Preventing Data Loss in Multinational Companies

Two Case Studies on Phishing Simulation and Drive Encryption

Slide 1

Security Management at Scale

Empirical insights collected from thousands of employees and over 60,000 simulated phishing emails, offering benchmarks for organizational resilience.

Applied Cybersecurity Research

Two real-world case studies conducted within multinational firms to evaluate the effectiveness of phishing simulations and disk encryption rollouts.

Overview

Preventing Data Loss in Multinational Companies (pre-publication, International Journal of Information Security, Elsevier 2025) investigates how large firms implement complementary cybersecurity measures in real operational environments.
The paper combines a 13-month phishing simulation campaign (62,000 emails) with a global deployment of Microsoft BitLocker encryption across thousands of PCs. It documents both the technical processes and the organizational challenges behind large-scale security transformations, producing actionable insights for IT managers and researchers.

Role: Co-Author
Year: 2023 – 2025
Institutions: Ca’ Foscari University of Venice & University of Innsbruck

The challenge

Despite extensive technical literature on cybersecurity, empirical evidence from real organizational implementations remains scarce. The study aimed to close this gap by observing two contrasting approaches to data-loss prevention, behavioral (phishing awareness) and infrastructural (drive encryption), to understand what actually works in practice across distributed corporate environments.

results

The phishing simulation revealed that over 6 % of phishing links were clicked and 11 % of attachments opened, identifying Business and HR-related content as the most deceptive. The BitLocker deployment achieved encryption on 83 % of company PCs, while 59 % also implemented Secure Boot, with hardware obsolescence emerging as the main limitation.
Across both cases, proper scheduling, communication, and the use of clear visual dashboards proved decisive for success. Beyond the data itself, the study offers a replicable methodology for monitoring, training, and enforcing large-scale security policies.

conclusion

This research provides one of the few data-driven looks into how multinational organizations actually implement cybersecurity measures in practice. By combining behavioral and technical perspectives, it shows that successful data-loss prevention depends as much on human engagement and organizational coordination as on the technology itself. The shared strategies derived from both case studies offer practical guidance for firms seeking to balance security enforcement with operational continuity, paving the way for evidence-based policy design in corporate cybersecurity management.