Open access repository


In 2014, we launched our open-access repository which offers full text access to conference proceedings from many of our events including the INC and HAISA series. These papers are free to access and distribute (subject to citing the source).


European Information Security Multi-Conference (EISMC 2013)

Lisbon, Portugal, May 8-10, 2013
ISBN: 978-1-84102-345-8

Title: Using Phishing Experiments and Scenario-based Surveys to Understand Security Behaviours in Practice
Author(s): Waldo Rocha Flores, Hannes Holm, Gustav Svensson, Göran Ericsson
Reference: pp79-90
Keywords: Social engineering, phishing, security behaviours, survey method, experiment
Abstract: Threats from social engineering can cause organisations severe damage if they are not considered and managed. In order to understand how to manage those threats, it is important to examine the reasons why organisational employees fall victim to social engineering. In this paper, the objective is to understand security behaviours in practice by investigating factors that may cause an individual to comply with a request posed by a perpetrator. In order to attain this objective, we collect data through a scenario-based survey and conduct phishing experiments in three organisations. The results from the experiment reveal that the degree of target information in an attack increases the likelihood that an organisational employee falls victim to an actual attack. Further, an individual's trust and risk behaviour significantly affects the actual behaviour during the phishing experiment. Computer experience at work, helpfulness and gender (females tend to be less susceptible to a generic attack than men) have a significant correlation with the behaviour reported by respondents in the scenario-based survey. No correlation between performance in the scenario-based survey and in the experiment was found. We argue that this result does not imply that one or the other method should be ruled out, as both have advantages and disadvantages which should be considered in the context of collecting data in the critical domain of information security. Discussion of the findings, implications and recommendations for future research is further provided.
Download count: 4143

How to get this paper:


A PDF copy of this paper is free to download. You may distribute this copy provided you cite this page as the source.