Is Punishment an effective deterrent for Phishing?

During a scientific literature review of phishing-related articles, I stumbled onto a fascinating article on the “Deterrent effects of punishment and training on insider security threats” (Kim, 2020). All scientific articles deserve attention, but this one caught mine a bit more because punishment, or at least the fear of it, is considered an ineffective way to reduce risk, at least when no way to cope with the threat is provided. This assumption is often based on research on health-related communication. Such studies tend to measure an attitude (how we feel about something) or an intent (what I think I will do in the future in a given context) rather than an action.

Also, phishing is, from my point of view, a specific case, as it often occurs as an “accident” during a “normal” activity (going through and reading our emails). Hence, it is more likely linked to a lack of good habits and vigilance than to disregard for cybersecurity policies.

On the other hand, our vigilance depends on the context. If we consider any email as suspicious, we will probably be less likely to fall for a phishing email. However, it might create additional cognitive workload and increase users’ stress levels (or not; to my knowledge, it hasn’t been evaluated).

Kim et al. tested the effect of punishment in a real-life setting using an exciting paradigm. To avoid the contextual impact of a typical laboratory experiment, they performed their studies in a governmental organization in Korea. They sent a first phishing email to a group of employees. They then split the people who failed the test into two groups: one that received a punishment (a visit from the security team, a temporary loss of access to the network and the threat of a bad mark on their annual performance review) and a second, control group of unpunished people.

Twenty weeks later, they sent a second phishing email and compared the click ratio between the two groups. 17.5% of the punished group clicked on the link in this second email, while 43.2% of the unpunished group clicked on it. Although the sample size is relatively limited (101 persons in total for both groups), the effect is significant (p=0.005). It is also notable that the results differed significantly between people with a low and a high position in the organization, with employees in a low position clicking significantly less than their high-position colleagues (punished: 7.1% vs 46.7%, p=0.002; not punished: 37.8% vs 71.4%, p=0.210).

These results are based on a tiny sample and must be treated with the necessary scientific doubt. Still, they raise some questions. Twenty weeks is a very long time. Punishment seems more effective in the long term than any training (phishing exercise training maintains its effectiveness for a month, at most three, depending on the research).

Also, as Kelsey Piper reminds us in an article published on Vox, context matters. Results obtained in one context often can hardly be replicated in another. Still, we should put this to the test and measure whether any punishment can effectively reduce the risk of phishing in another context.

References:

  • Bora Kim, Do-Yeon Lee & Beomsoo Kim (2020) Deterrent effects of punishment and training on insider security threats: a field experiment on phishing attacks, Behaviour & Information Technology, 39:11, 1156-1175, DOI: 10.1080/0144929X.2019.1653992
  • Kelsey Piper (2020) Why we can’t always be “nudged” into changing our behaviour, Vox.com, https://www.vox.com/future-perfect/2020/2/26/21154466/research-education-behavior-psychology-nudging