A Multi-vocal Literature Review on challenges and critical success factors of phishing education, training and awareness

Background: Phishing is a malicious attempt by cyber attackers to steal personal information through deception. Phishing attacks are often aided by carefully crafted phishing emails, which can go undetected by automated anti-phishing tools due to their limited accuracy. Studies found that user education, training, and awareness can thwart phishing attacks. Understanding diverse interconnected challenges and critical success factors of phishing education, training, and awareness (PETA) approaches can help improve organizations' defense against phishing.Objective: This study presents a comprehensive, structured view of the challenges and critical success factors of the design, implementation, and evaluation stages of PETA.Method: We have conducted a Multi-vocal Literature Review (MLR) by systematically collecting 53 academic studies and 16 grey studies from popular databases by following a well-known MLR guideline. Results: We identified 20 challenges and 23 critical success factors, some of which involve human-centric and socio-technical factors in PETA. Our findings point out the need for designing explainable anti-phishing systems and developing automated tools and platforms to conduct real-world phishing studies.Conclusion: Our systematic analysis of 69 studies has enabled us to highlight the need for addressing human-centric issues, incorporating users' knowledge gaps, and adopting personalized approaches in PETA.