{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,17]],"date-time":"2026-03-17T03:23:12Z","timestamp":1773717792307,"version":"3.50.1"},"reference-count":22,"publisher":"Emerald","issue":"4","license":[{"start":{"date-parts":[[2014,10,7]],"date-time":"2014-10-07T00:00:00Z","timestamp":1412640000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2014,10,7]]},"abstract":"<jats:sec>\n               <jats:title content-type=\"abstract-heading\">Purpose<\/jats:title>\n               <jats:p> \u2013 The purpose of the study was threefold: to understand security behaviours in practice by investigating factors that may cause an individual to comply with a request posed by a perpetrator; to investigate if adding information about the victim to an attack increases the probability of the attack being successful; and, finally, to investigate if there is a correlation between self-reported and observed behaviour. <\/jats:p>\n            <\/jats:sec>\n            <jats:sec>\n               <jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title>\n               <jats:p> \u2013 Factors for investigation were identified based on a review of existing literature. Data were collected through a scenario-based survey, phishing experiments, journals and follow-up interviews in three organisations. <\/jats:p>\n            <\/jats:sec>\n            <jats:sec>\n               <jats:title content-type=\"abstract-heading\">Findings<\/jats:title>\n               <jats:p> \u2013 The results from the experiment revealed that the degree of target information in an attack increased the likelihood that an organisational employee falls victim to an actual attack. 
Further, an individual\u2019s trust and risk behaviour significantly affected the actual behaviour during the phishing experiment. Computer experience at work, helpfulness and gender (females tend to be less susceptible to a generic attack than men), had a significant correlation with behaviour reported by respondents in the scenario-based survey. No correlation between the results from the scenario-based survey and the experiments was found. <\/jats:p>\n            <\/jats:sec>\n            <jats:sec>\n               <jats:title content-type=\"abstract-heading\">Research limitations\/implications<\/jats:title>\n               <jats:p> \u2013 One limitation is that the scenario-based survey may have been interpreted differently by the participants. Another is that controlling how the participants reacted when receiving the phishing mail, and what actually triggered each and every participant to click on the attached link, was not possible. Data were however collected to capture these aspects during and after the experiments. In conclusion, the results do not imply that one or the other method should be ruled out, as they have both advantages and disadvantages which should be considered in the context of collecting data in the critical domain of information security. <\/jats:p>\n            <\/jats:sec>\n            <jats:sec>\n               <jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title>\n               <jats:p> \u2013 Two different methods to collect data to understand security behaviours have rarely been used in previous research. Studies that add target information to understand if such information could increase the probability of attack success are sparse. 
This paper includes both approaches.<\/jats:p>\n            <\/jats:sec>","DOI":"10.1108\/imcs-11-2013-0083","type":"journal-article","created":{"date-parts":[[2014,10,29]],"date-time":"2014-10-29T06:51:52Z","timestamp":1414565512000},"page":"393-406","source":"Crossref","is-referenced-by-count":47,"title":["Using phishing experiments and scenario-based surveys to understand security behaviours in practice"],"prefix":"10.1108","volume":"22","author":[{"given":"Waldo","family":"Rocha Flores","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Hannes","family":"Holm","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Gustav","family":"Svensson","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"G\u00f6ran","family":"Ericsson","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2020122819525002300_b1","unstructured":"Alseadoon, I.\n               , \n                  Chan, T.\n               , \n                  Foo, E.\n                and \n                  Nieto, J.G.\n                (2012), \u201cWho is more susceptible to phishing emails?: a Saudi Arabian study\u201d, Proceedings of the 23rd Australasian Conference on Information Systems 2012, 3-5 December 2012, Geelong."},{"key":"key2020122819525002300_b2","doi-asserted-by":"crossref","unstructured":"Applegate, S.D.\n                (2009), \u201cSocial engineering: hacking the wetware!\u201d, Information Security Journal: A Global Perspective, Vol. 18 No. 1, pp. 
