Assessing Phishing Awareness and Countermeasures Among Employees in Saudi Arabian Healthcare Organizations
Date
2025
Publisher
Saudi Digital Library
Abstract
Phishing is a major cybersecurity threat that targets human behaviour rather than systems,
making healthcare organizations especially vulnerable. This study assessed the levels of
phishing awareness, training exposure and effectiveness, and detection behaviours among
141 employees in Saudi Arabian healthcare organizations. A self-developed questionnaire
was validated using Exploratory Factor Analysis (EFA), confirming three factors: awareness,
training, and detection. Findings showed that employees scored highly on awareness (M =
3.93) and detection (M = 4.06), but lower on training exposure and effectiveness (M = 3.52).
Training was strongly correlated with awareness but less with detection, suggesting that it
might raise knowledge but does not always translate into improved real-world skills. Only
39% of employees had received training in the past six months, showing inconsistency in
organizational practices. Motivators such as certificates and financial rewards were valued,
while preferences leaned toward external trainers, interactive formats, and single-session
delivery. However, prior research suggests repeated, shorter sessions are more effective,
creating a gap between staff preferences and best practice. Overall, the study highlights the
need for more consistent, practical, and engaging phishing training tailored to the healthcare
context. Combining staff preferences with evidence-based approaches can improve
attendance, strengthen detection skills, and reduce risks.
Keywords
phishing, EFA, SPSS, Healthcare cybersecurity, awareness, Employee training
