Learning by Phishing via Post-Simulation Feedback: From Embedded to Non-Embedded Training

MIS Quarterly · 2025
Cited by: 1
Journal rankings: RUC (Renmin University of China) list A+ · FT50 · UTD24 · ABS 4*

Summary

The study compares embedded training (immediate feedback shown to the employees who click the link) with non-embedded training (delayed feedback sent to all employees) in terms of how well each reduces employee susceptibility to phishing emails. Across three field experiments it finds that non-embedded training may be the more effective of the two.

Abstract

Given the frequent occurrence of phishing attacks and their devastating consequences, organizations are increasingly deploying phishing simulation emails to quantify employee susceptibility (e.g., clicking within-email links) and investing in training programs to reduce such susceptibility. Interestingly, phishing simulations can also be turned into a training opportunity in themselves. A best practice in industry is “embedded training”—providing immediate feedback on landing pages to employees who fail the simulations. This intervention is intuitively appealing given its “just-in-time” nature. Although laboratory studies from the literature have offered broad support for its effectiveness in reducing employee susceptibility, studies conducted in field settings have observed weaker evidence or even a reversed effect that increased susceptibility. In this research, we recognize an inherent shortcoming of the real-world implementation of embedded training: limited reach. To address this practical challenge, we propose an alternative, novel intervention—“non-embedded training”—that decouples feedback from the failure action and sends delayed feedback to all the employees. Following an “empirics-first” approach, we conducted three randomized field experiments using a leading phishing simulation platform to explore the respective and combined effects of embedded and non-embedded training in reducing user vulnerability over time. This research contributes to the practice and literature on phishing and cybersecurity by challenging the assumed effectiveness of embedded training in practice and revealing how non-embedded training could be a more promising intervention.

Keywords: cybersecurity, phishing, employee training, behavioral intervention, field experiment