40-46.","DOI":"10.1080\/19393550802623214"},{"key":"key2020122819525002300_b3","doi-asserted-by":"crossref","unstructured":"Bakhshi, T.\n               , \n                  Papadaki, M.\n                and \n                  Furnell, S.\n                (2009), \u201cSocial engineering: assessing vulnerabilities in practice\u201d, Information Management & Computer Security, Vol. 17 No. 1, pp. 53-63.","DOI":"10.1108\/09685220910944768"},{"key":"key2020122819525002300_b4","unstructured":"Barwick, H.\n                (2012), \u201cSocial engineering, big data top security priorities for 2013: gartner\u201d, Computerworld, available at: www. computerworld.com.au\/article\/441539\/social_engineering_big_data_top_security_priorities_2013_gartner_\/ (accessed 10 January 2013)."},{"key":"key2020122819525002300_b5","doi-asserted-by":"crossref","unstructured":"Bergkvist, L.\n                and \n                  Rossiter, J.R.\n                (2007), \u201cThe predictive validity of multiple-item versus single-item measures of the same constructs\u201d, Journal of Marketing Research, Vol. 44 No. 2, pp. 175-184.","DOI":"10.1509\/jmkr.44.2.175"},{"key":"key2020122819525002300_b6","doi-asserted-by":"crossref","unstructured":"Crossler, R.E. Johnston, A.C.\n               , \n                  Lowry, P.B.\n               , \n                  Hu, Q.\n               , \n                  Warkentin, M.\n                and \n                  Baskerville, R.\n                (2013), \u201cFuture directions for behavioral information security research\u201d, Computers & Security, Vol. 32 No. 1, pp. 
90-101.","DOI":"10.1016\/j.cose.2012.09.010"},{"key":"key2020122819525002300_b22","doi-asserted-by":"crossref","unstructured":"Dhamija, R.\n               , \n                  Tygar, J.D.\n                and \n                  Hearst, M.\n                (2006), \u201cWhy phishing works\u201d, in Proceedings of the SIGCHI conference on Human Factors in computing systems.","DOI":"10.1145\/1124772.1124861"},{"key":"key2020122819525002300_b7","unstructured":"D Mitnick, K.\n                and \n                  L Simon, W.\n                (2002), The Art of Deception: Controlling the Human Element of Security, Wiley Publishing, Indianapolis, IN."},{"key":"key2020122819525002300_b8","doi-asserted-by":"crossref","unstructured":"Dodge, R.\n               , \n                  Carver, C.\n                and \n                  Ferguson, A.\n                (2007), \u201cPhishing for user security awareness\u201d, Computers & Security, Vol. 26 No. 1, pp. 73-80.","DOI":"10.1016\/j.cose.2006.10.009"},{"key":"key2020122819525002300_b9","unstructured":"Glass, G.V.\n                and \n                  Hopkins, K.D.\n                (1995), Statistical Methods in Education and Psychology, 3rd ed., Allyn & Bacon, The University of Michigan, Boston."},{"key":"key2020122819525002300_b10","doi-asserted-by":"crossref","unstructured":"Holm, H.\n               , \n                  Rocha Flores, W.\n                and \n                  Ericsson, G.\n                (2013), \u201cCyber security for a smart grid \u2013 what about Phishing?\u201d, Proceedings of the 4th European Innovative Smart Grid Technologies (ISGT) Conference, Lyngby.","DOI":"10.1109\/ISGTEurope.2013.6695407"},{"key":"key2020122819525002300_b11","doi-asserted-by":"crossref","unstructured":"Jagatic, T.N.\n               , \n                  Johnson, N.A.\n               , \n                  Jakobsson, M.\n                and \n                  Menczer, F.\n                (2007), \u201cSocial 
phishing\u201d, Communications of the ACM, Vol. 50 No. 10, pp. 94-100.","DOI":"10.1145\/1290958.1290968"},{"key":"key2020122819525002300_b12","doi-asserted-by":"crossref","unstructured":"Jakobsson, M.\n                and \n                  Ratkiewicz, J.\n                (2006), \u201cDesigning ethical phishing experiments\u201d, Proceedings of the 15th international conference on World Wide Web - WWW \u201906, ACM Press, New York, NY, p. -.","DOI":"10.1145\/1135777.1135853"},{"key":"key2020122819525002300_b13","doi-asserted-by":"crossref","unstructured":"Jansson, K.\n                and \n                  von Solms, R.\n                (2013), \u201cPhishing for phishing awareness\u201d, Behaviour & Information Technology, Vol. 32 No. 6, pp. 584-593.","DOI":"10.1080\/0144929X.2011.632650"},{"key":"key2020122819525002300_b14","doi-asserted-by":"crossref","unstructured":"Luo, X.\n               , \n                  Brody, R.\n               , \n                  Seazzu, A.\n                and \n                  Burd, S.\n                (2011), \u201cSocial engineering: the neglected human factor for information security management\u201d, Information Resources Management Journal, Vol. 24 No. 3, pp. 1-8.","DOI":"10.4018\/irmj.2011070101"},{"key":"key2020122819525002300_b15","doi-asserted-by":"crossref","unstructured":"Moos, D.C.\n                and \n                  Azevedo, R.\n                (2009), \u201cLearning with computer-based learning environments: a literature review of computer self-efficacy\u201d, Review of Educational Research, Vol. 79 No. 2, pp. 
