Chapter

Emerging Threats for the Human Element and Countermeasures in Current Cyber Security Landscape

Abstract

The chapter presents an overview of emerging issues in the psychology of human behaviour and the evolving nature of cyber threats. It reflects on the role of social engineering as the entry point of many sophisticated attacks and highlights the relevance of the human element as the starting point of implementing cyber security programmes in organisations as well as securing individual online behaviour. Issues associated with the emerging trends in human behaviour research and ethics are presented for further discussion. The chapter concludes with a set of open research questions warranting immediate academic attention to avoid the exponential growth of information breaches in the future.

... Thus, as dependence on digital information systems in business processes grows, the commercial value and sensitivity of the information and communication technologies, computer networks, and the data and information held in these systems increase as well. Illegal activities such as accessing, copying, stealing, blocking access to, altering or disclosing such data and information by certain shadowy actors, for national and international commercial competition and other purposes, have become frequent occurrences today (Benson, McAlaney & Frumkin, 2018). As dependence on digital information systems increases, cyber attacks aimed at abusing these systems, using changing and evolving methods and techniques, appear set to continue growing in both quality and quantity. ...
... While some regard cyberpsychology as "doing old things in new ways", others are concerned with what changes online behaviour requires in the methodological approaches of the cyber security field. For instance, it is known that situations resembling theoretical constructs such as the "perceived anonymity" (Le Bon, 1895/1995) and "disinhibition" (Berkowitz & Rawlings, 1963) produced by the internet can cause changes in human behaviour such as "altered risk perceptions" and "an increased desire to engage in criminal behaviour" (Benson, McAlaney & Frumkin, 2018). ...
... People generally work within social settings rather than in isolation from them, and tend to adjust their own thoughts and behaviour to those of the social groups they belong to. Depending on the context, these enveloping and influential groups may be socialisation groups, workplace groups, or cybercriminal or "hacktivist" groups (Benson, McAlaney & Frumkin, 2018). Therefore, neither the activities of attackers nor the reactions and resistance behaviours of those targeted should be assessed independently of the social environment of which they are part and in which they operate (Kelman, 2006). ...
Conference Paper
Full-text available
Abstract: The prevalence of digital technologies in all sectors and at all levels has made information- and data-related processes the priority and the most critical assets of organisations. The central position of information and data has steadily increased the risk that information assets and information systems become targets. The widespread nature of the Internet and the immense increase in the number of connected animate and inanimate actors have led to the digital environment surrounding all industries and public services being named "cyber space". Organisations that earlier tried to secure their information and data today struggle to defend all their tangible and intangible assets and values in this cyber space. In this threatening environment the role of employees is considered critical. While technical measures can provide cyber security resilience to a certain extent, the social dimension of the process is seen as the most essential element of this resilience. Thus, since designing, developing and sustaining an organisational climate in accord with cyber security, and investing in this topic, are thought to be significant, this study tackles and discusses the concept of cyber security in organisations in the light of the relevant theories and applications. Keywords: Cyber security, organizational climate, cyber deterrence, social action theory, planned behaviour theory, deterrence theory, behavioural nudge theory
... The study of how individuals' dissatisfaction with their workplace influences the motivation to commit cybercrime still requires researchers' attention. The interaction between the attacker and the respective environmental dynamics is little explored in the literature (Benson, McAlaney & Frumkin, 2018). Understanding this relationship can contribute to improving cyber security practices by identifying new areas related to safeguarding information, technology infrastructure, people and their respective interests. ...
... Dynamic and constantly evolving, cybercrime is an economic crime of global scope, complex to identify and trace, with varied impacts, whose risks and rewards differ from those of conventional crime (Benson, McAlaney & Frumkin, 2018). Its definition is neither precise nor definitive, nor are its typology and classification (Gercke, 2014). ...
... Originating in studies of human aggression, the idea of counterproductive acts within organisations has been investigated from different behavioural approaches: abuse of others, production deviance or sabotage, theft, withdrawal or some form of absence from work (Benson, McAlaney & Frumkin, 2018). In certain circumstances, organisational factors encourage the violation of established rules and the frustration of expectations. ...
