Phish me once, shame on you; phish me twice, shame on me: A longitudinal field experiment on the knowledge retention of an embedded anti-phishing training
Professor Xin (Robert) Luo
Endowed Dean’s Professor of Research Excellence
Black, Albert & Mary Jane Full Professor of Management Information Systems
Anderson School of Management, The University of New Mexico
ABSTRACT
Due to the ubiquity of phishing attacks, businesses have increased their investment in information security training. However, the long-term impact of anti-phishing training in an organizational context is still uncertain. Previous empirical research indicates that employees typically forget the anti-phishing training they received after one to six months. Finding the ideal time period may help to prevent the erosion of anti-phishing knowledge and enhance employees’ capacity to identify phishing over the long term. To obtain insight into a long-term viable strategy for embedded anti-phishing training, we evaluate three types of learning schedules in a typical embedded training program and determine the most effective learning schedule for enhancing information retention. More than 8000 employees participated in this study over the course of eight months as part of a longitudinal field study. Expanding the training schedule has a greater effect on long-term information retention than maintaining or expanding the training schedule. This research contributes to the literature on information security by offering a more effective training interval for embedded anti-phishing training.
