Research Library

The world’s first globally accessible archive of research into the human aspect of cyber security and behavioural science as applied to cyber security awareness and online behavioural change.


This paper examines online users’ perceived susceptibility to phishing attacks. We posit that an individual’s phishing susceptibility may be shaped by recent phishing encounters and, more importantly, that the effect of new experience on susceptibility will be heterogeneous among users. To facilitate our investigation, we focus on both the process and outcome of phishing detection. Survey data from college students confirms that one’s susceptibility is affected by detection process difficulty and detection outcome failures in the recent phishing encounter. Results also reveal the importance of personal attributes, such as past success in phishing detection and phishing desensitization, in regulating the effects of a recent phishing encounter. Finally, results show the relationship between detection process difficulty and outcome failures, in addition to confirming antecedents to the two detection components. Our research generates new knowledge that contributes to the phishing literature and it also sheds new insights that inform practitioners, although the use of college students limits the generalizability of the current findings.
The role of the human in cyber security is well acknowledged. Many cyber security incidents rely upon targets performing specific behavioural actions, such as opening a link within a phishing email. Cyber adversaries themselves are driven by psychological processes such as motivation, group dynamics and social identity. Furthermore, both intentional and unintentional insider threats are associated with a range of psychological factors, including cognitive load, mental wellbeing, trust and interpersonal relations. By incorporating psychology into cyber security education, practitioners will be better equipped with the skills they need to address cyber security issues. However, there are challenges in doing so. Psychology is a broad discipline, and many theories, approaches and methods may have little practical significance to cyber security. There is a need to sift through the literature to identify what can be applied to cyber security. There are also pedagogical differences in how psychology and cyber security are taught and also psychological differences in the types of student that may typically study psychology and cyber security. To engage with cyber security students, it is important that these differences are
This study investigated the security gains of using a multilingual passphrase policy in user generated passphrases that are based on African and Indo-European languages. The research on passwords has been largely focused on the Global North where English is often the first or only language. Targeted password guessing of English and Chinese-based passwords shows that a user’s mother tongue language can influence password structure, something that reflects on security. Given a multilingual user group, for example in Africa, it is interesting to establish whether such a population can generate secure multilingual passphrases. Accordingly, the findings of this study could be extrapolated to other contexts with multilingual users. The results show that English language-oriented passwords dominated the short password corpora. Moreover, the use of a multilingual passphrase policy reduced the dominance of English language-oriented passwords. Further analysis shows that short passwords oriented towards an Indo-European language were easier to guess when compared to short passwords based on African languages. Hence, this study encourages orienting passwords to other languages, with the use of a multilingual passphrase policy expected to offer more security.
This thesis investigates how simulation-based learning affects the knowledge of cybersecurity risk management. To this end, an experiment was set up, leveraging the simulation game CyberCIEGE. Thirteen undergraduate IT students were involved in the experiment and took part in the simulation game, by completing two questionnaires, one prior to playing the game and one after having played it. The methodology and design employed for the thesis’ purposes can be adapted and used in a larger scale study; given that the intervention was designed to be able to be re-used (be as sustainable as possible for further use), researchers and instructors can implement it in a program to explore the field of cybersecurity education which is currently advancing, and is in need of new challenges and systematic analysis.
The Internet of Things (IoT) is considered the next technological revolution. IoT devices include once everyday objects that are now internet connected, such as smart locks and smart fridges, but also new types of devices to include home assistants. However, while this increased interconnectivity brings considerable benefits, it can and does increase people’s exposure to crime risk. This is particularly the case as most devices are developed without security in mind. One reason for this is that there is little incentive for manufacturers to make devices secure by design, and the costs of so doing do not encourage it. The principal aim of the current paper was to estimate the extent to which consumers are willing to pay for improved security in internet connected products. The second aim was to examine whether this is conditioned by their exposure to security-related information. Using an experimental design, and a contingent valuation method, we find that people are willing to pay for improved security and that for some devices, this increases if they are exposed to information about security prior to stating their
The Internet and connected technology platforms have enabled an increase of cyber influence activity. These actions target a range of personal to national level security and privacy attributes related to cybercrime, behavior, and identities. These emerging threats call for new indicators for improved awareness, decisions, and action. This research proposes a cyber-physical-human spectrum of identification with a prototyped classification method. Classifier goals are to aid in awareness of activity and potential harmful intent such as detection of identity feature acquisition, fraudulent identities and entities, and targeting or influential behavior. Emerging malicious influence actors prey on human social demographic groups and trends using the Internet infrastructure with social network platform access to large target populations as their attack surface. The methodology discusses how this problem could benefit from a combined human-technical approach to understand indicators of influencing human perception that persuade someone to perform a desired action. This method is designed to aid in rapid influence awareness and introduce a counter-influence concept. A prototyped experiment trial demonstrates how awareness may be beneficial to balancing national security with personal privacy.
