Research Library

The world’s first globally accessible archive of research into the human aspect of cyber security and behavioural science as applied to cyber security awareness and online behavioural change.

As cybersecurity (CS) threats become more sophisticated and diversified, organisations are urged to constantly adopt and update measures for countering different types of attacks. In particular, as novel techniques (e.g., social engineering and phishing) aim to leverage individual users’ vulnerabilities to attack and breach a larger system or an entire company, user awareness and behaviour have become key factors in preventing adverse events, mitigating their damage, and responding appropriately. As a result, the concept of Cyber Hygiene (CH) is becoming increasingly relevant for addressing the risk associated with an individual’s CS practices. Consequently, self-assessment tools are becoming more important for evaluating users’ literacy, implementing measures (e.g., training), and studying the effectiveness of interventions. This paper proposes a framework for including human factors in the design of self-assessment tools and for accurately modelling the CH aspects that are the root cause of CS issues.
Research
Android parental control applications are used by parents to monitor and limit their children’s mobile behaviour (e.g., mobile app usage, web browsing, calling, and texting). In order to offer this service, parental control apps require privileged access to system resources and access to sensitive data. This may significantly reduce the dangers associated with kids’ online activities, but it raises important privacy concerns. We conduct the first in-depth study of the Android parental control app ecosystem from a privacy and regulatory point of view. In summary, parental control applications lack transparency and do not comply with regulatory requirements. This holds even for those applications recommended by European and other national security centres.
Research
Every year online scams cause substantial emotional and financial adversity. A recently developed self-report measure of gullibility has the potential to provide insight into how individual differences in gullibility are related to susceptibility to scams. The current study investigated the behavioural validity of the Gullibility Scale and explored individual differences expected to be related to this construct. Undergraduate psychology students (N = 219) initially rated example phishing emails, and completed the HEXACO personality factors, Need for Cognition, Need for Closure, Sense of Self, and the Gullibility Scale. After six weeks, they were sent simulated phishing emails. Respondents who clicked on a link within the simulated phishing emails scored significantly higher on the Gullibility Scale compared to those who chose not to click, providing the first evidence for the behavioural validity of the Gullibility Scale. In addition, gullibility was associated with favourable ratings of the example emails, higher levels of emotionality, and a weaker sense of self. These findings provide further clarification of the psychometric properties of the Gullibility Scale and point to its utility in identifying those at risk of being scammed.
Research
This paper examines online users’ perceived susceptibility to phishing attacks. We posit that an individual’s phishing susceptibility may be shaped by recent phishing encounters and, more importantly, that the effect of new experience on susceptibility will be heterogeneous among users. To facilitate our investigation, we focus on both the process and outcome of phishing detection. Survey data from college students confirms that one’s susceptibility is affected by detection process difficulty and detection outcome failures in the recent phishing encounter. Results also reveal the importance of personal attributes, such as past success in phishing detection and phishing desensitization, in regulating the effects of a recent phishing encounter. Finally, results show the relationship between detection process difficulty and outcome failures, in addition to confirming antecedents to the two detection components. Our research generates new knowledge that contributes to the phishing literature and it also sheds new insights that inform practitioners, although the use of college students limits the generalizability of the current findings.
Research
Phishing e-mails are fraudulent e-mails used to gain access to sensitive information or secure computer systems. They persuade users to click on malicious links, download attachments, or provide sensitive information, such as usernames or passwords. One approach that aims to reduce people’s susceptibility to phishing is the provision of information to users regarding the phishing threat and the techniques used within phishing e-mails. In line with this, awareness campaigns are often used within organizations and wider society to raise awareness of phishing and encourage people to engage with protective information. In order to understand how current and future interventions regarding phishing may be consumed by users, as well as their potential impact on phishing susceptibility, it is important to conduct theoretically based research that provides a foundation to investigate these issues. This study provides a first step in addressing this by developing and validating a theoretically based survey measure across two studies centered upon the constructs of protection motivation theory (perceived vulnerability, severity, self-efficacy and response efficacy) to assess the factors that influence whether people choose to keep up to
Research
The role of the human in cyber security is well acknowledged. Many cyber security incidents rely upon targets performing specific behavioural actions, such as opening a link within a phishing email. Cyber adversaries themselves are driven by psychological processes such as motivation, group dynamics and social identity. Furthermore, both intentional and unintentional insider threats are associated with a range of psychological factors, including cognitive load, mental wellbeing, trust and interpersonal relations. By incorporating psychology into cyber security education, practitioners will be better equipped with the skills they need to address cyber security issues. However, there are challenges in doing so. Psychology is a broad discipline, and many theories, approaches and methods may have little practical significance to cyber security. There is a need to sift through the literature to identify what can be applied to cyber security. There are also pedagogical differences in how psychology and cyber security are taught and also psychological differences in the types of student that may typically study psychology and cyber security. To engage with cyber security students, it is important that these differences are
Research
This study investigated the security gains of using a multilingual passphrase policy in user generated passphrases that are based on African and Indo-European languages. The research on passwords has been largely focused on the Global North where English is often the first or only language. Targeted password guessing of English and Chinese-based passwords shows that a user’s mother tongue language can influence password structure, something that reflects on security. Given a multilingual user group, for example in Africa, it is interesting to establish whether such a population can generate secure multilingual passphrases. Accordingly, the findings of this study could be extrapolated to other contexts with multilingual users. The results show that English language-oriented passwords dominated the short password corpora. Moreover, the use of a multilingual passphrase policy reduced the dominance of English language-oriented passwords. Further analysis shows that short passwords oriented towards an Indo-European language were easier to guess when compared to short passwords based on African languages. Hence, this study encourages orienting passwords to other languages, with the use of a multilingual passphrase policy expected to offer more security.
