Phishing Training: A Preliminary Look at the Effects of Different Types of Training

In this paper, we present the preliminary results of an experiment conducted to observe the impact of the different training techniques to increase the likelihood of participants identifying and reporting phishing messages. Three different training approaches were used – general video/quiz training, just-in-time training with simulated phishing emails, and a leaderboard, which awarded users points for forwarding correct phishing messages and penalized them for incorrect ones. The experiment emulated a normal working day of an executive assistant of a manager in an organization. Each participant was expected to accomplish work tasks and respond to work-related emails while watching for and reporting phishing messages. We observed that both general training and the presence of a leaderboard decreased the propensity to click on a phishing message, while we found no effect for different types of just-in-time training.