Conference Paper

A Review of Security Awareness Approaches With Special Emphasis on Gamification

Authors:
To read the full-text of this research, you can request a copy directly from the authors.

No full-text available

Request Full-text Paper PDF

To read the full-text of this research,
you can request a copy directly from the authors.

... There are several examples of gamified ISAT. The landscape includes multi-player competitive games, story-based single-player games, board games, role-playing games, quizzes, and more [28,40]. ...
Article
Full-text available
Cybersecurity is a pressing matter, and a lot of the responsibility for cybersecurity is put on the individual user. The individual user is expected to engage in secure behavior by selecting good passwords, identifying malicious emails, and more. Typical support for users comes from Information Security Awareness Training (ISAT), which makes the effectiveness of ISAT a key cybersecurity issue. This paper presents an evaluation of how two promising methods for ISAT support users in acheiving secure behavior using a simulated experiment with 41 participants. The methods were game-based training, where users learn by playing a game, and Context-Based Micro-Training (CBMT), where users are presented with short information in a situation where the information is of direct relevance. Participants were asked to identify phishing emails while their behavior was monitored using eye-tracking technique. The research shows that both training methods can support users towards secure behavior and that CBMT does so to a higher degree than game-based training. The research further shows that most participants were susceptible to phishing, even after training, which suggests that training alone is insufficient to make users behave securely. Consequently, future research ideas, where training is combined with other support systems, are proposed.
... Living Security's Cyber Escape Room is a significant technological advancement. The unique experience combines all of the critical components of a successful training program-handson and enjoyable learning paired with thorough and relevant instruction to improve cybersecurity awareness and evade threats in an entertaining way [25]. In a nutshell, gamification incorporates game components or a game framework into current learning activities; game-based learning creates innately game-like learning experiences. ...
Conference Paper
Full-text available
Learning was always an essential part of our lives to acquire knowledge and move forward. However, the increasing wages of on-campus learning leads to an increasing need for an alternate way of learning. With the outbreak of COVID-19, people needed to stay at home for safety. Therefore, finding an answer to this need became more dominant. Another major problem, especially in the ongoing decade, is the lack of enough cybersecurity knowledge by the common folk. This paper aims to look at a new platform that is carefully designed to teach cybersecurity to learners with any background. We design this system using gamification to increase the efficiency of learning. Because modern technologies are ubiquitous in our lives, particularly during the coronavirus outbreak, including practical work in teaching will be quite beneficial. The practical activity has a clear advantage, such as promoting experimental learning and improving student abilities and skills for the future professional career. Finally, we assess this method with a classic learning approach using two different groups.
... The widely documented 'weakest link phenomenon' highlights the importance of cybersecurity awareness training as ordinary users are most responsible for breaches to a system [8]. This is further evident in a business setting, as employees' behaviours present a threat to information security, with their behaviour affecting the privacy, availability and integrity of company data [9,10]. Therefore, awareness training is necessary for employees to make them aware of the impact of their behaviours and to begin to introduce protection methods. ...
Preprint
Full-text available
With the increase in cybersecurity breaches in UK companies, there has also been a rise in the employment of cybersecurity awareness training. This aims to improve an individual's understanding of various aspects of information security. This paper aims to consider how training programmes can be improved through the use of psychological behaviour change strategies to encourage long term improvements to cybersecurity behaviours. Through this research it has been observed that while incorporating psychological strategies can improve cyber safety, there is still a long way to go in increasing cybersecurity awareness within companies.
... Without data safety, eavesdroppers can illegally obtain private and secret information, which might cause serious harm to any organization [36]. That means that the data should be secure and protected from hackers while sharing confidential data [37]. ...
Article
Full-text available
Whether it's for work or personal well-being, keeping secrets or private information has become part of our everyday existence. Therefore, several researchers acquire an entire focus on secure transmitting secret information. Confidential information is collectively referred to as Steganography for inconspicuous digital media such as video, audio, and images. In disguising information, Steganography plays a significant role. Traditional Steganography faces a further concern of discovery as steganalysis develops. The safety of present steganographic technologies thus has to be improved. In this research, some of the techniques that have been used to hide information inside images have been reviewed. According to the hiding domain, these techniques can be divided into two main parts: The spatial Domain and Transform Domain. In this paper, three methods for each Domain have been chosen to be studied and evaluated. These are; Least Significant Bit (LSB), Pixel Value Difference (PVD), Exploiting Modification Direction (EMD), contourlet transform, Discrete Wavelet Transformation (DWT), and, Discrete Cosine Transformation (DCT). Finally, the best results that have been obtained in terms of higher PSNR, Capacity, and more robustness and security are discussed. Review Article Abdullah et al.; AJRCOS, 10(3): 33-52, 2021; Article no.AJRCOS.70381 34
... Web apps have adapted to the daily life of many people. Web applications' dangers have extended to include enormous expansion [81]. At the moment, the more vulnerabilities are reduced every day, the greater the number of threats [82]. ...
Article
Full-text available
The vulnerabilities in most web applications enable hackers to gain access to confidential and private information. Structured query injection poses a significant threat to web applications and is one of the most common and widely used information theft mechanisms. Where hackers benefit from errors in the design of systems or existing gaps by not filtering the user's input for some special characters and symbols contained within the structural query sentences or the quality of the information is not checked, whether it is text or numerical, which causes unpredictability of the outcome of its implementation. In this paper, we review PHP techniques and other techniques for protecting SQL from the injection, methods for detecting SQL attacks, types of SQL injection, causes of SQL injection via getting and Post, and prevention technology for SQL vulnerabilities.
