What Mid-Career Professionals Think, Know, and Feel About Phishing: Opportunities for University IT Departments to Better Empower Employees in Their Anti-Phishing Decisions

Phishing attacks, in which deceptive messages purporting to be from a legitimate contact are used to trick recipients and acquire sensitive information for the purposes of committing fraud, are a substantial and growing problem for organizations. IT departments and professionals may put in place a variety of institutional responses to thwart such attacks, but an organization's susceptibility to phishing also depends on the decisions and actions of individual employees. These employees may have little phishing expertise but still need to react to such attempts on a daily basis. Based on 24 semi-structured interviews with mid-career office workers (70.8% women, averaging 44 years old, with a bachelor's degree or more) at two universities in the midwestern United States, we find that employees self-describe a wide range of levels of awareness of, and confidence, competency and investment in, the organization's proscribed anti-phishing policies and practices. These employees also describe variation in the ways they would prefer to increase their perceived performance levels in all of these areas. In this paper, we argue that in order to empower employees to be better collaborators in an organization's anti-phishing efforts, organizations should embrace a range of efforts akin to the range of expertise among the users themselves. We make four such empowering recommendations for organizations to consider incorporating into their existing anti-phishing policies and practices, including suggestions to 1) embrace educating non-expert users more fully on organizational processes and consequences, 2) provide employees with a standing one-to-one communication channel between them and an IT phishing point-of-contact, 3) keep employees in the loop once phishing reports are made, and 4) avoid testing employees with "gotcha" assessments.