Effective training is essential for enhancing users' ability to detect phishing attempts. Personalised training offers huge potential to more closely align training content with individuals' needs and skill levels. In an online study, we assigned N=342 participants to personalised training or a random training variant to compare their effectiveness. The personalisation was based on a phishing proficiency score calculated from factors such as detection ability, knowledge, and security attitude. After training, the participants demonstrated greater proficiency, with an increased ability to detect phishing emails and higher security attitudes. These effects were most pronounced in the personalised condition, demonstrating the potential of personalisation to improve training outcomes. Overall, personalised training levelled the playing field, efficiently bringing all groups, regardless of their initial proficiency, to a comparable and desired post-training phishing proficiency level. Finally, we derived recommendations for designing personalised phishing training content and assigning users to suitable training programmes.
https://dl.acm.org/doi/10.1145/3706598.3713845
The ACM CHI Conference on Human Factors in Computing Systems (https://chi2025.acm.org/)