Comparative Phishing Attack Simulations: A Case Study of Critical Information Infrastructure Organization Using Two Different Contents

Patsita Sirawongphatsara, Soawanee Prachayagringkai, Phisit Pornpongtechavanich, Tipmanee Rompun, Kamolrak Chaowmak, Nattapong Phanthuna, Therdpong Daengsi

2023 10th International Conference on Electrical Engineering, Computer Science and Informatics (EECSI) (2023)

Abstract
Nowadays, cybersecurity is an important issue at the personal and organizational levels. Therefore, cybersecurity simulation should be conducted in organizations that are considered critical information infrastructure. In the first simulated phishing attack, an email offering a fake promotion from a well-known IT equipment store was sent to employees of a railway company in Thailand. The results indicated that out of around 700 employees who received these phishing emails, 9.5% fell for the trap. This demonstrated a higher level of awareness about cyber threats compared to the average rate of 12%. Training was then given to the employees who fell into the trap of the first attack. A second simulated phishing attack was executed by sending an email from a fake IT administrator, notifying the employees to change their passwords. The results revealed that 8.0% of the employees who did not fall for the first attack were deceived, while 1.4% of the employees fell for both attacks with different contents. This study therefore shows that different contents can affect the awareness of users or employees differently. Thus, it suggests that the process of knowledge transfer based on cybersecurity awareness is still very important.
Key words
Cyberdrill, CSA, CII, fake website, victim