Impact of information security training on recognition of phishing attacks: a case study of Vilnius Gediminas Technical University

Abstract

Phishing attack is a type of social engineering attack and often used as the initial stage of a larger campaign. It is dangerous as users might inadvertently reveal to the attackers personal data or sensitive corporate information. Therefore, inability to recognize and properly react to phishing attacks must be treated as one of the main security risks in the enterprise. In this paper, we present a methodology for evaluating employees' resistance to phishing attacks. We also analyze the changes to the situation after the employees participated in information security training. Experiments with employees of Vilnius Gediminas Technical University were carried out within a period of one year to gather information on how credulous they are to phishing attacks before and after security training. Results of the experiment reveal the benefit of security training, however there is still room for improvement and need to pay attention in the future.