... Vehicles communicate with (VANET) by wireless connections that are installed on each vehicle node [73]. The nodes communication to the other intermediate nodes which put in its own transmission extent, each node within (VANET) function as both router and network's participant [74]. ...
Article
Full-text available
Vehicular communications, referring to information exchange among vehicles, and infrastructures. It has attracted a lot of attention recently due to its great potential to support intelligent transportation, various safety applications, and on-road infotainment. The aim of technologies such as Vehicle-to-Vehicl (V2V) and Vehicle to-Every-thibg (V2X) Vehicle-to very-thing is to include models of connectivity that can be used in various application contexts by vehicles. However, the routing reliability of these ever-changing networks needs to be paid special attention. The link reliability is defined as the probability that a direct communication link between two vehicles will stay continuously available over a specified period. Furthermore, the link reliability value is accurately calculated using the location, direction and velocity information of vehicles along the road.
... This means long-term exposure to microgravity, isolation, isolation and other stresses, causing harm to both their bodies and brains, under severe environment. The longer an astronaut is exposed to the space, the higher the possibility of facing psychological issues [18]. ...
Article
With the exponential growth of the information on the Internet, there is a high demand for making this information readable and processable by machines. For this purpose, there is a need for the Natural Language Processing (NLP) pipeline. Natural language analysis is a tool used by computers to grasp, perceive, and control human language. This paper discusses various techniques addressed by different researchers on NLP and compares their performance. The comparison among the reviewed researches illustrated that good accuracy levels haved been achieved. Adding to that, the researches that depended on the Sentiment Analysis and ontology methods achieved small prediction error. The syntactic analysis or parsing or syntax analysis is the third stage of the NLP as a conclusion to use NLP technology. This step aims to accurately mean or, from the text, you may state a dictionary meaning. Syntax analysis analyzes the meaning of the text in comparison with the formal grammatical rules.
... Apache is lightweight, wholly featured, and more powerful than other web servers based on Unix. The architecture of Apache is thread-based, where the primary process (Multi-Processing Modules-MPM) is named at startup and performs child processes/threads (modules) to handle requests simultaneously [79,80]. Nginx, developed by Igor Sysoev and then by NginX Inc. in 2004, is a free, open-source, and highperformance web server. ...
Article
Full-text available
Today, web services rapidly increased and are accessed by many users, leading to massive traffic on the Internet. Hence, the web server suffers from this problem, and it becomes challenging to manage the total traffic with growing users. It will be overloaded and show response time and bottleneck, so this massive traffic must be shared among several servers. Therefore, the load balancing technologies and server clusters are potent methods for dealing with server bottlenecks. Load balancing techniques distribute the load among servers in the cluster so that it balances all web servers. The motivation of this paper is to give an overview of the several load balancing techniques used to enhance the efficiency of web servers in terms of response time, throughput, and resource utilization. Different algorithms are addressed by researchers and get good results like the pending job, and IP hash algorithms achieve better performance.
... This means that users can access online services that are generally accessible from any computer with an internet connection, regardless of the user's location, as illustrated in Fig. 9 below [50,71,72,73]. Cloud computing is classified into two models: service models and deployment models; in the following subsection, we will discuss both [74]. ...
Article
Full-text available
The Internet of Things (IoT) is a paradigm shift that enables billions of devices to connect to the Internet. The IoT's diverse application domains, including smart cities, smart homes, and e-health, have created new challenges, chief among them security threats. To accommodate the current networking model, traditional security measures such as firewalls and Intrusion Detection Systems (IDS) must be modified. Additionally, the Internet of Things and Cloud Computing complement one another, frequently used interchangeably when discussing technical services and collaborating to provide a more comprehensive IoT service. In this review, we focus on recent Machine Learning (ML) and Deep Learning (DL) algorithms proposed in IoT security, which can be used to address various security issues. This paper systematically reviews the architecture of IoT applications, the security aspect of IoT, service models of cloud computing, and cloud deployment models. Finally, we discuss the latest ML and DL strategies for solving various security issues in IoT networks.
Article
Full-text available
Background: Demographic transition has led to a rise in elderly population, their social security being a priority. Awareness and utilisation of these being less researched, we undertook this study. Aim & Objective: To find the awareness regarding existing social security schemes, the pattern of their utilisation and enlist the challenges faced in utilising them. Material and Methods: A cross-sectional study was conducted from January to March 2018, among randomly selected consenting elderly in the urban and rural field-practice areas of a medical college. Data was analysed using EpiInfo software. Results: A total of 540(270 each in urban and rural) participants were included.55.93% in urban and 51.48% in rural were aware and 33.38% in urban and 15.56% in rural utilised atleast one of the schemes. 27.78% in urban and 25.19% in rural expressed their dissatisfaction with the pension received. The differences in the awareness about property protection and old age pension had a statistically significant difference between the urban and rural population with better awareness among the urban elderly. Conclusions: The awareness levels were nearly the same in the urban and rural population, but utilisation rates had a marked difference. Lesser utilisation in rural areas needs to be researched, causes identified and addressed.
