Research Library

The world’s first globally accessible archive of research into the human aspect of cyber security and behavioural science as applied to cyber security awareness and online behavioural change.

To see the latest studies from pioneering academics, scroll down.

Remote working during the COVID-19 pandemic has had, and continues to have, a great impact on the workforce. Through interviews with senior cyber security professionals, this research explored how the traditional dynamics between employees and leadership have adapted in such times, responding to a rapidly evolving cyber threat landscape, as well as an unpredictable period for organisations and employees in terms of wellbeing and remote working culture. Focusing on the transition to remote working, cyber security, the psychological contract (relationship between employees and employers) and employee wellbeing, the research highlighted several key themes.

This paper analyses the COVID-19 pandemic from a cyber crime perspective and highlights the range of cyber attacks experienced globally during the pandemic. Cyber attacks are analysed and considered within the context of key global events to reveal the modus-operandi of cyber-attack campaigns. The analysis shows how following what appeared to be large gaps between the initial outbreak of the pandemic in China and the first COVID-19 related cyber attack, attacks steadily became much more prevalent to the point that on some days, three or four unique cyber attacks were being reported. The analysis proceeds to utilise the UK as a case study to demonstrate how cyber criminals leve

In this article, we critically analyse cyber security and privacy concerns arising due to remote working during the coronavirus pandemic. Through our work, we discover a series of security risks emerging because of the realities of this period. For instance, lack of remote-working security training, heightened stress and anxiety, rushed technology deployment, and the presence of untrusted individuals in a remote-working environment (e.g., in flatshares), can result in new cyber-risk. Simultaneously, we find that as organisations look to manage these and other risks posed by their remote workforces, employee’s privacy (including

Although the pandemic is certainly not the first occurrence of socially disruptive circumstances that drive cyber criminals to action, relevant academic scholarship has remained scarce. To fill this gap in literature, and propose the analytical framework of mazephishing that places particular emphasis on the importance of credible social context in the functioning of the online scam ecosystem, we carried out a content analysis of international news stories reporting on social engineering attacks. Our results indicate that criminals make heavy use of social context and impersonation to make scams seem more credible, including health information, personal protective equipment, cures, fi

Malicious scammers and social engineers are causing great harms to modern society. Knowledge about social engineering (SE) is wide-spread and it exits in non-academic papers and communication channels. Knowledge is mostly based on expert opinion and experience reports. Such knowledge, if articulated, can provide a valid source of knowledge and information. We performed the analysis of such sources and adopted grounded theory to extract the general knowledge behind SE. The study aims to understand the rationale of social engineers, capture the knowledge of SE attacks and extract important information from the sources, propose an activity for counteracting SE attacks, and how it can be used in

Social engineering is influencing someone to gain something to yourself but it can be used in a malicious and criminal purposes also. The task was to investigate what different methods are used and how it is used as a tool in cyber attacks. The statistics were analysed what attacks were used the most and how many attacks have been done compared to other years. Analysing the attacks should give more knowledge of what should be made different and how to avoid the situations in the future. Some guidelines were added at the end of study of how oneself could be protected against social engineering attacks.

In today’s digital world, everyone interacts with technology in one way or another, which leaves all technology users vulnerable to psyber security attacks. Because of the recent emergence of the subject of psyber security, and the infantile stage of research pertaining to it, the scope of future work in this area is quite plentiful. There are different directions of possible work in this topic, and one of the most relevant is healthcare field. The importance of psyber security is indeed synonymous with the need to validate information to earn credibility, therefore reducing anxiety, stress, and other psychological disorders. In this context, consider the case for authentication-based inform

To understand employee negative perceptions of SETA programs, researchers conducted in-depth interviews with 20 Australian employees regarding their experiences with both SETA programs and non-cybersecurity related workplace training. As expected, employees had a generally poor view of SETA programs. They reported that the same factors that are important for effective non-cybersecurity training are also important for SETA programs, such as management role modelling and well-designed workplace systems. From an applied perspective, these findings can explain why employees often do not engage with cybersecurity training material, and how their current beliefs can influ

Saudi Arabia has seen an enormous growth in Internet usage over the past few years. With increasing adoption of this technology has come a rise in cyber crime, often enabled through use of social engineering. Phishing is a prime example, aiming to deceive users into revealing personal data. The paper describes efforts to understand individuals’ responses to phishing attacks through application of the Theory of Planned Behaviour (TPB). It reports a survey that considers three common social engineering persuading strategies, Authority, Social Proof and Scarcity. Results show correlations between these strategies and TPB. In particular, between attitude and intention to respond under the Author

