
Falling for phishing attempts

Computers and Security (2023)

• We investigated individual differences in cybersecurity behavior in a naturalistic phishing simulation.
• We found that lower phishing email detection accuracy only modestly predicted riskier cybersecurity behavior.
• Instead, fewer employment years and lower employee satisfaction and loyalty were most predictive of riskier behavior.
• These results suggest that newer employees are more vulnerable to phishing attempts.
• Furthermore, interventions that increase employee satisfaction might be effective at reducing risky cybersecurity behavior.

Social engineering cyber-attacks such as phishing emails pose a serious threat to the safety of many organizations. Given that the effectiveness of these attacks heavily relies on poor human decision making, an improved understanding of the individual characteristics that increase cybersecurity vulnerability could inform more targeted training. The current study aimed to identify whether several factors, including phishing email detection ability, confidence in one's phishing identification decisions, general attitudes towards one's level of responsibility and efficacy, and employee satisfaction and loyalty to the organization, may predict behavior in a naturalistic phishing simulation in an employment setting. We followed up employees of a large organization who had been recently targeted by a phishing simulation and asked them to complete a survey that included a phishing detection task. The employees’ behavior in the phishing simulation was ranked according to its safety: reporting the suspicious email, neither reporting nor clicking on the embedded link, and clicking on the link. We found that fewer years of employment at the organization and lower employee satisfaction and loyalty predicted increasingly unsafe behavior in the simulation. This suggests that newer and unsatisfied employees are most vulnerable to phishing attempts and might benefit most from targeted cybersecurity training.
Phishing, Cybersecurity behavior, Naturalistic simulation, Detection accuracy, Attitudes