Deterrent effects of punishment and training on insider security threats: a field experiment on phishing attacks

There is no doubt that organisational security threats are currently surging, internally and externally. In an effort to prevent internal threats - employee violations of information security policy (ISP) - security training programmes and sanction policies are implemented to a large extent in organisations. However, few studies have verified their practical effectiveness and the impact of individual characteristics within organisations. This study conducted a field experiment to examine the actual deterrent effect of those measures against phishing attacks. By fabricating fake phishing schemes through a simulation programme, the specific deterrent effect of punishment, the general deterrent effect of education, and employees' organisational position were tested on their ISP compliance behaviour. Findings confirmed that punishment effectively prevented the punished from falling for phishing again and that the trained group fell for phishing much less often than the untrained group. In addition, the higher one's organisational position, the more likely the person fell for phishing. Regardless of the treatment (i.e. training or punishment), this position effect stood out. The results of this study offer researchers and practitioners insightful information about effective deterrence measures and policies for organisational information security.