AUTHOR=Canham Matthew, Posey Clay, Constantino Michael
TITLE=Phish Derby: Shoring the Human Shield Through Gamified Phishing Attacks
JOURNAL=Frontiers in Education
VOLUME=Volume 6 - 2021
YEAR=2022
URL=https://www.frontiersin.org/journals/education/articles/10.3389/feduc.2021.807277
DOI=10.3389/feduc.2021.807277
ISSN=2504-284X
ABSTRACT=To better understand employees’ reporting behaviors in relation to phishing emails, we gamified the phishing security awareness training process by creating and conducting a month-long ‘Phish Derby’ competition at a large university in the U.S. Employees competed against one another for prizes and were instructed to report emails as potential phishing attacks. Prior to the beginning of the competition, we collected demographic data and data related to the concepts central to two theoretical foundations: the Big Five personality traits and goal orientation theory. We found several notable relationships between demographic variables and Derby performance, which was operationalized from the number of phishing attacks reported and employee report speed. Several key findings emerged, including that past performance on simulated phishing campaigns positively predicted Phish Derby performance; older participants performed better than their younger colleagues, but more education led to poorer performance; and individuals who used a mix of PCs and Macs at work performed worse than those using a single platform. We also found that two of the Big Five personality dimensions, extraversion and agreeableness, were both associated with poorer performance in phishing detection and reporting. Likewise, individuals who were driven to perform well in the Derby because they desired to learn from the experience (i.e., learning goal orientation) performed at a lower level than those driven by other goals. Interestingly, self-reported levels of computer skill and the perceived ability to detect phish failed to exhibit a significant relationship with Derby performance. We discuss these findings and describe how focusing on motivating the good in employee cyber behaviors is a necessary yet too often overlooked component in organizations whose training cyber cultures are rooted in employee click rates alone.