Xiaowei Chen, Sophie Doublet, Anastasia Sergeeva, Gabriele Lenzini, and Vincent Koenig, University of Luxembourg; Verena Distler, University of the Bundeswehr Munich
Organizations adopt a combination of measures to defend against phishing attacks that pass through technical filters. However, employees’ engagement with these countermeasures often does not meet security experts’ expectations. To explore what motivates and discourages employees from engaging with user-oriented phishing interventions, we conducted seven focus groups with 34 employees at a European university, applying the Expectancy-Value Theory. Our study revealed a spectrum of factors influencing employees’ engagement. The perceived value of phishing interventions influences employees’ participation. Although the expectation of mitigation and fear of consequences can motivate employees, lack of feedback and communication, worries, and privacy concerns discourage them from reporting phishing emails. We found that the expectancy-value framework provides a unique lens for explaining how organizational culture, social roles, and the influence of colleagues and supervisors foster proactive responses to phishing attacks. We documented a range of improvements proposed by employees to phishing interventions. Our findings underscore the importance of enhancing utility value, prioritizing positive user experiences, and nurturing employees’ motivations to engage them with phishing interventions.
author = {Xiaowei Chen and Sophie Doublet and Anastasia Sergeeva and Gabriele Lenzini and Vincent Koenig and Verena Distler},
title = {What Motivates and Discourages Employees in Phishing Interventions: An Exploration of {Expectancy-Value} Theory},
booktitle = {Twentieth Symposium on Usable Privacy and Security (SOUPS 2024)},
year = {2024},
isbn = {978-1-939133-42-7},
address = {Philadelphia, PA},
pages = {487--506},
url = {https://www.usenix.org/conference/soups2024/presentation/chen},
publisher = {USENIX Association},
month = aug
}