Abstract
Phishing attacks are the most widely recognised cyber-attacks that employ social engineering techniques. To counteract them, organisations frequently run information/cybersecurity awareness campaigns to raise employee awareness of these issues. However, such campaigns usually treat phishing as only one topic among many and are not designed to build comprehensive awareness of phishing specifically. Furthermore, there is evidence that organisations still struggle with employees falling victim to phishing attacks. Although theoretical and conceptual frameworks exist that set out what a cybersecurity awareness campaign should address (for example, legal and policy issues, and how to change end-user behaviour concerning information security), they do not specify the methods and components of the campaign itself.
This study therefore proposes a conceptual model with the single focus of educating employees about phishing attacks. Research shows that South Africa is becoming one of the most targeted countries for socially engineered cyber-attacks, and these attacks have increased considerably during the COVID-19 pandemic. The conceptual model provides the methods and components needed to address phishing in organisations that want to create a new phishing awareness campaign or improve an existing one. The study aims to address the challenges organisations currently face in building a workable phishing awareness campaign.
The model is derived from the literature and enhanced with feedback from industry experts who specialise in cybersecurity and are involved in cybersecurity awareness. These experts hold senior information technology posts in their organisations (a chief technology officer, senior managers, and cybersecurity and information security specialists). The study inductively collected qualitative data via structured online interviews; a total of eight participants who met the sampling criteria were interviewed, and the qualitative data were analysed using thematic analysis. Participants described how their organisations run their current phishing awareness campaigns and what they, as experts, thought would be more effective for users. The experts introduced new components and methods for phishing awareness campaigns, which were subsequently incorporated into the proposed final model.
Keywords: Information security; cybersecurity; phishing; awareness campaigns; cyber-threats.