An Analysis of Phishing Susceptibility Through the Lens of Protection Motivation Theory

Abstract

Users of communication tools are vulnerable to a cyberattack called phishing which aims to trick a recipient into giving away information or access that the attacker should not have. There is a great need to protect the recipient from becoming a victim of phishing. Protection can be done a multitude of ways; however, the human will be last barrier of entry when all digital protection fails. This is why anti-phishing training is used to enable email users to see the difference between real email and phishing attacks. This research explores the use of Protection Motivation Theory (PMT) to analyse phishing susceptibility by interviewing ten employees in a large financial company. The analysis spanned all aspects of the original Protection Motivation Theory and sought to answer the research question: “How do employees in a company protect themselves against phishing attacks?”. Furthermore, the study investigated the relationship between the experiences of the participants and what the theory suggested would increase protection motivation. The analysis resulted in findings that were consistent with PMT on the positive effects of rewards for employees to increase protection motivation. Furthermore, a low response cost led to a positive effect where employees had the freedom to properly examine the emails they received and handle them accordingly. Last finding that was consistent with PMT was the positive effect of high efficacy which led to the enabling of employees to make their own decisions based on their experience and knowledge. Surprisingly, findings also contradicted some core aspects of PMT. These include the perception of vulnerability and severity in combination with fear appeal. Although the perception of vulnerability and severity was high, the fear appeal was very low. This is inconsistent with PMT as high perception of vulnerability and severity should lead to high fear appeal. Most importantly, these findings suggest that fear appeal is not as necessary as research has proposed and that protective behaviour in the absence of fear appeal can be replaced by a protective mindset. These findings point to important implications both in theory and in practice. The theoretical implications include the support of rewards and response cost positively affecting protection motivation if rewards are high and response cost is low. Another implication is that fear appeal contrary to peer-reviewed research might not be as important if the company itself focus on security and promote a healthy method of dealing with phishing attacks. The final theoretical implication is the protection behaviour that is a protective mindset. The concept correlates with multiple different behaviours that promote secure behaviour; however, it does so by analysing the need of fear appeal and promote research which investigates protective behaviours without the need for PMT’s version of fear appeal. The practical implication of this study includes the promotion of a healthy protective mindset which can be achieved by anti-phishing training, phishing simulations, and voluntary high awareness when looking at emails. Furthermore, findings show that the financial company studied in this thesis provide a great understanding of secure behaviour and the requirements to achieve it. However, this is done by forcing training whilst experiencing organisational support and incentives to do well. Although it could seem harsh, this has worked well, and should continue to work well.