Article
Full-text available
ABSTRACT: This research analyzes how the perception of organizational injustice motivates the practice of cybercrime in the workplace. In a qualitative and exploratory investigation, interviews were carried out with 16 specialists in cyber security. Data were analyzed using the categorical content analysis technique. The results suggest that the perception of injustice produces negative feelings, such as low self-esteem, frustration, and lack of guilt, and that these emotions in turn motivate the practice of cybercrime. The different perceptions identified among the interviewees of this study, together with the literature review on the theme, allowed a conceptual model to be proposed.
... In the context of some organisations, researchers have argued that there may be a culture of too much trust in the security systems. To this end, employees may believe that the IT systems in place protect them from any cyber-attack, and in doing so may feel less responsible for computer related security issues (Benson et al., 2018). This trust in security systems therefore may lead to misguided security practices such as trust in email providers to catch phishing emails. ...
... The theory of 'behavioural nudging' (Thaler & Sunstein, 2008) has also been studied in the cyber security context. The theory suggests that people can be nudged towards certain choices and behaviours, given certain environmental cues, without forcing outcomes on anyone (Benson et al., 2018;Coventry et al., 2014). Therefore, applying this theory to cyber security in the workplace may be useful in leading to more vigilant behaviours by employees. ...
Preprint
Full-text available
This review explores the academic and policy literature in the context of everyday cyber security in organisations. In so doing, it identifies four behavioural sets that influences how people practice cyber security. These are compliance with security policy, intergroup coordination and communication, phishing/email behaviour, and password behaviour. However, it is important to note that these are not exhaustive and they do not exist in isolation. In addition, the review explores the notion of security culture as an overarching theme that overlaps and frames the four behavioural sets. The aim of this review is therefore to provide a summary of the existing literature in the area of everyday cyber security within the social sciences, with a particular focus on organisational contexts. In doing so, it develops a series of suggestions for future research directions based on existing gaps in the literature. The review also includes a theoretical lens that will aid the understanding of existing studies and wider literatures. Where possible, the review makes recommendations for organisations in relation to everyday cyber security.
... This paper aims at contributing to a better understanding of cybercrime by proposing a construction-based representation of cybercrime that: 1) describes the highlights of a cybercrime episode and its possible components; 2) provides a framework for the two-level ordering of crimes based on common criteria. The suggested description can be done with a summary of the specified operations and pertinent steps [7][8][9]. ...
Article
Cyber-crime analysis involves combining past network attacks with new illegal patterns/acts. Singular cybercrime incidents are cases of individual criminal offences, which are increasing according to the misconduct report furnished by an independent regional initiative. In 2014, the Internet Complaint Centre recorded 269,422 complaints of internet wrongdoing. According to the Federal Investigation Bureau, this represents a rise of 1600 percent compared to the 16,838 complaints recorded in the initial study. In a global report published by PricewaterhouseCoopers, the level of data protection appears much lower and in a pitiful condition. Around 2014, the global crime rate rose by 48 percent, with an average of 117,339 attacks per day. The proposed system can be explained by a description of recommended operations, contrasting steps and effective tactics that align with the form of offence and with particular sequences of patterns. Such collaboration would allow better tracing, handling and mitigation of cyber-crime incidents.
... In view of the above, although legislation is extremely important, including symbolically, it is not a definitive condition for the eradication of these crimes (Menezes & Cavalcanti, 2017). It is therefore relevant to take into account the social interactions between individuals and machines and their cyber security attitudes and behaviour (Benson et al. 2018). Hence, "there is a great need to reflect on the impact of information in the digital society and its direct and indirect implications for the establishment of new standards of morality and ethics" (Azevedo et al., 2015). ...
Article
Full-text available
This study aimed to investigate the dynamics of cybercrimes that occurred in the municipality of Belém/PA in the period 2018 to 2020, surveying the most prevalent cybercrimes, classifying them, and identifying the profile of the victims of this type of crime. To achieve this objective, the study used procedures drawn from bibliographic, documentary and field research. For the field research, statistical data on cybercrimes produced by the Public Security Secretariat of the State of Pará (Secretaria de Segurança Pública do Estado do Pará) were collected. The methodology used to develop the graphs is based on the Python programming language for processing and analysing large amounts of data. The study therefore takes a quantitative approach, with statistical analysis and interpretation of the data. The data made it possible to identify that the most prominent crime was fraud (estelionato), followed by crimes against honour (slander, insult and defamation) and the crime of intrusion into a computing device. Regarding the victims' profile, by sex the greatest prevalence was female; by profession, victims were identified across the most varied and independent professional segments; by age group, the highest prevalence was among adults aged 35 to 65. The region of Belém with the highest occurrence of cybercrimes is the central district of the municipality, where the upper-middle-class neighbourhoods of the capital of the State of Pará are concentrated.
