Xiaowei Chen, Sophie Doublet, Anastasia Sergeeva, Gabriele Lenzini, and Vincent Koenig, University of Luxembourg; Verena Distler, University of the Bundeswehr Munich
Organizations adopt a combination of measures to defend against phishing attacks that pass through technical filters. However, employees’ engagement with these countermeasures often does not meet security experts’ expectations. To explore what motivates and discourages employees from engaging with user-oriented phishing interventions, we conducted seven focus groups with 34 employees at a European university, applying the Expectancy-Value Theory. Our study revealed a spectrum of factors influencing employees’ engagement. The perceived value of phishing interventions influences employees’ participation. Although the expectation of mitigation and fear of consequences can motivate employees, lack of feedback and communication, worries, and privacy concerns discourage them from reporting phishing emails. We found that the expectancy-value framework provides a unique lens for explaining how organizational culture, social roles, and the influence of colleagues and supervisors foster proactive responses to phishing attacks. We documented a range of improvements proposed by employees to phishing interventions. Our findings underscore the importance of enhancing utility value, prioritizing positive user experiences, and nurturing employees’ motivations to engage them with phishing interventions.
