'Employees' Self-Efficacy and Intention to Seek Help in Countering Phishing'
(AsPredicted #137944)


Author(s)
Xiaowei Chen (University of Luxembourg) - xiaowei.chen@uni.lu
Anastasia Sergeeva (University of Luxembourg) - anastasia.sergeeva@uni.lu
Margault Sacré (University of Luxembourg) - margault.sacre@uni.lu
Pre-registered on
07/10/2023 12:22 AM (PT)

1) Have any data been collected for this study already?
No, no data have been collected for this study yet.

2) What's the main question being asked or hypothesis being tested in this study?
The presented study has four main research questions:
RQ1: What is the effect of role-playing training on employees' self-efficacy in countering phishing attacks compared to no intervention and group discussions condition?
RQ2: What is the effect of role-playing training on employees' intention of seeking support when receiving phishing emails compared to no intervention and group discussions condition?
RQ3: What are the potential vulnerabilities of the organization perceived by the employees?
RQ4: How do role-playing training, simulated phishing tests, and group discussions influence employees' strategies in countering phishing attacks?
To address research questions RQ1 and RQ2, we propose the following hypotheses:
H1: Participants in the role-playing training condition will rate their self-efficacy level higher compared to participants in the group discussion (H1a) and no intervention (H1b) conditions.
H2: Participants in the role-playing training condition will rate their intention of seeking support higher compared to participants in the group discussion (H2a) and no intervention (H2b) conditions.
H3: Participants in the role-playing training condition will demonstrate better recognition and reporting of simulated phishing emails compared to participants in the group discussion (H3a) and no training (H3b) conditions.
RQ3 and RQ4 will be addressed via exploratory qualitative analysis.

3) Describe the key dependent variable(s) specifying how they will be measured.
Employee's self-efficacy in countering phishing attacks was measured using a set of 7 items derived from validated studies that focused on self-efficacy in phishing research. Four items evaluated participants' confidence in defending against phishing attacks (Ng et al., 2009), while three assessed their confidence in learning and updating their knowledge of phishing attack techniques (Williams & Joinson, 2020).
We use the number of employees correctly identifying (not clicking) and reporting simulated phishing tests as indicators of self-efficacy in countering phishing attacks. The measurements are the number of recognized (not clicked) and reported phishing emails. We'll also calculate the sum of binary outcomes, indicating whether each simulated phishing email was reported or not.
We adapted the instrumental support-seeking scale(Greenglass et al., 1999) to evaluate participants' intention of seeking support when receiving suspicious emails

4) How many and which conditions will participants be assigned to?
Condition A: Pre-questionnaire on Day 1, no intervention, post-questionnaire on Day 7, receive three simulated phishing emails between Day 14 to Day 42.
Condition B: Pre-questionnaire on Day 1, phishing fundamentals tutorial, group discussion, and lesson learned, post-questionnaire immediately after training, and post-questionnaire on Day 7, receive three simulated phishing emails between Day 14 to Day 42.
Condition C: Pre-questionnaire on Day1, phishing fundamentals tutorial, group discussion, design phishing emails, phish each other and lesson learned, post-questionnaire immediately after training, and post-questionnaire on Day 7, receive three simulated phishing emails between Day 14 to Day 42.

5) Specify exactly which analyses you will conduct to examine the main question/hypothesis.
To analyze H1 and H2, we intend to use ANOVA analysis on delta scores of difference between measurements before and after training (post-questionnaire Day 1 and Day 7) with post hoc correction for multiple comparisons. However, if our preliminary testing reveals that the data residuals deviate from normality, we will employ the non-parametric Kruskal-Wallis test instead. In this case, we will conduct post hoc pairwise Mann-Whitney tests, appropriately corrected for multiple comparisons.
We intend to utilize the Chi-square test in order to compare the results of non-clicking and reporting for each simulated phishing email across various groups as part of our analysis on H3. Additionally, we will calculate an ANOVA analysis to compare the sums of reporting between the conditions.
We also plan to apply a general linear model (GLM), where the dependent variable is the difference between pre-and post-training scores, and the independent variables are demographics variables and a number of recognized simulated phishing attempts.
As an additional measure to justify the use of an adapted intention of seeking support scale (Greenglass et al., 1999), we plan to conduct confirmatory factor analyses to confirm the structure of the scale. In the case that the structures are not confirmed, we will conduct exploratory factor analyses. Reliability indexes will also be computed (Cronbach's alpha, MacDonald's omega)

6) Describe exactly how outliers will be defined and handled, and your precise rule(s) for excluding observations.
Study participants are randomly recruited and must be employees of the tested organization. No other exclusion criteria are planned.

7) How many observations will be collected or what will determine sample size?
No need to justify decision, but be precise about exactly how the number will be determined.

The study will have 3 conditions, with 35 participants in each condition.

8) Anything else you would like to pre-register?
(e.g., secondary analyses, variables collected for exploratory purposes, unusual analyses planned?)

Nothing else to pre-register.

Version of AsPredicted Questions: 2.00