Who will take the bait? Using an embedded, experimental study to chart organization-specific phishing risk profiles and the effect of a voluntary microlearning among employees of a Dutch municipality

Phishing can lead to data leaks or infiltration of computer networks. Protection against the risks of phishing is particularly important for public organizations such as municipalities, that process a large amount of sensitive personal information and whose operational processes can have major societal impact. This makes phishing a direct threat to operational continuity and the reputation of the organization and raises the question of how public organizations can combat this effectively and which resources they can deploy to mitigate the risks of phishing. In this experiment, two test phishing emails were sent to the total population of one of the 15 largest Dutch municipalities. We performed an embedded experiment, with employees experiencing the risks of phishing first hand with extensive attention for the ethics of this approach. Senior and middle-aged employees clearly run the biggest risk of becoming victims of phishing at this specific organization, but they are not automatically prepared to do an online, educational microlearning on phishing. This is also the case for young staff. Less voluntary education should be aimed at these groups of employees in this organization to make them and the organization, more resilient to the risks of phishing. Also, the microlearning did not have an effect on the results of our participants. We advocate a tailor-made approach of offline training to raise awareness and resilience against phishing among employees of public organizations, municipalities, and organizations in general. Our experimental design can be reused in this direction. We conclude to also look at how never-clickers think and act, with further theoretical substantiation and research into the application of the human-as-solution approach..