Cybersecurity became the third war in the world as it affects the privacy, security, availability, and access possibilities of users’ data. Lately, statistics show that users prefer social media applications to share their data and updates. Many users believe that only their followers can see their updates, while the permissions in the access possibility terms and conditions provide some authority to access the data. To highlight this issue we conducted a survey of users’ awareness of accepting access possibilities to their data and analysed the risks of allowing/accepting the access possibility of users’ data in social media applications. In this paper we propose a Reconnaissance Penetration Testing Methodology (RPTM) that aims to study the process of reconnaissance and information gathering on a specific target to show the user’s data. In the results and discussion we conducted a statistical study to find out the level of users’ awareness in cybersecurity and access possibilities.
We have studied the cybersecurity readiness of organizations in Kuwait to get more information about how to build a cybersecurity readiness model. The cybersecurity readiness model is conceived from investigating the relationship among employee expertise, awareness, organization investment, compliance with standards and risk assessment on organizational cyber security readiness. The results show that investment, compliance with standards and risk assessments have a significant effect on organization cyber security readiness.
This paper reports an in-depth investigation on how different evidence-based cybersecurity training methods impact employees’ perceptions of susceptibility, severity, self-efficacy, security intention as well as on their self-reported cybersecurity behaviors.
The objective of this work is to propose a new perspective in understanding the phenomenon of online behaviors, termed the privacy paradox, i.e., worry about preserving personal data and contents, but little attention to disclosing them, and thus introducing the new definition of e-people. The provocative hypothesis of this study regards the internet users who, in the Big Data era, are affected by a common covariation of being e-popular/e-visible, e-narcissist, e-(socially)-accepted, e-remembered. These e-behaviors will be conceptually gathered under the term of Achilles’ paradigm. A structured web-questionnaire was submitted to a convenience sample of 198 internet users. First and second-order confirmatory factor analyses together with latent means models concretely supported the existence of the Achilles’ paradigm and its impact on the privacy paradox concerns. As a result, the privacy paradox is not an effective paradox anymore: self-disclosing privacy online seems to be a well-accepted behavior.
Scholars and commentators often argue that individuals do not care about their privacy, and that users routinely trade privacy for convenience. This ignores the cognitive biases and design tactics platforms use to manipulate users into disclosing information. This essay highlights some of those cognitive biases – from hyperbolic discounting to the problem of overchoice – and discusses the ways in which platform design can manipulate disclosure. It then explains how current law allows this manipulative and anti-consumer behavior to continue and proposes a new approach to rein in the phenomenon.
This study applies social contract theory to examine whether perceptions of a social contract explain adaptive behavior to safeguard online privacy. We (1) identify and (2) estimate the prevalence of subgroups that differ in their perceived “social contract” (based on privacy concerns, trust, and risk), and (3) measure how this perceived social contract affects adaptive online behavior. Using a representative two-wave panel survey (N = 1,222), we distinguished five subgroups of internet users: the highly-concerned, wary, ambivalent, neutral (the largest group), and carefree users. The former three were more likely to adapt their behavior than the latter two subgroups. We argue that the implied social contract represents an important construct that helps to identify whether individuals engage in privacy protection behavior.
Most often, security breaches are related to internal employees due to their indirect or direct actions leading to information security policy (ISP) violations. Therefore, understanding employees’ intrinsic motivation and security behaviour towards ISP compliance is critical. Previous studies have identified different types of extrinsic motivation, such as complying with an ISP to avoid sanctions. This research adds an important contribution: intrinsic motivation is a more effective motivator because deterrence does not have a significant effect on employee behaviour. This thesis proposes a model which predicts that intrinsic motivation influences intentions towards ISP compliance. A combination of qualitative and quantitative approaches was used to evaluate the model via five stages.
The escalation in the numbers of cyber incidents shows no sign of abating, and it seems appropriate to take a look at the way cybersecurity is conceptualised and to consider whether there is a need for a mindset change. Benefiting from research in other fields, we propose a new mindset i.e. “Cybersecurity, Differently”. This approach rests on recognition of the fact that the problem is actually the high complexity, interconnectedness and emergent qualities of socio-technical systems. The “differently” mindset acknowledges the well-intentioned human’s ability to be an important contributor to organisational cybersecurity, as well as their potential to be “part of the solution” rather than “the problem”. In essence, this new approach initially treats all humans in the system as if they are well-intentioned. The focus is on enhancing factors that contribute to positive outcomes and resilience. We conclude by proposing a set of key principles and, with the help of a prototypical fictional organisation, consider how this mindset could enhance and improve cybersecurity across the socio-technical system.
