MIT Libraries DSpace@MIT


Why Employees (Still) Click on Phishing Links: An Investigation in Hospitals

Author(s)
Jalali, Seyed Mohammad Javad; Bruckes, Maike; Westmattelmann, Daniel; Schewe, Gerhard
Terms of use
Creative Commons Attribution 4.0 International license https://creativecommons.org/licenses/by/4.0/
Abstract
Employees are considered the weakest link in information security; their compliance with security policies has been a major area of research. However, employees click on phishing links even after receiving training. In this study, we explore the factors that influence information security policy compliance, using the theory of planned behavior (TPB) and integrating trust theories. We conduct a survey in hospitals to investigate the components of compliance intention and match employees’ survey results with their actual clicking data from organizational phishing campaigns. Our analysis (N = 430) revealed that TPB factors (attitude, subjective norms, and perceived behavioral control), as well as collective felt trust and trust in information security technology, have positive effects on compliance intention. However, surprisingly, compliance intention does not predict compliance behavior. Of the variables we tested, only the level of employees’ workload shows a significant relationship to their actual behavior. This study contributes to the information systems literature by understanding factors influencing compliance behavior. Also, unlike studies that assess behavior through a questionnaire, our method was able to measure observable compliance behavior using clicking data. Our findings can help organizations augment employees’ compliance with their cybersecurity policies and reduce the likelihood of clicking on phishing links.

Keywords: Information security management; phishing emails; compliance; trust; theory of planned behavior
Date issued
2019-02
URI
https://hdl.handle.net/1721.1/124018
Department
Sloan School of Management
Publisher
Elsevier BV
Citation
Jalali, Mohammad S. et al. "Why Employees (Still) Click on Phishing Links: an Investigation in Hospitals." (February 2019)
Version: Final published version
ISSN
1556-5068

Collections
  • MIT Open Access Articles

Content created by the MIT Libraries, CC BY-NC unless otherwise noted. Notify us about copyright concerns.