Roles of Feedback and Phishing Characteristics in Antiphishing Training Performance: Perspectives of Goal Setting and Skill Acquisition

Because phishing attacks often exploit individuals' inexperience in detecting them, it is important for managers to provide workers with proper feedback on their reactions to phishing scams. However, little is known about what types of feedback are more effective in facilitating antiphishing training behavior and performance. The objectives of this study are to identify (1) the determinants of decision avoidance and detection accuracy, (2) the contextual effect of type of feedback in antiphishing training, (3) the impacts of perceived detection efficacy on training outcomes, and (4) the interaction effects between feedback characteristics and perceived detection efficacy/phishing characteristics on training outcomes. Drawing upon goal-setting theory, skill acquisition theory, and antiphishing training literature, our model provides a theoretical account of how feedback characteristics (e.g., type, quantity), phishing characteristics (e.g., phishing cue saliency), and perceived detection efficacy affect antiphishing training outcomes (e.g., decision avoidance and detection accuracy). To empirically test the model, we performed four experiments with 652 subjects in the United States from three different online panels via Amazon Mechanical Turk, Esearch.com, and Clickworker.com. Our results indicate that examplebased feedback is superior to abstract feedback in teaching how to correctly discern between phishing and legitimate emails in the context of link-embedded emails. We also show that perceived detection efficacy is essential for a better understanding of antiphishing training behavior and performance. Finally, we show an interaction effect between feedback quantity and phishing cue saliency on antiphishing training behavior and performance.