... Concerning RQ3, attackers consider humans, rather than devices or systems, as the primary target, which makes them hard to identify [11,41]. The studies reveal that humans are the weakest link in the security chain [6,8,24,26,42]. According to the Human Factor Report of 2018 [15], human vulnerabilities are much more dangerous in modern organizations than the equivalent limitations or weaknesses in software security. Additionally, social networks, email, and website platforms have become attractive to attackers because their attacks can pass unnoticed by traditional intrusion detection systems (see Fig. 3.3). ...
... Present-day cyber configurations go beyond hardware and software components. They also include systemic economic, social and political aspects that are so interconnected that it has become virtually impossible to isolate the human element from the IT systems (Benson, McAlaney, & Frumkin, 2019). Although the existing literature provides a wealth of knowledge on the social facet's influence on cyber operations, it does little to explain its relationship to cybersecurity. ...
Preprint
While cyber security has become a prominent concept of emerging information governance, the Kingdom of Saudi Arabia has been dealing with severe threats to individual and organizational IT systems for a long time. These risks have recently permeated into educational institutions, thereby undermining the confidentiality of information as well as the delivery of education. Recent research has identified various causes and possible solutions to the problem. However, most scholars have considered a reductionist approach, in which the ability of computer configurations to prevent unwanted intrusions is evaluated by breaking them down to their constituent parts. This method is inadequate at studying complex adaptive systems. Therefore, the proposed project is designed to utilize a holistic stance to assess the cybersecurity management and policies in Saudi Arabian universities. Qualitative research, entailing a thorough critical review of ten public universities, will be utilized to investigate the subject matter. The subsequent recommendations can be adopted to enhance the security of IT systems, not only in institutional settings but also in any other environment in which such structures are used.
... To gain better insights into addressing the growing challenges of the digital world, cybersecurity increasingly depends on advances in human behaviour research. While technology may often form the core of cyber attacks, these incidents are initiated and responded to by humans (Benson et al., 2019). Hence, this study is intended to understand the behavioural aspects of humans towards cybersecurity, specifically the personality dimensions. ...
... For the past three years fraud and intrusion have been the most frequently reported security incidents in Malaysia [51]. Cybersecurity professionals agree that security depends on people more than on technical controls and countermeasures [54]. Socio-organisational factors are the main contributors to security failure and, if not addressed properly, can slow down the progress of cloud adoption in organisations. ...
Article
Full-text available
Complying with security rules and standards is important to safeguard valuable information in the organisation. Failure to prevent security breaches costs the organisation huge losses and a bad reputation. Technical solutions are abundant but nonetheless still unsuccessful in deterring information security incidents. The root cause of non-compliance is humans, as they are the weakest link of the security chain. This paper examines information security control management, particularly information security awareness, training and education, risk analysis and management, information security policies and procedures, and physical security monitoring, as well as the cognitive factors which affect employees' information security compliant behaviour in the organization. Based on convenience sampling, a survey was conducted among employees of public and private sectors in Malaysia who are Software as a Service (SaaS) cloud users. Data were collected online and analysed using PLS-SEM. Results show that information security control management and cognitive factors have a highly significant impact in deterring information security misbehaviour in the context of cloud users.
... At this juncture, it should be mentioned that malware attacks are not just targeting financial institutions, defense sectors, and the occasional unsuspecting end user. According to [3], it is not fully possible for any anti-malware tool to detect the targeted and sophisticated cyber attacks of the modern age. ...
Conference Paper
Full-text available
In today's world, the word malware is synonymous with mysterious programs that spread havoc and sow destruction upon the computing systems they infect. Such malware is analyzed and understood by malware analysts who reverse engineer the program in an effort to understand it and provide appropriate identifications or signatures that enable anti-malware programs to effectively combat and resolve threats. Malware authors develop ways to circumvent or prevent this analysis of their code, thus rendering preventive measures ineffective. This paper discusses existing analysis-subverting techniques and how they are overcome by modern analysis techniques. Further, this paper proposes a new method to resist traditional malware analysis techniques by creating a split-personality malware variant that uses a technique known as a shadow attack. The proposal is validated by creating a malware dropper and testing this dropper under controlled laboratory conditions as part of the concept of proactive defense.
