Steven Furnell
University of Nottingham | Notts · School of Computer Science
BSc (Hons) PhD
520 Publications
175,512 Reads
10,926 Citations
Publications (520)
The Internet of Underwater Things (IoUT) represents an emerging and innovative field with the potential to revolutionize underwater exploration and monitoring. Despite its promise, IoUT faces significant challenges related to reliability and security, which hinder its development and deployment. A particularly critical issue is the establishment of...
Cybersecurity is established as fundamental for organisations and individuals engaging with digital technology. A central topic in cybersecurity is user behaviour, which has been shown to be the root cause or enabler in a majority of all cyber incidents with a resultant need to empower users to adopt secure behaviour. Researchers and practitioners...
This research investigates the deployment and effectiveness of the novel Pre-Signature scheme, developed to allow for up-to-date reputation being available in Vehicle-to-Vehicle (V2V) communications in rural landscapes, where the communications infrastructure is limited. We discuss how existing standards and specifications can be adjusted to incorp...
Encounters and interactions with cybersecurity are now regular and routine experiences for information technology users across a variety of devices, systems and services. Unfortunately, however, despite long-term recognition of the importance of usability in the technology context, the user experience of cybersecurity and privacy is by no means gua...
Cybersecurity threats targeting users are common in today's information systems. Threat actors exploit human behavior to gain unauthorized access to systems and data. The common suggestion for addressing this problem is to train users to behave better using SETA programs. The notion of training users is old, and several SETA methods are described i...
Cyber security is now the concern and responsibility of everyone who uses technology, regardless of whether they are IT or security practitioners. And this needs to be reflected in education. There are many disciplines, not directly related to cyber security, where knowledge of the threats and the basic skills to combat them are becoming necessary...
Formalizing the approach towards risk management on social media is critical for organizations. Regrettably, a review of the state-of-the-art on cybersecurity training highlighted that the existing frameworks are either too generic or too cumbersome to be adapted to different organizations and needs. Thus, we developed the Adaptive Cybersecurity Tr...
Human behaviors and attitudes play a significant role in cybersecurity. However, studies to quantify the impact of such behaviors and attitudes are scarce, and they are not always considered when developing mitigation strategies. To compensate for this, we have looked into a large sample of employees with different levels of expertise and backgroun...
User behavior is widely acknowledged as a crucial part of cybersecurity, and training is the most commonly suggested way of ensuring secure behavior. However, an open challenge is to get users to engage with such training to a high enough extent. Consequently, this paper provides research into user acceptance of cybersecurity training. User accepta...
This paper presents an innovative approach to teaching soft skills in cyber security. It highlights the importance of integrating soft skills, such as critical thinking, problem solving, communication, and empathy, alongside technical skills. The COLTRANE framework is introduced as a tool for educators to enhance the teaching of soft skills. The fr...
Home and hybrid working is now increasingly commonplace in many organizations, particularly in the wake of the enforced home working faced by many during the COVID-19 pandemic. However, while many organizations and workers have now embraced the opportunity, questions remain over whether security practices in the home-based and hybrid context are as...
Significant evidence indicates that insecure employee behavior can be a major threat, undermining cybersecurity in organizations. Although cybersecurity awareness programs aim to enhance behavior and mitigate security risk, much of the current provision is essentially designed to offer a one-size-fits-all and does not pay attention to the differenc...
Connected and Autonomous Vehicles (CAVs) are significantly transforming the definition of ‘vehicle’ on the road and in the market through their disruptive and pervasive technologies. Stakeholder research has consistently overlooked consumers and their CAV privacy knowledge. This paper addresses this through evaluating the consumer’s current privacy kn...
Cybersecurity technologies and processes must be usable if users are to make effective use of protection. Many security practitioners accept the value of usable security, but few can precisely define it in practice and in terms of how it influences users’ security behaviour and the wider security culture in organisations. This paper investigates ho...
Small and Medium-sized Enterprises (SMEs) are a critical element of the economy in many countries, as well as being embedded within key supply chains alongside larger organisations. Typical SMEs are data- and technology-dependent, but many are nonetheless ill-equipped to protect these areas. This study aims to investigate the extent to which SMEs c...
Nowadays, users face an increasing range of contexts in which they may wish to control access to and share their data. This includes mobile apps accessing sensitive data, cookies tracking user activity, and social media sites targeting users for advertisement. Existing studies have determined that many ordinary users are unable to make informed per...
