What Motivates and Discourages Employees in Phishing Interventions: An Exploration of Expectancy-Value Theory

Xiaowei Chen, Sophie Doublet, Anastasia Sergeeva, Gabriele Lenzini, Vincent Koenig, Verena Distler

Research output: Chapter in Book/Report/Conference proceedingConference article in proceedingsScientificpeer-review

Abstract

Organizations adopt a combination of measures to defend against phishing attacks that pass through technical filters. However, employees' engagement with these countermeasures often does not meet security experts' expectations. To explore what motivates and discourages employees from engaging with user-oriented phishing interventions, we conducted seven focus groups with 34 employees at a European university, applying the Expectancy-Value Theory. Our study revealed a spectrum of factors influencing employees' engagement. The perceived value of phishing interventions influences employees' participation. Although the expectation of mitigation and fear of consequences can motivate employees, lack of feedback and communication, worries, and privacy concerns discourage them from reporting phishing emails. We found that the expectancy-value framework provides a unique lens for explaining how organizational culture, social roles, and the influence of colleagues and supervisors foster proactive responses to phishing attacks. We documented a range of improvements proposed by employees to phishing interventions. Our findings underscore the importance of enhancing utility value, prioritizing positive user experiences, and nurturing employees' motivations to engage them with phishing interventions.
Original languageEnglish
Title of host publicationProceedings of the Twentieth Symposium on Usable Privacy and Security (SOUPS 2024)
PublisherUSENIX -The Advanced Computing Systems Association
Pages487-506
ISBN (Print)978-1-939133-42-7
Publication statusPublished - 2024
MoE publication typeA4 Conference publication
EventSymposium on Usable Privacy and Security - Philadelphia, United States
Duration: 11 Aug 202414 Aug 2024
Conference number: 20

Conference

ConferenceSymposium on Usable Privacy and Security
Country/TerritoryUnited States
CityPhiladelphia
Period11/08/202414/08/2024

Fingerprint

Dive into the research topics of 'What Motivates and Discourages Employees in Phishing Interventions: An Exploration of Expectancy-Value Theory'. Together they form a unique fingerprint.

Cite this