Research Library

The world’s first globally accessible archive of research into the human aspect of cyber security and behavioural science as applied to cyber security awareness and online behavioural change.

To see the latest studies from pioneering academics, scroll down.

Approximately 65% of the organizations in the United States have fallen victim to a successful phishing attack. Many organizations offer anti-phishing training to their employees to defend against phishing attacks. The purpose of this study is to examine factors impacting the effectiveness of anti-phishing training and study the relationship between personality traits and phishing susceptibility. Participants filled out pre- and post-training surveys that included questions on identifying phishing and legitimate URLs and questions to determine DISC (Dominant, Influence, Steadiness, and Conscientiousness) personality traits. An analysis of the survey data shows that the participants’ average

Cyber attacks are mostly caused by liabilities created by human error and social engineering. Therefore, it is important for organisations to find a way to manage security effectively, by taking into account the interactions between the social and physical environment. Accordingly, there is a possibility that employees find complying with security rules and procedures to have higher costs than benefits to their company. Finally, it is fundamental to find aspects where the business and security processes clash, in order to improve the security and productivity of the organisation.

This paper aims to improve employees’ cyber security awareness by developing an interactive video game, a cyber shield game, that includes various embedded threat scenarios. The proposed game consists of four levels. The password complexity level educates players about password threats. The social engineering level makes employees aware of email attachment and trespass threats. The phishing attack level educates employees about phishing emails and ransomware threats. Finally, the physical security level makes employees aware of threats to storage and the disposal of work documents. Further, two surveys, pre-game and post-game, are conducted to estimate the players’ knowledge and experience in cyber

This study aims to examine the effect of cybersecurity threat and efficacy upon click-through, response to a phishing attack: persuasion and protection motivation in an organizational context. In a simulated field trial conducted in a financial institute, via PhishMe, employees were randomly sent one of five possible emails using a set persuasion strategy. Participants were then invited to complete an online survey to identify possible protective factors associated with clicking and reporting behavior (N = 2,918). The results indicate that response behaviors vary significantly

This study is an attempt to check the level of awareness of social engineering attacks among professionals who work online. A survey of employees working in Delhi NCR in different organizations and industries was conducted. The results of the survey revealed the level of awareness employees have of social engineering and protective policies. The study also analyzed the impact of the demographic profile of employees, based on their age, gender, education and internet usage, on social engineering attacks

This study designed, developed, and empirically tested a Pause and Think (PAT) mobile app that presented a user with a warning dialog and either a countdown or count-up timer whenever an email with a link was opened. The user was not able to interact with the email until the timer expired. The main goal of this research study was to determine whether requiring e-mail users to pause and wait for a colored warning with a timer when they are presented with a potentially malicious link has any effect on the percentage of users falling for phishing attempts. The experimental field study was completed in three phases in which 42 subject matter experts and 107 participants took part. The results indicated

Targeted phishing emails are a major cyber threat on the Internet today and are insufficiently addressed by current defences. In this paper, we leverage industrial-scale datasets from the Sophos cloud email security service, which defends tens of millions of customer mailboxes, to propose a novel Transformer-based architecture for detecting targeted phishing emails. Using real-world targeted phishing data as well as millions of benign customer emails for training and evaluation, we show that our proposed CatBERT (Context-Aware Tiny Bert) model achieves an 87% detection rate at a false positive rate of 1%, as compared to DistilBERT [20], LSTM (Long Short-Term Memory) [13], and logistic regression

This research evaluated Internet users’ proneness to fall prey to the five most common types of social engineering attacks, which are domain spoofing, email spoofing, search engine phishing, SMS phishing, and social media phishing. The 350 volunteer participants in this research were presented with simulated images prepared by taking into account social engineering attacks that have taken place in recent years. Some of the images were legit and some of them were not. Participants were asked to identify these simulated scenarios as legit or cyber-attack. Using descriptive statistics techniques, this study reports the responses of the participants. This research presents

The application of social research methods in cyber security requires a multidisciplinary combination since the security of technologies and communication networks is made up of a set of uses, techniques, and results directly conditioned by the parameters of confidentiality, data availability, integrity, and privacy. However, each of these technological concepts is prepared and subject to conditions of use that involve ethical, sociological, economic, and legal aspects. Firstly, social engineering techniques in cybercrime tend to combine social investigation techniques with computational engineering and telecommunications elements. Secondly, research on cyber security phenomena in industrial

This study focuses on comparing the level of cyber security awareness, knowledge and behaviour among university students in general and between Hungary and Vietnam in particular. Research data were collected using a set of questionnaires, with 313 responses from university students in different school years and fields of study in Hungary and Vietnam. Results show that all respondents possess a lack of knowledge of cyber security, leading to a low level of cyber threat awareness, regardless of the respondents’ countries. However, there are minor differences in behaviour between respondents in Hungary and Vietnam, which were measured through four dimensions of cyber security: ma

