Improving Organizational Resilience to Phishing: A Cluster Randomized Field Experiment with Embedded Microlearning

Authors

  • Retno Danu Rusmawati Universitas PGRI Adi Buana
  • Karno Diantoro Sekolah Tinggi Manajemen Ilmu Komputer Mercusuar
  • Boy Firmansyah Institut Bisnis dan Informatika (IBI) Kosgoro 1957

DOI:

https://doi.org/10.61978/data.v3i1.948

Keywords:

Phishing, Security Awareness, Microlearning, Resilience Factor, Field Experiment, Human Error, NIST Phish Scale

Abstract

Phishing remains one of the most prevalent cybersecurity threats worldwide, and human error is increasingly treated as the primary attack vector. This study investigates whether structured security awareness training built on embedded microlearning, periodic reinforcement, and difficulty-calibrated phishing simulations can reduce susceptibility to phishing and improve organizational resilience. In a cluster randomized field experiment, the intervention was rolled out across multiple business units. Participants received an initial training module (30–60 minutes), followed by booster sessions every 3–4 months. Simulated phishing emails, rated for difficulty with the NIST Phish Scale, were sent to measure failure, reporting, and credential-submission rates. The resilience factor, defined as reporting rate divided by failure rate, was introduced as a composite behavioral metric. Statistical analyses used generalized linear mixed models (GLMMs) for repeated binary outcomes and survival models for latency (time-to-report) behaviors. The training significantly lowered failure rates (from 11.2% to 7.5%), doubled reporting rates (from 14% to 28%), and raised the resilience factor from 1.2 to 3.7. Time-to-report metrics indicated faster user response, and stratified analysis showed the largest gains among newer and non-technical employees. Real-world phishing incident rates declined after the intervention, and the decline correlated with training engagement. These results support the durable impact of calibrated, behavior-driven awareness programs. In conclusion, the study offers a scalable, ethical, and statistically grounded approach to phishing risk mitigation; by emphasizing performance metrics such as the resilience factor, it supports integrating adaptive training strategies into broader cybersecurity frameworks.
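The abstract defines the resilience factor as reporting rate divided by failure rate and reports per-cohort and time-to-report results alongside it. The following is an added worked example, not code from the paper or its authors, showing how a security team would compute those campaign metrics from a simulated-phishing event log. The record layout (`Recipient`), the tenure buckets, and the ten-row sample log are constructed for illustration; the paper does not publish its data format. Two assumptions are made explicit in the code: a recipient who both clicked and reported counts toward both rates (the abstract does not say how such cases were handled), and the resilience factor is left undefined rather than forced to a number when a cohort has no failures, since a ratio with a zero denominator would otherwise inflate small groups.

```python
"""Campaign metrics for phishing simulations: failure, submission, report rates,
resilience factor (report_rate / failure_rate) and median time-to-report.
Added example; the record format and sample data are constructed, not the paper's."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional


@dataclass
class Recipient:
    """One delivery of a simulated phish (assumed layout of a platform export)."""
    user: str
    unit: str
    tenure: str                               # assumed buckets: "new" (<1 year) or "established"
    sent_at: datetime
    clicked_at: Optional[datetime] = None     # followed the lure link
    submitted_at: Optional[datetime] = None   # entered credentials on the landing page
    reported_at: Optional[datetime] = None    # used the report-phish button


@dataclass
class Metrics:
    n: int
    failure_rate: float                       # clicked or submitted, over all recipients
    submission_rate: float                    # submitted credentials, over all recipients
    report_rate: float                        # reported, over all recipients
    resilience: Optional[float]               # report_rate / failure_rate; None if no failures
    median_minutes_to_report: Optional[float]  # latency of reporters only; None if nobody reported


def compute_metrics(rows: List[Recipient]) -> Metrics:
    """Aggregate one cohort. Assumption: a user who clicks and later reports
    is counted in both the failure and the report numerator."""
    n = len(rows)
    if n == 0:
        raise ValueError("cohort has no recipients")
    failed = sum(1 for r in rows if r.clicked_at or r.submitted_at)
    submitted = sum(1 for r in rows if r.submitted_at)
    reported = sum(1 for r in rows if r.reported_at)
    failure_rate = failed / n
    report_rate = reported / n
    # Zero failures make the ratio undefined; do not silently substitute a value.
    resilience = report_rate / failure_rate if failed else None
    latencies = [(r.reported_at - r.sent_at).total_seconds() / 60.0
                 for r in rows if r.reported_at]
    return Metrics(n, failure_rate, submitted / n, report_rate, resilience,
                   median(latencies) if latencies else None)


def stratify(rows: List[Recipient], key: str) -> Dict[str, Metrics]:
    """Per-cohort metrics keyed by a Recipient attribute, e.g. "unit" or "tenure"."""
    groups: Dict[str, List[Recipient]] = defaultdict(list)
    for r in rows:
        groups[getattr(r, key)].append(r)
    return {k: compute_metrics(v) for k, v in sorted(groups.items())}


# Constructed sample log: every email sent at T0, event times as offsets in minutes.
T0 = datetime(2024, 5, 6, 9, 0)
_m = lambda minutes: T0 + timedelta(minutes=minutes)  # noqa: E731
SAMPLE_LOG = [
    Recipient("alice", "sales", "new", T0, clicked_at=_m(5), submitted_at=_m(6)),
    Recipient("bob", "sales", "new", T0, reported_at=_m(12)),
    Recipient("carol", "sales", "established", T0),
    Recipient("dave", "sales", "established", T0, reported_at=_m(3)),
    Recipient("erin", "eng", "established", T0, clicked_at=_m(20), reported_at=_m(25)),
    Recipient("frank", "eng", "established", T0),
    Recipient("grace", "eng", "new", T0, reported_at=_m(8)),
    Recipient("heidi", "eng", "new", T0, clicked_at=_m(2)),
    Recipient("ivan", "hr", "new", T0),
    Recipient("judy", "hr", "established", T0, reported_at=_m(40)),
]


def _fmt(m: Metrics) -> str:
    res = "undefined" if m.resilience is None else f"{m.resilience:.2f}"
    lat = "n/a" if m.median_minutes_to_report is None else f"{m.median_minutes_to_report:.0f} min"
    return (f"n={m.n:<3} fail={m.failure_rate:.0%} submit={m.submission_rate:.0%} "
            f"report={m.report_rate:.0%} resilience={res} median-report={lat}")


if __name__ == "__main__":
    print("overall:", _fmt(compute_metrics(SAMPLE_LOG)))
    for key in ("tenure", "unit"):
        for name, m in stratify(SAMPLE_LOG, key).items():
            print(f"{key}={name:<12}", _fmt(m))
```

Running the block prints the overall figures and the tenure and unit breakdowns; the `hr` cohort shows the edge case, with two recipients, one report and no failures, so its resilience factor is reported as undefined rather than as a misleadingly high number. When comparing pre- and post-training campaigns this way, keep the simulated emails at a comparable NIST Phish Scale difficulty, because a drop in failure rate against easier lures says nothing about training effect.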

References

Abdulmajeed, M., & El-Ibiary, R. (2023). Journalistic Role Conceptions and Performance in the Global South: A Comparison Between Egypt and the UAE During COVID-19. International Communication Gazette, 85(8), 646–662. https://doi.org/10.1177/17480485231214367

Abroshan, H., Devos, J., Poels, G., & Laermans, E. (2021). Phishing Happens Beyond Technology: The Effects of Human Behaviors and Demographics on Each Step of a Phishing Process. IEEE Access, 9, 44928–44949. https://doi.org/10.1109/ACCESS.2021.3066383

Al-Kumaim, N. H., & Alshamsi, S. K. H. K. (2023). Determinants of Cyberattack Prevention in UAE Financial Organizations: Assessing the Mediating Role of Cybersecurity Leadership. Applied Sciences, 13(10), 5839. https://doi.org/10.3390/app13105839

Beu, N., Jayatilaka, A., Zahedi, M., Babar, M. A., Hartley, L., Lewinsmith, W., & Baetu, I. (2022). Falling for Phishing Attempts: An Investigation of Individual Differences That Are Associated With Behavior in a Naturalistic Phishing Simulation. https://doi.org/10.31234/osf.io/xdk53

Brown, A. M., & Leite, A. C. (2022). The Effects of Social and Organizational Connectedness on Employee Well-being and Remote Working Experiences During the COVID-19 Pandemic. Journal of Applied Social Psychology, 53(2), 134–152. https://doi.org/10.1111/jasp.12934

Campbell, C. (2021). The Impact of COVID-19 on Local Government Stakeholders' Perspectives on Local Food Production. Journal of Agriculture, Food Systems, and Community Development, 1–18. https://doi.org/10.5304/jafscd.2021.102.035

Cartwright, A. J. (2023). The Elephant in the Room: Cybersecurity in Healthcare. Journal of Clinical Monitoring and Computing, 37(5), 1123–1132. https://doi.org/10.1007/s10877-023-01013-5

Dawkins, S., & Jacobs, J. (2023). NIST Phish Scale User Guide. https://doi.org/10.6028/NIST.TN.2276

Douha, N. Y., Sasabe, M., Taenaka, Y., & Kadobayashi, Y. (2023). An Evolutionary Game Theoretic Analysis of Cybersecurity Investment Strategies for Smart-Home Users Against Cyberattacks. Applied Sciences, 13(7), 4645. https://doi.org/10.3390/app13074645

Evans, M., He, Y., Yevseyeva, I., & Janicke, H. (2019). Published Incidents and Their Proportions of Human Error. Information and Computer Security, 27(3), 343–357. https://doi.org/10.1108/ICS-12-2018-0147

Iuga, C., Nurse, J. R. C., & Erola, A. (2016). Baiting the Hook: Factors Impacting Susceptibility to Phishing Attacks. Human-Centric Computing and Information Sciences, 6(1). https://doi.org/10.1186/s13673-016-0065-2

Jerry-Egemba, N. (2023). Safe and Sound: Strengthening Cybersecurity in Healthcare Through Robust Staff Educational Programs. Healthcare Management Forum, 37(1), 21–25. https://doi.org/10.1177/08404704231194577

Kang, M., Shonman, M., Subramanya, A., Zhang, H., Li, X., & Dahbura, A. (2021). Understanding Security Behavior of Real Users: Analysis of a Phishing Study. https://doi.org/10.24251/HICSS.2021.862

Kannelønning, K., & Katsikas, S. (2023). A Systematic Literature Review of How Cybersecurity-Related Behavior Has Been Assessed. Information and Computer Security, 31(4), 463–477. https://doi.org/10.1108/ICS-08-2022-0139

Keller, T. E., Drew, A. L., Clark-Shim, H., Spencer, R., & Herrera, C. (2020). It's About Time: Staff Support Contacts and Mentor Volunteer Experiences. Journal of Youth Development, 15(4), 145–161. https://doi.org/10.5195/jyd.2020.879

Kennedy, A., Gunn, K. M., Duke, S., Jones, M., Brown, E., Barnes, K., Macdonald, J., Brumby, S., Versace, V. L., & Gray, R. (2023). Co-designing a Peer-led Model of Delivering Behavioural Activation for People Living With Depression or Low Mood in Australian Farming Communities. Australian Journal of Rural Health, 31(3), 556–568. https://doi.org/10.1111/ajr.12982

Kessel, R. v., Haig, M., & Mossialos, E. (2023). Strengthening Cybersecurity for Patient Data Protection in Europe. Journal of Medical Internet Research, 25, e48824. https://doi.org/10.2196/48824

Kioskli, K., Fotis, T., Nifakos, S., & Mouratidis, H. (2023). The Importance of Conceptualising the Human-Centric Approach in Maintaining and Promoting Cybersecurity-Hygiene in Healthcare 4.0. Applied Sciences, 13(6), 3410. https://doi.org/10.3390/app13063410

Lee, B. W., Yang, B., & Lee, J. D. (2023). A Side-by-Side Comparison of Transformers for Implicit Discourse Relation Classification. https://doi.org/10.18653/v1/2023.codi-1.2

Lennox, C., Leonard, S., Senior, J., Hendricks, C., Rybczynska-Bunt, S., Quinn, C., Byng, R., & Shaw, J. (2022). Conducting Randomized Controlled Trials of Complex Interventions in Prisons: A Sisyphean Task? Frontiers in Psychiatry, 13. https://doi.org/10.3389/fpsyt.2022.839958

Naghneh, M. H. K., Tafreshi, M. Z., Naderi, M., Shakeri, N., Bolourchifard, F., & Goyaghaj, N. S. (2017). The Relationship Between Organizational Commitment and Nursing Care Behavior. Electronic Physician, 9(7), 4835–4840. https://doi.org/10.19082/4835

Nasser, G., Morrison, B. W., Bayl-Smith, P., Taib, R., Gayed, M., & Wiggins, M. W. (2020). The Role of Cue Utilization and Cognitive Load in the Recognition of Phishing Emails. Frontiers in Big Data, 3. https://doi.org/10.3389/fdata.2020.546860

Nifakos, S., Chandramouli, K., Nikolaou, C. K., Papachristou, P., Koch, S., Panaousis, E., & Bonacina, S. (2021). Influence of Human Factors on Cyber Security Within Healthcare Organisations: A Systematic Review. Sensors, 21(15), 5119. https://doi.org/10.3390/s21155119

Perry, S. J., Hunter, E. M., & Currall, S. C. (2016). Managing the Innovators: Organizational and Professional Commitment Among Scientists and Engineers. Research Policy, 45(6), 1247–1262. https://doi.org/10.1016/j.respol.2016.03.009

Priestman, W., Anstis, T., Sebire, I. G., Sridharan, S., & Sebire, N. J. (2019). Phishing in Healthcare Organisations: Threats, Mitigation and Approaches. BMJ Health & Care Informatics, 26(1), e100031. https://doi.org/10.1136/bmjhci-2019-100031

Rajagulasingam, C., & Taylor, J. (2021). The Roles of Self-Control, Need for Cognition, Impulsivity and Viewing Time in Deception Detection Using a Realistic E-Mail Phishing Task. 1–5. https://doi.org/10.1109/eCrime54498.2021.9738794

Rizzoni, F., Magalini, S., Casaroli, A., Mari, P., Dixon, M., & Coventry, L. (2022). Phishing Simulation Exercise in a Large Hospital: A Case Study. Digital Health, 8. https://doi.org/10.1177/20552076221081716

Saka, T., Vaniea, K., & Kökciyan, N. (2022). Context-Based Clustering to Mitigate Phishing Attacks. 115–126. https://doi.org/10.1145/3560830.3563728

Salamah, F. B., Palomino, M. A., Craven, M. J., Papadaki, M., & Furnell, S. (2023). An Adaptive Cybersecurity Training Framework for the Education of Social Media Users at Work. Applied Sciences, 13(17), 9595. https://doi.org/10.3390/app13179595

Sarno, D. M., Harris, M. W., & Black, J. (2023). Which Phish Is Captured in the Net? Understanding Phishing Susceptibility and Individual Differences. Applied Cognitive Psychology, 37(4), 789–803. https://doi.org/10.1002/acp.4075

Sarno, D. M., & Neider, M. B. (2021). So Many Phish, So Little Time: Exploring Email Task Factors and Phishing Susceptibility. Human Factors: The Journal of the Human Factors and Ergonomics Society, 64(8), 1379–1403. https://doi.org/10.1177/0018720821999174

Schiff, J. W., Liu, J., Wenger, C., & Knapp, J. (2019). Staff Exposure to Trauma and the Impact of Trauma-Informed Care. https://doi.org/10.21203/rs.2.14356/v1

Shaikh, F. A., & Siponen, M. (2023). Information Security Risk Assessments Following Cybersecurity Breaches: The Mediating Role of Top Management Attention to Cybersecurity. Computers & Security, 124, 102974. https://doi.org/10.1016/j.cose.2022.102974

Singh, R., Chandrashekharappa, S., Bodduluri, S. R., Baby, B. V., Hegde, B., Kotla, N. G., Hiwale, A., Saiyed, T., Patel, P. D., Vijay-Kumar, M., Langille, M. G. I., Douglas, G. M., Cheng, X., Rouchka, E. C., Waigel, S., Dryden, G. W., Alatassi, H., Zhang, H.-G., Haribabu, B., … Jala, V. R. (2019). Enhancement of the Gut Barrier Integrity by a Microbial Metabolite Through the Nrf2 Pathway. Nature Communications, 10(1). https://doi.org/10.1038/s41467-018-07859-7

Steves, M. P., Greene, K., & Theofanos, M. (2019). A Phish Scale: Rating Human Phishing Message Detection Difficulty. https://doi.org/10.14722/usec.2019.23028

Sumner, A., Yuan, X., Anwar, M., & McBride, M. (2021). Examining Factors Impacting the Effectiveness of Anti-Phishing Trainings. Journal of Computer Information Systems, 62(5), 975–997. https://doi.org/10.1080/08874417.2021.1955638

Sutter, T., Bozkır, A. S., Gehring, B., & Berlich, P. (2022). Avoiding the Hook: Influential Factors of Phishing Awareness Training on Click-Rates and a Data-Driven Approach to Predict Email Difficulty Perception. IEEE Access, 10, 100540–100565. https://doi.org/10.1109/ACCESS.2022.3207272

Tkachenko, O., Quast, L. N., Song, W., & Jang, S. (2018). Courage in the Workplace: The Effects of Organizational Level and Gender on the Relationship Between Behavioral Courage and Job Performance. Journal of Management & Organization, 26(5), 899–915. https://doi.org/10.1017/jmo.2018.12

Unchit, P., Das, S., Kim, A., & Camp, L. J. (2020). Quantifying Susceptibility to Spear Phishing in a High School Environment Using Signal Detection Theory. https://doi.org/10.1007/978-3-030-57404-8_9 (preprint: https://doi.org/10.48550/arxiv.2006.16380)

Xu, T., & Rajivan, P. (2023). Determining Psycholinguistic Features of Deception in Phishing Messages. Information and Computer Security, 31(2), 199–220. https://doi.org/10.1108/ICS-11-2021-0185

Published

2025-01-31

How to Cite

Rusmawati, R. D., Diantoro, K., & Firmansyah, B. (2025). Improving Organizational Resilience to Phishing: A Cluster Randomized Field Experiment with Embedded Microlearning. Data : Journal of Information Systems and Management, 3(1), 59–71. https://doi.org/10.61978/data.v3i1.948