Falling and failing (to learn): Evidence from a nation-wide cybersecurity field experiment with SMEs

David Gonzalez-Jimenez, Francesco Capozza, Thomas Dirkmaat, Evelien van de Veer, Amber van Druten, Aurélien Baillon*

*Corresponding author for this work

Research output: Contribution to journalArticleAcademicpeer-review

3 Downloads (Pure)

Abstract

Prior experiences are crucial in shaping risk prevention behavior. Previous studies have shown that experiencing a simulated phishing attack (a “phishing drill”) reduces the likelihood of clicking on unsafe links and disclosing one's password. In a large field experiment involving 670 small and medium-sized enterprises (SMEs) and their 33,000 employees, we examined the impact of experience on individuals’ ability to detect cyber-security threats, and whether this effect persisted over several months. We collected data at both the company and individual levels, including risk preference, time preference, and trust. Our findings indicate only a non-systematic, short-term effect of previous phishing emails on clicking behavior. A cluster of individuals with greater patience, trust, and risk seeking was more likely to click on phishing links in the first place but then also more likely to benefit from phishing drills.

Original languageEnglish
Article number106868
JournalJournal of Economic Behavior and Organization
Volume230
DOIs
Publication statusPublished - Feb 2025

Bibliographical note

JEL classification: C93, D83

Publisher Copyright: © 2025 The Authors

Fingerprint

Dive into the research topics of 'Falling and failing (to learn): Evidence from a nation-wide cybersecurity field experiment with SMEs'. Together they form a unique fingerprint.

Cite this