
Casting a Wider Net to Detect Phishing Scams

SSB Dean GJ de Vreede and his co-authors examine the effectiveness of current employee training methods

Fool a person into participating in phishing email training and they might spot a phishing email once. Use a more thoughtful approach that doesn’t embarrass them or put them on the defensive, and they’ll have a better chance at spotting phishing emails for a lifetime.

While it is not the original meaning of the often-quoted proverb, new research by Stevens School of Business Dean GJ de Vreede and co-authors Dezhi Yin and Matthew Mullarkey from the University of South Florida’s Muma College of Business, and Moez Limayem, President and professor at the University of North Florida, finds that the sentiment is applicable to an organization’s cybersecurity plan.

The article, recently published in MIS Quarterly, examined the effectiveness of embedded training. In this model, a company sends its employees simulated phishing emails, and those who get hooked are immediately sent into a training module. Until now, this method has been considered a best practice by anti-phishing cybersecurity experts.

“You have to be willing to absorb the feedback,” de Vreede said. “We think a factor contributing to delayed training working better than an immediate training is if people fail a test, and you immediately tell them, ‘You failed. This is what you did wrong. Let us explain how you were irresponsible, and you didn't see the signs,’ it may invoke a bit of a defensive reaction. They may feel a bit embarrassed, and that may decrease the effectiveness of the training. If you delay the training and give it to everybody, then the thought becomes more, ‘The company wants me to understand what we have to look for or what we have to avoid.’ People open up more, they absorb more from the training and their awareness of phishing attacks goes up.”

The study involved three comprehensive experiments utilizing an authentic phishing simulation tool. Thousands of student participants were sent convincing simulated phishing messages, with some receiving instant feedback upon clicking while others got delayed responses several days afterward. The research team then monitored participants' susceptibility to subsequent simulated attacks across the following weeks and months.
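The measurement side of an embedded-training experiment like the one described above (baseline campaign, immediate or delayed training, then follow-up campaigns) comes down to comparing click rates per cohort across rounds. The following is an added illustration, not code or data from the study, KnowBe4 or the authors: it runs over a constructed simulation-event log with hypothetical cohort labels `immediate` and `delayed`, computes per-round click rates, the relative change in susceptibility from baseline, the follow-up click rate of baseline clickers versus non-clickers, and the set of repeat clickers a security team would want to follow up with.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimEvent:
    """One recipient's outcome in one simulated-phishing campaign round."""
    user: str
    cohort: str      # hypothetical labels: "immediate" or "delayed" training
    round_no: int    # 0 = baseline campaign, 1.. = follow-up campaigns
    clicked: bool


# Constructed sample log (not study data): 8 users, 2 cohorts, 3 rounds.
SAMPLE_EVENTS = [
    # baseline: both cohorts click at the same rate (2 of 4)
    SimEvent("u1", "immediate", 0, True),  SimEvent("u2", "immediate", 0, True),
    SimEvent("u3", "immediate", 0, False), SimEvent("u4", "immediate", 0, False),
    SimEvent("u5", "delayed", 0, True),    SimEvent("u6", "delayed", 0, True),
    SimEvent("u7", "delayed", 0, False),   SimEvent("u8", "delayed", 0, False),
    # follow-up round 1
    SimEvent("u1", "immediate", 1, True),  SimEvent("u2", "immediate", 1, False),
    SimEvent("u3", "immediate", 1, True),  SimEvent("u4", "immediate", 1, False),
    SimEvent("u5", "delayed", 1, False),   SimEvent("u6", "delayed", 1, True),
    SimEvent("u7", "delayed", 1, False),   SimEvent("u8", "delayed", 1, False),
    # follow-up round 2
    SimEvent("u1", "immediate", 2, True),  SimEvent("u2", "immediate", 2, False),
    SimEvent("u3", "immediate", 2, False), SimEvent("u4", "immediate", 2, False),
    SimEvent("u5", "delayed", 2, False),   SimEvent("u6", "delayed", 2, False),
    SimEvent("u7", "delayed", 2, False),   SimEvent("u8", "delayed", 2, False),
]


def click_rates(events):
    """Return {cohort: {round_no: click_rate}} for every cohort and round seen."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # [clicks, recipients]
    for e in events:
        bucket = counts[e.cohort][e.round_no]
        bucket[0] += int(e.clicked)
        bucket[1] += 1
    return {
        cohort: {r: clicks / total for r, (clicks, total) in sorted(rounds.items())}
        for cohort, rounds in counts.items()
    }


def susceptibility_change(rates, cohort):
    """Relative change in click rate from baseline (round 0) to the latest round.

    Negative values mean fewer clicks than at baseline; -1.0 means nobody clicked.
    """
    rounds = rates[cohort]
    baseline = rounds[0]
    if baseline == 0:
        raise ValueError(f"cohort {cohort!r} had no baseline clicks; change undefined")
    return (rounds[max(rounds)] - baseline) / baseline


def followup_rate_by_baseline_outcome(events, followup_round=1):
    """Click rate in a follow-up round, split by whether the user clicked at baseline.

    Under embedded training only baseline clickers are trained, so this split shows
    whether the untrained non-clickers keep up with the trained clickers.
    """
    baseline_clicked = {e.user for e in events if e.round_no == 0 and e.clicked}
    groups = {"baseline_clicked": [0, 0], "baseline_not_clicked": [0, 0]}
    for e in events:
        if e.round_no != followup_round:
            continue
        key = "baseline_clicked" if e.user in baseline_clicked else "baseline_not_clicked"
        groups[key][0] += int(e.clicked)
        groups[key][1] += 1
    return {k: (c / n if n else 0.0) for k, (c, n) in groups.items()}


def repeat_clickers(events, min_clicks=2):
    """Users who clicked in at least min_clicks rounds: the group to prioritise for follow-up."""
    clicks = defaultdict(int)
    for e in events:
        if e.clicked:
            clicks[e.user] += 1
    return {u for u, n in clicks.items() if n >= min_clicks}


if __name__ == "__main__":
    rates = click_rates(SAMPLE_EVENTS)
    for cohort in sorted(rates):
        print(cohort, rates[cohort], f"change={susceptibility_change(rates, cohort):+.2f}")
    print(followup_rate_by_baseline_outcome(SAMPLE_EVENTS))
    print("repeat clickers:", sorted(repeat_clickers(SAMPLE_EVENTS)))
```

The baseline round matters: without it, a lower click rate in one cohort cannot be separated from that cohort simply being less susceptible to begin with, which is why the constructed sample starts both cohorts at the same rate.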

“This research took place over the course of several years with a very large group of students that actually didn't expect what was going on,” de Vreede said. “Typically, when you do research with human subjects, they are informed beforehand, but with a phishing simulation, if you inform people, the simulation will fail because they know what to expect. We got special permission to initially deceive the subjects. They got a simulation. Some failed and some didn't, but everybody got the training. Of course, we disclosed the purpose of the simulation to them afterwards. Students, like everybody else, get phishing emails all the time. They may be very vulnerable, but they're not so used to it yet and may unwillingly expose university systems. These students got an extra experience in cybersecurity training during the course of their studies.”

The initiative launched with assistance from KnowBe4, a cybersecurity firm based in Clearwater, Florida, which contributed software licenses for over 12,000 users along with additional support for the research. Its investment paid off with new ideas and practices already implemented into its operations.

“We were very fortunate to partner with KnowBe4 because they are experts and industry leaders in phishing simulation,” de Vreede said. “By partnering with them, we knew from the start that we would be working with some thought leaders that would help us to really sharpen our research.”

“I always believe that research should serve two purposes,” he continued. “It has to both advance science and have practical applicability. Our society supports our research, so society should benefit from this research. I think what pleases me most about this study is that we haven't just been able to make a next theoretical leap on phishing simulation research. We also have been able to come up with very clear guidelines for organizations and phishing simulation service providers. The proof is that KnowBe4, once they learned of our findings, said that they were going to change their approach.”

A prolific researcher, de Vreede's work focuses on artificial intelligence, crowdsourcing and collaboration engineering. His research has garnered significant attention, accumulating over 14,000 citations and appearing in prestigious journals such as Management Information Systems Quarterly, Information Systems Research, Journal of Management Information Systems, Information & Management, Small Group Research, and Communications of the ACM.