It's common to find any number of ‘smart’ devices in the modern home, with the most common being so-called smart speakers. Despite their huge popularity, people often view these devices with at least some degree of suspicion, with concerns about security and privacy. With this in mind, this article presents the details of a study conducted among cu...
The formation of information security behavioural intention (ISBI) can be complex and dynamic in different contexts. This paper aims to examine and compare different users' ISBI formalisation mechanisms when dealing with their personal affairs (non-work users) and organisational affairs (work users). Drawing on two principles of Conservation of Res...
Throughout the years, passwords have enjoyed the curious distinction of being both the most maligned and the most widely used aspect of cyber security. We know their weaknesses and people tend to use them badly, yet they continue to be deployed in ways that have allowed poor practices to continue. As a result, the same problems have persisted and w...
Based on an analysis of current cybersecurity education in Europe and findings from a series of workshops conducted with selected groups of educators and learners in several European HEIs, this paper describes a methodology that is aimed at integrating the teaching of applied skills with the prevailing teaching, which is more focused on theoretical...
End-user practices are widely recognized as a source of cybersecurity weaknesses, and yet efforts to support related awareness and understanding are often lacking in both the workplace and wider societal contexts. As a result, users are often expected to be cybersecurity-literate and to follow good cyber hygiene practices, without necessarily havin...
The integration of sensors and communication technologies is enabling vehicles to become increasingly intelligent and autonomous. The Internet of Vehicles (IoVs) is built from intelligent vehicles that work collaboratively and interact with the surrounding environment in real time. The underlying communications infrastructure is provided by Vehicul...
Passwords continue to occupy an interesting position in cyber security, being both widely used and widely criticised at the same time. In many cases the criticism is levelled at users, who are routinely judged to be at fault for making weak choices. However, such judgements frequently tend to overlook the fact that users were ultimately permitted...
Effective provision of cybersecurity requires practitioners to work collaboratively to solve practical real-world problems. However, the extent to which these skills are supported by current higher education programmes is potentially limited. This paper presents an investigation into the needs of related learners and the educators who support them,...
The diverse range of Internet of Things (IoT) devices in smart homes results in users having to deal with a variety of technologies with different and incompatible user authentication methods. Continuous authentication offers an intelligent solution to this problem, although its application within IoT is currently in its infancy, and the limitation...
Cybersecurity is a pressing matter, and a lot of the responsibility for cybersecurity is put on the individual user. The individual user is expected to engage in secure behavior by selecting good passwords, identifying malicious emails, and more. Typical support for users comes from Information Security Awareness Training (ISAT), which makes the ef...
The pandemic has significantly changed the way we work, and many organisations were not prepared for that shift. Many people are working from home but without the protections normally expected in an enterprise environment. Home workers find themselves dependent on the security features and services provided by the vendors of the technology they are...
This chapter sets the scene for the book as a whole, establishing the need for cybersecurity awareness, training, and education in order to enable us to understand and meet our security obligations. It begins by illustrating key elements that ought to form part of cybersecurity literacy and the questions to be asked when addressing the issue. It th...
This chapter provides a specific focus to IoT devices in a domestic scenario. It begins by looking into the nature of IoT devices and interactions within the user's home environment. Attention is then given to the nature of security issues of such devices, and more particularly, the related impact for their users. Next, the chapter examines the IoT...
For more detailed information, please visit the SI website at:
https://www.journals.elsevier.com/journal-of-information-security-and-applications/call-for-papers/special-issue-on-insider-threats-in-cyber-security
Access to the many benefits available from digital technology can often vary depending upon the capabilities and facilities of the individual who is attempting to engage with it. Many digital devices and services require us to be identified and so require some form of user authentication as part of the process. However, the authentication methods t...
The ongoing demand for new and faster technologies continues to leave consumers and business users to face the constant challenge of updating systems and software. This unrelenting pace of technological evolution has not always been matched with a commensurate focus on security and privacy matters. In particular, the obligatory move to embrace clou...
Today, we are living in a digitally dependent world. Through the use of digital technologies, life is meant to be easier and streamlined. This includes giving access to services that previously were unavailable to many due to disability. Although technology has evolved immensely over the past few decades, reducing the digital divide, authentication...
The importance of the human aspects of cybersecurity cannot be overstated in light of the many cybersecurity incidents stemming from insecure user behavior. Users are supposed to engage in secure behavior by use of security features or procedures but those struggle to get widespread use and one hindering factor is usability. While several previous...
The term ‘cyber security’ is increasingly commonplace in everyday life, and is something that users of all ages will encounter in some form. However, there are varying interpretations about what it actually means, and because of this, people have similarly varying assumptions about the extent to which it applies to them or might affect them.
