Research Library

The world’s first globally accessible archive of research into the human aspect of cyber security and behavioural science as applied to cyber security awareness and online behavioural change.

To see the latest studies from pioneering academics, scroll down.

The exploitation of so-called insiders is increasingly recognised as a common vector for cyberattacks. Emerging work in this area has considered the phenomenon from various perspectives including the technological, the psychological and the sociotechnical. We extend this work by specifically examining unintentional forms of insider threat and report the outcomes of a series of detailed Critical Decision Method (CDM) led interviews with those who have experienced various forms of unwitting cybersecurity breaches. We also articulate factors likely to contribute firmly in the context of everyday work-as-done. CDM’s probing questions were used to elicit expert knowledge around how decision makin

Organizations often respond to cyber security breaches by blaming and shaming the employees who were involved. There is an intuitive natural justice to using such strategies in the belief that the need to avoid repeated shaming occurrences will encourage them to exercise more care. However, psychology highlights signifcant short- and long-term impacts and harmful consequences of felt shame. To explore and investigate this in the cyber domain, we asked those who had inadvertently triggered an adverse cyber security incident to tell us about their responses and to recount the emotions they experienced when this occurred. We also examined the impact of the organization’s management of the incid

Older adults are increasingly a target for cyber-attacks; however, very little research has investigated how they feel about engaging in protective cyber-security behaviors. We developed and applied a novel card-sorting task to elicit how older adults feel about protective cyber-security behaviors and to identify the factors that impact their confidence in executing these behaviors. Nineteen task-assisted interviews were conducted with UK older adults. A thematic analysis revealed that older adults see protective online behaviors as important, but their reasons for disengagement fell into three categories: I do not want to (essentially, because the costs outweigh the benefits), I do not need

There is interest in better understanding people’s cybersecurity (CS)-related attitudes and behaviors, which are ultimately impacted by their perceived vulnerability to CS risks. This study sought to examine the information security attitudes and behaviors that contribute to perceived CS vulnerability. A convenience sample of 612 college students sampled from two public universities in the United States completed a brief demographic survey and the Online Security Behavior and Beliefs Questionnaire. The instrument demonstrated good internal reliability with an index of perceived vulnerability significantly and positively correlating with multiple subscales. Linear regression indicated subscal

In order to strengthen Critical Infrastructure’s protection and resilience, it is central to invest in training and simulations, to spread a security culture and develop the awareness among all personnel involved in the Critical Infrastructure security. Nowadays, attackers represent a major threat due to the combination of both cyber and kinetic operations, targeting human factors vulnerabilities. It is also critical to develop and straighten a “human firewall” inside critical organizations through the enhancement of Security Education, Training and Awareness (SETA) and stresses the need for the development of a security culture inside organizations. In such scenarios, today, the awareness w

Phishing is an online scam where criminals trick users with various strategies, with the goal of obtaining sensitive information or compromising accounts, systems, and/or other personal or organisational Information Technology resources. Multiple studies have shown that human factors influence the success of phishing attempts. However, these studies were conducted before the COVID-19 pandemic, which is significant because security reports show that the numbers of phishing attacks have been rapidly increasing since the start of COVID-19. This study investigates the extent to which users’ fear, anxiety and stress levels regarding COVID-19, impact falling for common and COVID-19 themed phishing

Information technology has become an integral part of health care in the United Kingdom National Health Service (NHS). All health care professionals are required to have a certain level of cyber ethics and knowledge of computers. This is assured by regular mandatory training. The government of the United Kingdom has charted out a course to strengthen cyber security and prevent any crises like Wannacry. Simple things like leaving a computer unlocked can pose a potential threat to the cyber security of the whole NHS. These cannot be addressed with money alone, as they involve complex interactions of human factors. Such seemingly simple non-compliance r

Approximately 65% of the organizations in the United States have fallen victim to a successful phishing attack. Many organizations offer anti-phishing training to their employees to defend against phishing attacks. The purpose of this study is to examine factors impacting the effectiveness of anti-phishing training and study the relationship between personality traits and phishing susceptibility. Participants filled out pre- and post-training surveys that included questions on identifying phishing and legitimate URLs and questions to determine DISC (Dominant, Influence, Steadiness, and Conscientiousness) personality traits. An analysis of the survey data shows that the participants’ average

Cyber attacks are mostly caused by liabilities created due to the human error and social engineering. Therefore, it is of importance for organisations to find a way to manage security in an effective manner, by taking into account the interactions between the social and physical environment. Accordingly, there is a possibility that employees find complying to security rules and procedures to have higher costs than benefits to their company. Finally, it is fundamental to find aspects where the business and security processes clash, in order to improve the security and productivity of the organisation.