Research
Cognitive processes are broadly considered to be of vital importance to understanding phishing email feature detection or misidentification. This research extends the current literature by introducing the concept of cue utilization as a unique predictor of phishing feature detection. First year psychology students (n=127) undertook three tasks measuring cue utilization, phishing feature detection and phishing email detection. A multiple linear regression model provided evidence that those in a higher cue utilization typology (n=55) performed better at identifying phishing features than those in a lower cue utilization typology (n=72). Furthermore, as predicted by the Elaboration Likelihood Model (ELM) and Heuristic-Systematic Model (HSM), those who deliberated longer per email demonstrated an increased ability to correctly identify phishing features. However, these results did not translate into improved performance in the phishing email detection task. Possible explanations for these results are discussed, including possible limitations and areas of future research.
Research
This thesis investigates how simulation-based learning affects knowledge of cybersecurity risk management. To this end, an experiment was set up, leveraging the simulation game CyberCIEGE. Thirteen undergraduate IT students were involved in the experiment and took part in the simulation game, completing two questionnaires, one prior to playing the game and one after having played it. The methodology and design employed for the thesis’ purposes can be adapted and used in a larger-scale study; given that the intervention was designed to be reusable (as sustainable as possible for further use), researchers and instructors can implement it in a programme to explore the field of cybersecurity education, which is currently advancing and is in need of new challenges and systematic analysis.
Research  
The Internet of Things (IoT) is considered the next technological revolution. IoT devices include once-everyday objects that are now internet connected, such as smart locks and smart fridges, but also new types of devices such as home assistants. However, while this increased interconnectivity brings considerable benefits, it can and does increase people’s exposure to crime risk. This is particularly the case as most devices are developed without security in mind. One reason for this is that there is little incentive for manufacturers to make devices secure by design, and the costs of doing so do not encourage it. The principal aim of the current paper was to estimate the extent to which consumers are willing to pay for improved security in internet connected products. The second aim was to examine whether this is conditioned by their exposure to security-related information. Using an experimental design, and a contingent valuation method, we find that people are willing to pay for improved security and that for some devices, this increases if they are exposed to information about security prior to stating their
Research
The Internet and connected technology platforms have enabled an increase in cyber influence activity. These actions target a range of personal- to national-level security and privacy attributes related to cybercrime, behaviour, and identities. These emerging threats call for new indicators for improved awareness, decisions, and action. This research proposes a cyber-physical-human spectrum of identification with a prototyped classification method. The classifier’s goals are to aid awareness of activity and potentially harmful intent, such as detection of identity feature acquisition, fraudulent identities and entities, and targeting or influential behaviour. Emerging malicious influence actors prey on human social demographic groups and trends, using the Internet infrastructure and social network platform access to large target populations as their attack surface. The methodology discusses how this problem could benefit from a combined human-technical approach to understanding indicators of influence on human perception that persuade someone to perform a desired action. This method is designed to aid rapid influence awareness and introduce a counter-influence concept. A prototyped experiment trial demonstrates how awareness may be beneficial to balancing national security with personal privacy.
Research
Cybersecurity has become the third war in the world, as it affects the privacy, security, availability, and access possibilities of users’ data. Lately, statistics show that users prefer social media applications for sharing their data and updates. Many users believe that only their followers can see their updates, while the access-permission terms and conditions they accepted have granted some authority to access the data. To highlight this issue, we surveyed users’ awareness of accepting access to their data and analysed the risks of allowing/accepting access to users’ data in social media applications. In this paper we propose a Reconnaissance Penetration Testing Methodology (RPTM) that aims to study the process of reconnaissance and information gathering on a specific target in order to show what user data is exposed. In the results and discussion we conducted a statistical study to find out the level of users’ awareness of cybersecurity and access possibilities.
