Simulated Phishing Attack and Embedded Training Campaign

Phishing attacks are costly for both organizations and individuals, yet existing academic research has provided little guidance on how to strategize and implement a combined phishing awareness and training campaign. Drawing on operant conditioning theory, we conduct an in-depth case study on a large phishing awareness campaign and reveal that phishing awareness is a learning process through which individuals' behavior can be strengthened by reinforcement and punishment. Based on the case study findings, we present several propositions for cybersecurity stakeholders. This study contributes to the phishing awareness literature and has implications for research and practice. This paper is useful for organizations planning or in the process of implementing or reviewing a phishing awareness and education program.