Peer-reviewed · Telematics and Informatics (2022) · Open access
A large share of phishing risk is organizational, not individual
A field study of 83,269 employees across 510 organizations, combining a survey of security-related norms with employees' real responses to phishing campaigns.
What the study did
The research merged survey measures of four types of security-related norms — personal, descriptive, injunctive, and formal — with employees' actual behaviour in unannounced simulated phishing campaigns run over 1.5 years: whether they clicked links and whether they entered data on fraudulent sites. It analysed the data with a two-level model that separates individual-level effects from organizational-level ones.
Between 29% and 55% of the variation in phishing susceptibility was attributable to organizational-level factors
Across the sample, a large share of the difference in who was susceptible to phishing came from the organization rather than the individual. Susceptibility to phishing is, to a substantial degree, an organizational property.
Which norms reduced susceptibility
Formal norms — a clear, communicated, and understood security policy — and collectively shared injunctive norms — a shared sense of what colleagues expect of one another — had the strongest effects in reducing susceptibility to phishing. Personal moral norms had only a weak influence.
When good intentions backfire
Descriptive norms — the perception that colleagues are already handling security well — were associated with greater susceptibility rather than less: a boomerang effect consistent with free-riding. A clear, salient security policy could likewise increase casual link-clicking, as employees came to trust that the organization had security handled.
Why it matters
Because security-related norms are organizational-level phenomena, and because well-intentioned norms can backfire, perceptions and written policy alone are not enough. To intervene on valid grounds, organizations need real data on the norms and behaviours that actually exist.
Peer-reviewed field research
29–55%
of the variation in phishing susceptibility is attributable to organizational-level factors, not individual ones.
Measured across 83,269 employees in 510 organizations, using their real responses to phishing campaigns.
Petrič, G., & Roer, K. (2022). The impact of formal and informal organizational norms on susceptibility to phishing. Telematics and Informatics, 67, 101766. Licensed under CC BY 4.0.
Peer-reviewed field research
When employees believed their colleagues were already handling security well, they became more susceptible to phishing, not less — a boomerang effect. A clear, salient security policy could likewise increase casual link-clicking.
From the same field study of 83,269 employees across 510 organizations.
Petrič, G., & Roer, K. (2022). The impact of formal and informal organizational norms on susceptibility to phishing. Telematics and Informatics, 67, 101766. Licensed under CC BY 4.0.