This chapter will discuss the important topic of ethical hacking, also known as penetration testing. It will start by explaining the constituents of ethical hacking: scope and goal setting, exploitation, and documentation. The authors will define and explain the reasons for the rapid rise in cyber-crimes and their socio-economic impact. It will further discuss the steps involved in ethical hacking, who is allowed to conduct ethical hacking, its importance, and the role it plays in deterring future and potential hackers. The chapter will analyze the various types of malware and the steps to follow to become an ethical hacker. It will further describe social engineering, the types of cyber-att

Remote working during the COVID-19 pandemic has had, and continues to have, a great impact on the workforce. Through interviews with senior cyber security professionals, this research explored how the traditional dynamics between employees and leadership have adapted in such times, responding to a rapidly evolving cyber threat landscape, as well as an unpredictable period for organisations and employees in terms of wellbeing and remote working culture. Focusing on the transition to remote working, cyber security, the psychological contract (relationship between employees and employers) and employee wellbeing, the research highlighted several key themes.

This paper analyses the COVID-19 pandemic from a cyber crime perspective and highlights the range of cyber attacks experienced globally during the pandemic. Cyber attacks are analysed and considered within the context of key global events to reveal the modus operandi of cyber-attack campaigns. The analysis shows how, following what appeared to be large gaps between the initial outbreak of the pandemic in China and the first COVID-19 related cyber attack, attacks steadily became much more prevalent, to the point that on some days three or four unique cyber attacks were being reported. The analysis proceeds to utilise the UK as a case study to demonstrate how cyber criminals leve

This research aims to assess the level of Internet users’ security awareness among Palestinian learners. The study focuses on five fundamental security issues involving passwords, social media usage, email usage, security of mobile devices, and social engineering. A quantitative approach is employed in the study, where data was collected by means of pre-designed and tested questionnaires from a random sample of 200 participants. Data were collected, encoded, preprocessed and then analyzed using SPSS. Results emphasized the overall carelessness of Internet users in relation to security measures, knowledge and practices. Most respondents did not try to gain any knowledge whatsoever by, for

Currently, the consumer electronics (CE) community largely ignores the humans in the loop when framing cyber security solutions in the IoT context. In this work, we stress the need for a human-centric approach to cyber security by shifting focus from “humans as a problem” to “humans as a solution”. We propose a Security & Privacy Preserving (SPP) framework for illustrating how a human-centric approach can be initiated, what its important components are, and how security & privacy can be preserved with a human focus.

In this article, we critically analyse cyber security and privacy concerns arising due to remote working during the coronavirus pandemic. Through our work, we discover a series of security risks emerging because of the realities of this period. For instance, lack of remote-working security training, heightened stress and anxiety, rushed technology deployment, and the presence of untrusted individuals in a remote-working environment (e.g., in flatshares) can result in new cyber-risk. Simultaneously, we find that as organisations look to manage these and other risks posed by their remote workforces, employees’ privacy (including

This study reviewed a number of factors, such as the role of personal, social, socio-cognitive, environmental, & technological factors, that may individually or collectively influence software engineers’ cyber hygiene behaviour. The positive and negative factors associated with the cyber hygiene behaviour of software engineers are also categorized. This study enriches the understanding of the potential factors related to software engineers’ cyber hygiene behaviours. It provides valuable insights to researchers, software development organizations, governments, and individuals associated with the field of Software Engineering. This research will assist in changing the software engineers’ behav

Security and Awareness Training (SAT) has been available for several decades and is commonly given as a suggestion for improving the cyber security behavior of end-users. However, attackers continue to exploit the human factor, suggesting that current SAT methods are not enough. Researchers argue that providing knowledge alone is not enough, and some researchers suggest that many currently used SAT methods are, in fact, not empirically evaluated. This paper aims to examine how SAT has been evaluated in recent research using a structured literature review. The result is an overview of evaluation methods which describes what results can be obtained using them. The study further suggests th

Seniors represent a group that, compared to other groups, lives in digital exclusion to an excessive extent, mainly due to the fact that they lack the necessary knowledge to use digital technology and digital services. Based on empirical data collected from seniors partaking in digital training, we have analyzed their perceptions of why they and other seniors are digitally excluded. Our findings point out that a major barrier for seniors to be more digitally included is different variants of fear of using digital technology and digital services. The common denominator can be traced to the possibility of being exposed to frauds, scams, viruses, and faulty handling, which in turn cause unde

Artificial intelligence (AI) has been widely adopted in various applications such as face detection, speech recognition, machine learning, etc. Due to the lack of theoretical explanation, recent works show that AI is vulnerable to adversarial attacks; in particular, deep neural networks can be easily fooled by adversarial examples that take the form of subtle perturbations to the inputs. The intrinsic vulnerability of AI might incur severe security problems in areas like automatic driving, face payment, voice command control, etc. Adversarial learning is one typical defense method, which can mitigate such security risks of AI by training with generated adversarial examples. However, this metho