Abstract
Although there have been numerous technological advancements in the last several years, social engineering remains a real threat, especially phishing, spear-phishing, and Business Email Compromise (BEC). While the technologies that protect corporate employees and network borders have improved, there are still human elements to consider. No technology can protect an organization completely, so it is imperative that end users are provided with the most up-to-date and relevant Security Education, Training, and Awareness (SETA). Phishing, spear-phishing, and BEC are three primary vehicles used by attackers to infiltrate corporate networks and manipulate end users into providing them with valuable company information. Many times, this information can be used to hack the network for ransom or to impersonate employees so that the attacker can steal money from the company. Analysis of successful attacks shows not only a lack of technology adoption by many organizations, but also end users' susceptibility to attacks. One of the primary mediums through which attackers enjoy success is business email. This dissertation study was aimed at researching several phishing mitigation methods, including phishing training and campaign methods, as well as any human characteristics that make a cyberattack through business email successful. Phase 1 of this study validated the approach and measures through 27 cybersecurity experts’ opinions. Phase 2 was a pilot study that produced a procedure for data collection and analysis and gathered 172 data points across three groups containing 86 users. Phase 3, the main study, used the established data approach and gathered 1,104 data points across three groups containing 552 users. The results of the experiments were analyzed using Analysis of Variance (ANOVA) and Analysis of Covariance (ANCOVA) to address the research questions.
Several significant findings are documented, including results that showed there were no statistical differences between phishing training methods. This study indicates that current training methods, such as annual awareness or continuous customized training, appear to provide little to no added value compared to no training at all. In addition, this study indicates that phishing campaign methods have a significant impact on phishing success, specifically a Red Team campaign. Lastly, recommendations for future research and opinions for industry stakeholders on ways to strengthen their cybersecurity posture are provided.