Simulated Stress: A Case Study of the Effects of a Simulated Phishing Campaign on Employees' Perception, Stress and Self-Efficacy

Abstract

Many organizations are concerned about being attacked by phishing emails and buy Simulated Phishing Campaigns (SPC) to measure and reduce their employees' susceptibility to these attacks. Whilst some prior studies reported reduced click rates after SPCs, others have raised concerns that it may have undesirable side effects: causing some employees stress, and/or reducing their self-efficacy. This would be counterproductive, since stress and self-efficacy play a key role in learning and behavior change. We report the first study in which stress and self-efficacy were measured with n = 408 employees immediately after they clicked on or reported a simulated phishing email they received as part of an SPC in a large organization. To obtain richer data how employees experienced the SPC, we conducted semi-structured interviews with n = 21 employees. We find that participants who clicked on and reported simulated phishing emails generally perceived SPCs as positive and effective, even though recent research casts doubt on this effectiveness. We further find that participants who clicked on simulated phishing emails had significantly higher stress levels and significantly lower phishing self-efficacy than participants who reported them. We further discuss the impact of our findings and conclude that the effect of SPCs on the perceived stress of employees is an important relationship that needs to be investigated in future studies.