TY - JOUR
T1 - Falling and failing (to learn)
T2 - Evidence from a nation-wide cybersecurity field experiment with SMEs
AU - Gonzalez-Jimenez, David
AU - Capozza, Francesco
AU - Dirkmaat, Thomas
AU - van de Veer, Evelien
AU - van Druten, Amber
AU - Baillon, Aurélien
N1 - JEL classification: C93, D83
Publisher Copyright: © 2025 The Authors
PY - 2025/2
Y1 - 2025/2
N2 - Prior experiences are crucial in shaping risk prevention behavior. Previous studies have shown that experiencing a simulated phishing attack (a “phishing drill”) reduces the likelihood of clicking on unsafe links and disclosing one's password. In a large field experiment involving 670 small and medium-sized enterprises (SMEs) and their 33,000 employees, we examined the impact of experience on individuals’ ability to detect cyber-security threats, and whether this effect persisted over several months. We collected data at both the company and individual levels, including risk preference, time preference, and trust. Our findings indicate only a non-systematic, short-term effect of previous phishing emails on clicking behavior. A cluster of individuals with greater patience, trust, and risk seeking was more likely to click on phishing links in the first place but then also more likely to benefit from phishing drills.
UR - http://www.scopus.com/inward/record.url?scp=85214026031&partnerID=8YFLogxK
U2 - 10.1016/j.jebo.2024.106868
DO - 10.1016/j.jebo.2024.106868
M3 - Article
AN - SCOPUS:85214026031
SN - 0167-2681
VL - 230
JO - Journal of Economic Behavior and Organization
JF - Journal of Economic Behavior and Organization
M1 - 106868
ER -