Understanding the intention to click on a phishing e-mail
Academic year: 2023

Master Degree Program in Data Science and Advanced Analytics

Understanding the intention to click on a phishing e-mail

Inês Garcia da Costa

Dissertation presented as partial requirement for obtaining the Master Degree Program in Data Science and Advanced Analytics

NOVA Information Management School

Instituto Superior de Estatística e Gestão de Informação

Universidade Nova de Lisboa

MDSAA


NOVA Information Management School

Instituto Superior de Estatística e Gestão de Informação

Universidade Nova de Lisboa

Understanding the intention to click on a phishing e-mail

by

Inês Garcia da Costa

Dissertation presented as partial requirement for obtaining the Master’s degree in Advanced Analytics, with a Specialization in Data Science / Business Analytics

Supervisor: Carlos Tam Chuem Vai, PhD

November 2022


STATEMENT OF INTEGRITY

I hereby declare having conducted this academic work with integrity. I confirm that I have not used plagiarism or any form of undue use of information or falsification of results along the process leading to its elaboration. I further declare that I have fully acknowledged the Rules of Conduct and Code of Honor from the NOVA Information Management School.

Sintra, November 2022


PUBLICATIONS

"What explains the intention to click on a phishing e-mail?" submitted to a journal ranked in the first quartile of the Scimago index.


ACKNOWLEDGEMENTS

First of all, a special thanks to my mother, father, and grandparents, for all the unconditional support they gave me over the years, which has been key to my success. It was only because of all their effort combined with all the love they gave me that I am the person I am today and for that I will be eternally grateful. Thank you very much.

To Professor Carlos Tam, for all the support and availability shown in this work and for all the instruction and knowledge he provided to me. Thank you so much for all the understanding and collaboration, which were essential for this work.


ABSTRACT

A phishing e-mail takes advantage of human vulnerability, which is common, and is consequently not completely preventable. Phishing e-mails are the leading cause of organizational security breaches. To study this phenomenon, we combine the theory of planned behaviour model with preventive countermeasures to understand the intention to click on a phishing e-mail. Based on 144 individuals, we show that behaviour intention and preventive countermeasures influence the intention to click on a phishing e-mail. Based on our findings, we provide theoretical and practical implications.

KEYWORDS

Phishing e-mail; theory of planned behaviour; preventive countermeasures; intention to click on a phishing e-mail; behaviour intention


INDEX

1. Introduction ... 1

2. Literature review ... 3

2.1. Phishing e-mails ... 3

2.2. Theory of planned behaviour (TPB) ... 3

2.3. Preventive Countermeasures ... 4

3. Research Model ... 5

4. Methodology ... 7

5. Results ... 9

5.1. Measurement model ... 9

5.2. Structural Model ... 11

6. Discussion ... 12

6.1. Theoretical implications ... 12

6.2. Practical Implications ... 13

6.3. Limitations and future research ... 13

7. Conclusions ... 14

8. References ... 15

Appendix ... 19


1. INTRODUCTION

Organizations, regardless of their size or success, have become increasingly dependent on the Internet, which greatly affects the way companies operate in order to increase performance and competitive advantage. Despite the advantages that the Internet can provide to companies and all their users, the Internet is also the operating space of a variety of cybercrimes. The vast majority of these attacks are related to phishing, which is described by many authors as the easiest and oldest form of cyber-attack (Lallie et al., 2021). According to the annual Internet Crime Report, the FBI reports that people lost more than 6.9 billion USD in crimes committed on the Internet in 2021, a jump of more than 2 billion USD from 2020. In the year 2021, a total of 847,376 complaints were filed regarding crimes on the Internet, which means an increase of 7% compared to 2020 and an exponential increase of 81% compared to 2019. One of the top three cybercrimes reported in the year 2021 was phishing (Anders, 2022).

According to Salloum et al. (2022), phishing is a social engineering crime that aims to acquire users' private and confidential information through deceptive electronic communication. Phishing consists of sending fraudulent messages, usually through communication channels such as e-mail, phone calls, or contacts on social networks, which appear to come from safe and reliable sources. The main objective of this type of cyberattack is to steal specific and confidential personal data. Examples of credentials often of interest to phishers are login data, passwords, credit and debit card information, and national identification numbers.

This type of social engineering is an easy crime to automate in most cases, and can therefore be performed on a large scale, which explains the exponential increase in the practice of this crime and the numbers reported above. The result of some social engineering crimes, such as phishing e-mails, which are considered information security breaches, can be less harmful. Such breaches can lead to loss of productivity, or in the worst case, to the loss of confidential information, which in turn can lead to financial losses, consequently affecting the company's reputation (Yaacoub et al., 2022). In some cases companies may never be able to recover after the crime, or it may take a long time to return to the earlier levels (Abawajy, 2014).

The motivation of the current research is to understand the phenomenon of phishing and to offer a guide for those interested in the topic. Once this crime is understood, it is easier to see which protective measures should be adopted.

According to Krombholz et al. (2014), an attacker's most powerful weapon to commit these crimes is social engineering, manipulating the person, in this case the victim, to provide the attacker with information, which turns out to be the path of least resistance and greatest vulnerability. Social engineering involves exploiting the victim's trust, and abusing the victim's emotions, credulity, and charity (Alabdan, 2020). To Krombholz et al. (2014) this technique is one of the most commonly used these days because even the most secure systems can be compromised, since the users themselves are the most vulnerable part of the system and sometimes the easiest element to attack. Despite the significant information security risks stemming from the human factor, many organizations continue to invest in preventive countermeasures by looking for technology-based solutions. Even though technology-based information security solutions are extremely important, they are not enough to protect users from the great variety of threats, as many features of these security systems depend on the users themselves and their decisions (Abawajy, 2014).

The objective of this study is to investigate how preventive countermeasures can be influenced by the factors that influence the decision to click on a phishing e-mail. Many published studies address phishing susceptibility by examining phishing attacks and online users' perceived susceptibility (Chen et al., 2020), or are related to different phishing detection approaches (Zuraiq, AlMaha Abu Alkasassbeh, 2019). With this study we hope to reduce the criminality of this phishing phenomenon, specifically phishing e-mails.

The expected contributions of this study are several, but mainly the fact that it alerts both individuals and companies of the possible dangers when clicking on a link in a phishing e-mail. To the best of our knowledge, neither Portugal nor any other country has been the subject of similar research. This research helps us to understand the important role of preventive countermeasures as well as the intention of the behaviour, in order to help companies and raise awareness amongst their employees.

Therefore, organizations need to develop security education and training programs and explain the benefits of a security behaviour and the costs of non-security behaviour (Kim, H. L., & Han, 2018).

In Section 2 we present the phishing concept, and the theory of planned behaviour (TPB), and briefly discuss recent research related to the topic treated herein, positioning our research in relation to that reported in the literature. The model and hypotheses are then discussed. The methodology and results are described in Sections 4 and 5, followed by conclusions.

2. LITERATURE REVIEW

2.1. PHISHING E-MAILS

Phishing attacks have a negative impact on an organization's reputation, and the threat is considerable for all online service providers. Creating and retaining customer trust is extremely important for any organization that is present online (Sarwar et al., 2012). In addition, customer trust is easily lost, and is difficult to regain. Phishing techniques are constantly being adapted, as are new methods to combat them (Manoharan et al., 2022). Phishing e-mails typically start with the attacker sending an e-mail that appears to be from a legitimate and trusted source to the recipient to steal personal and confidential information, such as passwords and bank card details. A phishing e-mail almost always contains a file attachment or a link to a harmful external website designed to steal confidential and personal data (Manoharan et al., 2022).

Butler (2007) explains that e-mail recipients receive the e-mail and respond to it by clicking on the URL (uniform resource locator) link, which later takes them to a website that appears to be a legitimate website of a trusted organization, where victims enter their personal and confidential information.

According to Parsons et al. (2015), and generally speaking, legitimate e-mails are more likely to have a message in the e-mail text itself, have links that are legitimate, be addressed to the recipient individually, are less likely to contain spelling or grammar errors, and are more likely to be from an origin that appears to be legitimate. Another very important factor to consider is the urgency of the e-mail, which pressures victims to make a quick and sometimes poorly considered decision (Hong, 2012).

Another important approach is related to the age of the site, as malicious sites tend to be more recent than official ones (Saha, 2020).

Based on the findings of Ajzen and Fishbein (1975), a person's behavioural intention is significantly correlated with their behaviour and is able to predict a person's behaviour based on that intention.

Due to the different consequences and impact of clicking on a phishing e-mail, it is necessary to study the factors that influence victims' intentions to click on such e-mails to avoid these behaviours in the future.

2.2. THEORY OF PLANNED BEHAVIOUR (TPB)

The theory of planned behaviour (TPB) emerged from the theory of reasoned action (TRA), due to some limitations of the original theory. One of the central factors in the TPB is an individual's intention to perform a certain behaviour. According to this theory, the performance of a behaviour depends on intention and perceived behavioural control (Ajzen, 1991). Three independent determinants of intention are assumed in the TPB (Ajzen, 1991). First, attitude toward the behaviour indicates whether someone is favourable or unfavourable toward the behaviour. Second, subjective norm refers to the perception of social pressure to perform the behaviour or not. Third is the degree of perceived behaviour control, which refers to the expected ease or difficulty involved in performing a certain behaviour. The perception of behaviour control varies according to situations and actions, so people perceive behaviour control differently based on their circumstances.

In general, the more favourable the attitude and subjective norm toward a behaviour, and the stronger a person's intention to engage in the behaviour, the greater the perceived behavioural control must be. Additionally, it is believed that different behaviours and circumstances would affect how important each of the three main factors—attitude, subjective norm, and perceived behavioural control—is in predicting intention.

Applied to a specific area of interest, the TPB yields a wealth of knowledge to comprehend various behaviours or even to create treatments that will be helpful to modify them. TPB can characterize how people are motivated to act and understand how people can change a certain behaviour. Accordingly, the theory holds that behaviour is controlled by the person's intentions. Therefore, given a certain intention, it is possible to predict a certain behaviour.

Alyahya and Weir (2021) apply the TPB to investigate the diverse responses of individuals to phishing attacks through TPB. Apau and Koranteng (2019) use the theory to analyse consumers' intention to make purchases using e-commerce. Accordingly, with TPB we assume that a person's intention to click on a phishing e-mail is influenced by subjective norms, perceived behavioural control, and attitude toward compliance. Our research takes into account the importance of preventive countermeasures in an employee’s response to phishing e-mails.

2.3. PREVENTIVE COUNTERMEASURES

Countermeasures are intended to stop/detect attacks before/after the collection/use of victim data (Aleroud & Zhou, 2017). With the evolution of phishing attacks, the need has arisen to develop a number of responses, most of which have been aimed at detecting phishing sites. However, as phishing e-mails are one of the most common forms of phishing attacks exploited in recent times, this approach is not always the best solution. A common approach to detecting if the links that come in an e-mail are phishing sites is the analysis of the site's URL (Al & Stefano, 2022). According to Al and Stefano (2022), phishing e-mails are an often-used attack vector, and just as there are systems to detect phishing sites, there are also other systems used to detect a phishing e-mail by analysing the content of the e-mail, the links contained in the e-mail, and even the attachments found in the e-mail. These systems usually analyse the URL of links in the same way that they analyse the URL of websites.

Although technical countermeasures are undertaken such as data loss prevention (DLP), e-mail virus detection, and anti-phishing and anti-spamming tools (e.g., SPF), leveraging these technologies to identify phishing attempts remains a challenge. This is due, in part, to the fact that they often require human agency to examine and differentiate between legitimate e-mails and phishing scams (Shahbaznezhad et al., 2021). In order to defend against phishing attacks, e-mail preventive countermeasures combine organizational, technological, and individual needs. However, many businesses and people find it difficult to implement this strategy since recipients often fail to recognize phishing e-mails and become a victim to these attacks. Phishing e-mails are being improved more often to circumvent technology safeguards and to take advantage of cognitive perception (Shahbaznezhad et al., 2021).


3. RESEARCH MODEL

To investigate the factors that influence individuals to click on phishing e-mails, we propose to understand how behaviour intention is affected and how preventive countermeasures impact behaviour and the intention to click on a phishing e-mail. We created a research model (Figure 1) by applying TPB and preventive countermeasures to understand the impact on individuals’ intention to click on a phishing e-mail. We test the hypotheses and determine if there are direct relationships between the lack of preventive countermeasures and the behaviour intention.

Figure 1 – Research model

An intention to perform an action can be influenced by subjective norms, attitude toward a behaviour, and perceived behavioural control (Ajzen, 1991). Attitude is defined by the positive or negative feeling of the individual in relation to a certain behaviour. The subjective norm is understood as an individual's perception of what the people who are closest to her/him will think about a certain behaviour. The third component of TPB is perceived behavioural control, which concerns the ease or difficulty perceived by an individual in performing a certain behaviour (Ifinedo, 2012). The TPB holds that the more favourable or strong the attitude and subjective norm toward a behaviour, and the greater the perceived behavioural control, the stronger the individual's intention to perform the behaviour must be (Ajzen, 1991). We posit that:

H1: Subjective norms (SN) affect behaviour intention (BI).

H2: Attitude toward a behaviour (ATT) affects behaviour intention (BI).

H3: Perceived behaviour control (PBC) affects behaviour intention (BI).

The motivational factors that affect a particular activity are referred to as behaviour intention, and the stronger the intention to perform the behaviour, the more probable it is that the behaviour will be carried out (Ajzen, 1991). Grassegger & Nedbal (2021) argue that behavioural intention regarding information security policies refers to a subjective consideration of how a person will act in terms of conforming to information security policies. When examined from the point of social engineering, the factors have an impact on both the intention to fend off attacks and actual defence. Thus, if an individual plans to engage in a particular behaviour, that intention can influence whether or not to click on a phishing e-mail. We posit:

H4: Behaviour intention influences the individual’s intention to click on a phishing e-mail.

As stated by Shahbaznezhad et al. (2021), preventive countermeasures are considered a technological factor and are related to security controls that can influence an individual's intention to click or not on a phishing e-mail. Preventive countermeasures are based on measures designed to protect against something – in our case, to protect e-mail users from making a poor decision (opening a phishing e-mail) or even from using the e-mail incorrectly. Users' behaviour intention is influenced by preventive countermeasures and by preventing the user from clicking on the phishing e-mail. Accordingly, we propose the following hypotheses:

H5: Preventive countermeasures influence the behaviour intention of an individual.

H6: Preventive countermeasures influence an individual’s intention to click on a phishing e-mail.


4. METHODOLOGY

All of the constructs were adapted from those of earlier authors. The constructs (see Appendix A) are the following: attitude toward a behaviour, subjective norms, and perceived behavioural control were adapted from Safa et al. (2015); behaviour intention from Venkatesh et al. (2003); preventive countermeasures and intention to click on a phishing e-mail from Shahbaznezhad et al. (2021).

Our goal was to use quantitative data analysis to examine a selection of assumptions. The sample consists of individuals residing in Portugal who have frequent contact with e-mails. In this descriptive research, we study the intention to click on a phishing e-mail among a sample of the Portuguese population. Because there is only one sample and all of the findings come from that one group of respondents, the study uses a single cross-sectional design. To answer our research question, the data were gathered using a survey posted on a well-known survey website, targeting persons living and working in Portugal. The questionnaire was written in English, then analysed and validated. All of the items were graded on a seven-point Likert scale, from (1) strongly disagree to (7) strongly agree. The questionnaire was split into two parts: one for measuring each model component and one for demographic information. The questionnaire took 10 minutes to complete. Our questionnaire was confidential, anonymous, and provided guarantees that the information would be used for academic purposes only.

The data collection process was divided into two phases. Phase 1 involved distributing the questionnaire to 30 people (a pilot test) in order to determine if it had any issues or concerns. With this analysis of the pilot test, we concluded that the research was valid and that we were able to proceed. The sample for the pilot test was used exclusively to test and confirm the survey's questions, and their results were left out of the final analysis. Phase 2 involved conducting the survey – from 3 March to 26 May 2022. To collect responses from individuals with different profiles, we sent the survey link through a professional social media platform. The questionnaire could be completed only once per individual because the link functioned only once. We obtained 141 valid answers, of which 55% were men, under 25 years old (57%), with a bachelor’s degree (51%). Table 1 presents the detailed information about the respondents. To test for common method bias, Harman's one factor test and the marker variable technique (Podsakoff et al., 2003) were used. The analysis revealed that our sample did not reveal any significant common method bias. The need for these two assessments arises from the fact that data with method biases pose a serious threat since errors can compromise the reliability of the findings (Podsakoff et al., 2003).

Table 1 - Sample characteristics (n=141)

Gender                               Education
Male             77   55%            Lower than Bachelor degree    2    1%
Female           64   45%            Bachelor degree              72   51%
                                     Master's degree or higher    67   48%

Age                                  Occupation
<25              80   57%            Employee                     97   69%
25-34            37   26%            Self-employed                10    7%
35-44             8    6%            Student                      28   20%
>44              16   11%            Other                         5    3%
                                     Unemployed                    1    1%


5. RESULTS

We analysed the data using structural equation modelling (SEM). SEM is a statistical procedure that combines statistical information with qualitative causal hypotheses to assess and estimate causal assumptions (Tam et al., 2020). The partial least squares (PLS) approach is often employed in information systems research (College et al., 2003). Consequently, we used this method to evaluate our model hypotheses, ensuring that the results of the structural relationships established are acquired from a collection of measurement tools with psychometric characteristics.

Three other reasons prompted us to choose this method: i) PLS performs well when the sample size is small; ii) it is considered a robust method when the data do not present a normal distribution; iii) PLS is recommended when the investigation is at an early stage or the model has never been tested previously (Oliveira et al., 2020).

The measurement model was examined first, followed by the structural model (Sarstedt et al., 2014).

In the next subsection, by quantifying the constructs' convergent and discriminant validity, we highlight the power of the measurement approach. Convergent validity shows how far the items converge on their construct, in terms of the variance the construct explains in them; it is evaluated by verifying the average variance extracted (AVE). Discriminant validity refers to how an item differentiates from the other items in the study model and is measured through the correlation between cross-loadings and loadings, the square root of the AVE, and the Heterotrait-monotrait (HTMT) ratio of correlation (Tam & Oliveira, 2019). Tables 2, 3, and 4 report the results of the measurement model, which is explained in the next subsection.

5.1. MEASUREMENT MODEL

Measurement models look at how latent variables and their indicators interact. In order to validate a model, we must examine composite reliability (CR), Cronbach’s alpha (CA), convergent validity, internal consistency, and discriminant validity (Freeze & Raschke, 2007).

According to Henseler, Ringle, and Sinkovics (2009), to justify the quality of a latent variable, the minimum value of CR must be greater than 0.7. In addition, we also check Cronbach's alpha, which conventionally must be at least 0.7 (Raykov & Marcoulides, 2007). The results suggest that our model has good internal consistency. Sarstedt et al. (2014) state that CR values between 0.70 and 0.95 are solid values, and with this we determine that the model is trustworthy. To be able to test the convergent validity, we should guarantee that the values of the average variance extracted (AVE) (Table 3) are 0.5 or higher (Henseler, Dijkstra, et al., 2014). All constructs in the model are greater than 0.5. The last criterion that we must validate is the Fornell-Larcker criterion and the cross-loadings approach, to evaluate the discriminant validity of the constructs (Tam et al., 2020). The Fornell-Larcker criterion requires the AVE’s square root value to be higher than the construct-to-construct correlations (Fornell & Larcker, 1981). As we can see in Table 3, the AVE’s square roots (diagonal values) are higher than the off-diagonal correlations (each pair of constructs) (Tam et al., 2020).

Regarding the criterion of cross-loadings, the item loading must be greater than all cross-loadings (Götz, Liehr-Gobbers, & Krafft, 2010; Grégoire & Fisher, 2006). Due to these reasons, we have removed from the PLS model estimation the items ATT4 and ICPE1 (Table 2). Lastly, the values of the HTMT ratio (Table 4) are below 0.9, thereby indicating discriminant validity (Henseler et al., 2015).

Table 2 - PLS loadings and cross-loadings

Construct                        Item    ATT     SN      PBC     BI      PC      ICPE
Attitude                         ATT1    .905    .422    .385    .556    .432    .598
                                 ATT2    .926    .347    .331    .492    .345    .531
                                 ATT3    .940    .390    .382    .513    .380    .594
                                 ATT5    .783    .365    .426    .502    .317    .552
                                 ATT6    .839    .439    .342    .443    .369    .605
Subjective Norms                 SN1     .443    .727    .475    .302    .425    .552
                                 SN2     .165    .695    .267    .188    .268    .240
                                 SN3     .352    .797    .318    .255    .431    .400
                                 SN4     .273    .724    .231    .196    .244    .281
                                 SN5     .367    .784    .232    .320    .598    .402
                                 SN6     .365    .840    .376    .390    .467    .483
Perceived Behavioural Control    PBC1    .163    .133    .559    .112    -.002   .076
                                 PBC2    .414    .387    .825    .373    .179    .276
                                 PBC3    .330    .350    .867    .369    .282    .268
                                 PBC4    .357    .371    .847    .389    .288    .157
Behaviour Intention              BI1     .626    .404    .512    .878    .271    .574
                                 BI2     .419    .293    .255    .890    .195    .353
                                 BI3     .400    .270    .296    .894    .177    .320
Preventive countermeasures       PC1     .449    .560    .281    .232    .879    .441
                                 PC2     .365    .484    .268    .240    .909    .398
                                 PC3     .399    .509    .282    .289    .909    .414
                                 PC4     .338    .448    .223    .172    .906    .382
                                 PC5     .301    .468    .160    .177    .847    .363
Intention to click on a          ICPE2   .377    .289    .140    .335    .224    .656
phishing e-mail                  ICPE3   .625    .541    .236    .457    .482    .937
                                 ICPE4   .636    .509    .287    .480    .407    .939

Each item's loading on its own construct is the value in that construct's column; the other values in the row are its cross-loadings.

Table 3 - Means, standard deviations, correlations, and reliability and validity measures (CR, CA, and AVE) of latent variables

Constructs   Mean    SD      CA     CR     ATT    SN     PBC    BI     PC     ICPE
ATT          6.347   .841    .926   .945   .881
SN           5.513   1.167   .860   .893   .446   .763
PBC          5.682   .927    .796   .862   .425   .424   .784
BI           5.801   1.144   .873   .917   .572   .380   .431   .887
PC           5.764   1.251   .935   .950   .420   .557   .277   .253   .891
ICPE         6.228   .989    .808   .888   .655   .538   .266   .501   .451   .855

Diagonal values are the square roots of the AVE; off-diagonal values are the correlations between constructs.

Table 4 - Heterotrait-Monotrait Ratio of correlations (HTMT)

Constructs   ATT    SN     PBC    BI     PC     ICPE
ATT
SN           .480
PBC          .467   .465
BI           .597   .395   .433
PC           .446   .586   .292   .262
ICPE         .744   .601   .309   .554   .500
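To make the Section 5.1 checks reproducible, the following is an added Python example (not the dissertation's own code): it recomputes AVE and composite reliability from the Table 2 loadings, tests the cross-loading, Fornell-Larcker and HTMT criteria against Tables 3 and 4, and flags any construct whose recomputed values differ from the reported ones by more than rounding. The function names and the 0.002 rounding tolerance are my own choices.

```python
"""Measurement-model checks from the dissertation's PLS-SEM validation (Section 5.1).

Added example, not the dissertation's own code. Loadings and cross-loadings are
copied from Table 2, construct correlations and reported CR / sqrt(AVE) from
Table 3, and HTMT ratios from Table 4. AVE and composite reliability are
recomputed from the loadings and checked against the reported values.
"""
from math import sqrt

CONSTRUCTS = ["ATT", "SN", "PBC", "BI", "PC", "ICPE"]  # column order of Table 2

# Table 2: item -> loadings on (ATT, SN, PBC, BI, PC, ICPE); an item belongs to
# the construct its name starts with (ATT4 and ICPE1 were dropped by the author).
LOADINGS = {
    "ATT1": (.905, .422, .385, .556, .432, .598),
    "ATT2": (.926, .347, .331, .492, .345, .531),
    "ATT3": (.940, .390, .382, .513, .380, .594),
    "ATT5": (.783, .365, .426, .502, .317, .552),
    "ATT6": (.839, .439, .342, .443, .369, .605),
    "SN1": (.443, .727, .475, .302, .425, .552),
    "SN2": (.165, .695, .267, .188, .268, .240),
    "SN3": (.352, .797, .318, .255, .431, .400),
    "SN4": (.273, .724, .231, .196, .244, .281),
    "SN5": (.367, .784, .232, .320, .598, .402),
    "SN6": (.365, .840, .376, .390, .467, .483),
    "PBC1": (.163, .133, .559, .112, -.002, .076),
    "PBC2": (.414, .387, .825, .373, .179, .276),
    "PBC3": (.330, .350, .867, .369, .282, .268),
    "PBC4": (.357, .371, .847, .389, .288, .157),
    "BI1": (.626, .404, .512, .878, .271, .574),
    "BI2": (.419, .293, .255, .890, .195, .353),
    "BI3": (.400, .270, .296, .894, .177, .320),
    "PC1": (.449, .560, .281, .232, .879, .441),
    "PC2": (.365, .484, .268, .240, .909, .398),
    "PC3": (.399, .509, .282, .289, .909, .414),
    "PC4": (.338, .448, .223, .172, .906, .382),
    "PC5": (.301, .468, .160, .177, .847, .363),
    "ICPE2": (.377, .289, .140, .335, .224, .656),
    "ICPE3": (.625, .541, .236, .457, .482, .937),
    "ICPE4": (.636, .509, .287, .480, .407, .939),
}

# Table 3: lower-triangle correlations (row construct against the constructs
# listed before it in CONSTRUCTS), plus the reported sqrt(AVE) diagonal and CR.
CORR_LOWER = {"SN": [.446], "PBC": [.425, .424], "BI": [.572, .380, .431],
              "PC": [.420, .557, .277, .253], "ICPE": [.655, .538, .266, .501, .451]}
SQRT_AVE_REPORTED = {"ATT": .881, "SN": .763, "PBC": .784, "BI": .887, "PC": .891, "ICPE": .855}
CR_REPORTED = {"ATT": .945, "SN": .893, "PBC": .862, "BI": .917, "PC": .950, "ICPE": .888}

# Table 4: HTMT ratios in the same lower-triangle layout as CORR_LOWER.
HTMT_LOWER = {"SN": [.480], "PBC": [.467, .465], "BI": [.597, .395, .433],
              "PC": [.446, .586, .292, .262], "ICPE": [.744, .601, .309, .554, .500]}


def construct_of(item):
    """'ATT1' -> 'ATT', 'ICPE2' -> 'ICPE'."""
    return item.rstrip("0123456789")

def own_loadings(construct):
    """Loadings of a construct's own items (the diagonal blocks of Table 2)."""
    col = CONSTRUCTS.index(construct)
    return [row[col] for item, row in LOADINGS.items() if construct_of(item) == construct]

def ave(construct):
    """Average variance extracted: mean of the squared own-item loadings."""
    lam = own_loadings(construct)
    return sum(l * l for l in lam) / len(lam)

def composite_reliability(construct):
    """CR = (sum lambda)^2 / ((sum lambda)^2 + sum(1 - lambda^2))."""
    lam = own_loadings(construct)
    s = sum(lam) ** 2
    return s / (s + sum(1 - l * l for l in lam))

def pairs(lower):
    """Flatten a lower-triangle dict into ((row, col), value) tuples."""
    return [((c, CONSTRUCTS[j]), v) for c in CONSTRUCTS for j, v in enumerate(lower.get(c, []))]

def cross_loading_violations():
    """Items whose own-construct loading does not exceed every cross-loading."""
    bad = []
    for item, row in LOADINGS.items():
        own_col = CONSTRUCTS.index(construct_of(item))
        if any(x >= row[own_col] for j, x in enumerate(row) if j != own_col):
            bad.append(item)
    return bad

def fornell_larcker_violations():
    """Construct pairs whose correlation is not below both constructs' sqrt(AVE)."""
    return [p for p, r in pairs(CORR_LOWER) if r >= min(sqrt(ave(p[0])), sqrt(ave(p[1])))]

def htmt_violations(threshold=0.9):
    """Construct pairs at or above the HTMT cut-off used in the text."""
    return [p for p, v in pairs(HTMT_LOWER) if v >= threshold]

def reliability_mismatches(tol=0.002):
    """Constructs where recomputed sqrt(AVE) or CR differs from Table 3 beyond rounding."""
    return [c for c in CONSTRUCTS
            if abs(sqrt(ave(c)) - SQRT_AVE_REPORTED[c]) > tol
            or abs(composite_reliability(c) - CR_REPORTED[c]) > tol]
```

Running the four violation functions on the page's data returns empty lists, which is exactly the conclusion Section 5.1 draws; lowering the HTMT threshold to 0.7 shows which pair (ICPE-ATT) is closest to the cut-off.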

5.2. STRUCTURAL MODEL

Using the path coefficients, variance inflation factor (VIF), t-statistic value, and variance explained (R2), we verify the constructs and hypotheses (Figure 2). During the structural model analysis, 5,000 bootstrap resamples were employed to estimate the pathways' relevance (Henseler, Ringle, & Sinkovics, 2009). According to the VIF, all constructs are below the threshold of 5, indicating no multicollinearity (Hair, Hult, Ringle, & Sarstedt, 2016).

The model explains 38.0% of the variation of behaviour intention. The attitude (β = .458, p < .001) and perceived behavioural control (β = .200, p < .01) are statistically significant in explaining behaviour intention, which confirms H1 and H3. The subjective norm and preventive countermeasures are not statistically significant in explaining behaviour intention, and thus H2 and H5 are not confirmed. The research model also explains 36.3% of the variation of intention to click on a phishing e-mail, given that the behaviour intention (β = .413, p < .001) and preventive countermeasures (β = .346, p < .001) are significant, supporting H4 and H6.

Figure 2. Structural model results


6. DISCUSSION

6.1. THEORETICAL IMPLICATIONS

One of the fastest growing cybercrimes on the Internet is phishing e-mails that harm people and businesses, imposing billions of dollars in costs annually. Phishing techniques are evolving quickly and depend on the hacker's sophistication. Our study investigates the issue of what influences an individual's intention to click on a phishing e-mail. In order to achieve that purpose, we combined the TPB with preventive countermeasures and intention to click on a phishing e-mail. Results of the research model (Figure 2) reveal that 38% of the variation in behaviour intention is supported by attitude and perceived behavioural control, respectively, H1 and H3. This means that attitude and perceived behavioural control are important in behaviour intention. In general, people engage in behaviours they intend to engage in based on their intentions. Based on the relationship between behaviours and perceived behaviour control, it is more likely that we will engage in (attractive/desirable) behaviours we can control and avoid engaging in behaviours we do not have control over (Conner & Mark, 1998). Attitudes are considered predictors of behavioural intentions. An individual's attitudes are their evaluations of their behaviour. These results are also in line with findings from other studies (Tam et al., 2022; Thompson et al., 2017).

In contrast, the variables of subjective norms and preventive countermeasures are not influential in explaining the behaviour intention. Subjective norms refer to the individual's perception of social pressures coming from persons who are important to them (Ham et al., 2015). In our case it means that individuals are not concerned with the perception of other individuals who are close to them. For instance, if a company has an information security behaviour, or if co-workers have security behaviours, these will not influence the behaviour intention of the individual himself. This might occur because people are teleworking more often following the Covid-19 pandemic, and because there is less sharing compared to working in proximity with colleagues and supervisors. Preventive countermeasures are security actions to counter ongoing threats. According to our findings, preventive countermeasures do not influence individuals' behaviour intention.

The research model accounts for 36.3% of the variation in intention to click on a phishing e-mail, supporting H4 and H6. In conclusion, we can say that behaviour intention and preventive countermeasures influence intention to click on a phishing e-mail. When individuals know that there are preventive countermeasures, they are not so concerned about whether a certain behaviour is secure. As there are preventive countermeasures in place, one’s intention to click or not to click on a phishing e-mail will thus be inconsequential. There is also alignment between these findings and earlier research (Shahbaznezhad et al., 2021).

As a result of data security becoming increasingly important and as businesses become more aware of that fact, this research broadens the body of knowledge on information systems security. Companies now have access to a burgeoning amount of information, and they use that information to develop their next plan and course of action (McAfee, Brynjolfsson, Davenport, Patil, & Barton, 2012).

Therefore, we must safeguard anything of value and prevent any unlawful access to it (McAfee et al., 2012). With this research we demonstrate the importance of attitude in explaining behaviour intention and, in turn, the importance of explaining an individual's intention to click on a phishing e-mail. The effect of behaviour intention on security behaviour is moderated by job satisfaction.

6.2. PRACTICAL IMPLICATIONS

Even though many organizations understand how important information security is, incidents involving insiders are constantly being reported. Our questionnaire included a question accompanied by a screenshot of a malicious e-mail, asking whether the respondent would click on the link if they received an e-mail like the one shown. Our results provide evidence that out of every 100 people, only 36 would not click on a phishing e-mail, which means the remaining 64 would. This finding demands the attention of all employers.

A typical preventive countermeasure is the use of technology to detect and remove, filter, or block phishing (e.g., spam filters). User training programs against phishing are also useful, as is a combination of technology and human decisions, such as pop-up warning messages. Regarding the questions on preventive countermeasures, most respondents answered that they believed the companies where they work implement security control measures to prevent these types of malicious e-mails. On the one hand, this belief can make individuals less alert even when they receive a suspicious e-mail, leading them to adopt a more relaxed attitude toward security. The risk of phishing in the workplace comes from the fact that it can disable an organization's defensive IT systems by attacking its users (Kim, Lee, & Kim, 2020). Our research model was designed not only to contribute to theory, but also to address the importance of policymakers' future preventive countermeasures.
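The combination of technology and human decisions mentioned above (a filter that surfaces a warning instead of silently discarding the message) can be illustrated with a small pre-screen. The following is an added example written for this page, not the thesis's own tooling and not a reference to any product: it parses a constructed e-mail with the Python standard library, checks a few common indicators (a Reply-To domain that differs from the From domain, links to a raw IP address, link text that displays one host while the href points to another, and links outside the sender's domain), and turns the findings into a banner that a mail client could show the user. The domains, addresses and indicator list are assumptions made for illustration; a real filter would also consult sender authentication results and reputation data, which are not modelled here.

```python
# Added illustrative example (not from the thesis): a minimal pre-screen that
# turns a few phishing indicators into a warning banner for the reader.
# Standard library only; both sample messages below are constructed.
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-case host of a URL or bare domain ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _sender_domain(header):
    """Domain part of an address header such as 'Name <user@host>'."""
    match = re.search(r"@([\w.-]+)", header or "")
    return match.group(1).lower() if match else ""


def screen_message(raw):
    """Return a list of human-readable phishing indicators found in `raw`."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = _sender_domain(msg["From"])
    reply_dom = _sender_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:  # replies quietly redirected elsewhere
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _LinkCollector()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        target = _host(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):  # bare IP instead of a name
            findings.append(f"link points to a raw IP address: {target}")
        # Visible text looks like a domain, but the href goes somewhere else.
        shown = _host(text) if re.search(r"[\w-]+\.[a-z]{2,}", text, re.I) else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
        if target and from_dom and target != from_dom and not target.endswith("." + from_dom):
            findings.append(f"link host {target} is outside sender domain {from_dom}")
    return findings


def warning_banner(findings):
    """Banner text shown above the message ('' when nothing was found)."""
    if not findings:
        return ""
    return "WARNING: this message has phishing indicators:\n- " + "\n- ".join(findings)


# Constructed samples: fictional domains; 198.51.100.0/24 is a documentation range.
SUSPICIOUS = """From: IT Helpdesk <helpdesk@example-corp.com>
Reply-To: support@mail-example-corp-login.net
To: employee@example-corp.com
Subject: Your mailbox is almost full
Content-Type: text/html; charset="utf-8"

<html><body><p>Click <a href="http://198.51.100.23/login">https://portal.example-corp.com</a>
to free up space.</p></body></html>
"""

LEGITIMATE = """From: IT Helpdesk <helpdesk@example-corp.com>
To: employee@example-corp.com
Subject: Quarterly storage report
Content-Type: text/html; charset="utf-8"

<html><body><p>Usage details are on <a href="https://portal.example-corp.com/quota">the storage portal</a>.</p></body></html>
"""

if __name__ == "__main__":
    print(warning_banner(screen_message(SUSPICIOUS)) or "no indicators")
    print(warning_banner(screen_message(LEGITIMATE)) or "no indicators")
```

Running the block prints a four-item banner for the suspicious sample and "no indicators" for the legitimate one. The heuristics are deliberately conservative (an in-domain link with neutral anchor text raises nothing) because of the trade-off this section describes: a banner that fires on ordinary mail would itself encourage the relaxed attitude toward warnings noted above.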

6.3. LIMITATIONS AND FUTURE RESEARCH

To understand how individuals would react to a phishing e-mail and which information security practices they use, we tested our model in Portugal. The findings may not apply elsewhere, which is a limitation; the model should be tested in other countries to assess how far it generalizes. In addition, national culture might have an impact on phishing behaviour, which was not considered in this study (Flores, Holm, Nohlberg, & Ekstedt, 2015). Future studies can include cultural dimensions, which may bring interesting insights.

Finally, several methodological issues must be addressed in future studies. One factor that may have weakened the correlations with the dependent variables is the quality of the normative measuring instruments. In our questionnaire, some of the measurement items and their wording, such as "information security behaviour", "security controls", and "data security", might have been misinterpreted by respondents. A future study would therefore benefit from a short glossary of concepts placed before the questions. Despite its limitations, we believe that our work contributes new understanding to the fields of both security and information systems.


7. CONCLUSIONS

Phishing e-mails, among the Internet's fastest-growing cybercrimes, hurt both individuals and businesses. The goal is to trick victims into divulging financial information such as credit card numbers, passwords, or account usernames by luring them to spurious websites. The crime costs billions of dollars annually. The effectiveness of phishing techniques depends on how skilfully the hacker manipulates victims and induces them to click on the link in the e-mail. To better understand an individual's intention to click on a phishing e-mail, we proposed a research model that combines the TPB with a preventive countermeasures dimension. With a total of 141 questionnaire responses collected in Portugal, we found that behaviour intention and preventive countermeasures are important in explaining the intention to click on a phishing e-mail. Our findings highlight the value of implementing preventive countermeasures. We expect that this research will lead to more investigation in the area of phishing detection.


8. REFERENCES

Abawajy, J. (2014). User preference of cyber security awareness delivery methods. Behaviour and Information Technology, 33(3), 237–248. https://doi.org/10.1080/0144929X.2012.708787

Ajzen, I. (1991). The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50(2), 179–211.

Ajzen, I., & Fishbein, M. (1975). A Bayesian analysis of attribution processes. Psychological Bulletin, 82(2), 261–277.

Al, A. F., & Stefano, Q. (2022). The COVID-19 scamdemic: A survey of phishing attacks and their countermeasures during COVID-19. Information Security, 16(5), 324–345. https://doi.org/10.1049/ise2.12073

Alabdan, R. (2020). Phishing attacks survey: Types, vectors, and technical approaches. Future Internet, 12(10), 1–39. https://doi.org/10.3390/fi12100168

Aleroud, A., & Zhou, L. (2017). Phishing environments, techniques, and countermeasures: A survey. Computers & Security, 68, 160–196. https://doi.org/10.1016/j.cose.2017.04.006

Alyahya, A., & Weir, G. R. S. (2021). Understanding Responses to Phishing in Saudi Arabia via the Theory of Planned Behaviour. Proceedings - 2021 IEEE 4th National Computing Colleges Conference, NCCC 2021. https://doi.org/10.1109/NCCC49330.2021.9428823

Anders, D. (2022). Internet Crime Cost People More Than $6.9B in 2021, FBI Says. Cnet. https://www.cnet.com/tech/computing/internet-crime-cost-people-more-than-6-9b-in-2021-fbi-says/

Apau, R., & Koranteng, F. N. (2019). Impact of cybercrime and trust on the use of e-commerce technologies: An application of the theory of planned behavior. International Journal of Cyber Criminology, 13(2), 228–254. https://doi.org/10.5281/zenodo.3697886

Butler, R. (2007). A framework of anti-phishing measures aimed at protecting the online consumer’s identity. Electronic Library, 25(5), 517–533. https://doi.org/10.1108/02640470710829514

Chen, R., Gaia, J., & Rao, H. R. (2020). An examination of the effect of recent phishing encounters on phishing susceptibility. Decision Support Systems, 133(September 2019), 113287. https://doi.org/10.1016/j.dss.2020.113287

College, C. T. B., Chin, W. W., Marcolin, B. L., & Newsted, P. R. (2003). A Partial Least Squares Latent Variable Modeling Approach for Measuring Interaction Effects: Results from a Monte Carlo Simulation Study and an Electronic-Mail Emotion/Adoption Study. 14(2), 189–217.

Conner, Mark, and C. J. A. (1998). Extending the Theory of Planned Behavior: A Review and Avenues for Further Research. Journal of Applied Social Psychology, 28(15), 1429–1464.

Flores, W. R., Holm, H., Nohlberg, M., & Ekstedt, M. (2015). Investigating personal determinants of phishing and the effect of national culture. Information & Computer Security, 23(2), 178–199. https://doi.org/10.1108/ICS-05-2014-0029

Fornell, C., & Larcker, D. F. (1981). Evaluating Structural Equation Models with Unobservable Variables and Measurement Error. Journal of Marketing Research, 18(1), 39–50.

Freeze, R. D., & Raschke, R. L. (2007). An Assessment of Formative and Reflective Constructs in IS Research. European Conference on Information Systems (ECIS), January, 1481–1492.

Götz, O., Liehr-Gobbers, K., & Krafft, M. (2010). Springer Handbooks of Computational Statistics Series Editors. In Handbook of partial least squares (pp. 691–711).

Grassegger, T., & Nedbal, D. (2021). The role of employees’ information security awareness on the intention to resist social engineering. Procedia Computer Science, 181(2019), 59–66. https://doi.org/10.1016/j.procs.2021.01.103

Grégoire, Y., & Fisher, R. J. (2006). The effects of relationship quality on customer retaliation. Marketing Letters, 17(1), 31–46. https://doi.org/10.1007/s11002-006-3796-4

Hair Jr., J. F., Hult, G. T. M., Ringle, C. M., & Sarstedt, M. (2016). A Primer on partial least squares structural equation modeling (PLS-SEM) (2nd ed.).

Ham, M., Jeger, M., & Ivković, A. F. (2015). The role of subjective norms in forming the intention to purchase green food. Economic Research-Ekonomska Istraživanja, 28(1), 738–748. https://doi.org/10.1080/1331677X.2015.1083875

Henseler, J., Dijkstra, T. K., Sarstedt, M., Ringle, C. M., Diamantopoulos, A., Straub, D. W., Jr, D. J. K., Hair, J. F., Hult, G. T. M., & Calantone, R. J. (2014). Common Beliefs and Reality About PLS: Comments on Ronkko and Evermann (2013). Organizational Research Methods, 17(2), 182–209. https://doi.org/10.1177/1094428114526928

Henseler, J., Ringle, C. M., & Sinkovics, R. R. (2009). The use of partial least squares path modeling in international marketing. Advances in International Marketing, 20, 277–319. https://doi.org/10.1108/S1474-7979(2009)0000020014

Henseler, J., Ringle, C. M., & Sarstedt, M. (2015). A new criterion for assessing discriminant validity in variance-based structural equation modeling. Journal of the Academy of Marketing Science, 43(1), 115–135. https://doi.org/10.1007/s11747-014-0403-8

Hong, B. J. (2012). The State of Phishing Attacks. Communications of the ACM, 55(1), 74–81. https://doi.org/10.1145/2063176.2063197

Ifinedo, P. (2012). Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers and Security, 31(1), 83–95. https://doi.org/10.1016/j.cose.2011.10.007

Kim, B., Lee, D. Y., & Kim, B. (2020). Deterrent effects of punishment and training on insider security threats: a field experiment on phishing attacks. Behaviour & Information Technology, 39(11), 1156–1175. https://doi.org/10.1080/0144929X.2019.1653992

Kim, H. L., & Han, J. (2018). Do employees in a “good” company comply better with information security policy? A corporate social responsibility perspective. Information Technology & People, 32(4), 858–875. https://doi.org/10.1108/ITP-09-2017-0298

Krombholz, K., Hobel, H., Huber, M., & Weippl, E. (2014). Advanced social engineering attacks. Journal of Information Security and Applications, 22, 113–122. https://doi.org/10.1016/j.jisa.2014.09.005

Lallie, H. S., Shepherd, L. A., Nurse, J. R. C., Erola, A., Epiphaniou, G., Maple, C., & Bellekens, X. (2021). Cyber security in the age of COVID-19: A timeline and analysis of cyber-crime and cyber-attacks during the pandemic. Computers & Security, 105, 102248.

Manoharan, S., Katuk, N., Hassan, S., & Ahmad, R. (2022). To click or not to click the link: the factors influencing internet banking users’ intention in responding to phishing emails. Information and Computer Security, 30(1), 37–62. https://doi.org/10.1108/ICS-04-2021-0046

McAfee, A., Brynjolfsson, E., Davenport, T. H., Patil, D. J., & Barton, D. (2012). Big Data: The Management Revolution. Harvard Business Review, 90(10), 60–68.

Oliveira, T., Tomar, S., & Tam, C. (2020). Evaluating collaborative consumption platforms from a consumer perspective. Journal of Cleaner Production, 273, 123018. https://doi.org/10.1016/j.jclepro.2020.123018

Parsons, K., Butavicius, M., Pattinson, M., Mccormac, A., & Jerram, C. (2015). Do Users Focus on the Correct Cues to Differentiate Between Phishing and Genuine Emails? 1–10.

Podsakoff, P. M., MacKenzie, S. B., Lee, J. Y., & Podsakoff, N. P. (2003). Common Method Biases in Behavioral Research: A Critical Review of the Literature and Recommended Remedies. Journal of Applied Psychology, 88(5), 879–903. https://doi.org/10.1037/0021-9010.88.5.879

Raykov, T., & Marcoulides, G. A. (2007). Equivalent Structural Equation Models: A Challenge and Responsibility. Structural Equation Modeling: A Multidisciplinary Journal, 5511, 695–700. https://doi.org/10.1080/10705510701303798

Safa, N. S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N. A., & Herawan, T. (2015). Information security conscious care behaviour formation in organizations. Computers and Security, 53, 65–78. https://doi.org/10.1016/j.cose.2015.05.012

Saha, I. (2020). Phishing Attacks Detection using Deep Learning Approach. Icssit, 1180–1185.

Salloum, S., Gaber, T., Vadera, S., & Shaalan, K. (2022). A Systematic Literature Review on Phishing Email Detection Using Natural Language Processing Techniques. IEEE Access, 10, 65703–65727. https://doi.org/10.1109/access.2022.3183083

Sarstedt, M., Ringle, C. M., Smith, D., Reams, R., & Hair, J. F. (2014). Partial least squares structural equation modeling (PLS-SEM): A useful tool for family business researchers. Journal of Family Business Strategy, 5(1), 105–115. https://doi.org/10.1016/j.jfbs.2014.01.002

Sarwar, M. Z., Abbasi, K. S., & Pervaiz, S. (2012). The effect of customer trust on customer loyalty and customer retention: A moderating role of cause related marketing. Global Journal of Management and Business Research, 12(6).

Shahbaznezhad, H., Kolini, F., & Rashidirad, M. (2021). Employees’ behavior in phishing attacks: What individual, organizational, and technological factors matter? Journal of Computer Information Systems, 61(6), 539–550. https://doi.org/10.1080/08874417.2020.1812134

Tam, C., Conceição, C. de M., & Oliveira, T. (2022). What influences employees to follow security policies? Safety Science, 147, 105595. https://doi.org/10.1016/j.ssci.2021.105595

Tam, C., Moura, E. J. da C., Oliveira, T., & Varajão, J. (2020). The factors influencing the success of on-going agile software development projects. International Journal of Project Management, 38(3), 165–176. https://doi.org/10.1016/j.ijproman.2020.02.001

Tam, C., & Oliveira, T. (2019). Does culture influence m-banking use and individual performance? Information and Management, 56(3), 356–363. https://doi.org/10.1016/j.im.2018.07.009

Thompson, N., Jane, T., & Wang, X. (2017). “Security begins at home”: Determinants of home computer and mobile device security behavior. Computers & Security, 70, 376–391. https://doi.org/10.1016/j.cose.2017.07.003

Venkatesh, V., Morris, M. G., Davis, G. B., & Davis, F. D. (2003). User Acceptance of Information Technology: Toward a Unified View. MIS Quarterly, 27(3), 425–478.

Yaacoub, J.-P. A., Noura, H. N., Salman, O., & Chehab, A. (2022). Robotics cyber security: Vulnerabilities, attacks, countermeasures, and recommendations. International Journal of Information Security, 21(1), 115–158.

Zuraiq, A. A., & Alkasassbeh, M. (2019). Review: Phishing Detection Approaches. 2019 2nd International Conference on New Trends in Computing Sciences (ICTCS), 1–6.


APPENDIX

Appendix A. Measurement items by construct, with the source each item was adapted from

Attitude toward a behaviour (adapted from Safa et al., 2015)
ATT1 “Information security conscious care behaviour is necessary.”
ATT2 “Information security conscious care behaviour is beneficial.”
ATT3 “Practicing information security behaviour is useful.”
ATT4 “I have a positive view about changing the user's information security behaviour to conscious care.”
ATT5 “My attitude toward information security care behaviour is favourable.”
ATT6 “I believe that the information security conscious care is something valuable to any organization.”

Subjective norms (adapted from Safa et al., 2015)
SN1 “The information security policies in the company where I work are important to my colleagues.”
SN2 “The information security behaviour of my colleagues influences my behaviour.”
SN3 “Information security behaviour culture of the company where I work influences my behaviour.”
SN4 “The information security behaviour of my manager influences my behaviour.”
SN5 “My organization’s IT department pressures me to follow the organization’s e-mail security policy.”
SN6 “My colleagues think that I should follow the organization’s e-mail security policy.”

Perceived behavioural control (adapted from Safa et al., 2015)
PBC1 “I believe that security behaviour isn’t a hard practice.”
PBC2 “I believe that my experiences help me to have security behaviour about the data security.”
PBC3 “Following procedures and policies that lead to security behaviour is easy for me.”
PBC4 “Security behaviour is an achievable practice.”

Behaviour intention (adapted from Safa et al., 2015)
BI1 “I intend to have a security behaviour.”
BI2 “I predict to start having a security behaviour.”
BI3 “I plan to start having a security behaviour.”

Preventive countermeasures (adapted from Shahbaznezhad et al., 2021)
PC1 “I believe that my organization implements security controls to prevent phishing e-mails.”
PC2 “I believe that my organization implements preventive controls to ensure that it remains secured even though employees click on phishing e-mails.”
PC3 “I believe that my organization has preventive security controls to protect the network and my computer.”
PC4 “I believe that my organization has preventive security controls against stealing or deleting organizational information.”
PC5 “I believe that my organization conducts periodic audits to identify weakness in preventive security controls.”

Intention to click on a phishing e-mail (adapted from Shahbaznezhad et al., 2021)
ICPE1 “If you received an e-mail like the one in the image, click on the link.”
ICPE2 “If I received an e-mail like the one in the image, I would report this situation to my boss.”
ICPE3 “I intend to comply with the requirements of the e-mail security policy of my organization in the future.”
ICPE4 “I intend to protect information and technology resources according to the requirements of the e-mail security policy of my organization in the future.”
