Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Breaking Bad Email Habits: Bounding the Impact of Simulated Phishing Campaigns

Muhammad Zia Hydari, Idris Adjerid, Yingda Lu, Narayan Ramasubbu

TL;DR

A generalizable analytic framework addressing both biases simultaneously in simulated phishing campaigns, utilizing marginal structural models to correct for the endogenous, click-triggered assignment of training, while integrating correlated random effects (CRE) to disentangle true state dependence from stable employee heterogeneity.

Abstract

Simulated phishing campaigns are widely deployed, yet the behavioral data they produce is endogenous: because training is triggered by clicking, the employees receiving intervention have already demonstrated susceptibility. This endogeneity, combined with the difficulty of separating genuine habit formation from stable individual differences, means standard analyses can mischaracterize program effectiveness. In this Research Note, we develop a generalizable analytic framework addressing both biases simultaneously. We utilize marginal structural models (MSMs) to correct for the endogenous, click-triggered assignment of training, while integrating correlated random effects (CRE) to disentangle true state dependence from stable employee heterogeneity. Applying the MSM+CRE estimator to logs from 17 campaigns delivered to university staff (192,840 observations) reveals that analyses ignoring stable differences overstate the causal persistence of clicking; most repeat clicking reflects who employees are, not the effect of recent failures. This persistence is context-dependent, amplifying when successive campaigns share persuasion cues. Teachable-moment features also matter: emotion framing and explicit reporting pitches can largely eliminate persistence, while annotated-email cues modestly exacerbate it. Finally, employees engaging with the education page exhibit greater persistence than those dismissing it, consistent with an emboldening mechanism. We contribute methodologically by integrating MSMs and CRE into a portable framework for analyzing standard simulation logs, and practically by identifying specific design levers so organizations can better sequence and evaluate their phishing programs.

Breaking Bad Email Habits: Bounding the Impact of Simulated Phishing Campaigns

TL;DR

A generalizable analytic framework addressing both biases simultaneously in simulated phishing campaigns, utilizing marginal structural models to correct for the endogenous, click-triggered assignment of training, while integrating correlated random effects (CRE) to disentangle true state dependence from stable employee heterogeneity.

Abstract

Simulated phishing campaigns are widely deployed, yet the behavioral data they produce is endogenous: because training is triggered by clicking, the employees receiving intervention have already demonstrated susceptibility. This endogeneity, combined with the difficulty of separating genuine habit formation from stable individual differences, means standard analyses can mischaracterize program effectiveness. In this Research Note, we develop a generalizable analytic framework addressing both biases simultaneously. We utilize marginal structural models (MSMs) to correct for the endogenous, click-triggered assignment of training, while integrating correlated random effects (CRE) to disentangle true state dependence from stable employee heterogeneity. Applying the MSM+CRE estimator to logs from 17 campaigns delivered to university staff (192,840 observations) reveals that analyses ignoring stable differences overstate the causal persistence of clicking; most repeat clicking reflects who employees are, not the effect of recent failures. This persistence is context-dependent, amplifying when successive campaigns share persuasion cues. Teachable-moment features also matter: emotion framing and explicit reporting pitches can largely eliminate persistence, while annotated-email cues modestly exacerbate it. Finally, employees engaging with the education page exhibit greater persistence than those dismissing it, consistent with an emboldening mechanism. We contribute methodologically by integrating MSMs and CRE into a portable framework for analyzing standard simulation logs, and practically by identifying specific design levers so organizations can better sequence and evaluate their phishing programs.
Paper Structure (40 sections, 5 equations, 1 figure, 9 tables)

This paper contains 40 sections, 5 equations, 1 figure, 9 tables.

Table of Contents

  1. Introduction
  2. Literature Review and Research Gaps
  3. Phishing susceptibility, information processing, and context
  4. Interventions: embedded training, teachable moments, and reporting
  5. Message cues and contextual transfer
  6. Research gaps
  7. Research Context, Data, and Measures
  8. Setting and panel construction
  9. Outcomes
  10. Clicking.
  11. Reporting.
  12. Safe handling.
  13. Covariates and histories
  14. Scenario-level coding scheme and similarity measures
  15. Cue similarity.
  16. ...and 25 more sections

Figures (1)

  • Figure 1: Repeated exposures with click-contingent training. Clicking at exposure $t$ both indicates susceptibility and triggers the teachable-moment page. Histories affect both treatment and subsequent outcomes, motivating marginal structural models.