Investigating personal determinants of phishing and the effect of national culture
KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
University of Skövde.
KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems. ORCID iD: 0000-0003-3922-9606
2015 (English). In: Information Management & Computer Security, ISSN 0968-5227, E-ISSN 1758-5805, Vol. 23, no 2. Article in journal (Refereed). Published
Abstract [en]

Purpose – The purpose of the study was twofold: to investigate the correlation between a sample of personal psychological and demographic factors and resistance to phishing; and to investigate whether national culture moderates the strength of these correlations.

Design/methodology/approach – To measure potential determinants, a survey was distributed to 2099 employees of nine organizations in Sweden, USA, and India. Then, we conducted unannounced phishing exercises in which a phishing attack targeted the same sample.

Findings – Intention to resist social engineering, general information security awareness, formal IS training, and computer experience were identified to have a positive significant correlation to phishing resilience. Furthermore, the results showed that the correlation between phishing determinants and employees’ observed phishing behavior differs between Swedish, US and Indian employees in six out of fifteen cases.

Research limitations/implications – The identified determinants all had a significant, although not strong, positive correlation. This suggests that more work needs to be done in order to more fully understand determinants of phishing. The study assumes that culture effects apply to all individuals in a nation. However, cultural differences might also exist based on firm characteristics within a country. The Swedish sample dominates, while only 40 responses from Indian employees were collected. This unequal sample size suggests that conclusions based on the results of the cultural analysis should be drawn cautiously. A natural continuation of our research is therefore to further explore the generalizability of our findings by collecting data from other nations with cultures similar to those of Sweden, USA and India.

Originality/value – Direct observation of employees’ security behaviors has rarely been used in previous research. Furthermore, analyzing potential differences in theoretical models based on national culture is an understudied topic in the behavioral information security field. This paper addresses both of these issues.

Place, publisher, year, edition, pages
Emerald Group Publishing Limited, 2015. Vol. 23, no 2
Keyword [en]
Social engineering, phishing, security behavior, direct observation, cultural differences
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
URN: urn:nbn:se:kth:diva-149375
DOI: 10.1108/ICS-05-2014-0029
Scopus ID: 2-s2.0-84946013752
OAI: oai:DiVA.org:kth-149375
DiVA: diva2:739386
Note

Updated accepted to published.

QC 20160201

Available from: 2014-08-21. Created: 2014-08-21. Last updated: 2017-12-05. Bibliographically approved
In thesis
1. Shaping information security behaviors related to social engineering attacks
2016 (English). Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Today, few companies would manage to continuously stay competitive without the proper utilization of information technology (IT). This has increased companies’ dependency on IT and created new threats that need to be addressed to mitigate risks to daily business operations. A large share of these IT-related threats involves hackers attempting to gain unauthorized access to internal computer networks by exploiting vulnerabilities in the behaviors of employees. A common way to exploit human vulnerabilities is to deceive and manipulate employees through the use of social engineering. Although researchers have attempted to understand social engineering, there is a lack of empirical research capturing the multilevel factors that explain what drives employees’ existing behaviors and how these behaviors can be improved. This is addressed in this thesis.

The contribution of this thesis includes (i) an instrument to measure security behaviors and their multilevel determinants, (ii) identification of multilevel variables that significantly influence employees’ intent for behavior change, (iii) identification of the behavioral governance factors that lay the foundation for behavior change, (iv) identification that national culture has a significant effect on how organizations cope with behavioral information security threats, and (v) a strategy to ensure adequate information security behaviors throughout an organization.

This thesis is a composite thesis of eight papers. Paper 1 describes the instrument measuring multilevel determinants. Papers 2 and 3 describe how security knowledge is established in organizations, and its effect on employee information security awareness. In Paper 4 the root cause of employees’ intention to change their behaviors and resist social engineering is described. Papers 5 and 8 describe how the instrument to measure social engineering security behaviors was developed and validated through scenario-based surveys and phishing experiments. Papers 6 and 7 describe experiments performed to understand the reasons why employees fall for social engineering. Finally, Papers 2, 5 and 6 examine the moderating effect of national culture.

Place, publisher, year, edition, pages
KTH Royal Institute of Technology, 2016. xv, 156 p.
Series
TRITA-EE, ISSN 1653-5146 ; 2016:061
Keyword
Information security, Behavioral information security, Social engineering, Phishing, Measuring information security behaviors, Information security governance, Experiments, National culture, Mixed method research design, Quantitative methods
National Category
Other Electrical Engineering, Electronic Engineering, Information Engineering
Research subject
Industrial Information and Control Systems
Identifiers
urn:nbn:se:kth:diva-186113 (URN)
978-91-7595-969-6 (ISBN)
Public defence
2016-05-27, L1, Drottning Kristinas väg 30, KTH Campus, Stockholm, 10:00 (English)
Note

QC 20160503

Available from: 2016-05-03. Created: 2016-05-02. Last updated: 2016-05-20. Bibliographically approved

Open Access in DiVA

No full text

Other links

Publisher's full text; Scopus

Search in DiVA

By author/editor
Rocha Flores, Waldo; Ekstedt, Mathias
By organisation
Industrial Information and Control Systems
In the same journal
Information Management & Computer Security