The role of optimism bias in susceptibility to phishing attacks in a financial services organisation

Abstract

Researchers looking for ways to change the insecure behaviour that results in successful phishing have considered multiple possible reasons for such behaviour. Therefore, the purpose of this study is to understand the role of optimism bias (OB "“ defined as a cognitive bias), which characterises overly optimistic or unrealistic individuals, in order to ensure secure behaviour. Research is considered that has focused on issues such as personality traits, trust, attitude and information security awareness training (ISAT). We used a mixed methods design to investigate OB behaviour, building on a recontextualised version of the theory of planned behaviour to evaluate the influence that OB has on phishing susceptibility. To model the data, an analysis was performed on 226 survey responses (systematic random sampling method) from the employees of a financial services organisation using partial least squares (PLS) path modelling. To evaluate OB behaviour, we conducted an experiment consisting of three ISAT sessions and three simulated phishing attacks. After each phishing experiment, we conducted interviews to gain a better understanding of why people succumbed to the attacks. It was subsequently found that overly optimistic individuals are inclined to behave insecurely, while factors such as attitude and trust significantly influence the intention to behave securely. Our contribution to practice is to enhance the effectiveness of ISAT by identifying and addressing the OB weakness to deliver a more successful training outcome. Our contribution to theory enriches the Information Systems literature by evaluating the effect of a cognitive bias on phishing susceptibility and, through research, offering a contextual explanation of the resultant behaviour.