ASSESSING END-USER RESILIENCE TO PHISHING: A STUDY ON EDUCATIONAL INTERVENTIONS AND SIMULATED ATTACKS IN A CROATIAN UNIVERSITY
Keywords: Phishing, Cybersecurity, End-User Awareness, Simulated Attacks
Abstract
Phishing remains a pervasive and evolving cybersecurity threat, consistently exploiting the human element as a primary vulnerability in organizational defenses. This comprehensive study investigates the efficacy of structured educational interventions combined with realistic simulated phishing attacks in bolstering end-user resilience against these threats within a prominent Croatian university. Employing a quasi-experimental design, the research involved a multi-phased approach comprising an initial baseline assessment, targeted educational modules, and subsequent simulated attacks. We meticulously analyzed behavioral responses, compromise rates, and their statistical associations with various demographic and contextual variables, including age, departmental affiliation, and professional qualifications. While individual interventions showed varying degrees of immediate impact, a critical finding emerged regarding the significant influence of temporal factors, particularly pre-holiday periods, on user susceptibility. These results underscore the inherent limitations of standalone awareness assessments and highlight the imperative for ongoing, highly contextualized, and integrated cybersecurity training methodologies. The findings offer practical guidance for academic institutions and other organizations seeking to develop more robust and adaptive phishing defense strategies that account for both human factors and environmental dynamics.