Cybersecurity cannot be ensured with mere technical solutions. Hackers often use fraudulent emails to simply ask people for their password to breach into organizations. This technique, called phishing, is a major threat for many organizations. A typical prevention measure is to inform employees but is there a better way to reduce phishing risks? Experience and feedback have often been claimed to be effective in helping people make better decisions. In a large field experiment involving more than 10,000 employees of a Dutch ministry, we tested the effect of information provision, simulated experience, and their combination to reduce the risks of falling into a phishing attack. Both approaches substantially reduced the proportion of employees giving away their password. Combining both interventions did not have a larger impact.

Additional Metadata
Persistent URL,
Journal PLoS ONE
Baillon, A, De Bruin, J. (Jeroen), Emirmahmutoglu, A. (Aysil), Van De Veer, E. (Evelien), & Van Dijk, B. (Bram). (2019). Informing, simulating experience, or both: A field experiment on phishing risks. PLoS ONE, 14(12). doi:10.1371/journal.pone.0224216