Abstract

Social engineering attacks such as phishing are performed against companies and institutions and thus, cybersecurity awareness and training of technical and non-technical human resources play a fundamental role in preventing and mitigating a set of cyberattacks. This paper presents a comparative study based on simulated phishing attacks on two organizations with contrasting security practices and procedures. The first organization is a secondary school, with no IT staff, no defined information security policy, no guidance from top management on cybersecurity issues, and no training actions. The other is a company with a permanent IT staff, a defined security policy, and where its employees receive regular cybersecurity awareness training exercises. Two simulated phishing attack scenarios were deployed to compare these organisations regarding the behaviour of their employees and the readiness of their IT staff and to verify if the employees’ academic degree is a decisive criterion to protect them against this type of attack. The main results show that the rapid reporting and action of the IT staff in the organization where it existed, was an effective measure to mitigate the impact of the simulated phishing attack. In addition, the results show that about 18% of school employees leaked their data, compared to about 10% of the company. Furthermore, this study allows us to deduce that the academic level of employees does not seem to be a decisive criterion to protect them against phishing attacks.