Chapter

The “Human Factor” in Cybersecurity: Exploring the Accidental Insider


Abstract

A great deal of research has been devoted to the exploration and categorization of threats posed by malicious attacks from current employees who are disgruntled with the organisation or are motivated by financial gain. These so-called "insider threats" pose a growing menace to information security, but given the right mechanisms, they have the potential to be detected and caught. In contrast, human factors related to poor planning, lack of attention to detail, and ignorance are linked to the rise of the accidental or unintentional insider. In this instance there is no malicious intent and no prior planning for their "attack," but their actions can be equally damaging and disruptive to the organisation. This chapter presents an exploration of fundamental human factors that could contribute to an individual becoming an unintentional threat. Furthermore, key frameworks for designing mitigations for such threats are also presented, alongside suggestions for future research in this area.


... Human error in cybersecurity often arises from predictable cognitive and behavioral patterns well-documented in human factors psychology, cyberpsychology, cognitive psychology, and behavioral psychology. Key vulnerabilities include phishing and social engineering, where employees inadvertently provide credentials to attackers due to lack of awareness or verification (Hadlington 2018; Triplett 2022). Weak password practices, such as reusing credentials, exemplify how cognitive biases, like prioritizing convenience over security, can lead to vulnerabilities (Nobles 2018; Nobles 2019; Nobles 2022). ...
... Cognitive psychology explains that behaviors and habits formed around easily memorable or repetitive passwords make users more likely to repeat them across platforms, creating points of entry for attackers (Maalem-Lahcen et al. 2020). Likewise, behavioral psychology suggests that establishing strong password hygiene and implementing multi-factor authentication (MFA) can counteract these tendencies by reshaping users' behaviors through structured security protocols (Hadlington 2018; Triplett 2022). Furthermore, failing to install timely security updates reflects 'cognitive overload and decision fatigue', a state where individuals may prioritize immediate tasks over seemingly non-urgent system updates, leaving known security gaps unaddressed. Similarly, errors like the misdelivery of sensitive information, often due to reliance on auto-complete features, highlight how automation and cognitive shortcuts intended to reduce task time can inadvertently expose sensitive data (Hadlington 2018; Triplett 2022). ...
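The auto-complete misdelivery failure mode described in the excerpt above is one of the few accidental-insider vectors with a cheap technical guard: warn before sending when a recipient is a near miss for a trusted domain, or has never been mailed by this sender. The following is an added example written for this page, not code from the chapter or from the citing paper; the organisation domain `example-corp.com`, the sender history and the outgoing message are all constructed, and the edit-distance threshold of 2 is an assumption.

```python
"""Outbound-mail misdelivery guard.

Added example (not from the chapter or any cited paper). Flags outgoing
recipients that look like auto-complete slips: an external address whose
domain is within a small edit distance of the organisation's own domain or of
a domain the sender has mailed before, or an external recipient the sender
has never mailed. All domains, addresses and messages are constructed.
"""
from dataclasses import dataclass

INTERNAL_DOMAIN = "example-corp.com"  # assumed organisation domain


@dataclass
class Finding:
    recipient: str
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inlined to keep the example dependency-free."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def check_recipients(sender_history: set[str], recipients: list[str],
                     known_domains: set[str], max_dist: int = 2) -> list[Finding]:
    """Return one Finding per recipient that deserves a 'did you mean' prompt."""
    findings: list[Finding] = []
    trusted_domains = known_domains | {INTERNAL_DOMAIN}
    for rcpt in recipients:
        dom = domain_of(rcpt)
        if dom == INTERNAL_DOMAIN:
            continue  # internal mail is out of scope for this guard
        # 1. lookalike of a trusted domain: the classic typo / auto-complete slip
        for trusted in trusted_domains:
            d = levenshtein(dom, trusted)
            if 0 < d <= max_dist:
                findings.append(Finding(
                    rcpt, f"domain {dom!r} is {d} edit(s) from trusted {trusted!r}"))
                break
        else:
            # 2. no lookalike hit: still prompt if this sender has never mailed them
            if rcpt.lower() not in sender_history:
                findings.append(Finding(rcpt, "first-time external recipient"))
    return findings


def demo() -> list[Finding]:
    """Constructed sender history and one constructed outgoing message."""
    history = {"alice@partner-bank.co.uk", "bob@example-corp.com"}
    known = {domain_of(a) for a in history}
    recipients = [
        "alice@partner-bank.co.uk",  # known correspondent: no prompt
        "alice@partner-bnak.co.uk",  # transposition of a known partner domain
        "carol@examplecorp.com",     # missing hyphen: lookalike of our own domain
        "dave@example-corp.com",     # internal: skipped
        "eve@unrelated.org",         # never mailed before
    ]
    return check_recipients(history, recipients, known)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.recipient}: {f.reason}")
```

Run stand-alone it prints three prompts: the transposed partner domain, the hyphen-less copy of the internal domain, and the first-time external recipient. In a real deployment the sender history would come from the mail gateway's sent log and the trusted-domain list from the address book; the point is that the check runs at the moment the cognitive shortcut (auto-complete) is taken, rather than relying on the sender to notice.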
Article
Full-text available
Healthcare institutions are prime targets for cyber-attacks due to their extensive repositories of sensitive patient data and essential operational systems. Human error frequently initiates security breaches in these high-stakes settings, exacerbated by cognitive strain, limited training, and inadequate system design. Research highlights that over 80% of such incidents stem from human-enabled errors, with factors like security fatigue and cognitive overload significantly influencing cybersecurity actions. Despite this, many organizations fail to address the complexities of human behavior in cybersecurity, relying instead on cursory training programs that overlook the nuances of human error. As cybersecurity systems grow more sophisticated, healthcare personnel face increased cognitive and operational demands, further heightening error risks. This study addresses this critical gap by examining the role of human factors psychology in cybersecurity for healthcare and advocating for scientifically grounded strategies that incorporate human behavior, decision-making, and error mitigation to enhance institutional resilience against cyber threats.
... [23], [25], [33] | Frust | Deep frustration | Mental health issues | "Personal factors, which include introversion, handling stress and deep frustration are the common factors for identifying insider attacks."
[13], [22], [34], [33], [25], [30], [35] | Stress | Stress | "Employees can make mistakes due to "fatigue", "stress", "overwork", "inattention", or "multitasking"…"
[22], [36], [33], [37], [38], [39], [23], [40], [41] | Financial | Financial issue ... Personal problems | "...family, financial issues, health issues, all of these factors influence the employee to perform threats like blackmail or stealing information for monetary benefit."
[38], [39], [30] | Divorce | Relationship conflict | "…psychosocial factors-like a stressful divorce, difficulty working with others, or retaliatory behavior-may affect the insider threat."
[37], [39], [40], [27] | Addiction/Substance abuse | Addiction or substance abuse | "…from a malicious, insider-threat perspective, examples of notable behaviours include addictive practices (e.g., gambling or alcohol abuse), previous rule violations…"
[22], [33], [42] | Coercion/Blackmail | Blackmail | "…blackmailing insiders are other tactics."
[43], [22], [23], [44], [11], [41], [45] | Disgruntlement/Dissatisfaction | Disgruntlement/dissatisfaction with the organisation or job | "…resulted in disgruntlement and behaviors-e.g., violations of policies, rules, or even laws-that could have provided warning of increased insider risk." ...
Article
In the realm of cybersecurity, insider threats persist as significant challenges for organisations globally. Despite increasing acknowledgement of their impact, there is a lack of comprehensive studies that explore the multi-perspective factors contributing to insider threat occurrence from a holistic standpoint. This study aims to address this gap by conducting a thorough analysis of the human, technical, and organisational elements influencing insider threats. Through a content analysis approach, this study delves into the intricate interplay of individual characteristics, technical vulnerabilities, and organisational practices that can give rise to insider threats. This methodology involves systematically collecting, coding, and analysing a diverse range of textual data sources to identify recurring themes and patterns related to insider threats. We employed the Preferred Reporting Items for Systematic Review and Meta-Analysis (PRISMA) method to systematically review the literature. We conducted a literature search on Scopus, Web of Science, and IEEE for articles published between 2014 and 2023. We discovered a total of thirty-two (32) articles that were relevant for further analysis. The data indicates that human factors consist of five themes and fifteen sub-themes, technical factors have one theme and four sub-themes, and organisational factors have four themes and fifteen sub-themes. Overall, this study emphasises the importance of approaching insider threats from multiple perspectives, since no single factor operates independently. Instead, it is the combination and interaction of human, technical, and organisational components that create vulnerabilities and opportunities for insider threats.
... Most issues with cyber-security tend to be approached from either human error or awareness perspectives (Metalidou et al., 2014; Evans et al., 2016; Widdowson, 2016; Gratian et al., 2018; Jeong et al., 2019) or technology perspectives (Wright and Jun, 2019; Leveson, 2020). Human error/non-malicious behaviour literature showed that the majority (over 80%) of cyber-security breaches are ascribed to human error or non-malicious behaviour (Metalidou et al., 2014; Evans et al., 2016; Hadlington, 2018) for a range of systems and industries. ...
... Non-malicious behaviour can include unintentional/accidental information sharing, additional workload related to new technology fatigue, memory lapse, misjudgement, lack of understanding, lack of knowledge, lack of motivation, risky beliefs, risky behaviour, lack of training, lack of awareness, poor planning, lack of attention to detail, ignorance and accidental insider (Metalidou et al., 2014; Evans et al., 2016; Hadlington, 2017, 2018; Ghafir et al., 2018). This behaviour can be exhibited both by the general public and operators working on critical infrastructure. ...
... personality, demographics and risk-taking preferences) on security behaviours showed that some personality traits (e.g. high extraversion, high neuroticism) were linked to unintentional or accidental information sharing; as well as demographics such as younger age and being female (Gratian et al., 2018;Hadlington, 2018;Jeong et al., 2019), specifically for users of business or public systems. ...
Article
Full-text available
Purpose Railways are a well-known example of complex critical infrastructure, incorporating socio-technical systems with humans such as drivers, signallers, maintainers and passengers at the core. The technological evolution including interconnectedness and new ways of interaction lead to new security and safety risks that can be realised, both in terms of human error, and malicious and non-malicious behaviour. This study aims to identify the human factors (HF) and cyber-security risks relating to the role of signallers on the railways and explores strategies for the improvement of “Digital Resilience” – for the concept of a resilient railway. Design/methodology/approach Overall, 26 interviews were conducted with 21 participants from industry and academia. Findings The results showed that due to increased automation, both cyber-related threats and human error can impact signallers’ day-to-day operations – directly or indirectly (e.g. workload and safety-critical communications) – which could disrupt the railway services and potentially lead to safety-related catastrophic consequences. This study identifies cyber-related problems, including external threats; engineers not considering the human element in designs when specifying security controls; lack of security awareness among the rail industry; training gaps; organisational issues; and many unknown “unknowns”. Originality/value The authors discuss socio-technical principles through a hexagonal socio-technical framework and training needs analysis to mitigate against cyber-security issues and identify the predictive training needs of the signallers. This is supported by a systematic approach which considers both, safety and security factors, rather than waiting to learn from a cyber-attack retrospectively.
... Thus, cybersecurity is not limited to the protection of information systems and the resources of an organization or individual. Cybersecurity also covers protecting the users of cyber-environment resources alongside other several assets [3,4], with the inclusion of those that belong to the society that are vulnerable because of ICT (Information, Communication, and Technology) usage. ...
... Another area that is lacking from the literature, and which is important for gamifying cybersecurity, is good cybersecurity behaviour. As simple as it may seem, the literature has revealed that most of the security errors made by humans are because of a lack of good cybersecurity behaviours [3,72]. Therefore, issues such as how to identify scammers easily, avoiding fake actors, social media security, ignoring fake links, ignoring fake friend requests, maintaining good cybersecurity practices, avoiding get-rich schemes, ignoring too-good-to-be-true rewards, how to chat with strangers, and protecting computing devices (both offline and online) should be incorporated into the gamification of cybersecurity to ensure users are equipped with a comprehensive and balanced knowledge of cybersecurity. ...
Article
Full-text available
Cybersecurity is becoming an overly critical issue in contemporary times. Cyberspace safety is declining, covering all spheres of humanity. Deterioration in cybersecurity knowledge and awareness has resulted in more cybercrime victimisation. The more novel security systems are being developed, the higher the innovativeness of cybercriminals' techniques to attack cyber-users. Thus, investigating the stance of cybersecurity knowledge among general IT (Information Technology) users, especially in the 21st century, is paramount. This paper designed a cybersecurity quiz based on adaptations from literature and past cybersecurity quizzes and conducted investigations to test the knowledge of random cyber-users. Results from the investigations are instructive, thus serving as a propelling motivation to develop a cybersecurity game. Findings reveal that most cyber-users lack knowledge about network security. Also, respondents lacked knowledge on social engineering. Thus, it is important for upcoming innovations to consider aspects of network security and social engineering when designing cybersecurity gamification approaches. Gamification has been used as a teaching aid for diverse learning fields; however, its application in cybersecurity is still understudied. The result of this quiz is intended to further boost the development of a cybersecurity game, which can be age-centric, thus developing suitable cybersecurity games for specific user groups. Interestingly, though females were not regular game players, they were highly interested in playing a cybersecurity game, as the majority of cyber-users (males inclusive) believed that a cybersecurity knowledge gamification approach can help enhance their cybersecurity knowledge and awareness. Conclusively, it is obvious that both the young and old still lack basic cybersecurity knowledge, thereby making them easy prey for cyberattacks. Gamification, if applied properly to cybersecurity, could be an interactive learning platform that is both enjoyable and produces a high spirit of learning, as well as serving as a strong awareness tool that can boost cybersecurity users' knowledge.
... Cyber threats may also result from unintentional insider actions when there is little or no attention to details, poor planning, and ignorance of cybersecurity even though there is no malicious or prior intent [48,49] or insufficient capacity in terms of knowledge and skills [51,52]. Similarly, insider threats may result from mistakes, negligence, greed, or recklessness [53,54]. ...
... Training activities that improve awareness can improve online interaction and thus improve organizational and individual cybersecurity postures [49,51,9,35]. However, the one-size-fits-all approach to awareness is usually ineffective. ...
Article
Full-text available
Information and communication technology has become necessary for conducting business operations and ensuring business survival in Nigerian banks. However, this has come with some encumbrances, as this technology is vulnerable to attacks due to technical or human factors. These human factors have been very challenging for organizations due to their multi-dimensional nature and the fact that humans have been responsible for most cybersecurity incidents. Resolving issues arising from cybersecurity incidents is expensive and time-consuming. Therefore, this study is crucial as it will enable Nigerian banks witnessing increased attacks to take preventive measures and reduce the enormous expenditure required for remediation. This study adopts a literature review approach, reviewing previous studies on human factors in cybersecurity to determine the factors responsible for successful cyber-attacks and their suggested mitigations. The findings categorize these human factors into social engineering, poor information security culture, risky password practices, stress, burnout, and security fatigue. The study presents mitigations but notes that training and cybersecurity awareness are the most common reoccurring pre-emptive actions recommended. This research is significant as very little prior research has been conducted in this area targeted at the Nigerian banking sector. Practically, the findings of this study are expected to point Nigerian banks toward the critical human factors that they need to concentrate on to minimize the success rate of cyber-attacks and reduce the associated costs of recovering from these attacks.
... Although many researchers focused on internal human variables that intentionally encouraged cyberattacks, more recent research has revealed a rise in unintentional human factors that encourage cyberattacks. Unintentional human factors enhanced cyberattacks on organizations, according to the majority of qualitative studies [44, 47-49] in various reviews. As an illustration, Kadena and Gupi [50] found that organizational management made the majority of unintended attacks on the organizations' information systems possible. ...
... In addition to training initiatives, Wong et al. [45] and Georgiadou et al. [47] noted the importance of organizational climate or culture in enforcing cybersecurity. While Hadlington [48] addressed enforcement through behavioral encouragement, Ramlo and Nicholas [49] supported the application of best practices, Randall and Allen [44] suggested alternative enforcement measures, including law enforcement agencies and the building of infrastructure. ...
Article
Full-text available
Cyberattack prevention factors have a significant impact on the perception of social and moral values in the business context. Despite leaders’ significant role in encouraging and enculturating cybersecurity practices in their organizations, there is a noticeable gap in the literature to highlight empirically how leaders and top management in organizations foster organizational cybersecurity. Therefore, this study aims to explore the role of cybersecurity leadership in financial organizations in preventing cyberattacks and investigate other human and non-technical factors related to the individual in financial organizations. Based on Protection Motivation Theory (PMT), the research framework was developed with the tallying of new variables focusing on the role of an organization’s cybersecurity leadership, training frequency, and the role of government frequent alerting. This research employed a quantitative research method. The data were collected through a questionnaire from 310 financial executive officers from selected banks in UAE that use digital technology to enhance their daily banking operations. Using Structural Equation Modelling (SEM), the results indicated (1) a significant association between all investigated independent variables and cybersecurity leadership through hypotheses (H8–H14); (2) cybersecurity leadership mediates the relationship between investigated independent variables and cyberattack prevention, from hypotheses (H15, and H16–H22); (3) no significant association between investigated independent variables and cyberattack prevention from hypotheses (H1–H6), except hypotheses (H4 and H7), which show a significant association. The coefficient of cybersecurity leadership in this study is viewed as a prevention element against cyberattacks based on the findings. With greater cybersecurity leadership success, the implementation of cyberattack prevention increases. This study emphasizes the importance of cybersecurity leadership in a cyberspace environment that protects against cyberattacks and promotes cybersecurity awareness within financial organizations and society in UAE.
... This is a clear and lucid manifestation that information security is not all about technology integration but also entails user-centric measures, since technology cannot protect a system one hundred percent. Neely [4] and Global Security Survey [20] agreed that the main loose end of information security is the end-users who interact with the information system. On the other hand, Hadlington [19] argued that users' undeliberate actions such as incompetence and lack of knowledge towards information security approaches are the weakest component in information security and the main cause of cybersecurity breaches. ...
... Furthermore, Kizza [12] proffered that technology-focused security alone was insufficient as users were being targeted when the technological attacks did not succeed. Safianu [20] narrated that even though many institutions made use of an extraordinary number of technical security controls, a non-proportional number of security breaches still prevailed. ...
Conference Paper
Full-text available
Information system security is of paramount importance to every institution that deals with digital information. Nowadays, efforts to address cybersecurity issues are mostly software or hardware-oriented. However, the most common types of cybersecurity breaches happen as a result of unintentional human errors, also known as end-user actions. Thus, this study aimed to identify the end-user errors and the resulting vulnerabilities that could affect the system security requirements, the CIA triad of information assets. The study further presents state-of-the-art countermeasures and intellectual ideas on how entities can protect themselves from adverse events. A mixed-method research approach was adopted to inform the study. A closed-ended questionnaire and semi-structured interviews were used as data collection tools. The findings of this study revealed that system end-user errors remain the biggest threat to information systems security. Indeed, errors make information systems vulnerable to certain cybersecurity attacks and, when exploited, put legitimate users at risk.
... Multiple studies show that human behaviour could impact Internet users' security behaviour, particularly their response to phishing attempts (Abroshan et al., 2021b; Hadlington, 2021). Researchers have demonstrated that those users who tend to take more risks might click on phishing links more often (Abroshan et al., 2021b; Ayyagari & Crowell, 2020b). ...
... Prior studies demonstrate the relationship of a user's tendency to take risks with how they respond to phishing emails (Abroshan et al., 2021b; Hadlington, 2021). However, some other human factors might play the main role in specific situations such as a pandemic. ...
Thesis
Phishing is a social engineering scam that can result in data loss, reputational damage, identity theft, the loss of money, and many other damages to people and organisations. A phishing scam usually starts with an email trying to gain the potential victim's trust and convince them to take the attacker's desired actions, such as clicking on a link or opening an attachment. In the next step, the user might enter their sensitive information on a phishing website, or open an infected attachment that can compromise their account, computer, or even an organisation's network and systems. Prior studies have investigated the impacts of user traits on the success of phishing attacks and how they can increase or decrease susceptibility to phishing emails. However, little is known about the effect of users' behaviour in the different steps of a phishing attack, nor in different situations such as a pandemic, as exemplified by the COVID-19 outbreak in early 2020. Researchers and solution vendors have developed many technical anti-phishing solutions which can prevent phishing emails and websites. Nonetheless, users remain the weakest link and attackers know how to fool them by manipulating their behaviour. They always design new phishing campaigns and there are always users who fall into the scammers' traps. Knowing the behaviours and emotions of users that influence the success of phishing attacks will help us tackle this problem from its root causes. This study investigates which behaviour on the part of the users might affect the success of phishing and provides a framework that can be used to figure out the impact of more root causes. Based on the insights obtained, it also suggests a guideline to minimise phishing success by addressing human factors which might influence users' responses to phishing emails. This suggested guideline is flexible and can be enhanced by adding more predictors (i.e., behaviour and emotions) and learning from users' responses to phishing in the real world over time. However, there are some limitations which future studies can address to gain more accurate results and develop a comprehensive solution using the proposed guideline. This is a paper-based PhD dissertation consisting of six chapters. The dissertation starts with an introduction and continues with four papers (chapters 2-5). The first paper has been published in a post-conference proceeding of an international conference, the second has been published in an international peer-reviewed journal, the third paper is, at the time of writing, under revision with an international peer-reviewed journal, and the last paper is published in ACM proceedings.
... Online fraud is thought to cost businesses £193 billion, according to recent research from the Office of National Statistics. Technological solutions like biometric devices, firewalls, and anomaly detection systems offer some genuine defense against a range of threats to improve network security [70]. A technology-centric perspective is typically taken when approaching cybersecurity, with little to no understanding of end users' demands, motivations, and cognitive processes. ...
... According to De Bruijn & Janssen (2017), humans are the weakest link in an organization's cybersecurity strategy due to their lack of understanding. A significant 58% of employees are unaware of how to protect a company from malicious actions, while an overwhelming 98% think that security duties are solely the responsibility of system administrators (Hadlington, 2018). This highlights the necessity of comprehensive cybersecurity awareness programs that equip employees to protect against possible threats. ...
... al., 2022). Developing comprehensive incident response plans ensures that superannuation organizations can promptly and effectively respond to cybersecurity incidents (Aldawood & Skinner, 2019; Hadlington, 2021). This includes procedures for identifying, containing, eradicating, recovering, and learning from security breaches. ...
Article
Full-text available
In an era dominated by digital transformation, superannuation organizations face unprecedented challenges in safeguarding the confidentiality and integrity of sensitive financial data. This review explores the intricate relationship between accounting practices and cybersecurity controls within the context of superannuation entities. By examining the existing literature, regulatory frameworks, and industry best practices, this paper synthesizes the key considerations essential for ensuring robust data protection. The study delves into the critical role of accounting systems in managing financial information and the subsequent implications for data confidentiality. It investigates how evolving accounting standards and practices intersect with cybersecurity protocols to fortify the integrity of financial records within superannuation organizations. The dynamic nature of cyber threats necessitates a comprehensive analysis of technological safeguards, risk management frameworks, and compliance measures to uphold data confidentiality. Furthermore, the review underscores the imperative for a multidimensional approach to cybersecurity in the superannuation sector. It discusses the integration of advanced technologies such as encryption, blockchain, and anomaly detection alongside traditional accounting controls to create a resilient defense against emerging threats. The exploration extends to the examination of employee training programs, incident response strategies, and third-party risk assessments as integral components of a comprehensive cybersecurity posture. As superannuation organizations navigate the complex landscape of data management, a holistic understanding of the interplay between accounting and cybersecurity controls becomes paramount. This review contributes to the existing body of knowledge by providing insights into the challenges and opportunities presented by the evolving technological landscape, offering practitioners and policymakers a foundation for enhancing data confidentiality and integrity in the superannuation sector.
Keywords: Data Confidentiality; Accounting; Cybersecurity; Superannuation Organization; Data Integrity.
... For this, cyber security is fundamental. Cyber security also can save millions of dollars by reducing the risks of data breaches [6]. A data breach is costly, and cost-friendly cyber security can defend these business proceedings against data breaches. ...
... Also, given the positive relationship between some of the more socially aversive dark traits and malevolent creativity [67], it is reasonable to expect that many dark traits will show not just elevated levels of malicious insider threat behaviors but will also be likely to engage in a wider array of such behaviors, potentially more successfully. Even non-malicious threats, such as viewing dangerous websites or clicking on links in phishing emails, may be predicted with some dark personality traits associated with risk-taking, lack of anxiety, or an inflated sense of self-confidence [68-71]. ...
Article
Insider threats are a pernicious threat to modern organizations that involve individuals intentionally or unintentionally engaging in behaviors that undermine or abuse information security. Previous research has established that personality factors are an important determinant of the likelihood that an individual will engage in insider threat behaviors. The present article asserts that dark personality traits, non-clinical personality characteristics that are typically associated with patterns of anti-social and otherwise noxious interpersonal behaviors, may be particularly useful for understanding and predicting insider threat behaviors. Although some relationships between insider threats and dark traits have been documented, most attention has been devoted to a limited subset of dark traits. To address this issue, we critically review contemporary models of dark traits and their potential value for understanding both malicious and non-malicious insider threats, supplemented by discussions of subject matter expert ratings concerning the relevance of dark traits for both insider threat behaviors and cybersecurity personnel job performance. We then review potential assessment issues and provide evidence of possible moderators for the relationships under investigation. Finally, we develop avenues for future research, an agenda for improving the measurement of dark traits, and guidance for how organizations may implement the assessment of dark traits in their organizational processes.
... As noted, attacks continue regardless of the existing technical solutions in place; hence the university's electronic filing systems are more vulnerable to attacks than before using web services. According to research, database attacks are prevalent nowadays; therefore automated logout systems must be prioritized [18]. Evaluating technological vulnerabilities helps protect against targeted attacks [19]. ...
... The combination of technical defences alongside psychological traits to identify UIsT has enjoyed growing popularity over the last decade with a range of psychological measures being adopted to detect UIsT (Hadlington 2018). A framework developed by Nurse et al. (2014) furthers CERT's work discussed above. ...
Article
Full-text available
The exploitation of so-called insiders is increasingly recognised as a common vector for cyberattacks. Emerging work in this area has considered the phenomenon from various perspectives including the technological, the psychological and the sociotechnical. We extend this work by specifically examining unintentional forms of insider threat and report the outcomes of a series of detailed Critical Decision Method (CDM) led interviews with those who have experienced various forms of unwitting cybersecurity breaches. We also articulate factors likely to contribute firmly in the context of everyday work-as-done. CDM’s probing questions were used to elicit expert knowledge around how decision making occurred prior, during and post an unintentional cyber breach whilst participants were engaged in the delivery of cognitive tasks. Through the application of grounded theory to data, emerging results included themes of decision making, task factors, accidents and organisational factors. These results are utilised to inform an Epidemiological Triangle to represent the dynamic relationship between three vectors of exploit, user and the work environment that can in turn affect the resilience of cyber defences. We conclude by presenting a simple framework, which for the purposes of this work is a set of recommendations applicable in specific scenarios to reduce negative impact for understanding unintentional insider threats. We also suggest practical means to counteract such threats rooted in the lived experience of those who have fallen prey to them.
... The results show the theoretical possibilities as a function of time and how they affect different security behaviours. In [24], the authors discuss social engineering and provide technical and non-technical solutions such as policy, education and training, Network Guidance, auditing, technical and physical measures. ...
Article
Full-text available
Today, security is a major challenge linked with computer network companies that cannot defend against cyber-attacks. Numerous vulnerable factors increase security risks and cyber-attacks, including viruses, the internet, communications, and hackers. Internet of Things (IoT) devices are more effective, and the number of devices connected to the internet is constantly increasing, and governments and businesses are also using these technologies to perform business activities effectively. However, the increasing uses of technologies also increase risks, such as password attacks, social engineering, and phishing attacks. Humans play a major role in the field of cybersecurity. It is observed that more than 39% of security risks are related to the human factor, and 95% of successful cyber-attacks are caused by human error, with most of them being insider threats. The major human factor issue in cybersecurity is a lack of user awareness of cyber threats. This study focuses on the human factor by surveying the vulnerabilities and reducing the risk by focusing on human nature and reacting to different situations. This study highlighted that most of the participants are not experienced with cybersecurity threats and how to protect their personal information. Moreover, the lack of awareness of the top three vulnerabilities related to the human factor in cybersecurity, such as phishing attacks, password attacks, and social engineering, are major problems that need to be addressed and reduced through proper awareness and training.
... CSA assists in initiating a culture within institutions, and an influential culture increases the effectiveness of information systems management (Knapp et al., 2006;Pahnila et al., 2007;Puhakainen & Siponen, 2010). The value of creating a security culture within banking institutions results from the fact that the human aspect in information security is continuously measured to be the weakest link (Hadlington, 2021;Da Veiga & Eloff, 2009;Schlienger & Teufel, 2003). ...
Article
Full-text available
The purpose of this paper is to identify the factors of cybersecurity awareness in the banking sector. Literature shows several gaps that both top management and cybersecurity professionals must close to construct a successful digital institution in the conviction- and assurance-based economy. These gaps indicate four factors: top management commitment and support; budgeting; cybersecurity compliance; and cybersecurity culture. Methodology: A quantitative approach is used with questionnaire analysis. A total of 109 Information Technology (IT) employees completed a self-administered survey from six Bahraini Islamic retail banks and five Bahraini conventional commercial retail banks. Descriptive analysis with percentages and a simple mean-based ranking of indicators were used to analyze the data. Findings reveal the highest mean is 4.28 for security compliance. The lowest mean, for Cybersecurity Culture at 4.24, concludes that all the factors are significant for cybersecurity awareness. Respondents strongly agreed with the necessity of these factors in the banking sector. The research is limited by the insufficient information in the literature regarding the proposed combination of factors recommended. Practical implications for policymakers and cybersecurity specialists: This study provides a vital factor that may help improve policies or guidelines for successful cybersecurity awareness in organizations, to recognize cyber threats and the impact of cyber-attacks, and how to diminish cyber risk and avoid cyber-crime penetrating their cyberspace. Originality/value: fills a gap in the literature to construct a successful digital institution in the conviction- and assurance-based economy. This study helps managers direct and proceed with their daily activities, where maintaining the cybersecurity component is significant. A cybersecurity component is a defense and safeguards the firm's financial information, intellectual properties, and reputation against unauthorized parties. Moreover, the cybersecurity component concerns the organization and the public individuals exposed to cyber threats through their electronic digital media such as smartphones, personal computers, and Internet protocol systems. However, there is insufficient literature on the proposed combination of factors recommended as factors relating to cybersecurity awareness in the banking sector.
... Every employee should be aware that security is everyone's responsibility (Gerhold, Bartl, & Haake, 2017). Many employees still think IT is solely responsible for some technological and safety controls in their company (Hadlington, 2018). Instead of being the weakest link in cybersecurity, every employee could be a defensive security-sensitive, security-cultured, and security-compliant human firewall, serving as the first line of defense and playing the role of a security-risk whistle-blower (Mailloux & Grimaila, 2018; Sollars, 2016). ...
Book
Some cybersecurity leaders have not enforced cybersecurity policies in their organizations. The lack of employee cybersecurity policy compliance is a significant threat in organizations because it leads to security risks and breaches. Grounded in the theory of planned behavior, the purpose of this qualitative case study was to explore the strategies cybersecurity leaders utilize to enforce cybersecurity policies. The participants were cybersecurity leaders from 3 large organizations in the southwest and northcentral Nigeria responsible for enforcing cybersecurity policies. The data collection included semi-structured interviews of participating cybersecurity leaders (n = 12) and analysis of cybersecurity policy documents (n = 20). Thematic analysis identified 4 primary themes: security awareness and training, communication, management support, and technology. Two key recommendations are that organizations should have a chief information security officer for oversight of cybersecurity, and employee cybersecurity compliance should be reviewed regularly throughout the year for improvement and desired cybersecurity behavior. The implications for positive social change include the potential for cybersecurity leaders to implement cybersecurity measures that could enhance the public’s confidence by assuring them of their data’s safety and confidentiality, the integrity of data, and the availability of their services.
Chapter
Digital transformation has influenced organizations’ operations significantly. However, non-compliance with cybersecurity policy (CSP) is a growing concern for organizations. Technology alone cannot protect organizational cyber assets such as computer systems, networks, and data. Human aspects should be considered when designing and implementing a CSP. The lack of effective CSP training and awareness programs (CSPTAP) is attributable to employees’ non-compliance with the CSP. This paper aims to develop a framework to enhance employees’ compliance with the CSP by implementing effective CSPTAP. Drawing from the present literature and reflecting on the existing behavior change wheel (BCW) framework, and capability, opportunity, motivation, and behavior (COM-B) model, the cybersecurity policy compliance (CSPC) framework is developed. The CSPC framework comprises the following key concepts: learning existing policies, conducting employees’ gap analysis, reviewing existing policies/developing new policies, provision of relevant content and delivery mode, and periodic auditing. These key concepts are essential elements in cybersecurity policy compliance. The model indicates that the implementation of the essential elements will substantially influence employees’ compliance with CSP. Moreover, when organizations consider these key elements, cybersecurity policy training and awareness can positively enhance employees’ CSP compliance. The proposed development of CSPTAP provides a firm base for future empirical work including action research.
Keywords: Cybersecurity awareness; Cybersecurity policy; Cybersecurity training; Employee cybersecurity policy compliance
Conference Paper
Full-text available
The increasing sophistication and prevalence of cyber threats necessitate a reevaluation of the human element in cybersecurity. While technological advances provide robust security measures, human behavior remains a critical vulnerability and, conversely, a potential strength within the cyber domain. This paper explores the multifaceted aspects of the human factor, examining contemporary trends such as the rise of social engineering tactics, inadvertent insider threats, and the ramifications of human-computer interaction. Additionally, it investigates the challenges presented by the evolving landscape of cyber threats, the heterogeneity of human actors involved, and the cultural contexts that influence cybersecurity behaviors. Through a systematic review of recent literature, this paper offers insights into the dynamic interaction between humans and technology within the cybersecurity domain, proposing recommendations to mitigate risks and cultivate a more secure digital environment.
Article
This study aimed to explore the life experiences of cyber cops as sentries in cyberspace during the COVID-19 pandemic in RACU 7. Specifically, this sought to answer the following specific problems: experiences of the informants as cyber cops during the COVID-19 pandemic, coping with the challenges they encountered, and how they tried to solve the situation and aspirations of the informants to improve quality service. The phenomenological and qualitative approach in this study was utilized through interviews as the critical process in gathering data. There were ten (10) selected police officers with a cyber cop badge. They were chosen randomly, but they met the minimum qualifications. The research location is at Cebu PPO Compound, Cebu City, where RACU 7 holds the office. A validated interview guide aided by the voice recorder to transcribe the informants' responses was used. Utilization of Colaizzi's method, a phenomenological analysis procedure, was used to analyze the responses of the informants during the interview. Results revealed that in the informants' experiences as cyber cops during the COVID-19 pandemic, the themes generated were Performing Duties Amidst the Pandemic, Maintaining a Good Image, and Encountering Insufficiency of Personnel and Supplies. In coping with the challenges encountered and how they try to solve the situation, the following themes were created: Expanding Cyber Cops Strategies and Having the Cyber Cops Initiative. For the aspirations of the informants, themes identified were the adaptation of advanced technology and the expansion of organizational support. It was recommended that PNP-ACG design a program that would address issues in times of crisis like the pandemic and extend services prospective complainants could easily access. Moreover, the PNP organization should produce more well-trained cyber cops.
Article
Full-text available
Health crises, climate change, and technological hazards pose serious managerial and equity challenges for local governments. To effectively navigate the uncertainties and complexity, municipalities are increasingly collaborating with one another and sharing data and information to improve decision‐making. While data sharing fosters effectiveness in responding to threats, it also entails risks. One major concern is that local government managers often lack the knowledge and technical skills required for safe and effective data sharing, exposing municipalities to cyberthreats. Drawing on data sharing and cybersecurity scholarship, we investigate whether increased data sharing among local governments makes cities more or less vulnerable to cyberincidents. We test our hypotheses using data from two national surveys of U.S. local government managers conducted in 2016 and 2018. Our findings contribute to the literature on technology and risk in government by informing both public managers and researchers about the potential threats associated with data sharing.
Chapter
Online game addiction refers to the excessive and compulsive use of online games, leading to negative consequences in various aspects of people’s life. One concerning aspect is that compulsive players may compromise their security and safety while engaging in gaming activities. Despite the growing concern about this issue, there is still much to understand about providing effective protections and interventions, particularly among adolescents. Thus, this paper aims to investigate the relationship between protection motivation and the severity of online game addiction, with a particular focus on secure intention behavior among adolescents affected by online game addiction. A survey was conducted involving 660 late adolescents (aged 17–19 years) from various Higher Learning Institutions (HLIs) in Peninsular Malaysia. The findings revealed that 35% of the participants were addicted to online games, as assessed by the Online Cognition Scale (OCS) and Online Game Addiction Scale (OGAS). The severity of online game addiction significantly impacted secure intention behavior within the online gaming environment. Additionally, protection motivation emerged as a significant predictor of positive security behavior. These results offer new insights and support the existing hypotheses, emphasizing the importance of investigating the impact of online game addiction severity on secure intention behavior. Understanding the relationship between protection motivation and the severity of online game addiction concerning security intention behavior is crucial to prevent adverse outcomes, such as insecure cyber behavior and vulnerability to cyber threats. The findings from this study can contribute to the development of effective interventions and prevention strategies against cyber threats in the context of online gaming.
Article
Full-text available
This study explores cybersecurity awareness and resilience among women at Women Online University in Afghanistan, focusing on social engineering threats. The introduction highlights the dynamic cybersecurity landscape, emphasizing the potent threat of social engineering attacks exploiting human vulnerabilities. Addressing a gap in understanding nuanced factors influencing women's vulnerability in academia, the research provides valuable insights for targeted interventions and policies. Using a robust quantitative methodology, the study involves 170 women from various faculties, employing a stratified sampling technique. Self-administered questionnaires with closed and open-ended inquiries capture participants' perspectives. The investigation meticulously identifies variables, categorizing them into independent, dependent, and control variables, using precise instruments like questionnaires for accuracy. Results depict diverse cybersecurity awareness, revealing variations in awareness levels and program effectiveness. ANOVA tests highlight significant differences, emphasizing the need for tailored program design. Regression analyses explore factors influencing vulnerability perception, emphasizing limited impact from personal information sharing on social media. The study uncovers notable differences in risk perception across categories, necessitating further exploration. In conclusion, this research provides nuanced insights into social engineering vulnerabilities among women in online education, emphasizing tailored interventions and considering socio-cultural nuances. Implications extend to informing policies, practices, and future research, aiming to enhance defense against social engineering threats for Women Online University in Afghanistan.
Article
Insiders have the potential to do a great deal of damage, given their legitimate access to organisational assets and the trust they enjoy. Organisations can only mitigate insider threats if they understand what the different kinds of insider threats are, and what tailored measures can be used to mitigate the threat posed by each of them. Here, we derive VISTA (inclusiVe InSider Threat tAxonomy) based on an extensive literature review and a survey with C-suite executives to ensure that the VISTA taxonomy is not only scientifically grounded, but also meets the needs of organisations and their executives. To this end, we map each VISTA category of insider threat to tailored mitigations that can be deployed to reduce the threat.
Chapter
This cybersecurity case study provides a comprehensive remediation plan for an organization that recently experienced a data breach and lacks a risk management strategy. Starting with a current state analysis, the plan includes strategies to support the new organizational behaviors, understanding and aligning company culture, supporting changes with ethical decision-making and strong leadership, and ensuring changes are maintained and reinforced. Foundation theories and models are used to support the plan: human factors, theory of constraints, the plan-do-check-act cycle, Schein's model of organizational culture, the Deal and Kennedy culture model, Lewin's change management model, nudge theory, the duty-based approach to ethical decision-making, and transformational leadership. The resulting plan ensures that the organization is able to prevent most cyberattacks and has a ready response plan for dealing with any future breaches.
Article
Full-text available
There is a prevailing prejudice that technology can solve all problems in many fields, including cybercrime. Still, recent reports of increasing data breaches have shown that this belief is not always true. This paper investigated social engineering scenarios, particularly phishing attacks, to analyze the psychological deception schemes used by attackers alongside the heuristics that affect users' vulnerability. Indeed, the authors explain how hackers use various technical tools besides certain psychological factors to design clever and successful attacks against businesses or individuals. This research provides a decision-making framework for e-mail processing; it consists of several verification stages covering cognitive and technical factors that help users identify inconsistencies and different classes of phishing. Furthermore, it supports the security awareness field with a reliable framework that has demonstrated promising results and low false positives. The solution aims to reduce phishing threats and help organizations establish security-conscious behavior among their employees.
Conference Paper
Full-text available
Human elements in security, or cybersecurity in particular, have been an area which has been less explored and underrated. Data leaks, cyber-attacks, and malware attacks, which are consequences of failures triggered by humans, are constantly rising. In fact, ninety-five percent of cyber events are human-triggered or enabled. Several elements related to humans, such as (but not limited to) psychological, situational, time pressure, characteristics, and biases, influence cybersecurity habits. Through theme extraction using WordStar 8 and manual scanning of the chosen research papers, we fixated on six such significant human-related components or variables, which impact cybersecurity practices, through a careful Systematic Literature Review. The paper shows how these components affect cybersecurity conduct and shows how these components are related and can often (all things considered) lead to dangerous security practices. A significant research question investigated is how these elements affect cybersecurity conduct. We have drawn data for this study principally dependent on secondary research to create a theoretical framework that depicts the consequences of various human elements on one another, which influences cybersecurity propensities. We likewise clarify why a comprehension of human-related components or variables identified with digital security is significant and can add to fruitful innovations and programming. A thing to note here is that the study area, despite everything, remains not a completely examined field, and subsequently, specialized papers for this literature review were difficult to find. This examination is utilized as a base for more work to decrease the human variables driving cyber-attacks that have seen a sensational increment in the world of innovation, technology, and the web.
Article
Full-text available
Mobile devices are well-known communication tools. People, especially young people, cannot go even one step without them. Technological advancements provide better features, but at the same time, such systems still face security risks. Protective layers do exist, but some systems are automated and engineered, while others rely on humans. This work begins with examining some critical points related to the weakest link in the security chain: the human factor. Errors are given in the view of the Swiss Cheese Model by emphasizing the role of latent conditions in "holes". We found that the Swiss Cheese Model has some limitations. In order to enhance it, we have used the Failure Mode and Effect Analysis risk matrix methodology. Thus, we represent its application on mobile devices to demonstrate that it can give us more accurate results by identifying the most critical points where manufacturers should focus on. This work is based on qualitative data, and it provides the basis for quantitative research. In the end, we suggest that in order to obtain more accurate findings, the Failure Mode and Effect Analysis can be further extended.
Article
Full-text available
This article identifies human factors in workplaces that contribute to the challenges faced by cybersecurity leadership within organizations and discusses strategic communication, human-computer interaction, organizational factors, social environments, and security awareness training. Cybersecurity does not simply focus on information technology systems; it also considers how humans use information systems and susceptible actions leading to vulnerabilities. As cyber leaders begin to identify human behavior and processes and collaborate with individuals of the same mind-set, an organization's strategy can improve substantially. Cybersecurity has been an expanding focal point from the viewpoint of human factors. Human inaccuracy can be unintentional due to an inaccurate strategic implementation or accurate unsatisfactory plan implementation. A systematic literature review was conducted to realize unintentional human factors in cybersecurity leadership. The results indicate that humans were the weakest link during the transmission of secure data. Furthermore, specific complacent and unintentional behaviors were observed, enabled by the ignorance of leaders and employees. Therefore, the enforcement of cybersecurity focuses on education, awareness, and communication. A research agenda is outlined, highlighting a further need for interdisciplinary research. This study adopts an original approach by viewing security from a human perspective and assessing how people can reduce cybersecurity incidents.
Chapter
More than ever before, the economic success of companies depends on the use of information and communication technologies. Along with this development, cyber security plays a vital role to ensure the continuous and secure operation of critical applications and IT-services. The human factor represents one especially important aspect for ensuring cyber security in organizations, which has taken a turn for the worse in recent time. Security awareness activities, such as security training, newsletters or quizzes, are often performed to try to improve the situation, but the effects are slow to materialize and often do not bring lasting change. This paper therefore gets to the root of the problem using a different approach, which is centered around the people involved. The introduced framework combines the domains of design thinking and information security and presents a creative and human-centered way towards cyber security. We highlight building blocks, tools and techniques, which support the implementation of the presented framework. In order to demonstrate the applicability of the approach, we present our evaluation results of a start-up company which used our approach.
Chapter
Due to improvements in data communication technology, humans can communicate with each other in the world instantly. Private and confidential information available on virtual communities and e-services is not protected because of the absence of security procedures. Therefore, communication systems are more exposed and can be breached by malevolent users by means of social engineering attacks. These attacks are achieved by misleading people or organizations into performing activities that are advantageous to attackers or giving secret information like transaction codes, unique identification numbers, medical archives, and passwords. Social engineering attacks are one of the major challenges in the field of security since they misuse the human inclination toward trust. This paper presents a detailed review on social engineering attacks, taxonomies, detection approaches, and prevention measures.
Keywords: Social Engineering Attacks; Cybersecurity; Phishing; Scams
Chapter
Full-text available
Cybersecurity refers to the organizational practices followed by the different multinational companies to defend their computers, servers, mobile devices, and networks from malicious attacks. This data exploitation is usually done by accessing, changing, or destroying sensitive information or hacking the data for money extortion. It applies to systems and mechanisms aimed at stopping unauthorized entry, bugs, and cybercriminal threats to devices, networks, and records. It does not matter how many technologies are emerging to make our life easy; humans are the main vulnerability in every sector. In this chapter, the authors discussed social engineering techniques: how we are being attacked by unknown threats with simple manipulative actions.
Chapter
This chapter provides a specific focus to IoT devices in a domestic scenario. It begins by looking into the nature of IoT devices and interactions within the user's home environment. Attention is then given to the nature of security issues of such devices, and more particularly, the related impact for their users. Next, the chapter examines the IoT security and privacy challenges from the human factors perspective, including the trade-offs that users may be expected to make in terms of providing and sharing their data, as well as the unexpected burden that may be faced as a result of the volume and range of smart devices that they find themselves using. The chapter concludes with a look toward what could be done to improve the situation from the user's perspective, bearing in mind the things that they need to achieve and how appropriate presentation of the technologies may assist them in doing so.
Article
Efforts have been made on large and small scales to reduce cybersecurity threats around the world, including in Malaysia. However, scholars have argued that, in spite of the technological preparations countries can take to shield themselves from attack, human factors may be the key reason behind increasing breaches in cybersafety in recent years. In this review, developed in a social sciences context, we argue that intra- and interpersonal human factors, such as biological, psychological, and cultural factors, must be considered holistically to effectively increase awareness of the importance of online safety. We also argue that these personal and psychological factors can be framed using Urie Bronfenbrenner's theory of human ecology, which, along with previous studies, points to the importance of examining the various layers of environmental factors that affect human behavior. Lastly, this paper also considers what types of education and training can effectively utilize the knowledge of human factors to increase online safety awareness.
Chapter
Full-text available
In South Africa (SA), being a developing country, there is a significant gap between the level of trust consumers extend towards organizations they share personal information with whilst conducting everyday transactions and the degree to which that trust is justified by the Information Security (IS) compliance efforts of organizations. Consumers are lacking IS compliance awareness which influences their ability to make informed decisions on when to share or not to share their personal information with organizations. There is currently no government-led/sponsored IS compliance awareness training initiatives in SA and therefore no way to measure the progress/maturity of such framework implementation. This research problem called for the development of a Consumer Data Protection Framework (CDPF) in a prior study to assist the South African government with improving the IS compliance awareness of consumers through government-led awareness training initiatives [1]. This paper extends that work by proposing a Consumer Data Protection Maturity Model (CDPMM) to assist the South African government with evaluating the maturity of the aforementioned CDPF implementation. The evaluation results can be used to create an improvement plan which will guide the South African government to reach its target maturity level. The primary research objective of this paper is therefore to propose a CDPMM that can be used to measure the progress of the CDPF implementation in a South African government setting. The CDPMM is developed based on key components derived from literature and evaluated through expert reviews for improvement.
Article
Full-text available
Nowadays, there are growing views of potentially addictive behaviors such as digital addiction, especially Online Game Addiction (OGA). This study argues that all types of addictions are related to common components, such as salience, mood modification, tolerance, withdrawal, conflict, relapse, and problems. Despite the plethora of online game consequences, there is no standard or benchmark used to classify between addicted and non-addicted users. Therefore, this study is organized to identify the factors that contribute to OGA and examine the level of OGA especially among adolescents by utilizing the Online Game Addiction Scale (OGAS). Using the same scale, the adolescents were classified into addicted and non-addicted categories. Driven by previous studies of conventional game addiction, this study adopted all the distinct common components to measure seven underlying criteria related to OGA. The dimensional structure of the scale was analyzed based on the samples of adolescents among students of higher learning institutions (HLI) in Northern Malaysia. Data were collected from 389 participants who responded to an online survey. Based on OGAS, 35 percent of the participants were found to be addicted to online games. In addition, the findings demonstrated good concurrent validity as shown by the coherent associations between the time spent on playing games and the category of the games. This study contributes to the identification of factors that influence OGA among adolescents, which are significant in preventing the occurrence of other behavioral issues such as insecure cyber and emotional behaviors.
Article
Though human factors are increasingly being acknowledged as a contributor to cybersecurity incidents, this domain is not widely understood by those in technical and applied disciplines. Humans can be influenced, are not always rational or predictable, and must be studied through psychology rather than technology. Consequently, this domain may represent uncharted territory for the technical practitioner leaving many promising areas of research and practice unexplored. This paper provides a broad primer on human factors in cybersecurity, specifically focusing on the threat posed by organizational insiders. We emphasize the pivotal role that users play in determining overall system security and aim to introduce non-experts to this field, stimulating new interest in this intersection of humans and computers.
Chapter
Full-text available
The requirement for consumers to divulge personal data to obtain basic products/services from organizations is becoming the norm. It has, to a large extent, benefitted consumers, as it enabled organizations to profile their customers to provide them with relevant products/services and an improved shopping experience. Nevertheless, although profiling driven by big data offers endless lists of opportunities/value through improved customer experience, it is also accompanied by many risks of which consumers are not always aware. In South Africa (SA), being a developing country, it became clear that there is a divide between the level of trust consumers extend towards organizations they transact/share personal data with and the extent to which that trust is warranted by organizational Information Security (IS) compliance efforts. Human factors significantly influence IS behaviour. Trust is a crucial human factor as it influences IS behaviour. Awareness is a powerful element that can in turn influence trust and IS behaviour. There is currently a definite lack of IS compliance awareness amongst consumers and a disregard of the cost/value benefit of IS compliance from an organizational perspective. The failure to realize/address these issues in previous data protection frameworks emerged as a key lesson. There are currently no government-led/sponsored IS compliance awareness and training initiatives in SA. The primary research objective of this paper is to propose a Consumer Data Protection Framework to assist the South African Government with creating IS compliance awareness amongst consumers. This Framework will be developed based on key building blocks derived from literature.
Chapter
Full-text available
Cloud computing, internet of things (IoT), edge computing, and fog computing are gaining attention as emerging research topics and computing approaches in recent years. These computing approaches are conceptual and contextual strategies rather than computing technologies themselves, and in practice they often overlap. For example, an IoT architecture may incorporate cloud computing and fog computing. Cloud computing is a significant concept in contemporary computing and is being adopted in almost every means of computing. All computing architectures incorporating cloud computing are termed cloud-based computing (CbC) in general. However, cloud computing itself is the basis of CbC because it significantly depends on resources that are remote, and the remote resources are often under third-party ownership, where the privacy of sensitive data is a big concern. This chapter investigates various privacy issues associated with CbC. The data privacy issues and possible solutions within the context of cloud computing, IoT, edge computing, and fog computing are also explored.
Article
Full-text available
Cybersecurity is a growing problem associated with everything an individual or an organization does that is facilitated by the Internet. It is a multi-faceted program that can be addressed by cybersecurity governance. However, research has shown that many organizations face at least five basic challenges of cybersecurity. In this study, we developed a model for effective cybersecurity governance that hopes to address these challenges, conceptualized as factors that must continuously be measured and evaluated. They are: (1) Cybersecurity strategy; (2) Standardized processes; (3) Compliance; (4) Senior leadership oversight; and (5) Resources.
Article
Insider threat has been recognized by both the scientific community and security professionals as one of the gravest security hazards for private companies, institutions, and governmental organizations. Extended research on the types, associated internal and external factors, detection approaches and mitigation strategies has been conducted over the last decades. Various frameworks have been introduced in an attempt to understand and reflect the danger posed by this threat, whereas multiple identified cases have been classified in private or public databases. This paper aims to present how a cyber-security culture framework with a clear focus on the human factor can assist in detecting possible threats of both malicious and unintentional insiders. We link current insider threat categories with specific security domains of the framework and introduce an assessment methodology of the core contributing parameters. This approach takes into consideration technical, behavioral, cultural, and personal indicators and assists in identifying possible security perils deriving from privileged individuals.
Article
K-12 students and teachers are a vulnerable population for cybersecurity risks. Identifying both risk factors and protective factors associated with intuitive and rational judgment of cybersecurity risks would help them develop strategies to tackle cyber risks. A total of 2703 K-12 students and teachers from 45 GenCyber Summer Camps participated in the survey study at the beginning of the camps, and a total of 1021 K-12 students and teachers participated in the follow-up survey at the end of the camps. The Cybersecurity Judgment Questionnaire was developed and administered to assess intuitive and rational judgments of cybersecurity risks. Two major findings of the study include: (1) three significant risk factors associated with both intuitive and rational cybersecurity judgment were Age Group, Region, and Prior GenCyber Camp Experience. That is, younger students, the campers from the West region, and participants attending the camps before tended to have a lower level of cybersecurity judgment; and (2) two significant protective factors were Cyber Use Length and Current GenCyber Camp Experience, i.e., the experiences of both using computers, Internet, cellphones and participating in the current camps having significant advantages in judging cybersecurity risks intuitively and rationally. Thus, it is critical to use both the push strategy to minimize the risk factors and the pull strategy to maximize the protective factors. It is concluded with a summary of limitations and future studies, i.e., replicating the findings in regular K-12 schools, examining more risk and protective factors, conducting longitudinal studies, and studying underlying mechanisms.
Article
Full-text available
The present study explored the relationship between risky cybersecurity behaviours, attitudes towards cybersecurity in a business environment, Internet addiction, and impulsivity. 538 participants in part-time or full-time employment in the UK completed an online questionnaire, with responses from 515 being used in the data analysis. The survey included an attitude towards cybercrime and cybersecurity in business scale, a measure of impulsivity, Internet addiction and a ‘risky’ cybersecurity behaviours scale. The results demonstrated that Internet addiction was a significant predictor for risky cybersecurity behaviours. A positive attitude towards cybersecurity in business was negatively related to risky cybersecurity behaviours. Finally, the measure of impulsivity revealed that both attentional and motor impulsivity were significant positive predictors of risky cybersecurity behaviours, with non-planning being a significant negative predictor. The results present a further step in understanding the individual differences that may govern good cybersecurity practices, highlighting the need to focus directly on more effective training and awareness mechanisms.
Chapter
Full-text available
Security experts frequently refer to people as “the weakest link in the chain” of system security. Famed hacker Kevin Mitnick revealed that he hardly ever cracked a password, because it “was easier to dupe people into revealing it” by employing a range of social engineering techniques. Often, such failures are attributed to users’ carelessness and ignorance. However, more enlightened researchers have pointed out that current security tools are simply too complex for many users, and they have made efforts to improve user interfaces to security tools. In this chapter, we aim to broaden the current perspective, focusing on the usability of security tools (or products) and the process of designing secure systems for the real-world context (the panorama) in which they have to operate. Here we demonstrate how current human factors knowledge and user-centered design principles can help security designers produce security solutions that are effective in practice.
Conference Paper
Full-text available
Human behavioral factors are fundamental to understanding, detecting and mitigating insider threats, but to date insufficiently represented in a formal ontology. We report on the design and development of an ontology that emphasizes individual and organizational sociotechnical factors, and incorporates technical indicators from previous work. We compare our ontology with previous research and describe use cases to demonstrate how the ontology may be applied. Our work advances current efforts toward development of a comprehensive knowledge base to support advanced reasoning for insider threat mitigation.
Conference Paper
Full-text available
Despite the plethora of security advice and online education materials offered to end-users, there exists no standard measurement tool for end-user security behaviors. We present the creation of such a tool. We surveyed the most common computer security advice that experts offer to end-users in order to construct a set of Likert scale questions to probe the extent to which respondents claim to follow this advice. Using these questions, we iteratively surveyed a pool of 3,619 computer users to refine our question set such that each question was applicable to a large percentage of the population, exhibited adequate variance between respondents, and had high reliability (i.e., desirable psychometric properties). After performing both exploratory and confirmatory factor analysis, we identified a 16-item scale consisting of four sub-scales that measures attitudes towards choosing passwords, device securement, staying up-to-date, and proactive awareness.
Article
Full-text available
Cyberloafing Phenomenon in Organizations: Determinants and Impacts
Conference Paper
Full-text available
People make security choices on a daily basis without fully considering the security implications of those choices. In this paper we present a prototype application which promotes the choice of secure wireless network options, specifically when users are unfamiliar with the wireless networks available. The app was developed based on behavioural theory, choice architecture and good practices informed by HCI design. The app includes several options to 'nudge' users towards selecting more secure public wireless networks. This paper outlines the development and the results of an evaluation of some of the potential app nudges (specifically, presentation order and colour coding). Colour coding was found to be a powerful influence, less so with the order in which we listed the Wi-Fi networks, although the colour x order combination was most effective. The paper contributes to the body of evidence on the effectiveness of cyber-security interventions to empower the user to make more informed security decisions.
Article
Full-text available
While individual differences in decision-making have been examined within the social sciences for several decades, this research has only recently begun to be applied by computer scientists to examine privacy and security attitudes (and ultimately behaviors). Specifically, several researchers have shown how different online privacy decisions are correlated with the "Big Five" personality traits. However, in our own research, we show that the five factor model is actually a weak predictor of privacy preferences and behaviors, and that other well-studied individual differences in the psychology literature are much stronger predictors. We describe the results of several experiments that showed how decision-making style and risk-taking attitudes are strong predictors of privacy attitudes, as well as a new scale that we developed to measure security behavior intentions. Finally, we show that privacy and security attitudes are correlated, but orthogonal.
Conference Paper
Full-text available
This paper considers the utility of employing behavioural nudges to change security-related behaviours. We examine the possibility that the effectiveness of nudges may depend on individual user characteristics – which represents a starting point for more personalized behaviour change in security. We asked participants to select from a menu of public wireless networks, using colour and menu order to ‘nudge’ participants towards making more secure choices. The preliminary results from 67 participants suggest that while nudging can be an effective tool to help non-experts to select more secure networks, certain user differences may also play a role. Lower (novice level) IT proficiency and diminished impulse control led to poorer security decisions. At the same time, we were able to demonstrate that our nudge effectively changed the behaviour of participants with poor impulse control. We discuss these implications and pose several questions for future research.
Conference Paper
Full-text available
Behavior-change interventions are common in some areas of human-computer interaction, but rare in the domain of cybersecurity. This paper introduces a structured approach to working with organisations in order to develop such behavioral interventions or ‘nudges’. This approach uses elements of co-creation together with a set of prompts from the behavior change literature (MINDSPACE) that allows researchers and organisational stakeholders to work together to identify a set of nudges that might promote best behavioral practice. We describe the structured approach or framework, which we call SCENE, and follow this description with a worked example of how the approach has been utilised effectively in the development of a nudge to mitigate insecure behaviors around selection of wireless networks.
Article
Full-text available
Slowly but surely, academia and industry are fully accepting the importance of the human element as it pertains to achieving security and trust. Undoubtedly, one of the main motivations for this is the increase in attacks (e.g., social engineering and phishing) which exploit humans and exemplify why many authors regard them as the weakest link in the security chain. As research in the socio-technical security and trust fields gains momentum, it is crucial to intermittently pause and reflect on their progress while also considering related domains to determine whether there are any established principles which may be transferred. Comparison of the states of the art may assist in planning work going forward and identifying useful future directions for the less mature socio-technical field. This paper seeks to fulfil several of these goals, particularly as they relate to the emerging cybersecurity-risk communication domain. The literature reviews which we conduct here are beneficial and indeed noteworthy as they pull together a number of the key aspects which may affect the trustworthiness and effectiveness of communications on cybersecurity risks. In particular, we draw on information-trustworthiness research and the established field of risk communication. An appreciation of these aspects and precepts is imperative if systems are to be designed that play to individuals' strengths and assist them in maintaining security and protecting their applications and information.
Article
Full-text available
An effective user security awareness campaign can greatly enhance the information assurance posture of an organization. Information security includes organizational aspects, legal aspects, institutionalization and application of best practices in addition to security technologies. User awareness represents a significant challenge in the security domain, with the human factor ultimately being the element that is exploited in a variety of attack scenarios. An information security awareness program is a critical component in any organization's strategy. In contrast to other information security awareness work, which mostly explains methods and techniques for raising information security awareness, this paper discusses and evaluates the effectiveness of different information security awareness tools and techniques on the basis of psychological theories and models. Finally, it describes how to measure information security awareness in an organization.
Article
Full-text available
It is increasingly acknowledged that many threats to an organisation’s computer systems can be attributed to the behaviour of computer users. To quantify these human-based information security vulnerabilities, we are developing the Human Aspects of Information Security Questionnaire (HAIS-Q). The aim of this paper was twofold. The first aim was to outline the conceptual development of the HAIS-Q, including validity and reliability testing. The second aim was to examine the relationship between knowledge of policy and procedures, attitude towards policy and procedures and behaviour when using a work computer. Results from 500 Australian employees indicate that knowledge of policy and procedures had a stronger influence on attitude towards policy and procedure than self-reported behaviour. This finding suggests that training and education will be more effective if it outlines not only what is expected (knowledge) but also provides an understanding of why this is important (attitude). Plans for future research to further develop and test the HAIS-Q are outlined.
Technical Report
Full-text available
A psychosocial model was developed to assess an employee's behavior associated with an increased risk of insider abuse. The model is based on case studies and research literature on factors/correlates associated with precursor behavioral manifestations of individuals committing insider crimes. In many of these crimes, managers and other coworkers observed that the offenders had exhibited signs of stress, disgruntlement, or other issues, but no alarms were raised. Barriers to using such psychosocial indicators include the inability to recognize the signs and the failure to record the behaviors so that they could be assessed by a person experienced in psychosocial evaluations. We have developed a model using a Bayesian belief network with the help of human resources staff experienced in evaluating behaviors in staff. We conducted an experiment to assess its agreement with human resources and management professionals, with positive results. If implemented in an operational setting, the model would be part of a set of management tools for employee assessment that can raise an alarm about employees who pose higher insider threat risks. In separate work, we combine this psychosocial model's assessment with computer workstation behavior to raise the efficacy of recognizing an insider crime in the making.
Article
Full-text available
A multistage, four sample study was conducted to develop a conceptually consistent and psychometrically sound measure of decision-making style. Construct definitions were developed from prior theory, and items were written to assess rational, avoidant, intuitive, and dependent decision-making styles. A series of principal-axis factor analyses with varimax rotation and subsequent item analyses were conducted to develop four conceptually distinct scales with acceptable internal consistency (alpha ranging from .68 to .94) and a stable factor structure. In the process of scale development, a fifth style (spontaneous) was identified. Tests for independence among the five decision-making style scales and concurrent validity analyses were conducted. Finally, discussion of the new instrument with reference to the extant literature is provided.
Article
Full-text available
The authors extended research linking individual differences in consideration of future consequences (CFC) with health behaviors by (a) testing whether individual differences in regulatory focus would mediate that link and (b) highlighting the value of a revised, two-factor CFC-14 scale with subscales assessing concern with future consequences (CFC-Future) and concern with immediate consequences (CFC-Immediate) proper. Exploratory and confirmatory factor analyses of the revised CFC-14 scale supported the presence of two highly reliable factors (CFC-Future and CFC-Immediate; αs from .80 to .84). Moreover, structural equation modeling showed that those high in CFC-Future engage in exercise and healthy eating because they adopt a promotion orientation. Future use of the two-factor CFC-14 scale is encouraged to shed additional light on how concern with future and concern with immediate consequences (proper) differentially impact the way people resolve a host of intertemporal dilemmas (e.g., health, financial, and environmental behavior).
Article
Full-text available
Many diverse groups have studied the insider threat problem, including government organizations such as the Secret Service, federally-funded research organizations such as RAND and CERT, and university researchers. In addition, many industry participants are interested in the problem, such as those in the financial sector. However, despite this interest, no consistent definition of an insider has emerged.
Article
Full-text available
Information security was the main topic in this paper. An investigation of compliance with information security policies was discussed. The author mentions that the insignificant relationship between rewards and actual compliance with information security policies does not make sense. Quite possibly this relationship results from not applying rewards for security compliance. The author also mentions that, based on the survey conducted, careless employee behavior places an organization's assets and reputation in serious jeopardy. The major threat to information security arises from careless employees who fail to comply with organizations' information security policies and procedures.
Article
Full-text available
Many organisations suspect that their internal security threat is more pressing than their external security threat. The internal threat is predominantly the result of poor user security behaviour. Yet, despite that, security awareness programmes often seem more likely to put users to sleep than to improve their behaviour. This article discusses the influences that affect a user's security behaviour and outlines how a well-structured approach focused on improving behaviour could be an excellent way to take security slack out of an organisation and to achieve a high return for a modest, low-risk investment.
Article
Full-text available
This paper proposes a revised version of the original Domain-Specific Risk-Taking (DOSPERT) scale developed by Weber, Blais, and Betz (2002) that is shorter and applicable to a broader range of ages, cultures, and educational levels. It also provides a French translation of the revised scale. Using multilevel modeling, we investigated the risk-return relationship between apparent risk taking and risk perception in 5 risk domains. The results replicate previously noted differences in reported degree of risk taking and risk perception at the mean level of analysis. The multilevel modeling shows, more interestingly, that within-participants variation in risk taking across the 5 content domains of the scale was about 7 times as large as between-participants variation. We discuss the implications of our findings in terms of the person-situation debate related to risk attitude.
Article
Full-text available
The security research community has recently recognised that user behaviour plays a part in many security failures, and it has become common to refer to users as the 'weakest link in the security chain'. We argue that simply blaming users will not lead to more effective security systems. Security designers must identify the causes of undesirable user behaviour, and address these to design effective security systems. We present examples of how undesirable user behaviour with passwords can be caused by failure to recognise the characteristics of human memory, unattainable or conflicting task demands, and lack of support, training and motivation. We conclude that existing human/computer interaction knowledge and techniques can be used to prevent or address these problems, and outline a vision of a holistic design approach for usable and effective security.
Article
Researchers have noted potential links between Internet addiction, the use of work computers for nonwork purposes and an increased risk of threat to the organization from breaches in cybersecurity. However, much of this research appears conjectural in nature and lacks clear empirical evidence to support such claims. To fill this knowledge gap, a questionnaire-based study explored the link between cyberloafing, Internet addiction, and information security awareness (ISA). A total of 338 participants completed an online questionnaire, which comprised the Online Cognition Scale, the Cyberloafing Scale, and the Human Aspects of Information Security Questionnaire. Participants who reported higher Internet addiction and cyberloafing tendencies had lower ISA, and Internet addiction and cyberloafing predicted a significant 45 percent of the variance in ISA. Serious cyberloafing, such as the propensity to visit adult websites and online gambling, was shown to be the significant predictor for poorer ISA. Implications for organizations and recommendations to reduce or manage inappropriate Internet use are discussed.
Article
Information security awareness (ISA) is integral to protecting an organisation from cyber threats. The aim of this paper is to further establish the validity of the Human Aspects of Information Security Questionnaire (HAIS-Q), as an effective instrument for measuring ISA. We present two studies to further establish the construct validity of this instrument. In Study 1, 112 university students completed the HAIS-Q and also took part in an empirical lab-based phishing experiment. Results indicated that participants who scored more highly on the HAIS-Q had better performance in the phishing experiment. This means the HAIS-Q can predict an aspect of information security behaviour, and provides evidence for its convergent validity. In Study 2, the HAIS-Q was administered to a larger and more representative population of 505 working Australians to further establish the construct validity of the instrument. The results of a factor analysis and other statistical techniques provide evidence for the validity of the HAIS-Q as a robust measure of ISA. We also describe the practical implications of the HAIS-Q, particularly how it could be used by information security practitioners.
Chapter
While behavior change methods have become relatively commonplace in the health domain, they have only recently been applied to the cybersecurity field. In this chapter we review two fundamentally different approaches to behavior change in cybersecurity. First we explore “nudging” and behavioral interventions arising from the MINDSPACE framework. Second we explore the more theoretically based Protection Motivation Theory (PMT) as a framework for introducing behavior change. Finally we consider the relationship between these two approaches.
Article
Security breaches are prevalent in organizations and many of the breaches are attributed to human errors. As a result, the organizations need to increase their employees' security awareness and their capabilities to engage in safe cybersecurity behaviors. Many different psychological and social factors affect employees' cybersecurity behaviors. An important research question to explore is to what extent gender plays a role in mediating the factors that affect cybersecurity beliefs and behaviors of employees. In this vein, we conducted a cross-sectional survey study among employees of diverse organizations. We used structural equation modelling to assess the effect of gender as a moderator variable in the relations between psychosocial factors and self-reported cybersecurity behaviors. Our results show that gender has some effect in security self-efficacy (r = -0.435, p < 0.001), prior experience (r = -0.235, p < 0.001) and computer skills (r = -0.198, p < 0.001) and little effect in cues-to-action (r = -0.152, p < 0.001) and self-reported cybersecurity behaviors (r = -0.152, p < 0.001).
Article
The main purpose of this study was to examine the relationship between individuals' Information Security Awareness (ISA) and individual difference variables, namely age, gender, personality and risk-taking propensity. Within this study, ISA was defined as individuals' knowledge of what policies and procedures they should follow, their understanding of why they should adhere to them (their attitude) and what they actually do (their behaviour). This was measured using the Human Aspects of Information Security Questionnaire (HAIS-Q). Individual difference variables were examined via a survey of 505 working Australians. It was found that conscientiousness, agreeableness, emotional stability and risk-taking propensity significantly explained variance in individuals’ ISA, while age and gender did not. Knowledge of, and attitude towards information security (InfoSec) policies and procedures, explained the most variance in self-reported InfoSec behaviour. Findings highlighted the need for future research to examine individual differences and their impact on ISA. Results of the study can be applied by industry to develop tailored InfoSec training programs.
Article
Threats from the inside of an organization's perimeters are a significant problem, since it is difficult to distinguish them from benign activity. In this overview article we discuss defining properties of insiders and insider threats. After presenting definitions of these terms, we go on to discuss a number of approaches from the technological, the sociological, and the socio-technical domain. We draw two main conclusions. Tackling insider threats requires a combination of techniques from the technical, the sociological, and the socio-technical domain, to enable qualified detection of threats, and their mitigation. Another important observation is that the distinction between insiders and outsiders seems to lose significance as IT infrastructure is used in performing insider attacks.
Article
This article summarizes the objectives and structure of a seminar with the same title, held from July 20th to July 25th, 2008, at Schloss Dagstuhl, Germany. The seminar brought together researchers and policy-makers from all involved communities, to clarify what it is that identifies an insider threat, and to develop a common vision of how an insider can be categorized as well as an integrated approach that allows a qualitative reasoning about the threat and the possibilities of attacks. This report gives an overview of the discussions and presentations during the week, as well as the outcome of these discussions.
Article
The ability to influence behaviour is central to many of the key policy challenges in areas such as health, finance and climate change. The usual route to behaviour change in economics and psychology has been to attempt to ‘change minds’ by influencing the way people think through information and incentives. There is, however, increasing evidence to suggest that ‘changing contexts’ by influencing the environments within which people act (in largely automatic ways) can have important effects on behaviour. We present a mnemonic, MINDSPACE, which gathers up the nine most robust effects that influence our behaviour in mostly automatic (rather than deliberate) ways. This framework is being used by policymakers as an accessible summary of the academic literature. To motivate further research and academic scrutiny, we provide some evidence of the effects in action and highlight some of the significant gaps in our knowledge.
Article
Most efforts to improve cyber security focus primarily on incorporating new technological approaches in products and processes. However, a key element of improvement involves acknowledging the importance of human behavior when designing, building and using cyber security technology. In this survey paper, we describe why incorporating an understanding of human behavior into cyber security products and processes can lead to more effective technology. We present two examples: the first demonstrates how leveraging behavioral science leads to clear improvements, and the other illustrates how behavioral science offers the potential for significant increases in the effectiveness of cyber security. Based on feedback collected from practitioners in preliminary interviews, we narrow our focus to two important behavioral aspects: cognitive load and bias. Next, we identify proven and potential behavioral science findings that have cyber security relevance, not only related to cognitive load and bias but also to heuristics and behavioral science models. We conclude by suggesting several next steps for incorporating behavioral science findings in our technological design, development and use.
Book
Insider Threats in Cyber Security is a cutting-edge text presenting IT and non-IT facets of insider threats together. This volume brings together a critical mass of well-established worldwide researchers, and provides a unique multidisciplinary overview. Monica van Huystee, Senior Policy Advisor at MCI, Ontario, Canada comments "The book will be a must read, so of course I'll need a copy." Insider Threats in Cyber Security covers all aspects of insider threats, from motivation to mitigation. It includes how to monitor insider threats (and what to monitor for), how to mitigate insider threats, and related topics and case studies. Insider Threats in Cyber Security is intended for a professional audience composed of the military, government policy makers and banking; financing companies focusing on the Secure Cyberspace industry. This book is also suitable for advanced-level students and researchers in computer science as a secondary text or reference book.
Article
The personality trait of conscientiousness has been related to morbidity and mortality in old age, but its association with the development of Alzheimer disease is not known. To test the hypothesis that a higher level of conscientiousness is associated with decreased risk of Alzheimer disease. Longitudinal clinicopathologic cohort study with up to 12 years of annual follow-up. The Religious Orders Study. A total of 997 older Catholic nuns, priests, and brothers without dementia at enrollment, recruited from more than 40 groups across the United States. At baseline, they completed a standard 12-item measure of conscientiousness. Those who died underwent a uniform neuropathologic evaluation from which previously established measures of amyloid burden, tangle density, Lewy bodies, and chronic cerebral infarction were derived. Clinical diagnosis of Alzheimer disease and change in previously established measures of global cognition and specific cognitive functions. Conscientiousness scores ranged from 11 to 47 (mean, 34.0; SD, 5.0). During follow-up, 176 people developed Alzheimer disease. In a proportional hazards regression model adjusted for age, sex, and education, a high conscientiousness score (90th percentile) was associated with an 89% reduction in risk of Alzheimer disease compared with a low score (10th percentile). Results were not substantially changed by controlling for other personality traits, activity patterns, vascular conditions, or other risk factors. Conscientiousness was also associated with decreased incidence of mild cognitive impairment and reduced cognitive decline. In those who died and underwent brain autopsy, conscientiousness was unrelated to neuropathologic measures, but it modified the association of neurofibrillary pathologic changes and cerebral infarction with cognition proximate to death. Level of conscientiousness is a risk factor for Alzheimer disease.
Article
Human factors are perhaps the greatest current barrier to effective computer security. Most security mechanisms are simply too difficult and confusing for the average computer user to manage correctly. Designing security software that is usable enough to be effective is a specialized problem, and user interface design strategies that are appropriate for other types of software will not be sufficient to solve it. In order to gain insight and better define this problem, we studied the usability of PGP 5.0, which is a public key encryption program mainly intended for email privacy and authentication. We chose PGP 5.0 because it has a good user interface by conventional standards, and we wanted to discover whether that was sufficient to enable non-programmers who know little about security to actually use it effectively. After performing both user testing and a cognitive walkthrough analysis, we conclude that PGP 5.0 is not sufficiently usable to provide effective security for most users. In the course of our study, we developed general principles for evaluating the usability of computer security utilities and systems. This study is of interest not only because of the conclusions that we reach, but also because it can serve as an example of how to evaluate the usability of computer security software. This publication was supported by Contract No. 102590-98-C-3513 from the United States Postal Service. The contents of this publication are solely the responsibility of the authors and do not necessarily represent the official views of the United States Postal Service. Keywords: security, human-computer interaction, usability, public key cryptography, electronic mail, PGP.
The CERT Guide to Insider threats
  • D Cappelli
  • A Moore
  • R Trzeciak
Unintentional insider threats: A foundational study
  • CERT
Unintentional Insider Threats: Social Engineering
  • CERT
Wasted Time At Work Costing Companies Billions. Asian Enterprise
  • D Malachowski
Factor Structure of the BIS
  • J. H. Patton
The Insider Threat to Information Systems
  • R Shaw
  • K Ruby
  • J Post
Test-retest reliability and internal consistency of the Human Aspects of Information Security Questionnaire (HAIS-Q)
  • A McCormac
  • K Parsons
  • T Zwaans
  • M Butavicius
  • M Pattinson