SSI-co-authored paper „An Organizational Field Experiment on Phishing and Cybersecurity Risk Homeostasis Theory” accepted at AMCIS 2025!

K. Hobbensiefken, B. Balk, A. Peter, und P. Staudt, "An Organizational Field Experiment on Phishing and Cybersecurity Risk Homeostasis Theory" in Proc. of the 31st Americas Conference on Information Systems (AMCIS 2025), 2025.

Short Summary:

Phishing remains a persistent cybersecurity threat, with attackers continuously refining their techniques to evade detection. This study applies Risk Homeostasis Theory (RHT) to understand employee behavior in response to phishing attacks within a large organization. Through a 2x2 between-subjects field experiment involving 400 employees, we assess the impact of cybersecurity training and phishing incident reports on phishing susceptibility. Our findings suggest that general cybersecurity training alone does not immediately reduce phishing risk, but phishing-specific training significantly improves employee susceptibility. Regular phishing incident reports initially enhance risk awareness and reduce susceptibility; however, this effect diminishes over time. Interestingly, combining training and reports does not yield significant improvements, raising questions about the effect of combined interventions. This study provides the first empirical insights into RHT’s application in cybersecurity and highlights the importance of targeted interventions to enhance organizational resilience against phishing threats.