Phish Derby: Shoring the Human Shield Through Gamified Phishing Attacks

Matthew Canham; Clay Posey; Michael Constantino

doi:10.3389/feduc.2021.807277

Frontiers in Education (Jan 2022)

Phish Derby: Shoring the Human Shield Through Gamified Phishing Attacks

Matthew Canham,
Clay Posey,
Michael Constantino

Affiliations

Matthew Canham: Beyond Layer Seven, LLC, Oviedo, FL, United States
Clay Posey: Information Systems, Marriott School of Business, Brigham Young University, Provo, UT, United States
Michael Constantino: Information Security Office, University of Central Florida, Orlando, FL, United States

DOI: https://doi.org/10.3389/feduc.2021.807277
Journal volume & issue: Vol. 6

Abstract

Read online

To better understand employees’ reporting behaviors in relation to phishing emails, we gamified the phishing security awareness training process by creating and conducting a month-long “Phish Derby” competition at a large university in the U.S. The university’s Information Security Office challenged employees to prove they could detect phishing emails as part of the simulated phishing program currently in place. Employees volunteered to compete for prizes during this special event and were instructed to report suspicious emails as potential phishing attacks. Prior to the beginning of the competition, we collected demographics and data related to the concepts central to two theoretical foundations: the Big Five personality traits and goal orientation theory. We found several notable relationships between demographic variables and Phish Derby performance, which was operationalized from the number of phishing attacks reported and employee report speed. Several key findings emerged, including past performance on simulated phishing campaigns positively predicted Phish Derby performance; older participants performed better than their younger colleagues, but more educated participants performed poorer; and individuals who used a mix of PCs and Macs at work performed worse than those using a single platform. We also found that two of the Big Five personality dimensions, extraversion and agreeableness, were both associated with poorer performance in phishing detection and reporting. Likewise, individuals who were driven to perform well in the Phish Derby because they desired to learn from the experience (i.e., learning goal orientation) performed at a lower level than those driven by other goals. Interestingly, self-reported levels of computer skill and the perceived ability to detect phishing messages failed to exhibit a significant relationship with Phish Derby performance. We discuss these findings and describe how focusing on motivating the good in employee cyber behaviors is a necessary yet too often overlooked component in organizations whose training cyber cultures are rooted in employee click rates alone.

Published in Frontiers in Education

ISSN: 2504-284X (Online)
Publisher: Frontiers Media S.A.
Country of publisher: Switzerland
LCC subjects: Education: Education (General)
Website: http://journal.frontiersin.org/journal/education

About the journal

Abstract

Keywords