A new academic research article published in the Journal of Computer Information Systems suggests that cybersecurity technology and policies alone cannot adequately address rampant phishing threats. Effective security awareness training must also be part of the equation.

Additionally, the article concludes that negative consequences such as shame and disapproval from fellow employees were among the most effective factors deterring surveyed employees from falling for phishing scams.

The researchers, from the University of Sussex and the University of Auckland, created a theoretical model partially based on previous social-technical research and theories to determine some of the biggest influencers affecting employee response behaviors when a phishing email arrives – including individual, organizational and technological factors.

According to the study, clicking on phishing emails is often a reflexive response done out of habit. Technical tools, security standards and policies can help counteract this problem, but are not enough by themselves to trigger a behavioral change, the paper notes.

The researchers therefore recommend that organizations implement a rigorous staff training program that details to employees what security measures are in place, but also the security risks that remain and the key requirements of company email security policies.

“Although technical countermeasures such as anti-phishing and spamming tools, email malware detection and data loss prevention are deployed to mitigate the risk of phishing attacks, using these technologies to detect phishing attacks remains a challenging problem,” said Hamidreza Shahbaznezhad, co-author and senior data scientist in industry at the University of Auckland, in a press release. “This is not least because they often require human intervention to analyze and distinguish between phishing and legitimate emails.”

“Security safeguards alone will not protect a company from phishing scams,” agreed Dr. Mona Rashidirad, report co-author and lecturer in strategy and marketing at the University of Sussex Business School. “Organizations and individuals substantially invest in security safeguards to protect the integrity, availability, and confidentiality of information assets. However, our study supports the findings of recent studies that these safeguards are not adequate to provide the ultimate protection of sensitive and confidential information.”

The researchers, which also included Dr. Farzan Kolini of the University of Aukland (and manager of cyber, privacy and resilience at Deloitte New Zealand), also advise organizations to consider the trio of individual, organizational and technological factors when making efforts to change employee email response behavior.

Indeed, security practitioners should aim such information security awareness programs to inform users about intrinsic and extrinsic factors which can influence their behavior. Therefore, employees can be more vigilant to understand how cybersecurity criminals can exploit employee’s perception from different individual/motivational, organizational, and technological perspectives. Employees may need to know about the existing security arsenals alongside with the security risks that could be exploited by malicious attackers,” the paper states.

Titled "Employees’ Behavior in Phishing Attacks: What Individual, Organizational, and Technological Factors Matter?", the article was informed by a survey of 142 employees based in New Zealand. The researchers claim that this sample size was statistically adequate for a valid analysis.