Simulation of phishing attacks and Awareness Plans applicable to the business environment – A practical approach to improve organizational resilience
Abstract
The study evaluated the effectiveness of phishing attack simulations and awareness plans in reducing employees' vulnerability to cyberattacks in a small business. Using a sample of one hundred employees, improvements in detecting fraudulent emails and in response times were analyzed following a series of simulations and training programs. Initially, employees had a 65% click rate on malicious links, which decreased to 20% after the intervention, validated by regression analysis and t-tests with a p-value less than 0.001. Response time improved from an average of 50 minutes to 20 minutes. The analysis revealed that age, work experience, and access to sensitive information affected response capacity, with better results among younger, technologically experienced employees. Although awareness reduced vulnerability, risks associated with human behavior persisted, suggesting the need for ongoing training and automated technological solutions. Despite sample limitations, the results indicated that phishing simulations and personalized training programs are valuable tools for enhancing cybersecurity. It is recommended that companies implement awareness plans as part of comprehensive cybersecurity strategies, tailored to employees' demographic characteristics and responsibility levels. Future research should address larger companies and several types of cyberattacks. The study concludes that these strategies effectively improve threat response and detection, building a more resilient organizational culture toward cybersecurity.
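The abstract reports a drop in click rate from 65% to 20% and a reporting-time improvement from 50 to 20 minutes, validated with t-tests. The block below is an added example, not the authors' code or data: it builds a constructed sample of 100 employees that matches those headline numbers and applies a two-proportion z-test to the click-rate change, so a security team running its own simulation campaign can check whether its before/after difference is statistically meaningful rather than noise.

```python
# Added example, not from the paper: constructed per-employee records reproducing the
# paper's headline numbers, plus the two-proportion test that checks the click-rate drop.
import math
import random
from dataclasses import dataclass

@dataclass
class EmployeeResult:
    clicked_before: bool    # clicked the simulated phishing link before training
    clicked_after: bool     # clicked in the follow-up simulation after training
    minutes_before: float   # minutes until the phish was reported, first campaign
    minutes_after: float    # same, after the awareness programme

def build_sample(n=100, seed=7):
    """Constructed data (not the study's): 65% -> 20% clicks, ~50 -> ~20 min to report."""
    rng = random.Random(seed)
    return [EmployeeResult(clicked_before=i < 65, clicked_after=i < 20,
                           minutes_before=max(1.0, rng.gauss(50, 12)),
                           minutes_after=max(1.0, rng.gauss(20, 6)))
            for i in range(n)]

def two_proportion_z(clicks1, n1, clicks2, n2):
    """Two-sided two-proportion z-test with pooled SE under H0; returns (z, p_value)."""
    p1, p2 = clicks1 / n1, clicks2 / n2
    pooled = (clicks1 + clicks2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    z = (p1 - p2) / se
    return z, math.erfc(abs(z) / math.sqrt(2))  # two-sided normal tail probability

def mean_minutes(sample, after=False):
    vals = [e.minutes_after if after else e.minutes_before for e in sample]
    return sum(vals) / len(vals)

def evaluate(sample):
    """Summarise one before/after simulation pair the way the abstract reports it."""
    n = len(sample)
    before = sum(e.clicked_before for e in sample)
    after = sum(e.clicked_after for e in sample)
    z, p = two_proportion_z(before, n, after, n)
    return {"click_rate_before": before / n, "click_rate_after": after / n,
            "z": z, "p_value": p, "significant_at_0_001": p < 0.001,
            "mean_minutes_before": mean_minutes(sample),
            "mean_minutes_after": mean_minutes(sample, after=True)}

if __name__ == "__main__":
    for key, value in evaluate(build_sample()).items():
        print(f"{key}: {value:.4g}" if isinstance(value, float) else f"{key}: {value}")
```

The z-test uses a normal approximation, which is adequate at n=100 per group; for very small pilot campaigns a Fisher exact test would be the safer choice.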
Article Details
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
COPYRIGHT NOTICE
Authors who publish in the INNOVA Research Journal keep copyright and grant the journal the right of first publication of the work under the Creative Commons Attribution-NonCommercial 4.0 International License (CC BY-NC 4.0). Works may be copied, used, disseminated, transmitted and publicly exhibited, provided that: a) the authorship and original source of publication (journal, publisher, URL and DOI of the work) are cited; b) they are not used for commercial purposes; c) the existence and terms of this license are mentioned.