Article
Full-text available
The emergence of cloud computing has changed perception of all regarding software delivery, development models and infrastructure. Cloud computing has a potential of providing elastic, easily manageable, powerful and cost-effective solutions. The rapid transition to cloud computing has fueled concerns on the security issues. The migration of the user's data and applications in a shared environment of a cloud, where there is a collocation of several users increases security related concerns. Several research efforts have been made in evaluating challenges related to security faced by the cloud computing environments, a number of solutions of such problems have also been proposed. Integrated security solutions should be devised to deal with the increasing security risks. In this paper, a detailed cloud computing survey, key services and concepts are being presented. This paper attempts to evaluate various security threats to cloud computing and a number of security solutions have also been discussed. Furthermore, a brief view of the cloud security regulatory bodies and compliance have also been presented. Despite the research efforts in cloud security field, there are still some open research problems and challenges which are discussed in this paper.
Article
Full-text available
For elementary students, security and privacy education is anticipated to be more joyful when the knowledge is delivered in the form of a digital game-based learning activity. This paper details on the development of a novel learning platform that comprises a web-based Learning Content Management Systems (LCMS) and a mobile client application (app) for educating and raising young learners’ awareness on basic cybersecurity and privacy issues. The app, which comprises a suite of quick games, can be played either in standalone or in client/server mode and it is especially destined to elementary students. Further, due to the anytime and anywhere characteristics of the app, it can be experienced as a classroom or an outdoor learning activity. Contrary to analogous studies found in the literature so far, during the design phase of the app, our focus was not solely on its technological aspects, but we uniformly paid special attention to the educational factor by applying the Attention, Relevance, Confidence, and Satisfaction (ARCS) model of motivation. A preliminary evaluation of the app, including learning effectiveness, usability, and user’s satisfaction was conducted with 52 elementary-aged students. Among others, the results show that the interaction with the app significantly increases the mean performance of the participants by almost 20%.
Article
Full-text available
Numerous organizations recognize that their workers, who are usually thought of the weakest link in information security, also can be great assets in the effort to reduce risk associated with data security. Information security has not been given enough consideration among the writing as far as the human issue impact; researchers have involved a lot of examination throughout this area. Human factors assume a noteworthy in computer security. all through this paper, we target the relationship of the human factor in information security showing the human weaknesses which can cause unintentional harm to the organization and discuss, be that as it may, information security awareness may be a major tool in overcoming these weaknesses.
Article
Full-text available
Purpose It is widely acknowledged that non-compliance of employees with information security polices is one of the major challenges facing organisations. This paper aims to propose a model that is intended to provide a comprehensive framework for raising the level of compliance amongst end-users, with the aim of monitoring, measuring and responding to users’ behaviour with an information security policy. Design/methodology/approach The proposed model is based on two main concepts: a taxonomy of the response strategy to non-compliant behaviour and a compliance points system. The response taxonomy comprises two categories: awareness raising and enforcement of the security policy. The compliance points system is used to reward compliant behaviour and penalise non-compliant behaviour. Findings A prototype system has been developed to simulate the proposed model and work as a real system that responds to the behaviour of users (reflecting both violations and compliance behaviour). In addition, the model has been evaluated by interviewing experts from academic and industry. They considered the proposed model to offers a novel approach for managing end users’ behaviour with the information security policies. Research limitations/implications Psychological factors were out of the research scope at this stage. The proposed model may have some psychological impacts upon users; therefore, this issue needs to be considered by studying the potential impacts and the best solutions. Originality/value Users being compliant with the information security policies of their organisation is the key to strengthen information security. Therefore, when employees have a good level of compliance with security policies, this positively affects the overall security of an organisation.
Conference Paper
Full-text available
Adversary thinking is an essential skill for cybersecurity experts, enabling them to understand cyber attacks and set up effective defenses. While this skill is commonly exercised by Capture the Flag games and hands-on activities, we complement these approaches with a key innovation: undergraduate students learn methods of network attack and defense by creating educational games in a cyber range. In this paper, we present the design of two courses, instruction and assessment techniques, as well as our observations over the last three semesters. The students report they had a unique opportunity to deeply understand the topic and practice their soft skills, as they presented their results at a faculty open day event. Their peers, who played the created games, rated the quality and educational value of the games overwhelmingly positively. Moreover, the open day raised awareness about cybersecurity and research and development in this field at our faculty. We believe that sharing our teaching experience will be valuable for instructors planning to introduce active learning of cybersecurity and adversary thinking.
Conference Paper
Full-text available
An increasing number of information security breaches in organisations presents a serious threat to the confidentiality of personal and commercially sensitive data. Recent research shows that humans are the weakest link in the security chain and the root cause of a great portion of security breaches. This paper draws on prior research on organisational culture to examine how cultural factors affect employee security behaviour. Data for this research project were collected in 15 organisations in the United States and Ireland through qualitative interviews. Our findings demonstrate that organisational culture values of solidarity and people-orientation promote information security compliance, while sociability and task-orientation have a negative effect on employee security behaviour.
Article
Full-text available
Maintaining Information Security and protecting data assets remains a principal concern for businesses. Many data breaches continue to result from accidental, intentional or malicious human factors, leading to financial or reputational loss. One approach towards improving behaviours and culture is with the application of on-going awareness activities. This paper presents an approach for identifying security related human factors by incorporating personas into information security awareness design and implementation. The personas, which are grounded in empirical data, offer a useful method for identifying audience needs and security risks, enabling a tailored approach to business-specific awareness activities. As a means for integrating personas, we present six on-going steps that can be embedded into business-as-usual activities with 90-day cycles of awareness themes, and evaluate our approach with a case study business. Our findings suggest a persona-centred information security awareness approach has the capacity to adapt to the time and resource required for its implementation within the business, and offer a positive contribution towards reducing or mitigating Information Security risks through security awareness.