This paper explains the role of AI in cyber security and proposes recommendations on how organizations are benefiting from AI in cybersecurity. Machine learning, a component of AI, applies existing data to constantly improve its functions and strategies over time. It learns and understands normal user behaviour and can identify even the slightest variation from that pattern. But besides gathering information to detect and identify threats, AI can use this data to improve its own functions and strategies as well. In this paper, we research existing obfuscation and de-obfuscation techniques which are currently applied to Android applications, then suggest a de-obfuscation platform based on LLVM (Low-Level Virtual Machine) to perform the de-obfuscation process more efficiently. Also, the AndrODet solution, an online learning system to detect three common types of obfuscation techniques in Android applications, known as identifier renaming, string encryption, and control flow obfuscation, is investigated.
The nature of crime is changing — estimates suggest that at least half of all crime is now committed online. Once everyday objects (e.g. televisions, baby monitors, door locks) that are now internet connected, collectively referred to as the Internet of Things (IoT), have the potential to transform society, but this increase in connectivity may generate new crime opportunities. Here, we conducted a systematic review to inform understanding of these risks. We identify a number of high-level mechanisms through which offenders may exploit the consumer IoT including profiling, physical access control and the control of device audio/visual outputs. The types of crimes identified that could be facilitated by the IoT were wide ranging and included burglary, stalking, and sex crimes through to state level crimes including political subjugation. Our review suggests that the IoT presents substantial new opportunities for offending and intervention is needed now to prevent an IoT crime harvest.
Smartphones contain a significant amount of personal data. Additionally, they are always in the user’s possession, which allows them to be abused for tracking (e.g., GPS, Bluetooth or WiFi tracking). In order to not reveal private information, smartphone users should secure their devices by setting lock screen protection, using third party security applications, and choosing appropriate security settings (often, default settings are inadequate). In this paper, we mount a survey to explore user choices, awareness and education with respect to cybersecurity. In comparison with prior work, we take the user’s cybersecurity familiarity into consideration in the analysis of user practices as well as have a strong focus on the younger generations, Y and Z. Our survey findings suggest that most users have appropriate lock screen settings to protect their phones from physical access; however, they disregard other security best practices, e.g., not using a VPN when connecting to a public WiFi or turning off unused features (regardless of level of expertise). Compared to desktop computers, smartphones are less secured and fewer third party security products are installed.
In a world where artificial intelligence is one of the greatest assets, unmanned operations seem to be the future. The world of cybersecurity is witness to numerous system break-ins for the purpose of gaining access. One of the ways to gain access to systems is fulfilled by authentication, the process where an entity verifies who he or she claims to be to access a system. With network traffic increasing day by day, bots form a huge chunk of the network traffic. Over the last few years, bots have been trained to imitate human beings to gain access to computer based systems. Traditional authentication methods are based on what we know, who we are and what we have, and can be bypassed easily these days. Bots have been known to imitate human beings in order to gain access to systems by identifying captchas and picture based authentication systems. A bot gaining access to sensitive data may have severe repercussions. Thus there is a need to introduce certain parameters that could easily tell apart a bot and a human being. One
In recent times, the integration of technology in everyday tasks helps in making most of the cumbersome work more convenient. This integration has brought about a positive wave in aiding and assisting humans in various sectors such as the military, health, education, finance, etc. Conversely, convenience does come with a cost, i.e. it increases the concern for security in those systems. Attackers with various motives try to exploit these systems for personal gain. Some of the popular attacks like Man In The Middle, Cross-Site Request Forgery (CSRF), Phishing and Code Injection can be used to compromise the systems. However, the easiest way to gain control over a system is through Social engineering because it can be performed within a short time and without much technical expertise. Social Engineering targets humans by using various psychological weaknesses of human cognizance. Such attacks are often used to attack enterprises, as their weakest links are the human employees who are prone to be deceived and manipulated. Hence, the enterprise must be prepared for any kind of attack that may be deployed to exploit the weaknesses.
The privacy paradox states that people’s concerns about online privacy are unrelated to their online sharing of personal information. Using a representative sample of the German population, which includes 1403 respondents who were interviewed at three waves separated by 6 months, we investigate the privacy paradox from a longitudinal perspective, differentiating between-person relations from within-person effects. Results of a cross-lagged panel model with random intercepts revealed that people who were more concerned about their online privacy than others also shared slightly less personal information online and had substantially more negative attitudes toward information sharing (between-person level). Next, people who were more concerned than usual also shared slightly less information than usual (within-person level). At the same time, we found no long-term effects of privacy concerns on information sharing or attitudes 6 months later. Together, the results provide further evidence against the privacy paradox.