Chapter
Most of the research carried out in cybersecurity considers the technical aspects of the security of an organisation's systems. This work highlights the importance of considering the 'softer' social side of cybersecurity, looking at the lived experiences of phishing attack victims and the effect of such attacks on work engagement. In order to understand these effects, the study adopted the grounded theory (GT) approach to collecting and analysing data elicited from participants. The participants were theoretically sampled from the metropolitan area of Johannesburg and presented lived experiences of phishing attacks in their unique contexts. The data were transcribed and coded using GT techniques. From the codes, categories were derived, and a substantive theory that explains the effects of phishing attacks on victims' work engagement was generated. The implications of this theory for previous theories, scholars and practitioners are discussed. Keywords: Cybersecurity, Phishing, Work engagement, Grounded theory
Chapter
Persuasive techniques and persuasive technologies have been suggested as a means to improve user cybersecurity behaviour, but there have been few quantitative studies in this area. In this paper, we present a large-scale evaluation of persuasive messages designed to encourage university staff to complete security training. Persuasive messages were based on Cialdini's principles of persuasion, randomly assigned, and transmitted by email. The training was real, and the messages sent constituted the real campaign to motivate users during the study period. We observed statistically significant variations, but with mild effect sizes, in participant responses to the persuasive messages. 'Unity' persuasive messages, which emphasised the collaborative role of individual users as part of an organisation-wide team effort towards cybersecurity, were more effective than 'Authority' messages, which emphasised a mandatory obligation imposed on users by a hierarchical authority. Participant and organisational factors also appear to affect participant responses. The study suggests that messages emphasising different principles of persuasion may have different levels of effectiveness in encouraging users to take particular security actions. In particular, it suggests that the use of social capital, in the form of increased emphasis on 'unity', may be more effective than increased emphasis on 'authority'. These findings motivate further studies of how the use of social capital may be beneficial for encouraging individuals to adopt similar positive security behaviours.
Chapter
The Internet of Things (IoT) is an important emerging technology that enables (usually) pervasive ubiquitous devices to connect to the Internet. The Medical and Healthcare Internet of Things (MHIoT) represents one of the application areas for IoT that has revolutionized the healthcare sector. In this study, a systematized literature review on the adoption of MHIoT for diabetes management is done to investigate the application of IoT in the monitoring of diabetes, key challenges, what has been done, in which context, and the research gap, using Denyer and Tranfield's systematic literature review methodology. The key findings reveal that developing nations are lagging despite the greater benefits of MHIoT in such resource-constrained contexts. The findings suggest that infrastructure costs, security, and privacy issues are the most important factors in the adoption of MHIoT for diabetes management. The opportunities presented by MHIoT surpass the challenges, as healthcare costs are reduced in a resource-constrained context. Further research into infrastructural needs and privacy concerns is needed to take full advantage of these benefits and address the challenges. Keywords: Health care, Developing countries, Developed countries, Sensors, Glucose, Blood sugar, Actuators, Remote health monitoring
Chapter
IT is being used increasingly in most areas of life. With the IoT, this technology is set to be in a state of continuous evolution in urban and regional settings. The ongoing development of digitalization processes also increases the possibilities of abuse, both at the technical and the interpersonal level. Better information security (IS) awareness (ISA) and knowledge about the dangers that accompany digitalization, and the corresponding protective measures, are important in private and working life. However, ISA is often overlooked. Training the relevant awareness and skills should also be included in urban and regional planning for citizens. This article thus provides a review of the scientific literature of leading academic journals in the area of IS and the transfer of scientific knowledge for practical purposes. The article presents Serious Games as a way to achieve a deeper understanding of how to promote sustainable ISA using creative methods. Furthermore, ideas on how to apply the Fun Theory and its practice to integrate awareness into modern urban and regional planning are discussed.