Conference Paper
Full-text available
Recent research has begun to focus on the factors that cause people to respond to phishing attacks as well as affect user behavior on social networks. This study examines the correlation between the Big Five personality traits and email phishing response. Another aspect examined is how these factors relate to users' tendency to share information and protect their privacy on Facebook (which is one of the most popular social networking sites). This research shows that when using a prize phishing email, neuroticism is the factor most correlated to responding to this email, in addition to a gender-based difference in the response. This study also found that people who score high on the openness factor tend to both post more information on Facebook as well as have less strict privacy settings, which may cause them to be susceptible to privacy attacks. In addition, this work detected no correlation between the participants estimate of being vulnerable to phishing attacks and actually being phished, which suggests susceptibility to phishing is not due to lack of awareness of the phishing risks and that real-time response to phishing is hard to predict in advance by online users. The goal of this study is to better understand the traits that contribute to online vulnerability, for the purpose of developing customized user interfaces and secure awareness education, designed to increase users' privacy and security in the future.
Article
Full-text available
Employees’ poor compliance with information security policies is a perennial problem. Current information security analysis methods do not allow information security managers to capture the rationalities behind employees’ compliance and non-compliance. To address this shortcoming, this design science research paper suggests: (a) a Value-Based Compliance analysis method and (b) a set of design principles for methods that analyse different rationalities for information security. Our empirical demonstration shows that the method supports a systematic analysis of why employees comply/do not comply with policies. Thus we provide managers with a tool to make them more knowledgeable about employees’ information security behaviours.
Article
Full-text available
Because violations of information security (ISec) and privacy have become ubiquitous in both personal and work environments, academic attention to ISec and privacy has taken on paramount importance. Consequently, a key focus of ISec research has been discovering ways to motivate individuals to engage in more secure behaviors. Over time, the protection motivation theory (PMT) has become a leading theoretical foundation used in ISec research to help motivate individuals to change their security-related behaviors to protect themselves and their organizations. Our careful review of the foundation for PMT identified three opportunities for improving ISec PMT research. First, extant ISec studies do not use the full nomology of PMT constructs. Second, only one study uses fear-appeal manipulations, even though these are a core element of PMT, and virtually no ISec study models or measures fear. Third, whereas these studies have made excellent progress in predicting security intentions, none of them have addressed actual security behaviors. This article describes the theoretical foundation of these three opportunities for improvement. We tested the nomology of PMT, including manipulated fear appeals, in two different ISec contexts that model PMT’s modern theoretical treatment more closely than do extant ISec studies. The first data collection was a longitudinal study in the context of data backups. The second study was a short-term cross-sectional study in the context of anti-malware software. Our new model demonstrated better results and stronger fit than the existing models and confirmed the efficacy of the three potential improvements we identified.
Article
Full-text available
Current approaches to cyber-security are not working. Rather than producing more security, we seem to be facing less and less. The reason for this is a multi-dimensional and multi-faceted security dilemma that extends beyond the state and its interaction with other states. It will be shown how the focus on the state and "its" security crowds out consideration for the security of the individual citizen, with detrimental effects on the security of the whole system. The threat arising from cyberspace to (national) security is presented as possible disruption to a specific way of life, one building on information technologies and critical functions of infrastructures, with relatively little consideration for humans directly. This non-focus on people makes it easier for state actors to militarize cyber-security and (re-)assert their power in cyberspace, thereby overriding the different security needs of human beings in that space. Paradoxically, the use of cyberspace as a tool for national security, both in the dimension of war fighting and the dimension of mass-surveillance, has detrimental effects on the level of cyber-security globally. A solution out of this dilemma is a cyber-security policy that is decidedly anti-vulnerability and at the same time based on strong considerations for privacy and data protection. Such a security would have to be informed by an ethics of the infosphere that is based on the dignity of information related to human beings.
Article
Full-text available
Gamification is the use of game design elements and game mechanics in non-game contexts. This idea has been used successfully in many web based businesses to increase user engagement. Some researchers suggest that it could also be used in web based education as a tool to increase student motivation and engagement. In an attempt to verify those theories, we have designed and built a gamification plugin for a well-known e-learning platform. We have made an experiment using this plugin in a university course, collecting quantitative and qualitative data in the process. Our findings suggest that some common beliefs about the benefits obtained when using games in education can be challenged. Students who completed the gamified experience got better scores in practical assignments and in overall score, but our findings also suggest that these students performed poorly on written assignments and participated less on class activities, although their initial motivation was higher.
Article
This paper by Dr. Maria Bada and Professor Angela Sasse focuses on Security Awareness Campaigns, trying to identify factors which potentially lead to failure of these in changing the information security behaviours of consumers and employees. Past and current efforts to improve information security practices have not had the desired effort. In this paper, we explain the challenges involved in improving information security behaviours. Changing behaviour requires more than giving information about risks and correct behaviours – firstly, the people must be able to understand and apply the advice, and secondly, they must be willing to do – and the latter requires changes to attitudes and intentions. These antecedents of behaviour change are identified in several psychological models of behaviour (e.g. theory of reasoned action, theory of planned behaviour, protection motivation theory). We review the suitability of persuasion techniques, including the widely used fear appeals. Essential components for an awareness campaign as well as factors which can lead to a campaign’s failure are also discussed. In order to enact change, the current sources of influence-whether they are conscious or unconscious, personal, environmental or social, which are keeping people from enacting vital behaviours, need to be identified. Cultural differences in risk perceptions can also influence the maintenance of a particular way of life. Finally, since the vast majority of behaviours are habitual, the change from existing habits to better information security habits requires support. Finally, we present examples of existing awareness campaigns in U.K., in Australia, in Canada and Africa.
