MEASURING THE IMPACT OF DELIVERY METHODS ON RESPONDING TO PHISHING EMAILS BY COLLEGE EMPLOYEES
Berryman, Paul Erick
Effective security awareness programs are desired at colleges to modify the behavior of employees and to improve the protection of sensitive information. The likelihood of theft of sensitive information from colleges has increased as the use of information technology in both instructional and support work has grown. The increased risk of data loss is partially due to the susceptibility of employees to social engineering, which is the manipulation of people by criminals into divulging personal information. This is most notably accomplished by criminals through phishing emails, messages that direct an employee to a fake website with the criminals’ intent of tricking the employee into giving up their password or other sensitive information. Employees are lured to the website by clicking on an embedded link in an email they believe to be from a legitimate organization, when the website is, in fact, owned by criminals. Anything typed on the website is copied by the criminals, so they can then pose as the employee on legitimate systems or applications. To protect against this attack method, it is important that employees be educated on ways to minimize risky online behavior. One such way is the use of security awareness training. Security awareness training is a program of educating college employees on security topics such as why phishing emails are used, how they work, and how to avoid them. One obstacle is determining which method of delivering the content would be the most effective and cause employees to change their online behavior. There are several methods available, including in-person training, online video training, and email messages. These delivery methods have various challenges, including financial costs, time to implement, and time to deliver the content. This study evaluated three delivery methods to determine which is the most effective in changing employee behavior. Employees’ knowledge of terminology or content was not evaluated. Instead, this study measured their response to test emails that appeared to be malicious phishing emails. All three delivery methods were found to make the employees’ responses more secure.