaction. Public Relations Review, 46(3), 101926. https://doi.org/10.1016/j.pubrev.2020.101926
Verizon. (2020). 2020 Data Breach Investigations Report. https://www.verizon.com/about/news/verizon-2020-data-breach-investigations-report
Verizon. (2022). 2022 Data Breach Investigations Report. https://www.verizon.com/business/resources/reports/dbir/2022/results-and-analysis-not-the-human-element/
Vygotsky, L. S. (1978). Mind in Society: The Development of Higher Psychological Processes. Harvard University Press.
Walker, B. (2023). 90% Of Boards Are Not Ready For SEC Cyber Regulations. Forbes. https://www.forbes.com/sites/forbestechcouncil/2023/02/06/90-of-boards-are-not-ready-for-sec-cyber-regulations/
Wall, D. S. (Ed.). (2001). Crime and the Internet (1st ed.). Routledge. https://doi.org/10.4324/9780203299180
Wall, D. S. (2015). The Internet as a Conduit for Criminal Activity. In Information Technology and the Criminal Justice System (pp. 77–98). Sage Publications, Inc. https://ssrn.com/abstract=740626
Weintraub, J., Cassell, D., & DePatie, T. P. (2021). Nudging flow through 'SMART' goal setting to decrease stress, increase engagement, and increase performance at work. Journal of Occupational and Organizational Psychology, 94(2), 230–258. https://doi.org/10.1111/joop.12347
Westerlund, M. (2019). The emergence of deepfake technology: A review. Technology Innovation Management Review, 9(11), 39–52. https://doi.org/10.22215/TIMREVIEW/1282
White House. (2023). Budget of the U.S. Government, Fiscal Year 2024. https://www.whitehouse.gov/wp-content/uploads/2023/03/budget_fy2024.pdf
White House. (2023). National Cybersecurity Strategy. https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf
Wigfield, A., & Eccles, J. S. (1992). The development of achievement task values: A theoretical
analysis. Developmental Review, 12(3), 265–310. https://doi.org/10.1016/0273-2297(92)90011-P
Wiggers, K. (2023). OpenAI connects ChatGPT to the internet. Tech Crunch.
https://techcrunch.com/2023/03/23/openai-connects-chatgpt-to-the-internet/
Williams, B. K. (2023). Biden to private sector: Cybersecurity is your responsibility-not the user’s.
Bulletin of the Atomic Scientists. https://thebulletin.org/2023/05/biden-to-private-sector-cybersecurity-is-your-responsibility-not-the-users/
Williams, E. J., Hinds, J., & Joinson, A.N. (2018). Exploring susceptibility to phishing in the
workplace. International Journal of Human-Computer Studies, 120(1), 1-13.
https://doi.org/10.1016/j.ijhcs.2018.06.004
World Economic Forum. (2023). Cybersecurity in this era of polycrisis.
https://www.weforum.org/agenda/2023/02/cybersecurity-in-an-era-of-polycrisis/
World Health Organization. (2024). Beware of criminals pretending to be WHO.
https://www.who.int/about/cyber-security
Wright, G. (2023). What is Dumpster Diving? Tech Target.
https://www.techtarget.com/searchsecurity/definition/dumpster-diving
Zuopeng, Z., He, W., Li, W., & Abdous, M. (2021). Cybersecurity awareness training programs: A
cost–benefit analysis framework. Industrial Management & Data Systems, 121(3), 613-636.
https://doi.org/10.1108/IMDS-08-2020-0462
Appendix A
Interview Protocol

Columns: Interview Question | Potential Probes | RQ | Key Concept

1. What is phishing? | Describe your knowledge about phishing before joining your company. | 1 | Knowledge (Factual)
2. Can you walk me through the steps of what to look for to identify a suspicious email? | Can you describe what makes emails suspicious? | 1 | Knowledge (Conceptual)
3. How have your phishing knowledge and skills improved (if any) since working at your organization? | How have you spotted or reported more suspicious emails (if any)? | 1 | Knowledge (Conceptual)
4. What do you do after you receive a suspicious email? | (none) | 1 | Knowledge (Procedural)
5. What about the topic of phishing do you understand, and what parts about phishing would you like to know more about? | What is it about understanding phishing that makes you feel that way? | 1 | Knowledge (Metacognitive)
6. Describe your confidence in being able to spot a phishing email. | What factors influenced your level of confidence (or lack thereof)? | 1 | Motivation (Self-efficacy)
7. Please describe your perspective on whether any positive reinforcements/incentives, or consequences, for not clicking on phishing links have been beneficial. | Do you believe any incentives or consequences would be beneficial (if so, please describe)? | 1 | Motivation (Value)
8. What do you believe would help you feel more confident in your ability to identify a phishing email? | (none) | 1, 2 | Motivation and Organization
9. Describe any communications you have received at your company regarding anti-phishing campaigns. | Describe your ideal style of continued communications to protect against phishing. | 2 | Organization
10. What do you think the company could do to improve phishing training? | Describe what resources are needed to educate employees about phishing. | 2 | Organization
Asset Metadata
Creator: Ana, Lili (author)
Core Title: A research study of employee perceptions on identifying phishing attacks in financial organizations
School: Rossier School of Education
Degree: Doctor of Education
Degree Program: Organizational Change and Leadership (On Line)
Degree Conferral Date: 2024-05
Publication Date: 04/22/2024
Defense Date: 04/19/2024
Publisher: University of Southern California, Los Angeles, California (original); University of Southern California. Libraries (digital)
Tag: Communication, culture, cyber threat landscape, cybersecurity, education, effective training, financial organization, information security, motivation, OAI-PMH Harvest, organization, phishing, phishing attacks, security program, social engineering, Training
Format: theses (aat)
Language: English
Contributor: Electronically uploaded by the author (provenance)
Advisor: Muraszewski, Alison (committee chair); Hyde, Corinne (committee member); Moore, Ekaterina (committee member)
Creator Email: lilia@usc.edu, lilianaauthor@gmail.com
Permanent Link (DOI): https://doi.org/10.25549/usctheses-oUC113889810
Unique identifier: UC113889810
Identifier: etd-AnaLili-12842.pdf (filename)
Legacy Identifier: etd-AnaLili-12842
Document Type: Dissertation
Rights: Ana, Lili
Internet Media Type: application/pdf
Type: texts
Source: 20240422-usctheses-batch-1143 (batch); University of Southern California (contributing entity); University of Southern California Dissertations and Theses (collection)
Access Conditions: The author retains rights to his/her dissertation, thesis or other graduate work according to U.S. copyright law. Electronic access is being provided by the USC Libraries in agreement with the author, as the original true and official version of the work, but does not grant the reader permission to use the work if the desired use is covered by copyright. It is the author, as rights holder, who must provide use permission if such use is covered by copyright.
Repository Name: University of Southern California Digital Library
Repository Location: USC Digital Library, University of Southern California, University Park Campus MC 2810, 3434 South Grand Avenue, 2nd Floor, Los Angeles, California 90089-2810, USA
Repository Email: cisadmin@lib.usc.edu