Abstract
Organizations adopt a combination of measures to defend against phishing attacks that pass through technical filters. However, employees' engagement with these countermeasures often does not meet security experts' expectations. To explore what motivates and discourages employees from engaging with user-oriented phishing interventions, we conducted seven focus groups with 34 employees at a European university, applying the Expectancy-Value Theory. Our study revealed a spectrum of factors influencing employees' engagement. The perceived value of phishing interventions influences employees' participation. Although the expectation of mitigation and fear of consequences can motivate employees, lack of feedback and communication, worries, and privacy concerns discourage them from reporting phishing emails. We found that the expectancy-value framework provides a unique lens for explaining how organizational culture, social roles, and the influence of colleagues and supervisors foster proactive responses to phishing attacks. We documented a range of improvements proposed by employees to phishing interventions. Our findings underscore the importance of enhancing utility value, prioritizing positive user experiences, and nurturing employees' motivations to engage them with phishing interventions.
Original language | English |
---|---|
Title of host publication | Proceedings of the Twentieth Symposium on Usable Privacy and Security (SOUPS 2024) |
Publisher | USENIX - The Advanced Computing Systems Association |
Pages | 487-506 |
ISBN (Print) | 978-1-939133-42-7 |
Publication status | Published - 2024 |
MoE publication type | A4 Conference publication |
Event | Symposium on Usable Privacy and Security - Philadelphia, United States; Duration: 11 Aug 2024 → 14 Aug 2024; Conference number: 20 |
Conference
Conference | Symposium on Usable Privacy and Security |
---|---|
Country/Territory | United States |
City | Philadelphia |
Period | 11/08/2024 → 14/08/2024 |