Article
Full-text available
To ensure the achievement of quality security that safeguards business objectives, implementing and maintaining an effective Cyber Security Strategy (CSS) is crucial. Inevitably, we need to recognize and evaluate the essential factors, such as technological, cultural, regulatory, economic, and others, that may hinder the efficacy of CSS development and implementation. From the literature review, it is evident that such factors are either abstractly stated or assessed only from a single viewpoint, and are scattered across the literature. Moreover, there is a lack of holistic studies that could assist us in comprehending the critical factors affecting a CSS. In this paper, we present a systematic classification of a distinct, structured, and comprehensive list of key factors covering multiple aspects of an organization's CSS, including organizational, cultural, economic, legal and political, and security aspects, to provide a more complete view for understanding the essentials and analyzing the aptitude of a planned or given CSS. The proposed classification is further evaluated to examine the critical factors, verified by conducting semi-structured interviews with security experts in different public sector organizations. Furthermore, we present a comparison of our work with recent attempts, which reflects that a significant accumulation of essential factors has been holistically identified in this study.
Chapter
Full-text available
All security outcomes in cyberspace are determined by individual people, whose behaviour is shaped by their social setting, either organisational or cultural. Yet there has been little evidence globally of the necessary adjustment of policy or practice that gives due weight to the social science dimensions. There is a sharp imbalance between investments in technology for security in cyber space as against social science at almost every level: national government, business enterprise or academia. This shortcoming is compounded by three others of equal or greater importance. First, the further socio-technical threat of unintended system failures, which may be dubbed “cyber incompetence”, is also largely unstudied outside the technical realm. Yet it may be even more costly and far more common than the more prominent concern for addressing cyber-attacks. Second, decisions for digital transformation in all organisations can undermine or enhance security, and are in turn impacted by the competence levels of the decision-makers. Third, the susceptibility of leaders, managers and users to be swayed by disinformation generated by the media or even vendors in fast-moving situations is an equally important threat to business and security. We see these four problem sets as inextricably linked, and argue that we can only analyse any one of them by reference to the idea of the “social cyber ecosystem” in which they all exist. It is their interaction in the shared ecosystem that determines all security and welfare outcomes dependent on cyber space. We argue for the centrality of social science in cyber space management at all levels of national policy, enterprise development and human welfare. We introduce a novel concept to help achieve this reorientation: “creating social cyber value”. This refers to optimised information ecosystem performance: maximizing benefit while minimising insecurity and incompetence. 
Moreover, it argues that this can only be attained when the human use and misuse of relevant technology is recognised as central. The new spirit might be based on the conviction that a social retooling at a system level is not only feasible but a social imperative and moral duty. The benefit of addressing social cyber system value in this proposed comprehensive fashion (insecurity, incompetence, digital transformation, disinformation threats) is that it creates the conditions for the appropriate reflection on important new ethical questions (especially privacy but also worker values) that are raised afresh in the information age. The paper imagines how a process of radical adjustment to the social and systemic influences of security in cyber space might be undertaken to deliver more viable social cyber ecosystems that can match the escalating novel threats, while exploiting more effectively untapped potential of the technology-driven information revolution, still in its early stages.
Article
Cybersecurity is a growing concern for private individuals and professional entities. Reports have shown that the majority of cybersecurity incidents occur because users fail to behave securely. Research on human cybersecurity (HCS) behavior suggests that time pressure is one of the important driving factors behind non-secure HCS behavior. However, there is limited conceptual work to guide researchers and practitioners in this regard. Against this backdrop, we investigate how the impact of time pressure on HCS behavior can be conceptualized within an integrative framework and which countermeasures can be used to reduce its negative impact. Altogether, we conducted 35 interviews with cybersecurity experts, non-security professionals, and private users. The results of our study shed light on the theoretical pathways through which time pressure can affect different types of security behaviors and identify a range of operational, human, technical, and physical countermeasures with important implications for research and practice.