With the rise of technology in every facet of daily life, the increased conveniences come with multiple security risks. When imagining cyber security, the focus is generally on the protection of personal information, and the technology that stores this information. However, cyber-attacks can come in multiple forms. The term psyber security refers to the subject of securing the mental health, including protection of the human psychological wellbeing from the psychiatric consequences of technology usage. With 1,473 reported cybersecurity breaches, the aftermath of these attacks extends beyond the technical repercussions. Pertaining to the human wellbeing aspect, these incidents also translate

In this paper, we discuss phishing as one of the attack types used in social engineering. Phishing attacks will be discussed by simulating a process between two different devices in two different networks. An experimental penetration test was performed on one of the local network devices to obtain data and information of the victim. The experiment involves sending fake email containing a link to a fake website in order to persuade the victim to enter personal data logs into the fake website. The experiment illustrates the ways in which an attacker may defraud the victim. In addition, the experiment contributes to the protection from and avoidance to exposure of this type of attack.

This study is exploratory and descriptive research that aims to establish the human factors that make the standard user susceptible to cyber-attacks in times of pandemic. A literature review of cybersecurity attacks and conflict scenarios registered during the COVID-19 pandemic was first applied during the investigation. Several innovative strategies are proposed to minimize attacks by advanced threat actors and their impact on users. These strategies are useful for governments to improve communication with citizens and develop critical thinking on citizens to face fake news.

COVID-19 pandemic has changed the lifestyle of all aspects of life. As such, full dependence on the unsafe Internet network in running all aspects of life. These conditions have created a fertile environment for cyber criminals to grow their activity and exploit the pressures that affected human psychology to increase their attack success. The purpose of this paper is to analyse the data collected from global online fraud and cyber security service companies to demonstrate on how criminals exploit crisis, and for the need to develop strategies and to enhance user awareness for better detection and prevention of future cyber crimes.

Due to the Covid-19 pandemic, all citizens are required to stay at home and most of their times have been used on the internet leading to cyber criminal, especially on older adults. Using the Information Security Awareness Model (ISACM) and the Situation Awareness Cybersecurity Education Model (SAOCE), this study aims to develop a cyber security awareness model that can assist the elderly from attacks in cyber space. The result revealed that organisation factors significantly related to cybersecurity awareness, meanwhile for social and individual factors are found less significant to cybersecurity awareness. With the development of cybersecurity awareness model, we are confident that our mod

This paper proposes a conceptual model which provides an integrative and structural perspective to describe how social engineering attacks work. Three core entities (effect mechanism, human vulnerability and attack method) are identified to help the understanding of how social engineering attacks take effect. Then, beyond the familiar scope, we analyze and discuss the effect mechanisms involving 6 aspects (persuasion, social influence, cognition & attitude & behavior, trust and deception, language & thought & decision, emotion and decision-making) and the human vulnerabilities involving 6 aspects (cognition and knowledge, behavior and habit, emotions

This paper presents a set of statistical analyses on an empirical study of phishing email sorting by real online users. Participants were assigned to multitasking and/or incentive conditions in unattended web-based tasks that are the most realistic in any comparable study to date. Our three stages of analyses included logistic regression models to identify individual phishing “cues” contributing to successful classifications, statistical significance tests assessing the links between participants’ training experience and self-assessments of success to their actual performance, significance tests searching for significant demographic factors influencing task completi

The Cyber Security Breaches Survey is a quantitative and qualitative study of UK businesses, charities and education institutions. It helps these organisations to understand the nature and significance of the cyber security threats they face, and what others are doing to stay secure. It also supports the government to shape future policy in this area.

While training individuals on best practices in cybersecurity continues to be implemented, prior research has found that training people in the use of secure passwords has not proven to be effective. Developing profiles of individual who are likely to become victims of password hacking, phishing scams, and other types of breaches would be useful, as they could be used to identify individuals with the highest likelihood of engaging in insecure cybersecurity behaviors. The present research tested the hypothesis that in addition to self-reported cybersecurity knowledge, personal characteristics, such as personality traits and general risk-taking behavior not related to

This paper presents a cyber-security culture framework for assessing and evaluating the current security readiness of an organization’s workforce. Having conducted a thorough review of the most commonly used security frameworks, it identifies core security human-related elements and classifies them by constructing a domain agnostic security model. It then proceeds by presenting in detail each component of the model and attempt to quantify them in order to achieve a feasible assessment methodology. The paper thereafter presents the application of this methodology for the design and development of a security culture evaluation tool, that offers recommendations and alt

Previous studies have observed an intention-behavior gap that has been labeled the “privacy paradox”: people disclose personal information (behavior) despite expressing negative sharing intentions (in surveys). However, this phenomenon has not been studied in the Internet of Things (IoT) in which users’ personal information sharing is crucial for the functionality of the technology. We explore this phenomenon by comparing participants’ intentions (via a survey) with their actual behavior (via a privacy-setting interface) and controlling the data sharing device and storage. Furthermore, we explore the decision processes underlying these privacy decisions by measuring