Article
In this study, we use the attentional phase of social learning theory to link workplace security-related experiences and observations to employees’ security awareness. The responses of 398 organizational employees serve to test our research model using structural equational modeling with AMOS 22.0. The results show security awareness arises from both explicit and subjective security experiences in the workplace. Our respondents indicate knowledge of a physical system has little, if any, effect on security awareness. However, security education, policy, visibility and managerial security participation are important for producing security awareness. Furthermore, managerial participation strengthens the links between organizational security efforts and security awareness. We discuss the implications of our study for future security compliance research and practice.
Chapter
Due to the prevalence of online services in modern society, such as internet banking and social media, it is important for users to have an understanding of basic security measures in order to keep themselves safe online. However, users often do not know how to make their online interactions secure, which demonstrates an educational need in this area. Gamification has grown in popularity in recent years and has been used to teach people about a range of subjects. This paper presents an exploratory study investigating the use of gamification techniques to educate average users about password security, with the aim of raising overall security awareness. To explore the impact of such techniques, a role-playing quiz application (RPG) was developed for the Android platform to educate users about password security. Results gained from the work highlighted that users enjoyed learning via the use of the password application, and felt they benefitted from the inclusion of gamification techniques. Future work seeks to expand the prototype into a full solution, covering a range of security awareness issues.
Article
Purpose This paper aims to examine the influence of response awareness on behavioral intent, and introduces instructional self-efficacy, a construct rarely examined within the context of information security (ISec). Design/methodology/approach A Web-based survey was conducted and a total of 211 valid responses were analyzed. The relationships among response awareness, instructional self-efficacy and behavioral intent were examined through a three-phase structural equation modeling analysis. Findings The results indicate that even at low levels, response awareness has a strong influential effect on the behavioral intent to perform the secure response and on the self-efficacy to instruct others to perform the response. Instructional self-efficacy was also found to be a significant predictor of behavioral intent to perform the response. Finally, evidence was found indicating instructional self-efficacy fully mediates the response awareness to the behavioral intent relationship. Research limitations/implications Because of the characteristics of the population, the focus on a single ISec response and the dependent variable of behavioral intent rather than actual behavior, the generalizability of the findings is impacted. Practical implications The results contribute to practice by confirming the importance of response awareness and of instructional self-efficacy within an ISec context. Specific implications include the indication that informal communications about ISec issues among peers should be encouraged and that instructional self-efficacy should be targeted within ISec awareness training programs. Originality/value This paper’s parsimonious model defined response awareness as vicarious experience with a response and presented instructional self-efficacy, a construct novel to ISec studies that was found to be a significant influence within the relationship between response awareness and behavioral intent.
Conference Paper
A shortage of cyber security personnel is a major problem which is exacerbated by an increase in cyber attacks and the possible demotivation of the mentioned personnel. This shortage could be ameliorated by providing cyber security training to more people; meanwhile, it is crucial to maintain motivations among the cyber security team members within a given organization in order to appropriately address evolving and changing cyber attacks. To overcome the above problems, we propose a cyber security game exercise tool, which focuses on the areas already demonstrated by the existing tools of the same genre. To validate our tool, we conducted cyber security game exercises and evaluated the achievement of our design policy by analyzing the results of our questionnaire provided by the participants. Our analysis shows that our tool is useful for obtaining knowledge and assessing the level of each player.
Article
As internet technology and mobile applications increase in volume and complexity, malicious cyber-attacks are evolving, and as a result society is facing greater security risks in cyberspace more than ever before. This study has extended the published literature on cybersecurity by theoretically defining the conceptual domains of employees’ security behavior, and developed and tested operational measures to advance information security behavior research in the workplace. A conceptual framework is proposed and tested using survey results from 579 business managers and professionals. Structural equation modeling and ANOVA procedures are employed to test the proposed hypotheses. The results show that when employees are aware of their company’s information security policy and procedures, they are more competent to manage cybersecurity tasks than those who are not aware of their companies’ cybersecurity policies. The study also indicates that an organizational information security environment positively influences employees’ threat appraisal and coping appraisal abilities, which in turn, positively contribute to their cybersecurity compliance behavior.
Article
The cyber awareness of online video game players (n = 183) was investigated by examining their online safety practices and the degree to which they were exposed to threats. With findings revealing that gamers engaged in poor online practices, despite expressing concern for their safety, this investigation supports the view that gamers are unaware of the possible consequences of their online actions, and/or continue to show resistance to cybersecurity practices perceived to hinder gameplay. While the findings should be regarded as preliminary, game developers and publishers, policymakers, and researchers may find them valuable in obtaining a clearer understanding of gamers' cyber awareness and online practices. Coupled with ongoing research, these findings may also prove valuable for the identification of strategies that may be used to curb risky online behavior.