While the creation of a strong security culture has been researched and discussed for decades, it continues to elude many businesses. Part of the challenge faced is distilling pertinent, recent academic findings and research into useful guidance. In this article, we aim to tackle this issue by conducting a state-of-the-art study into organisational...
Purpose
The purpose of this study is to determine effective online safety awareness education for young people in less developed countries. The research followed an explanatory mixed methods design starting with an online survey (quantitative element) and then interesting or anomalous findings were followed up with one-on-one interviews (qualitativ...
Information security is a challenge facing organisations, as security breaches pose a serious threat to sensitive information. Organisations face security risks in relation to their information assets, which may also stem from their own employees. Organisations need to focus on employee behaviour to limit security failures, as if they wish to estab...
One of the most noticeable effects of the Covid-19 pandemic from the technology perspective has been the significant uptake of online meeting platforms, which many have suddenly found to be a necessary alternative to face-to-face meetings in all manner of contexts. From relatively casual meetings that may have taken place among co-workers in the of...
Complexity and sophistication among multimedia-based tools have made it easy for perpetrators to conduct digital crimes such as counterfeiting, modification, and alteration without being detected. It may not be easy to verify the integrity of video content that, for example, has been manipulated digitally. To address this perennial investigative ch...
While the threats may appear to be vastly different, further investigation reveals that the cybersecurity community can learn much from the COVID-19 messaging response.
The Internet of Things (IoT) allows various embedded devices and smart sensors to be connected with each other, which provides a basis for building smart cities. The IoT-enabled smart city can greatly benefit people’s daily lives, where the smartphone is one of the most widely used IoT devices. For example, people can use the phone to check their finan...
While the Internet has become an indispensable aspect of personal and professional lives, it has also served to render many individuals vulnerable to cybersecurity threats. Thus, the promotion of cybersecurity behaviors can effectively protect individuals from these threats. However, cybersecurity behaviors do not necessarily come naturally, and pe...
Cyber security is now an essential requirement for modern organisations, but many face a significant constraint in terms of a lack of skilled personnel to support the required roles and responsibilities. Although numerous related qualifications and certifications are available, it is necessary to understand this landscape in order to make an inform...
Intensive IT development is driving current information security (IS) trends and requires sophisticated structures and adequate approaches to manage IS for different businesses. The wide range of threats is constantly growing in modern intranets; they have become not only numerous and diverse but also more disruptive. In such circumstances, organiza...
This chapter examines the use of delay-tolerant networks (DTNs) in the context of deep-space data communications: an application area with extreme demands for delay tolerance. The discussion examines the networking requirements of space data communications, and the associated technology requirements to support a deep-space DTN solution. Specific at...
This book is a relevant reference for any readers interested in the security aspects of Cyber-Physical Systems and particularly useful for those looking to keep informed on the latest advances in this dynamic area.
Cyber-Physical Systems (CPSs) are characterized by the intrinsic combination of software and physical components. Inherent elements of...
This book constitutes the proceedings of the 15th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance, HAISA 2020, held virtually in July 2021.
The 18 papers presented in this volume were carefully reviewed and selected from 30 submissions. They are organized in the following topical sections: attitudes and...
TC 11: Security and Privacy Protection in Information Processing Systems
The prevalence of HTTP web traffic on the Internet has long transcended the layer 7 classification, to layers such as layer 5 of the OSI model stack. This coupled with the integration-diversity of other layers and application layer protocols has made identification of user-initiated HTTP web traffic complex, thus increasing user anonymity on the In...
Media reports regularly highlight organisations that have experienced costly cyber attacks or other cyber security breaches. Such breaches can have far-reaching and long-running impacts, compromising systems and data, impacting relationships with customers, suppliers and partners, and in extreme situations becoming existential threats. As an exampl...
The increased use of digital technologies and services brings with it a similarly increasing requirement for their end-users to have the awareness and ability to protect the security and privacy of their devices and data. However, this raises the related questions of what they need to know and from where they may obtain related guidance. The discus...
Modern network traffic classification puts much attention toward producing a granular classification of the traffic, such as at the application service level. However, the classification process is often impaired by the lack of granular network traffic ground truth. Granular network traffic ground truth is critical to provide a benchmark for a fair...
The demand for cybersecurity professionals is growing. Many cybersecurity academic and training programmes exist to prepare students and professionals for these jobs. The programmes cover many areas of cybersecurity with considerable overlap, but with different emphases. Some are highly technical and cover little non-technical; others do the opposi...
