Volume 12 - Issue 4
Assessing the Relevance of Cybersecurity Training and Policies to Prevent and Mitigate the Impact of Phishing Attacks
- Luis Pinto
Instituto Politécnico de Viana do Castelo, 4900-348 Viana do Castelo, Portugal
lfilipepinto@ipvc.pt
- Cesar Brito
Instituto Politécnico de Viana do Castelo, 4900-348 Viana do Castelo, Portugal
cesarbrito@estg.ipvc.pt
- Victor Marinho
Instituto Politécnico de Viana do Castelo, 4900-348 Viana do Castelo, Portugal
victormarinho@ipvc.pt
- Pedro Pinto
Universidade da Maia, 4475-690 Maia, and INESC TEC, 4200-465 Porto, Portugal
pedropinto@estg.ipvc.pt
Keywords: Cybersecurity, Phishing, Attacks, Training, Policies, Social Engineering
Abstract
Social engineering attacks such as phishing are performed against companies and institutions, and
thus cybersecurity awareness and training of technical and non-technical human resources play a
fundamental role in preventing and mitigating a set of cyberattacks. This paper presents a comparative
study based on simulated phishing attacks on two organizations with contrasting security
practices and procedures. The first organization is a secondary school, with no IT staff, no defined
information security policy, no guidance from top management on cybersecurity issues, and no training
actions. The other is a company with a permanent IT staff, a defined security policy, and where its
employees receive regular cybersecurity awareness training exercises. Two simulated phishing attack
scenarios were deployed to compare these organizations regarding the behaviour of their employees
and the readiness of their IT staff, and to verify whether the employees' academic degree is a decisive criterion
in protecting them against this type of attack. The main results show that the rapid reporting
and action of the IT staff, in the organization where such staff existed, was an effective measure to mitigate
the impact of the simulated phishing attack. In addition, the results show that about 18% of school
employees leaked their data, compared to about 10% of the company's employees. Furthermore, this study allows
us to deduce that the academic level of employees does not seem to be a decisive criterion to protect
them against phishing attacks.