Research Library

The world’s first globally accessible archive of research into the human aspect of cyber security and behavioural science as applied to cyber security awareness and online behavioural change.

To see the latest studies from pioneering academics, scroll down.

The nature of crime is changing — estimates suggest that at least half of all crime is now committed online. Once everyday objects (e.g. televisions, baby monitors, door locks) that are now internet connected, collectively referred to as the Internet of Things (IoT), have the potential to transform society, but this increase in connectivity may generate new crime opportunities. Here, we conducted a systematic review to inform understanding of these risks. We identify a number of high-level mechanisms through which offenders may exploit the consumer IoT including profiling, physical access control and the control of device audio/visual outputs. The types of crimes identified that could be facilitated by the IoT were wide ranging and included burglary, stalking, and sex crimes
Smartphones contain a significant amount of personal data. Additionally, they are always in the user’s possession, which allows them to be abused for tracking (e.g., GPS, Bluetooth or WiFi tracking). In order to not reveal private information, smartphone users should secure their devices by setting lock screen protection, using third party security applications, and choosing appropriate security settings (often, default settings are inadequate). In this paper, we mount a survey to explore user choices, awareness and education with respect to cybersecurity. In comparison with prior work, we take the user’s cybersecurity familiarity into consideration in the analysis of user practices as well as have a strong focus on the younger generations, Y and Z. Our survey findings suggest that most
In a world where artificial intelligence is one of the greatest assets, unmanned operations seem to be the future. The world of cybersecurity is witness to numerous system break-ins for the purpose of gaining access. One of the ways to gain access to systems is fulfilled by authentication, the process where an entity verifies who he or she claims to be to access a system. With network traffic increasing day by day, bots form a huge chunk of the network traffic. Over the last few years, bots have been trained to imitate human beings to gain access to computer-based systems. Traditional authentication methods are based on what we know, who we are and what we have, and can
Of the many challenges that continue to make detection of cyber-attacks elusive, lack of training data remains the biggest one. Even though organizations and businesses turn to known network monitoring tools such as Wireshark, millions of people are still vulnerable because of a lack of information pertaining to website behaviors and features that can amount to an attack. In fact, most attacks do not succeed because threat actors resort to complex coding and evasion techniques, but because victims lack the basic tools to detect and avoid the attacks. Despite these challenges, machine learning is proving to revolutionize the understanding of the nature of cyber-attacks, and this study implemented machine learning techniques on Phishing Website data with the
The evolution of technology over the years has allowed people to more easily store, access, and share information on the Internet. People can bank online, shop, and post their latest life news. Unfortunately, all this available information has attracted the attention of cybercriminals who want to use this personal information for fraudulent purposes. A common technique used by cybercriminals to obtain sensitive information is a scam called phishing. Criminals pose as a trusted entity in order to trick victims into revealing sensitive information that they will later use to commit illegal money transfers, identity theft, or other fraud. The consequences of phishing scams may lead to the loss of data, money, identity, reputation, and trust. As a result, organizations and
 
Cybersecurity professionals in the federal government work on complex problems in organizations where they have multiple competing roles. In addition, the gap between workers with cyber skills and job openings means that current cybersecurity professionals must carry a heavy load. Combined, this can lead to stress that has negative consequences for their well-being. Positive psychology can help address this, particularly through enhancing positive experiences, leveraging character strengths, developing resilience skills, and building psychological safety. Resilience skills help cybersecurity professionals increase their capacity to deal with uncertainty and build strong teams. Psychological safety supports an environment of innovation and professional development. These strategies are accessible ways for cybersecurity professionals to thrive in their work, improving their well-being as well as
 