The majority of online safety awareness education programmes have been developed in advanced countries and for the needs of their own populations. In less developed countries (LDCs) not only are there fewer programmes there is also a research gap in knowing the issues that face young people in their respective country. The Young People Online Educa...
Purpose
The human factor is a major consideration in securing systems. A wide and increasing range of different technologies, devices, platforms, applications and services are being used every day by home users. In parallel, home users are also experiencing a range of different online threats and attacks and are increasingly being targeted as they...
Home working has been one of the long-promised freedoms of information technology. But until recently it was something that relatively few people had routinely experienced in practice (aside, perhaps, from taking work home to do in the evenings and at weekends). This situation abruptly changed in early 2020, with the Covid-19 pandemic forcing organ...
The surveillance and subsequent privacy risks (i.e., misuse of personal information) of Facebook App data constitute a persistent problem that affects millions of users. However, despite Facebook App research on specifics such as privacy concerns, value of information, and demographics, none of them has conducted vulnerability assessments on the us...
The surveillance of social media-based data is extensive and is showing little signs of abating. Alarmingly, social media corporates are seemingly irreproachable in this matter with many data surveillance practices persisting—even post Cambridge Analytica. In this article, we argue, and demonstrate, that although data surveillance is not a new conc...
Passwords are dead, writes Steven Furnell FBCS of the Centre for Security, Communications and Network Research at the University of Plymouth. Numerous people have said so (just search for the phrase to see for yourself).
With cyber security gaining ever-greater recognition as a key concern in today's organisations, there is an accompanying appreciation that specialist skills are required to support it. However, this has created challenges for employers in recruiting the associated talent, not least because skilled staff are in short supply.
With cyber security beco...
This book constitutes the refereed post-conference proceedings of the 5th International Workshop on Security of Industrial Control Systems and Cyber-Physical Systems, CyberICPS 2019, the Third International Workshop on Security and Privacy Requirements Engineering, SECPRE 2019, the First International Workshop on Security, Privacy, Organizations, a...
This book constitutes the revised selected papers of the 5th International Conference on Information Systems Security and Privacy, ICISSP 2019, held in Prague, Czech Republic, in February 2019.
The 19 full papers presented were carefully reviewed and selected from a total of 100 submissions. The papers presented in this volume address various topi...
This book constitutes the proceedings of the 14th International Symposium on Human Aspects of Information Security and Assurance, HAISA 2020, held in Mytilene, Lesbos, Greece, in July 2020.
The 27 full papers presented in this volume were carefully reviewed and selected from 43 submissions. They are organized in the following topical sections: pri...
This book constitutes the refereed post-conference proceedings of the 6th International Workshop on Security of Industrial Control Systems and Cyber-Physical Systems, CyberICPS 2020, the Second International Workshop on Security and Privacy Requirements Engineering, SECPRE 2020, and the Third International Workshop on Attacks and Defenses for Inter...
Psychological and behavioral characteristics are among the most important factors that instigate information security incidents. Although many previous studies have discussed the influencing factors of information security policy compliance behavior in an organization, few have considered the influence of organizational structures. In this study, t...
At the present time, there has been a rapid increase in the variety and popularity of messaging systems such as social network messaging, text messages, email and Twitter, with users frequently exchanging messages across various platforms. Unfortunately, in amongst the legitimate messages, there is a host of illegitimate and inappropriate content -...
Although we are continually offered the promise of passwords being eradicated they continue to be used extensively on the majority of devices, sites and services [1, 2]. At the same time, they remain a significant point of weakness – particularly in view of the way in which users choose and manage them. For example, in 2017, Verizon's ‘Data Breach Inv...
Purpose
The purpose of this study was to investigate the difference between South Africa (SA) and the United Kingdom (UK) in terms of data protection compliance with the aim to establish if a country that has had data protection in place for a longer period of time has a higher level of compliance with data protection requirements in comparison wit...
With the first incidents dating back to 2003, phishing has now been a problem for over a decade and a half. Unfortunately, just like malware, it's proven to be the cyber security equivalent of an unwanted genie that we can't put back in the bottle. Despite many efforts to educate users and provide safeguards, people are still falling victim.
Althou...
Organizational security is exposed to internal and external threats, with a greater level of vulnerabilities coming from the former. Drawing upon findings from prior works as a foundation, this study aims to highlight the significant factors that influence the security culture within organizations. Phase one of the study reports upon an interview-b...