Conference Paper
This paper introduces a Competence Developing Game (CDG) for the purpose of a cybersecurity awareness training for businesses. The target audience will be discussed in detail to understand their requirements. It will be explained why and how a mix of business simulation and serious game meets these stakeholder requirements. It will be shown that a tablet and touchscreen based approach is the most suitable solution. In addition, an empirical study will be briefly presented. The study was carried out to examine how an interaction system for a 3D-tablet based CDG has to be designed, to be manageable for non-game experienced employees. Furthermore, it will be explained which serious content is necessary for a Cybersecurity awareness training CDG and how this content is wrapped in the game. https://www.thinkmind.org/index.php?view=article&articleid=achi_2018_5_10_20057
Article
Modern organizations face significant information security threats, to which they respond with various managerial techniques. It is widely believed that “one size does not fit all” for achieving employee information security policy compliance; nevertheless, it is yet to be determined which techniques work best to different organizational employees. We further this research stream by finding that different levels of users might be effectively motivated by different types of coercive and empowering techniques that are suitable to their level and position in the organizational chart. Our results suggest that participation in the ISP decision-making process might prove to be a more effective approach to motivate lower-level employees toward compliance and that enhancing the meaningfulness of policy compliance could be the preferred method among higher levels of management. Members within each level of the organization can be effectively influenced to comply with ISPs when such strategies are customized for their level.
Article
Information security awareness (ISA) is integral to protecting an organisation from cyber threats. The aim of this paper is to further establish the validity of the Human Aspects of Information Security Questionnaire (HAIS-Q), as an effective instrument for measuring ISA. We present two studies to further establish the construct validity of this instrument. In Study 1, 112 university students completed the HAIS-Q and also took part in an empirical lab-based phishing experiment. Results indicated that participants who scored more highly on the HAIS-Q had better performance in the phishing experiment. This means the HAIS-Q can predict an aspect of information security behaviour, and provides evidence for its convergent validity. In Study 2, the HAIS-Q was administered to a larger and more representative population of 505 working Australians to further establish the construct validity of the instrument. The results of a factor analysis and other statistical techniques provide evidence for the validity of the HAIS-Q as a robust measure of ISA. We also describe the practical implications of the HAIS-Q, particularly how it could be used by information security practitioners.
Article
Organizations are trying to induce employees to comply with information security policy (ISP) as organizational damage of information breach incidents gets serious. Many previous approaches to ISP compliance have focused on security technologies. However, researchers in this area agree that technology approach is not sufficient so that other approaches such as behavioral and social are required. This study suggests the integrated research model including ISP compliance antecedents and psychological contract fulfillment. The study investigates the mediating effect of psychological contract fulfillment between perceived costs and ISP compliance intention comparing supervisor and supervisee groups. The results show that psychological contract fulfillment can mitigate the negative effect of costs on ISP compliance intention in supervisor group. Employees also anticipate complying with ISP when they recognize the benefits of ISP compliance. This study could shed more lights on the ISP compliance area by integrating and examining ISP compliance research model with psychological contract as a social factor.
Conference Paper
Cloud networking is the next generation architecture of IT. Clouds are very complex architectures. They have a replicated thousands of times, and common functional units and can be reduced to simple primitives. many issues related to security were created by complexity of cloud networking as well as all aspects of Cloud networking. Data security is one of the most important issues. The Cloud usually has a one security architecture but has many customers with variety requests. There are new risks introduced by clouds, like multi-tenancy, virtualization and data outsourcing in additional to existing security risks related to Cloud service providers (CSPs) and cloud customers (CCs). information security and their conformity with cloud networking security challenges targeted by Several international and industrial standards. Since there is a continuous increase in the field of communication regarding advanced data, there is an increase in need for time and statistical overhead that is associated with the application of cryptographic. Parallelizing the computation of cryptographic algorithms on many-core computing platforms can be a promising approach to reduce the execution time and eventually the energy consumption of such algorithms. In this paper we will analyze and compare a some of cryptosystems security evaluation approaches worked in cloud networking environment and depended on variety parameters to explain these approaches and show how it work in the few last years with the great modifying in cloud and great data growing.
Chapter
Every organization is as frail as its frailest human link in the cyber security of Industry Control System (ICS), which is without predisposition to conceivable technological solutions for enforcing security. Noticeably, human-involved systems are becoming more chaotic, and gravely under attacks due to irregular actions or inactions of human entities in the constituent chain. Many industrial cyber-attacks have successfully defeated technological security solutions through preying on human weaknesses in knowledge and skills, and manipulating insiders within organizations into unsuspectingly delivering entry and access to sensitive industrial assets. In order to help enterprises assess the level of employees’ cyber security awareness and responsiveness, and enhance ICS Cyber security knowledge and skills for ICS protection, a Workforce Cyber Security Capability evaluation model is presented, and theoretically validated. A capability evaluation will allow industries to have a better understanding of the potential state of consciousness, readiness and diagnostic abilities of the industries; thus improve the prevention, detection, and response to any cyber-specific incidents.
Conference Paper
The weakest link in the field of information security that has been identified in the literature is the organisation’s employees. Information security policy compliance is one of the main challenges facing organisations today. Although implementing technical and procedural measures clearly helps to improve an organisation's information security, the human factor or the employees' compliance with these measures is the key to success. However, organisations are now having some issues regarding the extent of employee adherence to policy. The problem of employees being unaware or ignorant of their responsibilities in relation to information security is still an open issue. The proposed idea in this paper will seek to enhance end user adherence to information security policies by proposing a framework for security policy compliance monitoring and targeted awareness raising. The foremost aim of this framework is to increase users’ awareness of the importance of following information security policies. Continuously subjecting users to targeted awareness and monitoring their adherence to information security policies should enhance the effectiveness of such awareness efforts. The proposed framework is a part of on-going research and is intended to provide a foundation for future research on a dynamic adaption of users’ behaviour with information security policies.
