ABSTRACT
As phishing becomes increasingly sophisticated and costly, interventions that improve and prolong resistance to attacks are needed. Previous research supported digital training as a method to reduce phishing susceptibility. However, the effects of training degrade with time. Therefore, we investigate overlearning as an approach that may increase skill retention through repetition and developing automaticity. We performed a longitudinal experiment crossing overlearning with anti-phishing digital training (rule-based, mindfulness, and control). Participants were tested using email identification tests (immediately following and 10 weeks after training) and mock phishing messages delivered to their inboxes (1 week and 8 weeks following training). Results showed that compared to rule-based training, mindfulness training resulted in significantly greater retention in terms of better email discrimination and less susceptibility to phishing attacks but similar levels of caution towards phishing after 2 months. Overlearning resulted in significantly less susceptibility to phishing attacks and more caution towards phishing compared to no overlearning but did not impact the digital training approaches. Even so, mindfulness was more beneficial compared to overlearning. Altogether, the results demonstrate the stability of the benefits of mindfulness training over time in terms of mitigating phishing susceptibility without influencing the chances of missing legitimate emails.
Disclosure statement
No potential conflict of interest was reported by the author(s).
Supplementary material
Supplemental data for this article can be accessed here.
Notes
1. Wombat Security ThreatSim® Phishing Simulations available at https://www.wombatsecurity.com.
2. Mock phishing scores were moderately skewed, with skewness values of −1.55 at Time 1 and −1.49 at Time 2. Because our sample size (n = 453) was twice the size at which the impact of skewness begins to diminish (n = 200; Hair et al., Citation2005), our analysis used untransformed data to allow for easier interpretation of the results.
3. No group-level data was collected based on participants’ assignment to their respective training and overlearning conditions (i.e., there was a lack of dependence and interaction among participants within each respective study condition) or produced through individual-level data aggregation to predict individual performance.