Cyberattacks have a growing effect on business management. Organisations are increasingly focusing on human factors: how to train and evaluate people so as to minimise potential losses. One of the most scalable and practical ways to measure the human factor is to conduct a phishing experiment. Phishing is a type of cyber-attack that uses socially engineered messages to persuade people to perform actions that benefit the attacker. There is a considerable amount of literature on phishing, e.g. how it works and how to defend against it. However, there is little discussion of the particular methods or the specific process of conducting simulated phishing experiments. This paper proposes a mixed methods approach for conducting phishing experiments and describes the experimental procedure, including its technological, ethical and legal aspects. The proposed approach is based on related academic work and on practical experience in both public and private sector organisations. Multiple opportunities and challenges regarding phishing experiments are discussed, providing guidelines for future research.
Mäses, S., Kikerpill, K., Jüristo, K., & Maennel, O. (2019). Mixed methods research approach and experimental procedure for measuring human factors in cybersecurity using phishing simulations. In Proceedings of the European Conference on Research Methods in Business and Management Studies (Vol. 2019-June, pp. 218–226). Academic Conferences Limited. https://doi.org/10.34190/RM.19.097