576-600.","DOI":"10.3102\/0034654308326083"},{"key":"key2020122819525002300_b16","unstructured":"Nohlberg, M.\n                (2005), \u201cSocial engineering audits using anonymous surveys \u2013 conning the users in order to know if they can be conned\u201d, Proceedings of the 4th Security Conference, Las Vegas."},{"key":"key2020122819525002300_b17","doi-asserted-by":"crossref","unstructured":"Podsakoff, P.M.\n               , \n                  Mackenzie, S.B.\n               , \n                  Lee, J.Y.\n                and \n                  Podsakoff, N.P.\n                (2003), \u201cCommon method biases in behavioral research: a critical review of the literature and recommended remedies\u201d, The Journal of applied psychology, Vol. 88 No. 5, pp. 879-903.","DOI":"10.1037\/0021-9010.88.5.879"},{"key":"key2020122819525002300_b18","unstructured":"Provos, N.\n               , \n                  Mavrommatis, P.\n               , \n                  Rajab, M.A.\n                and \n                  Monrose, F.\n                (2008), \u201cAll your iFRAMEs point to Us\u201d, Proceedings of the 17th conference on Security symposium, USENIX Association, Johns Hopkins University, pp. 1-15."},{"key":"key2020122819525002300_b21","doi-asserted-by":"crossref","unstructured":"Rhee, H.-S.\n               , \n                  Kim, C.\n                and \n                  Ryu, Y.U.\n                (2009), \u201cSelf-efficacy in information security: its influence on end users' information security practice behavior\u201d, Computers & Security, Vol. 28 No. 8, pp. 
816-826.","DOI":"10.1016\/j.cose.2009.05.008"},{"key":"key2020122819525002300_b19","doi-asserted-by":"crossref","unstructured":"Sheng, S.\n               , \n                  Holbrook, M.\n               , \n                  Kumaraguru, P.\n               , \n                  Cranor, L.F.\n                and \n                  Downs, J.\n                (2010), \u201cWho falls for phish?\u201d, Proceedings of the 28th International Conference on Human Factors in Computing Systems - CHI \u201910, ACM Press, New York, NY, p. -.","DOI":"10.1145\/1753326.1753383"},{"key":"key2020122819525002300_b20","doi-asserted-by":"crossref","unstructured":"Workman, M.\n                (2008), \u201cWisecrackers: a theory-grounded investigation of phishing and pretext social engineering threats to information security\u201d, Journal of the American Society for Information Science and Technology, Vol. 59 No. 4, pp. 662-674.","DOI":"10.1002\/asi.20779"}],"container-title":["Information Management &amp; Computer 
Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/IMCS-11-2013-0083","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/IMCS-11-2013-0083\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/IMCS-11-2013-0083\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,24]],"date-time":"2025-07-24T21:50:50Z","timestamp":1753393850000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/22\/4\/393-406\/176021"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2014,10,7]]},"references-count":22,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2014,10,7]]}},"alternative-id":["10.1108\/IMCS-11-2013-0083"],"URL":"https:\/\/doi.org\/10.1108\/imcs-11-2013-0083","relation":{},"ISSN":["0968-5227"],"issn-type":[{"value":"0968-5227","type":"print"}],"subject":[],"published":{"date-parts":[[2014,10,7]]}}}