Conference Paper
Information Security professionals have been attempting to convince senior management for many years that humans represent a major risk to the security of an organization’s computer systems and the information that these systems process. This major threat relates to the behavior of employees whilst they are using a computer at work. This paper examines the non-malicious computer-based behavior and how it is influenced by a mixture of individual, organizational and interventional factors. The specific factors reported herein include an employee’s age; education level; ability to control impulsivity; familiarity with computers; and personality. This research utilized the Qualtrics online web-based survey software to develop and distribute a questionnaire that resulted in 500 valid responses. The major conclusions of this research are that an employee’s accidental-naive behavior is likely to be less risky if they are more conscientious; older; more agreeable; less impulsive; more open; and, surprisingly, less familiar with computers.
Conference Paper
The purpose of this paper is to study information security awareness (ISA) among university students and further analyze how different individual factors impact it. Through descriptive survey approach, a questionnaire consisting of 30 items was circulated in our university, resulting in 614 usable responses. Here the ISA is considered as a combination of knowledge and behavior. Factors such as age, gender, level of education, field of study, nationality, area of living, working experience and ISA training are considered as individual factors. Perceived ISA level among the students is also examined. For the overall study, arithmetic mean and standard deviation are used. For analyzing the effect of different individual factors, Pearson's coefficient of correlation is computed. Gender, living place and information security related training have statistically significant correlation with attained ISA level, whereas, factors such as age, nationality, discipline and level of education have statistically insignificant correlation with attained ISA level. Furthermore, gender and training have statistical significant correlation with the perceived ISA as well as the dimensions of ISA, that is, knowledge and behavior. Factors such as age and experience have significant correlation with perceived ISA, whereas, living area correlates with knowledge only.
Article
Incident handling strategy is one key strategy to mitigate risks to the confidentiality, integrity and availability (CIA) of organisation assets, as well as minimising loss (e.g. financial, reputational and legal) particularly as organisations move to the cloud. In this paper, we surveyed existing incident handling and digital forensic literature with the aims of contributing to the knowledge gap(s) in handling incidents in the cloud environment. 139 English language publications between January 2009 and May 2014 were located by searching various sources including the websites of standard bodies (e.g. National Institute of Standards and Technology) and academic databases (e.g. Google Scholar, IEEEXplore, ACM Digital Library, Springer and ScienceDirect). We then propose a conceptual cloud incident handling model that brings together incident handling, digital forensic and the Capability Maturity Model for Services to more effectively handle incidents for organisations using the cloud. A discussion of open research issues concludes this survey.
Article
Cyber situational awareness is attracting much attention. It features prominently in the national cyber strategies of many countries, and there is a considerable body of research dealing with it. However, until now, there has been no systematic and up-to-date review of the scientific literature on cyber situational awareness. This article presents a review of cyber situational awareness, based on systematic queries in four leading scientific databases. 102 articles were read, clustered, and are succinctly described in the paper. The findings are discussed from the perspective of both national cyber strategies and science, and some directions for future research are examined.
Article
Organisations increasingly rely on information and related systems, which are also a source of risk. Unfortunately, employees represent the greatest risk to organisational information, because they are the most frequent source of information security breaches. To address this ‘weak link’ in organisational security, most organisations have strict information security policies (ISPs) designed to thwart employee information abuses. Regrettably, these ISPs are only partially effective, because employees often ignore them, circumvent them, or even do the opposite of what management desires. Research on attempts to increase ISP compliance has produced similarly mixed results. Lack of compliance with ISPs is a widespread organisational issue that increasingly bears disproportionately large direct and qualitative costs that undermine strategy. Consequently, the purpose of our study was to contribute to the understanding of both motivations to comply with new ISPs and motivations to react negatively against them. To do so, we proposed an innovative model, the control-reactance compliance model (CRCM), which combines organisational control theory—a model that explains ISP compliance—with reactance theory—a model used to explain ISP noncompliance. To test CRCM, we used a sample of 320 working professionals in a variety of industries to examine the likely organisational outcomes of the delivery of a new ISP to employees in the form of a typical memo sent throughout an organisation. We largely found support for CRCM, and this study concludes with an explanation of the model’s contributions to research and practice related to organisational ISP compliance.
Conference Paper
Recent research has begun to focus on the factors that cause people to respond to phishing attacks as well as affect user behavior on social networks. This study examines the correlation between the Big Five personality traits and email phishing response. Another aspect examined is how these factors relate to users' tendency to share information and protect their privacy on Facebook (which is one of the most popular social networking sites). This research shows that when using a prize phishing email, neuroticism is the factor most correlated to responding to this email, in addition to a gender-based difference in the response. This study also found that people who score high on the openness factor tend to both post more information on Facebook as well as have less strict privacy settings, which may cause them to be susceptible to privacy attacks. In addition, this work detected no correlation between the participants estimate of being vulnerable to phishing attacks and actually being phished, which suggests susceptibility to phishing is not due to lack of awareness of the phishing risks and that real-time response to phishing is hard to predict in advance by online users. The goal of this study is to better understand the traits that contribute to online vulnerability, for the purpose of developing customized user interfaces and secure awareness education, designed to increase users' privacy and security in the future.