This paper aims to improve the employees’ cyber security awareness by developing an interactive video game, a cyber shield game, that includes various embedded threat scenarios. The proposed game consists of four levels. The password complexity level educates players about password threats. The social engineering level aware employees about email attachments and trespass threats. The phishing attack level educates employees about phishing emails and ransomware threats. Finally, the physical security level aware employees about threats to storage and work documents’ disposal. Further, two surveys, pre-game and post-game, are conducted to estimate the players’ knowledge and experience in cyber

This study aims to examine the effect of cybersecurity threat and efficacy upon click-through, response to a phishing attack: persuasion and protection motivation in an organizational context. In a simulated field trial conducted in a financial institute, via PhishMe, employees were randomly sent one of five possible emails using a set persuasion strategy. Participants were then invited to complete an online survey to identify possible protective factors associated with clicking and reporting behavior (N = 2,918). The results indicate that response behaviors vary significantly

This study is an attempt to check the level of awareness of social engineering attacks among professionals who are working online. A survey of employees, who are working in Delhi NCR in different organizations and industries, was conducted. The results of the survey revealed the fact of awareness employees have for social engineering and protective policies. The study also analyzed the impact of demographic profile of employees based on their age, gender, education and internet usage on social engineering attacks

This study designed, developed, and empirically tested a Pause and Think (PAT) mobile app that presented a user with a warning dialog and either a countdown or count-up timer whenever an email with a link was opened. The user was not able to interact with the email until the timer expired. The main goal of this research study was to determine whether requiring e-mail users to pause and wait for a colored warning with a timer when they are presented with a potentially malicious link has any effect on the percentage of falling to phishing attempts. The experimental field study was completed in three phases in which 42 subject matter experts and 107 participants took part. The results indicated

Targeted phishing emails are a major cyber threat on the Internet today and are insufficiently addressed by current defences. In this paper, we leverage industrial-scale datasets from Sophos cloud email security service, which defends tens of millions of customer mailboxes, to propose a novel Transformer-based architecture for detecting targeted phishing emails. Using real-world targeted phishing data as well as millions of benign customer emails for training and evaluation, we show that our proposed CatBERT (Context-Aware Tiny Bert) model achieves a 87% detection rate at a false positive rate of 1%, as compared to DistilBERT [20], LSTM (Long Short-Term Memory) [13], and logistic regression

This research evaluated the Internet users’ proneness to fall prey to five most common types of social engineering attacks which are domain spoofing, email spoofing, search engine phishing, SMS phishing, and social media phishing. 350 volunteer participants participating in this research were presented with simulated images prepared by taking into account the social engineering attack that has taken place in recent years. Some of the images were legit and some of them were not. Participants were asked to identify these simulated scenarios as legit or cyber-attack. By utilizing the descriptive statistics techniques, this study reports the responses of the participants. This research presents

The application of social research methods in cyber security requires a multidisciplinary combination since the security of technologies and communication networks is made up of a set of uses, techniques, and results directly conditioned by the parameters of confidentiality, data availability, integrity, and privacy. However, each of these technological concepts is prepared and subject to conditions of use that involve ethical, sociological, economic, and legal aspects. Firstly, social engineering techniques in cybercrime tend to combine social investigation techniques with computational engineering and telecommunications elements. Secondly, research on cyber security phenomena in industrial

This study focuses on comparing the level of cyber security awareness, knowledge and behaviour among university students in general and between Hungary and Vietnam in particular. Research data was collected, using a set of questionnaires and the 313 responses from University Students, in different school years and fields of study, in Hungary and Vietnam. Results show that all respondents possess a lack of knowledge of cyber security, leading to a low level of cyber threat awareness, beyond the differences in respondent countries. However, there are minor differences in the behaviour, between respondents in Hungary and Vietnam, which were measured through four dimensions of cyber security: ma

Cybersecurity appears to be the ultimate paradox: while cybersecurity budgets are increased every year, and a vast array of new security products and services appear in the market, cyber attacks have been increasing in scale and scope every year. 2020 will perhaps be remembered as the “Year of Ransomware” as malware authors rendered useless every technical attempt to block them from attacking critical systems and data.

Shipping is the sector of the economy via which approximately 85% of all world trade is transported and which is technologically developing with enormous leaps. Its digital transformation has highlighted new opportunities, but at the same time new threats. Due to the great demand from the maritime community for digital operations (specifically digitization and automation), maritime cyber security is becoming an issue of utmost importance. A protection framework through which shipping can be shielded against cyber-threats is absolutely necessary. As hackers are becoming increasingly aware of cyber-vulnerabilities within the maritime sector and shipping is undoubtedly a key pillar of the Greek

This chapter will discuss the important topic of ethical hacking, also known as penetration testing. It will start by explaining the constituents of ethical hacking: scope and goal setting, exploitation, and documentation. The authors will define and explain the reasons for the rapid rise in cyber-crimes and their socio-economic impact. It will further discuss the steps involved in ethical hacking, who is allowed to conduct ethical hacking, its importance, and the role it plays in deterring future and potential hackers. The chapter will analyze the various types of malware and the steps to follow to become an ethical hacker. It will further describe social engineering, the types of cyber-att