Phishing for proficiency: evaluating proficiency-based categorisation for personalised phishing training

Abstract

Purpose This study aims to investigate the impact of personalised phishing training on users’ phishing detection skills, by adapting training content to users’ phishing proficiency. The authors provide practical recommendations on how phishing training can be improved through personalisation. Design/methodology/approach In two online studies with 96 and 158 participants, the authors assigned participants to one of three groups that received tailored training based on a composite phishing proficiency measure. Findings The training enhanced overall phishing proficiency and reduced disparities between participants, by equalising proficiency across groups, regardless of their initial proficiency. These effects transferred to phishing classification accuracy, which supports the utility of the proficiency-based grouping approach. Originality/value This work advances personalised phishing training by introducing a composite phishing proficiency score, revising it and empirically validating its effectiveness and demonstrating that sparse pre-training data can enable personalised and efficient training. The authors provide an empirically tested foundation for tailoring interventions by mapping users to training modules based on their proficiency, rather than static demographic or personality traits.