General Skills Training for Public Employees: Experimental Evidence on Cybersecurity Training in Argentina

Cyberattacks have risen to become one of the most critical global risks. Despite increasing investments to combat cyberattacks, there remains a significant, often unnoticed vulnerability: employees. Previous literature reveals that over two-thirds of cyberattacks within organizations result from employee negligence. While strengthening cybersecurity through employee training is essential, traditional methods often fall short. In this study, we tested different approaches to reduce risk exposure to phishing, one of the most common types of cyberattacks, focusing on a sector and context unaddressed by previous literature: the public sector in a developing country (Argentina). We randomly allocated 1,918 public servants to a control group and two treatment groups to compare the effectiveness of online trainingcommonly used to promote behavior changes on ancillary workplace topics such as ethics, discrimination, and data protectionversus a "learning-by-doing" approach, which involved sending repeated phishing emails followed by educational emails. Our findings indicate that the learning-by-doing approach is superior for enhancing phishing email detection, resulting in fewer phishing emails opened, fewer clicks on phishing links, and improved reporting of suspicious emails. This strategy is particularly effective among permanent public officials compared to contractors, as well as among female employees. These findings not only inform organizational cybersecurity practices but also have broader implications for influencing employee behavior on other important workplace topics.