Phish Derby: Shoring the Human Shield Through Gamified Phishing Attacks

January 4, 2022

To explore employee behaviors in reporting phishing emails, we conducted a month-long "Phish Derby" competition at a large U.S. university, gamifying the phishing security awareness process. Employees competed to detect phishing emails, and their performance was analyzed based on demographic data and two theoretical frameworks: the Big Five personality traits and goal orientation theory. Key findings include that older employees outperformed younger ones, past performance on phishing simulations predicted success, and participants who used a single computing platform outperformed those who used multiple platforms. Interestingly, extraversion, agreeableness, and a learning goal orientation were associated with poorer performance, while self-reported computer skills did not correlate with success. These results highlight the importance of motivating positive cyber behaviors beyond merely tracking employee click rates in phishing simulations.

Authors:

Matthew Canham, Clay Posey, Michael Constantino

© 2025 Cognitive Security Institute. All rights reserved.