The Effects of Group Discussion and Role-playing Training on Self-efficacy, Support-seeking, and Reporting Phishing Emails: Evidence from a Mixed-design Experiment

Xiaowei Chen, Margault Sacré, Gabriele Lenzini, Samuel Greiff, Verena Distler, Anastasia Sergeeva

TL;DR

This study evaluates two interactive anti-phishing trainings, group discussion and role-playing, against a no-intervention control in a field setting with N = 105 participants. In a mixed-design experiment with three time points and in-situ phishing tests, both trainings improved anti-phishing self-efficacy and support-seeking, while only role-playing enhanced support-seeking when compared to the control group. Behavioral outcomes showed increased reporting of phishing emails after training, supporting the value of social interaction and experiential learning for organizational phishing resilience. The findings advocate for incorporating interactive, context-rich training into security programs and introduce support-seeking intention as a meaningful metric for evaluating phishing interventions.

Abstract

Organizations rely on phishing interventions to enhance employees' vigilance and safe responses to phishing emails that bypass technical solutions. While various resources are available to counteract phishing, studies emphasize the need for interactive and practical training approaches. To investigate the effectiveness of such an approach, we developed and delivered two anti-phishing trainings, group discussion and role-playing, at a European university. We conducted a pre-registered experiment (N = 105), incorporating repeated measures at three time points, a control group, and three in-situ phishing tests. Both trainings enhanced employees' anti-phishing self-efficacy and support-seeking intention in within-group analyses. Only the role-playing training significantly improved support-seeking intention when compared to the control group. Participants in both trainings reported more phishing tests and demonstrated heightened vigilance to phishing attacks compared to the control group. We discuss practical implications for evaluating and improving phishing interventions and promoting safe responses to phishing threats within organizations.

Paper Structure (61 sections, 7 figures, 9 tables)


Figures (7)

  • Figure 1: Kruskal–Wallis test of support-seeking deltas.
  • Figure 2: Kruskal–Wallis test of self-efficacy deltas.
  • Figure 3: Number of participants (N) who mentioned specific counter-phishing practices across all questionnaires. To enable comparison between the control group and the treatment groups, a participant is counted only once in each cell, even if they mentioned a topic in multiple questionnaires. Bright red indicates the largest number in the row.
  • Figure 4: Box plot of self-efficacy scores.
  • Figure 5: Box plot of support-seeking scores.
  • ...and 2 more figures