
Why do users not report spear phishing emails?

  • Youngsun Kwak
  • Seyoung Lee
  • Amanda Damiano
  • Arun Vishwanath
  • Inha University
  • Marist College
  • Avant Research Group (ARG), LLC

Research output: Contribution to journal › Article › peer-review

Abstract

Cyber security training programs encourage users to report suspicious spear phishing emails, and most antiphishing software provides interfaces to assist in the reporting. Evidence, however, suggests that reporting is scarce. This research examined why this is the case. To this end, Social Cognitive Theory (SCT) was used to examine the influence of the triadic factors of perceived self-efficacy toward antiphishing behaviors, expected negative outcomes from reporting spear phishing emails, and cyber security self-monitoring, on individuals’ likelihood of reporting spear phishing emails. Based on recent research on phishing victims, the present study also incorporated cyber risk beliefs (CRBs) into the SCT framework. The model, tested using survey data (N = 386), revealed that the likelihood of reporting spear phishing emails is increased by perceived self-efficacy, expected negative outcomes, and cyber security self-monitoring. Furthermore, the CRBs directly influenced the three SCT factors and indirectly the individuals’ likelihood of reporting spear phishing emails. The findings add to our understanding of SCT and the science of cyber security.

Original language: English
Article number: 101343
Journal: Telematics and Informatics
Volume: 48
State: Published - May 2020

Keywords

  • Cyber risk beliefs
  • Negative outcomes
  • Self-efficacy
  • Self-monitoring
  • Spear phishing emails