The paper, with the help of reinforcement learning techniques, helps to find the best techniques that can be used in cyber security to help a defender protect data against attackers. The techniques have been applied in a cyber security game, resulting in an adversarial sequential decision-making problem played between two agents, i.e. an attacker and a defender.
Even with clear and often strict policies in place, with clear sanctions, employees are still considered to be the weakest link in the field of information security (IS). This paper seeks to find one explanation for this phenomenon in a military context by exploring military cadets’ attitudes towards IS, as well as their reasons and justifications for using neutralisation techniques in order to transgress organisational IS regulations. These techniques are as follows: Condemnation of the condemners, The Metaphor of the ledger, Denial of injury, Denial of responsibility, Appeal to higher loyalties and Defence of necessity. 144 military cadets completed a survey assessing their use of neutralisation techniques (Siponen & Vance 2010) in addition to assessing their personality by the Five
Cyberattacks have a growing effect on business management. Organisations are increasingly focusing on human factors – how to train and evaluate people to minimise potential losses. One of the most scalable and practical ways to measure the human factor is to conduct a phishing experiment. Phishing is a type of cyber-attack that uses socially engineered messages to persuade humans to perform certain actions for the attacker’s benefit. There is a considerable amount of literature on the topic of phishing – e.g. how it works and how to fight against it. However, there is not much discussion of the particular methods or the specific process of conducting simulated phishing experiments. This paper suggests a mixed methods approach for conducting phishing experiments and
The paper specifically discusses selected publications that relate artificial intelligence (AI) in general, or machine learning (ML) in particular, to cybersecurity and specifically to the cybersecurity of system development and life cycle environments (SDLE) and their products.
Phishing has been a major problem for information systems managers and users for several years now. In 2008, it was estimated that phishing resulted in close to $50 billion in damages to U.S. consumers and businesses. Even so, research has yet to explore many of the reasons why Internet users continue to be exploited. The goal of this paper is to better understand the behavioral factors that may increase one’s susceptibility for complying with a phisher’s request for personal information. Using past research on deception detection, a research model was developed to help explain compliant phishing responses. The model was tested using a field study in which each participant received a phishing e-mail asking for sensitive information. It was found
The present paper focuses on Cyber Security Awareness Campaigns, and aims to identify key factors regarding security which may lead them to fail to appropriately change people’s behaviour. Past and current efforts to improve information-security practices and promote a sustainable society have not had the desired impact. It is therefore important to critically reflect on the challenges involved in improving information-security behaviours for citizens, consumers and employees. In particular, our work considers these challenges from a Psychology perspective, as we believe that understanding how people perceive risks is critical to creating effective awareness campaigns. Changing behaviour requires more than providing information about risks and reactive behaviours – firstly, people must be able to understand and apply the advice, and secondly,
Most business organizations lack a human factors program and remain inattentive to human-centric issues and human-related problems that are leading to cybersecurity incidents, significant financial losses, reputational damage, and lost production. Other industries such as aviation, nuclear power, healthcare, and industrial safety leverage human factors problems as platforms to reduce human errors. The underappreciation and under-exploration of human factors in cybersecurity threatens the existence of every business. Cybersecurity operations are becoming increasingly abstruse and technologically sophisticated resulting in heightened opportunities for human errors. A human factors program can provide the foundation to address and mitigate human-centric issues, properly train the workforce, and integrate psychology-based professionals as stakeholders to remediate human factors-based problems.
 
The cybersecurity of autonomous vehicles (AVs) is an important emerging area of research in traffic safety. Because human failure is the most common reason for a successful cyberattack, human-factor researchers and psychologists might improve AV cybersecurity by researching how to decrease the probability of a successful attack. We review some areas of research connected to the human factor in cybersecurity and find many potential issues. Psychologists might research the characteristics of people prone to cybersecurity failure, the types of scenarios they fail in and the factors that influence this failure or over-trust of AV. Human behavior during a cyberattack might be researched, as well as how to educate people about cybersecurity. Multitasking has an effect on the ability to defend
Social engineering is a method that has been used by criminals and scammers for centuries in order to manipulate people into performing a particular action or into giving up sensitive or confidential information. Today, social engineering is a tactic employed by cybercriminals who carry out phishing attacks, one of the most pervasive forms of cyber-attacks. Phishing attacks exploit one of cybersecurity’s greatest vulnerabilities, people, by leveraging both technology and the art of human deception in order to turn targets into victims. Social engineering and phishing rely on human behavior and emotion, factors that technology has yet to find a defense for, making social engineering and phishing a lucrative avenue for cybercriminals. Secure protocols, security awareness
 
Personality may better predict cybersecurity behavior relative to an individual’s stated intentions; however, people often behave in ways that are discordant with what they intend. Assuming most people have the intention of complying with safe practices, it is still no surprise that people violate policies and put sensitive data at risk regularly. Previous research has investigated all of the “Big Five” personality factors in relation to cybersecurity behavior, although there is no consensus regarding which factors are most important. In this study, data were collected from 676 undergraduate students who were administered the Employees’ Online Security Behavior and Beliefs questionnaire and the Big Five Inventory–44. Significant correlations were observed between self-reported cybersecurity behaviors and some, but not all, personality constructs.
The present report is concerned with human aspects of cybersecurity including not only psychology and sociology, but also ethnography, anthropology, human biology, behavioural economics and any other subject that takes humans as its main focal point.

Authors: ENISA
 
As internet technology and mobile applications increase in volume and complexity, malicious cyber-attacks are evolving, and as a result, society is facing greater security risks in cyberspace than ever before. This study has extended the published literature on cybersecurity by theoretically defining the conceptual domains of employees’ security behavior, and has developed and tested operational measures to advance information security behavior research in the workplace. A conceptual framework is proposed and tested using survey results from 579 business managers and professionals. Structural equation modelling and ANOVA procedures are employed to test the proposed hypotheses. The results show that when employees are aware of their company’s information security policy and procedures, they are more competent to manage cybersecurity tasks than those who are not
Security advice is one key way that consumers learn security behaviors. However, prior work has shown that this advice may not always be helpful and may be less accessible to those with lower internet skill or less education. As a first step toward improving the quality of security advice, we analyzed the readability of 1878 internet security advice documents drawn from crowdsourced search queries and expert recommendations. We measured readability via the commonly used Flesch Reading Ease Score. Our results provide the first characterization, to our knowledge, of the readability of a large corpus of security advice. We find that less than 25% of security advice meets or exceeds the “Standard” (e.g., Reader’s Digest) reading level. Preliminary results suggest that
This paper proposes 10 cyber security challenges that need to be addressed, in an attempt to spark discussion about the global approach to cyber security.

Authors: Richard Horne, PwC