Research
We have studied the cybersecurity readiness of organizations in Kuwait to obtain more information about how to build a cybersecurity readiness model. The cybersecurity readiness model is conceived from investigating the relationship among employee expertise, awareness, organizational investment, compliance with standards and risk assessment on organizational cyber security readiness. The results show that investment, compliance with standards and risk assessment have a significant effect on organizational cyber security readiness.
Research  
This paper reports an in-depth investigation on how different evidence-based cybersecurity training methods impact employees’ perceptions of susceptibility, severity, self-efficacy, security intention as well as on their self-reported cybersecurity behaviors.
Research
The objective of this work is to propose a new perspective on understanding the phenomenon of online behaviour termed the privacy paradox, i.e., worry about preserving personal data and content, but little attention to disclosing it, and thus to introduce the new definition of e-people. The provocative hypothesis of this study concerns internet users who, in the Big Data era, are affected by a common covariation of being e-popular/e-visible, e-narcissist, e-(socially)-accepted, e-remembered. These e-behaviours will be conceptually gathered under the term Achilles’ paradigm. A structured web questionnaire was submitted to a convenience sample of 198 internet users. First- and second-order confirmatory factor analyses together with latent means models concretely supported the existence of the Achilles’ paradigm and its impact on privacy paradox concerns. As a result, the privacy paradox is not an effective paradox anymore: self-disclosing private information online seems to be a well-accepted behaviour.
Research  
Scholars and commentators often argue that individuals do not care about their privacy, and that users routinely trade privacy for convenience. This ignores the cognitive biases and design tactics platforms use to manipulate users into disclosing information. This essay highlights some of those cognitive biases – from hyperbolic discounting to the problem of overchoice – and discusses the ways in which platform design can manipulate disclosure. It then explains how current law allows this manipulative and anti-consumer behavior to continue and proposes a new approach to rein in the phenomenon.
Research  
This study applies social contract theory to examine whether perceptions of a social contract explain adaptive behavior to safeguard online privacy. We (1) identify and (2) estimate the prevalence of subgroups that differ in their perceived “social contract” (based on privacy concerns, trust, and risk), and (3) measure how this perceived social contract affects adaptive online behavior. Using a representative two-wave panel survey (N = 1,222), we distinguished five subgroups of internet users: the highly concerned, wary, ambivalent, neutral (the largest group), and carefree users. The former three were more likely to adapt their behavior than the latter two subgroups. We argue that the implied social contract represents an important construct that helps to identify whether individuals engage in privacy protection behavior.
Research  
Most often, security breaches are related to internal employees due to their indirect or direct actions leading to information security policy (ISP) violations. Therefore, understanding employees’ intrinsic motivation and security behaviour towards ISP compliance is critical. Previous studies have identified different types of extrinsic motivation, such as complying with an ISP to avoid sanctions. This research adds an important contribution: intrinsic motivation is a more effective motivator because deterrence does not have a significant effect on employee behaviour. This thesis proposes a model which predicts that intrinsic motivation influences intentions towards ISP compliance. A combination of qualitative and quantitative approaches was used to evaluate the model via five stages.
Research  
The escalation in the numbers of cyber incidents shows no sign of abating, and it seems appropriate to take a look at the way cybersecurity is conceptualised and to consider whether there is a need for a mindset change. Benefiting from research in other fields, we propose a new mindset i.e. “Cybersecurity, Differently”. This approach rests on recognition of the fact that the problem is actually the high complexity, interconnectedness and emergent qualities of socio-technical systems. The “differently” mindset acknowledges the well-intentioned human’s ability to be an important contributor to organisational cybersecurity, as well as their potential to be “part of the solution” rather than “the problem”. In essence, this new approach initially treats all humans in the system as if they are well-intentioned. The focus is on enhancing factors that contribute to positive outcomes and resilience. We conclude by proposing a set of key principles and, with the help of a prototypical fictional organisation, consider how this mindset could enhance and improve cybersecurity across the socio-technical system.
Research
This paper explains the role of AI in cyber security and proposes recommendations on how organizations can benefit from AI in cybersecurity. Machine learning, a component of AI, applies existing data to constantly improve its functions and strategies over time. It learns and understands normal user behaviour and can identify even the slightest variation from that pattern. But besides gathering information to detect and identify threats, AI can use this data to improve its own functions and strategies as well. In this paper, we research existing obfuscation and de-obfuscation techniques that are currently applied to Android applications, then propose a de-obfuscation platform based on LLVM (Low-Level Virtual Machine) to perform the de-obfuscation process more efficiently. We also investigate the AndrODet solution, an online learning system that detects three common types of obfuscation techniques in Android applications: identifier renaming, string encryption, and control flow obfuscation.
Research