Does penalty help people learn to detect phishing emails?
Abstract
Phishing attacks are increasingly prevalent and pose a significant threat to organizations worldwide. Many organizations run phishing training programs to teach employees how to recognize and avoid phishing attacks, and these programs often use incentives to motivate employees to participate and engage with the material. However, the impact of incentives on the effectiveness of such training is not well understood. How often training should be provided is a further factor in improving detection ability: past research has provided evidence that the frequency of phishing emails affects susceptibility to them, but the interaction between frequency and incentives in phishing training is not well known. Key questions persist: Do individuals pay more attention and show more motivation to detect phishing emails when penalties are imposed? How does exposure to more phishing emails during training help individuals avoid penalties? This paper manipulates the frequency of phishing emails during the training phase and the incentive structure used for classifying emails. Experiments were conducted using the Phishing Training Task (PTT), an interactive software platform that emulates the key tasks of email response decision making, to test the impact of learning factors on phishing detection. The results indicate that imposing penalties for incorrect decisions has no significant effect on detection performance in most conditions. Thus, our results suggest that a symmetric incentive structure may not improve phishing detection ability. These findings highlight the importance of experimenting with additional incentive structures in phishing training programs. The paper provides guidelines for using cognitive models to design effective incentive structures.
Keywords: Phishing, Incentives, Phishing Training, Cybersecurity
DOI: 10.54941/ahfe1004767
AHFE Open Access