Employees’ Behavior in Phishing Attacks: What Individual, Organizational, and Technological Factors Matter?
Journal of Computer Information Systems (IF 2.5), Pub Date: 2020-10-29, DOI: 10.1080/08874417.2020.1812134
Hamidreza Shahbaznezhad 1 , Farzan Kolini 1 , Mona Rashidirad 2

ABSTRACT

Phishing, as a social engineering attack, has become an increasing threat to organizations in cyberspace. To prevent this, a well-designed continuous security training and educational program needs to be established and enforced in organizations. Prior studies have focused on phishing attacks from a limited view of technology countermeasures, e-mail characteristics, information processing, and securing individuals’ behaviors to tackle existing gaps. In this research, we developed a theoretical model of factors that influence users in the clicking of phishing e-mails from a broader Socio-Technical perspective. We applied Protection Motivation Theory (PMT) and habit theory for investigating individual factors, and Theory of Planned Behavior (TPB) and Deterrence Theory for investigating organizational and technological factors, accordingly. The findings revealed that habit and protective countermeasures positively affect clicking on phishing e-mails, whereas no effect of the procedural countermeasures was evident. The results of this study can be used to design phishing simulation exercises and embedded training for vulnerable employees.




Updated: 2020-10-29