Phishing Susceptibility in Context: A Multilevel Information Processing Perspective on Deception Detection

Abstract

Despite widespread awareness of risks, significant investments in cybersecurity protection, and substantial economic incentives to avoid security breaches, organizations remain vulnerable to phishing attacks. Phishing research has informed effective practical interventions to address phishing susceptibility that emphasize the importance of broadly applicable IT security knowledge. Yet employees still frequently fall victim to phishing attempts. To help understand why, we conceptualize phishing susceptibility as the failure to differentiate between deceptive and legitimate information processing requests that occur within the context of an employee’s typical job responsibilities. We apply this contextual lens to identify characteristics of knowledge workers’ organizational task and social context that may enhance or diminish performance in detecting deception in phishing email attempts. To test our hypotheses, we conducted a study in which employees of the finance division of a large university encountered simulated email-based phishing attempts as part of their normal work routine. We found evidence supporting our hypotheses that an individual’s susceptibility to phishing attacks is influenced by their position in the knowledge flows of the organization and by the impact of workgroup responsibilities on their cognitive processing. We contend that phishing susceptibility is not merely a matter of IT security knowledge but is also influenced by contextualized, multilevel influences on information processing. As phishing attacks are increasingly targeted to specific organizational settings, it is even more important to incorporate this contextualized information processing view of phishing susceptibility.