Conference Paper
Cybersecurity awareness and cyber skills training are vitally important and challenging. A huge number of attacks against everyday users occur routinely. Prevention techniques and responses are wide ranging but are only effective if used effectively. The objective of this research is to teach everyday users the requisite cybersecurity skills through gaming, beyond the current state of practice. Because the skill level of the trainees is also wide ranging, from causal computer users to software engineers to system administrators to managers, the games must also be capable of training this wide range of computer users. Computer games can provide a media for delivering training in an engaging format at levels appropriate for the individual trainees. In this paper we (1) describe the state of practice by describing the gaming tool used in most cyber challenges at high schools and colleges in the U.S, i.e., the cybersecurity gaming tool CyberNEXS™ (Science Applications International Corporation), (2) outline some of the additional topics that should be addressed in cybersecurity training and (3) note some other approaches to game design that might prove useful for future cybersecurity training game development beyond CyberNEXS.
Article
This study investigated employees’ information systems security policy (ISSP) compliance behavioural intentions in organisations from the theoretical lenses of social bonding, social influence, and cognitive processing. Given that previous research on ISSP compliance has been based on deterrence theory, this study seeks to augment and diversify research on ISSP compliance through its theoretical perspective. Relevant hypotheses were developed to test the research conceptualisation. Data from a survey of business managers and IS professionals confirmed that social bonds that are formed at work largely influence attitudes towards compliance and subjective norms, with both constructs positively affecting employees’ ISSP compliance. Employees’ locus of control and capabilities and competence related to IS security issues also affect ISSP compliance behavioural intentions. Overall, the constructs in the research model enhance our understanding of the social-organisational and psychological factors that might encourage or accentuate employees’ ISSP compliance in the workplace.
Article
Operating systems and programmes are more protected these days and attackers have shifted their attention to human elements to break into the organisation's information systems. As the number and frequency of cyber-attacks designed to take advantage of unsuspecting personnel are increasing, the significance of the human factor in information security management cannot be understated. In order to counter cyber-attacks designed to exploit human factors in information security chain, information security awareness with an objective to reduce information security risks that occur due to human related vulnerabilities is paramount. This paper discusses and evaluates the effects of various information security awareness delivery methods used in improving end-users’ information security awareness and behaviour. There are a wide range of information security awareness delivery methods such as web-based training materials, contextual training and embedded training. In spite of efforts to increase information security awareness, research is scant regarding effective information security awareness delivery methods. To this end, this study focuses on determining the security awareness delivery method that is most successful in providing information security awareness and which delivery method is preferred by users. We conducted information security awareness using text-based, game-based and video-based delivery methods with the aim of determining user preferences. Our study suggests that a combined delivery methods are better than individual security awareness delivery method.
Article
Security education can be a daunting task. Many IT professionals and senior managers feel it is an uphill battle to make everyone understand that they have a part to play in the overall security of the organisation. As more reports of incidents involving the loss of sensitive information hit the press, you would think that the job of education had been half done. Certainly, these incidents have raised awareness of security in everyone's minds; but the assumption that this will be enough is a problem. Many employees have little idea of what information is and is not important to their employer. Obviously good communication is vital and there is a great deal to be gained from an effective information security awareness programme.
Article
Information technology has become an integral part of modern life. Today, the use of information permeates every aspect of both business and private lives. Most organizations need information systems to survive and prosper and thus need to be serious about protecting their information assets. Many of the processes needed to protect these information assets are, to a large extent, dependent on human cooperated behavior. Employees, whether intentionally or through negligence, often due to a lack of knowledge, are the greatest threat to information security. It has become widely accepted that the establishment of an organizational sub-culture of information security is key to managing the human factors involved in information security. This paper briefly examines the generic concept of corporate culture and then borrows from the management and economical sciences to present a conceptual model of information security culture. The presented model incorporates the concept of elasticity from the economical sciences in order to show how various variables in an information security culture influence each other. The purpose of the presented model is to facilitate conceptual thinking and argumentation about information security culture.
Article
Secure management of information systems is crucially important in information intensive organizations. Although most organizations have long been using security technologies, it is well known that technology tools alone are not sufficient. Thus, the area of end-user security behaviors in organizations has gained an increased attention. In information security observing end-user security behaviors is challenging. Moreover, recent studies have shown that the end users have divergent security views. The inability to monitor employee IT security behaviors and divergent views regarding security policies, in our view, provide a setting where the principal agent paradigm applies. In this paper, we develop and test a theoretical model of the incentive effects of penalties, pressures and perceived effectiveness of employee actions that enhances our understanding of employee compliance to information security policies. Based on 312 employee responses from 77 organizations, we empirically validate and test the model. Our findings suggest that security behaviors can be influenced by both intrinsic and extrinsic motivators. Pressures exerted by subjective norms and peer behaviors influence employee information security behaviors. Intrinsic motivation of employee perceived effectiveness of their actions was also found to play an important role in security policy compliance intentions. In analyzing the penalties, certainty of detection was found to be significant while surprisingly, severity of punishment was found to have a negative effect on security behavior intentions. We discuss the implications of our findings for theory and practice.
Article
Although many of the concepts included in cyber security awareness training are universal, such training often must be tailored to address the policies and requirements of a particular organization. In addition, many forms of training fail because they are rote and do not require users to think about and apply security concepts. A flexible, highly interactive video game, CyberCIEGE, is described as a security awareness tool that can support organizational security training objectives while engaging typical users in an engaging security adventure. The game is now being successfully utilized for information assurance education and training by a variety of organizations. Preliminary results indicate the game can also be an effective addition to basic information awareness training programs for general computer users (e.g., annual awareness training.)