Article
This study developed a socio-technical management process to optimise both technical and non-technical security measures to provide optimal, rather than adequate, enterprise security safeguards. The rationale was that over the last decade, studies have consistently shown that the human being remains the weakest link in the entire enterprise security chain. As a result, the majority of cyberattacks have resulted from human behaviour or error. Despite this, evidence suggests that many enterprises are still taking overly technocentric approaches to cybersecurity risk and this has increased the chances of missing the bigger picture. Thus, a mechanism to optimise both technical and non-technical security measures by identifying and closing socio-technical security gaps in existing enterprise security frameworks was required. The mechanism was derived from the literature and validated by industry practitioners where it was found that practitioners could categorise security controls into social (human included), technical and environmental dimensions. Through this, it was found that there were mainly non-technical (social and environmental dimensions) security gaps at practitioners’ organisations. To further demonstrate how this security challenge can be identified and addressed, a desktop application of the management process was carried out on the COBIT 5 for Information Security framework. The results reveal the non-technical security gaps on COBIT 5 and the management process demonstrates how these could be closed and optimised. The importance of this study is to highlight that taking overly technocentric approaches to enterprise security risk does not yield significantly positive results in protecting assets. A new approach is required and the socio-technical management process is this paper's contribution to address that security challenge.
Article
Full-text available
There has been a tremendous increase in research in the area of cyber security to support cyber applications and to avoid key security threats faced by these applications. The goal of this study is to identify and analyze the common cyber security vulnerabilities. To achieve this goal, a systematic mapping study was conducted, and in total, 78 primary studies were identified and analyzed. After a detailed analysis of the selected studies, we identified the important security vulnerabilities and their frequency of occurrence. Data were also synthesized and analyzed to present the venue of publication, country of publication, key targeted infrastructures and applications. The results show that the security approaches mentioned so far only target security in general, and the solutions provided in these studies need more empirical validation and real implementation. In addition, our results show that most of the selected studies in this review targeted only a few common security vulnerabilities such as phishing, denial-of-service and malware. However, there is a need, in future research, to identify the key cyber security vulnerabilities, targeted/victimized applications, mitigation techniques and infrastructures, so that researchers and practitioners could get a better insight into it.
Article
Full-text available
IT is being increasingly used in most areas of life. With the IoT, this technology is set to be in a state of continuous evolution in urban and regional settings. The ongoing development of digitalization processes also increases the possibilities of abuse—both at the technical and interpersonal level. Better information security (IS) awareness (ISA) and knowledge about the dangers that accompany digitalization and the corresponding protective measures are important in private and work life. However, ISA is often overlooked. Training the relevant awareness and skills should also be included in urban and regional planning for citizens. This article thus provides a review of the scientific literature of leading academic journals in the area of IS and the transfer of scientific knowledge for practical purposes. The article presents Serious Games as a way to achieve a deeper understanding of how to promote sustainable ISA using creative methods. Furthermore, ideas of how to apply the Fun Theory and its practice to integrate awareness into modern urban and regional planning will be discussed.
Technical Report
Full-text available
Technologies brought about by the fourth industrial revolution (4IR) will have a transformational impact on a global scale. Some of these changes are positive; others carry a disproportionately high risk. The importance of cyber security continues to grow as organisations enable their operations with technology and turn to digital solutions when engaging with stakeholders. While 2016 was the year of the largest data breach and the largest DDoS attack, the start of 2017 delivered a truly global wave of ransomware. In this report we look at the landscape of cyber security attacks across industries, highlight the weakest links and recommend ways to address them. Here are some of the report's key findings:
- The World Economic Forum Report 2017 places technology threats in the top 5 societal and economic risks by likelihood and scale of impact, next to weapons of mass destruction.
- The public sector continues to dominate as the primary target of cyberattacks, followed by financial services.
- An average data breach costs large organisations £1.46M, and as much as £300,000 for a small business.
- 40% of SMEs that experienced a data breach due to cyber security attacks are likely to close within a year.
- The largest data breach and largest DDoS attack in history were surpassed by the record-setting events of the WannaCry ransomware in 2017.
- Propelled by the computing power of unsecured smart appliances, Mirai botnet activity continued to expand in 2016.
- In the pre-WannaCry timeframe, 36% of organisations were reporting botnet activity related to ransomware. WannaCry affected 150 countries in 72 hours.
- The U.S. Presidential "election hacking" scandal exposed the rising scale of information security breaches by hostile governments.
- Nearly 90% of RMS (Microsoft Rights Management System) registered attacks targeted vulnerabilities that are over a decade old.
- Mobile malware is gaining ground, with over a third of organisations affected in Africa, while the highest volumes of unique botnet families are reported in the Middle East and Latin America.
- Cloud solutions and IoT fears remain at the top of organisational security concerns, hindering their widespread adoption.
