Cognitive Dissonance–Based Priming Intervention: Randomized Encouragement With in-the-Wild Phishing Simulation Attack in Health Care

Background: Phishing remains a dominant initial attack vector in health care, exploiting psychological factors such as urgency and authority. Despite extensive investment in technical controls and awareness training, health care staff remain highly susceptible in real operational conditions. Cognitive dissonance (CD), the discomfort arising from inconsistencies between beliefs and actions, has been proposed as a mechanism to disrupt unsafe rationalization at the moment of exposure, but has rarely been evaluated in live organizational settings using objective behavioral outcomes.

Objective: This study examined whether a brief CD-based priming intervention, delivered immediately prior to a real-world phishing simulation, was associated with differences in phishing susceptibility among health care staff. Secondary objectives explored whether CD exposure was associated with directional differences in security-related perceptions and self-reported practices.

Methods: A 2-stage hybrid randomized-encouragement experiment was conducted at a large Norwegian hospital. In Stage 1, staff were randomly assigned to a control or CD-primed condition and completed a survey assessing security perceptions and self-reported practices (n=62). In Stage 2, an in-the-wild phishing simulation was sent to all staff, enabling objective measurement of phishing susceptibility via observed link-click behavior. Behavioral outcomes were analyzed across 3 groups—control (n=34), CD-primed (n=32), and neutral nonresponders (n=753)—using a prespecified omnibus chi-square test as the sole confirmatory analysis. Survey-based multivariate and univariate analyses were treated as exploratory due to limited sample size and variable construct reliability.

Results: Due to voluntary uptake, only a subset of randomized participants received the intervention. Observed phishing click rates were 65% (22/34) in the control group, 44% (14/32) in the CD-primed group, and 53% (396/753) in the neutral group. The omnibus chi-square test did not detect a statistically significant association between group membership and click behavior (χ²=3.00; n=819; P=.22; Cramér V=0.06). Descriptive comparisons within the randomized subset suggested lower click rates in the CD-primed group, but effect estimates were imprecise and associated with wide CIs. Survey-based analyses indicated group differences across combined psychological constructs; however, several constructs exhibited low internal consistency, and follow-up analyses were underpowered.

Conclusions: In a real-world hospital phishing simulation, pre-exposure CD priming was associated with a directional but statistically nonsignificant pattern of reduced phishing click behavior. This evidence does not establish a reliable behavioral effect, and construct-level findings are exploratory. CD-based prompts may serve as a lightweight behavioral signal in real-world conditions, but larger, fully randomized, and longitudinal studies with improved psychometric validation are needed before such interventions can be considered reliable complements to established cybersecurity controls.
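The omnibus test reported in the Results can be recomputed from the click counts given in the abstract. The following is an added example, not code from the study: the group counts come from the abstract, while the function names and the Wald interval used for the control versus CD-primed difference are assumptions made here for illustration.

```python
import math

# (clicked, did_not_click) per group, derived from the abstract's click rates.
GROUPS = {
    "control":   (22, 34 - 22),
    "cd_primed": (14, 32 - 14),
    "neutral":   (396, 753 - 396),
}

def omnibus_chi_square(groups):
    """Pearson chi-square for a k x 2 table: returns (chi2, df, p, cramers_v, n)."""
    rows = list(groups.values())
    n = sum(sum(r) for r in rows)
    col_totals = [sum(r[j] for r in rows) for j in range(2)]
    chi2 = 0.0
    for r in rows:
        for j, observed in enumerate(r):
            expected = sum(r) * col_totals[j] / n
            chi2 += (observed - expected) ** 2 / expected
    df = (len(rows) - 1) * (2 - 1)
    if df != 2:
        raise ValueError("closed-form p-value below is only valid for df = 2")
    p = math.exp(-chi2 / 2)  # chi-square survival function when df = 2
    cramers_v = math.sqrt(chi2 / (n * min(len(rows) - 1, 2 - 1)))
    return chi2, df, p, cramers_v, n

def risk_difference(a, b, z=1.959964):
    """Click-rate difference a - b with a Wald 95% CI (interval choice assumed here)."""
    n_a, n_b = sum(a), sum(b)
    p_a, p_b = a[0] / n_a, b[0] / n_b
    se = math.sqrt(p_a * (1 - p_a) / n_a + p_b * (1 - p_b) / n_b)
    diff = p_a - p_b
    return diff, diff - z * se, diff + z * se

if __name__ == "__main__":
    chi2, df, p, v, n = omnibus_chi_square(GROUPS)
    print(f"chi2({df})={chi2:.2f}, n={n}, P={p:.2f}, Cramer V={v:.2f}")
    rd, lo, hi = risk_difference(GROUPS["control"], GROUPS["cd_primed"])
    print(f"control - CD-primed click rate: {rd:.2f} (95% CI {lo:.2f} to {hi:.2f})")
```

The interval for the randomized subset spans zero, which is the imprecision the Results describe.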
