Phishing continues to be a prevalent social engineering attack. Attacks are relatively easy to set up and can target many people at low cost. This study presents a naturalistic field experiment that organisations can stage to determine their own exposure. The exercise produces results with high ecological validity and can give organisations the information they need to craft countermeasures to social engineering risks. The study was conducted at a university campus in Kenya, where 241 valid system users, also known as “insiders,” were targeted in a staged phishing experiment. The results show that 31.12% of the insiders were susceptible to phishing and that 88% of those disclosed passwords that would grant access to attackers. This study outlines the ethical considerations that ensure such exercises cause no actual harm. The design of the data collection instruments is discussed in depth so that organisations can develop similar tools for routine threat assessment.