- 56% of organisations admit a shortage of cyber security skilled personnel, taking up to six months to recruit.
- More organisations are relying on threat intelligence to transform cyber security from reactive to proactive.
Article
Full-text available
Little is known about the context sensitivity of users' online security perceptions and behaviors to national and individual attributes, and there is inadequate research about the spectrum of users' behaviors in dealing with online security threats. In addressing this gap, this paper draws on two complementary theoretical bases: (1) the contextualization of the protection motivation theory (PMT) to online security behavior and (2) a polycontextual lens for the cross-national comparison of users' security behaviors in the United States and China. The conceptualized model is tested based on 718 survey observations collected from the United States and China. The results support our model and show the divergence between the United States, an exemplar of modern Western society, and China, an exemplar of traditional Eastern society, in forming threat perceptions and in seeking help and avoidance as coping behaviors. Our results also uncovered the significant moderating impacts of espoused culture on the way perceptions of security threats and coping appraisals influence security behaviors. Our findings underline the importance of context-sensitive theory building in security research and provide insights into the motivators and moderators of individuals' online security behaviors in the two nations.
Article
Full-text available
Recent advances in understanding prejudice and intergroup behavior have made clear that emotions help explain people's reactions to social groups and their members. Intergroup emotions theory (D. M. Mackie, T. Devos, & E. R. Smith, 2000; E. R. Smith, 1993) holds that intergroup emotions are experienced by individuals when they identify with a social group, making the group part of the psychological self. What differentiates such group-level emotions from emotions that occur purely at the individual level? The authors argue that 4 key criteria define group-level emotions: Group emotions are distinct from the same person's individual-level emotions, depend on the person's degree of group identification, are socially shared within a group, and contribute to regulating intragroup and intergroup attitudes and behavior. Evidence from 2 studies supports all 4 of these predictions and thus points to the meaningfulness, coherence, and functionality of group-level emotions.
Article
Purpose – The purpose of this paper is to bridge the gap in the existing literature by exploring the antecedents of information disclosure by social media users. In particular, the paper investigates the link between information disclosure, control over personal information, user awareness and security notices in the social context, all of which are shown to differ from existing studies in e-commerce environments.
Design/methodology/approach – The authors collected and analysed data from 514 social network users. The model is estimated using ordinary least squares, and robust standard errors are estimated using the Huber-White sandwich estimator.
Findings – The results show that in social networking contexts, control over personal information is negatively and statistically associated with information disclosure. However, both user awareness and security notices have a positive statistical effect on information disclosure.
Originality/value – Whilst research on issues of individual information privacy in e-commerce is plentiful, the area of social networking and privacy protection remains under-explored. This paper provides a useful model for analysing information disclosure behaviour on social networks. The authors discuss the practical implications of the findings for actors in social media interactions.
Article
College subjects overheard an epileptic seizure. They believed either that they alone heard the emergency, or that 1 or 4 unseen others were also present. As predicted, the presence of other bystanders reduced the individual's feelings of personal responsibility and lowered his speed of reporting (p < .01). In groups of 3, males reported no faster than females, and females reported no slower when the 1 other bystander was a male rather than a female. In general, personality and background measures were not predictive of helping. Bystander inaction in real-life emergencies is often explained by apathy, alienation, and anomie. The results suggest that the explanation may lie in the bystander's response to the other observers rather than in his indifference to the victim.
Article
This chapter begins with a summary of a model, developed half a century ago, that distinguishes three qualitatively different processes of social influence: compliance, identification, and internalization. The model, originally geared to and experimentally tested in the context of persuasive communication, was subsequently applied to influence in the context of long-term relationships, including psychotherapy, international exchanges, and the socialization of national/ethnic identity. It has been extended to analysis of the relationship of individuals to social systems. Individuals' rule, role, and value orientations to a system--conceptually linked to compliance, identification, and internalization--predict different reactions to their own violations of societal standards, different patterns of personal involvement in the political system, and differences in attitude toward authorities and readiness to obey. In a further extension of the model, three approaches to peacemaking in international or intergroup conflicts are identified--conflict settlement, conflict resolution, and reconciliation--which, respectively, focus on the accommodation of interests, relationships, and identities, and are conducive to changes at the level of compliance, identification, and internalization.