Research Library

The world’s first globally accessible archive of research into the human aspect of cyber security and behavioural science as applied to cyber security awareness and online behavioural change.

To see the latest studies from pioneering academics, scroll down.

The nature of crime is changing — estimates suggest that at least half of all crime is now committed online. Once everyday objects (e.g. televisions, baby monitors, door locks) that are now internet connected, collectively referred to as the Internet of Things (IoT), have the potential to transform society, but this increase in connectivity may generate new crime opportunities. Here, we conducted a systematic review to inform understanding of these risks. We identify a number of high-level mechanisms through which offenders may exploit the consumer IoT including profiling, physical access control and the control of device audio/visual outputs. The types of crimes identified that could be facilitated by the IoT were wide ranging and included burglary, stalking, and sex crimes through to state level crimes including political subjugation. Our review suggests that the IoT presents substantial new opportunities for offending and intervention is needed now to prevent an IoT crime harvest.
Research
Smartphones contain a significant amount of personal data. Additionally, they are always in the user’s possession, which allows them to be abused for tracking (e.g., GPS, Bluetooth or WiFi tracking). In order to not reveal private information, smartphone users should secure their devices by setting lock screen protection, using third party security applications, and choosing appropriate security settings (often, default settings are inadequate). In this paper, we mount a survey to explore user choices, awareness and education with respect to cybersecurity. In comparison with prior work, we take the user’s cybersecurity familiarity into consideration in the analysis of user practices as well as have a strong focus on the younger generations, Y and Z. Our survey findings suggest that most users have appropriate lock screen settings to protect their phones from physical access; however, they disregard other security best practices, e.g., not using a VPN when connecting to a public WiFi or turning off unused features (regardless of level of expertise). Compared to desktop computers, smartphones are less secured and fewer third party security products are installed.
Research
In a world where artificial intelligence is one of the greatest assets, unmanned operations seem to be the future. The world of cybersecurity is witness to numerous system break-ins for the purpose of gaining access. One of the ways to gain access to systems is fulfilled by authentication, the process where an entity verifies who he or she claims to be to access a system. With network traffic increasing day by day, bots form a huge chunk of the network traffic. Over the last few years, bots have been trained to imitate human beings to gain access to computer-based systems. Traditional authentication methods are based on what we know, who we are and what we have, and can be bypassed easily these days. Bots have been known to imitate human beings in order to gain access to systems by identifying captchas and picture-based authentication systems. A bot gaining access to sensitive data may have severe repercussions. Thus there is a need to introduce certain parameters that could easily tell apart a bot and a human being. One
Research
In recent times, the integration of technology in everyday tasks helps in making most of the cumbersome work more convenient. This integration has brought about a positive wave in aiding and assisting humans in various sectors such as the military, health, education, finance, etc. Conversely, convenience does come with a cost, i.e. it increases the concern for security in those systems. Attackers with various motives try to exploit these systems for personal gain. Some of the popular attacks like Man In The Middle, Cross-Site Request Forgery (CSRF), Phishing and Code Injection can be used to compromise the systems. However, the easiest way to gain control over a system is through Social engineering because it can be performed within a short time and without much technical expertise. Social Engineering targets humans by using various psychological weaknesses of human cognizance. Such attacks are often used to attack enterprises, as their weakest links are the human employees who are prone to be deceived and manipulated. Hence, the enterprise must be prepared for any kind of attack that may be deployed to exploit the weaknesses.
Research
The privacy paradox states that people’s concerns about online privacy are unrelated to their online sharing of personal information. Using a representative sample of the German population, which includes 1403 respondents who were interviewed at three waves separated by 6 months, we investigate the privacy paradox from a longitudinal perspective, differentiating between-person relations from within-person effects. Results of a cross-lagged panel model with random intercepts revealed that people who were more concerned about their online privacy than others also shared slightly less personal information online and had substantially more negative attitudes toward information sharing (between-person level). Next, people who were more concerned than usual also shared slightly less information than usual (within-person level). At the same time, we found no long-term effects of privacy concerns on information sharing or attitudes 6 months later. Together, the results provide further evidence against the privacy paradox.
Research
Industrial Internet of Things (IIoT) is a fusion of industrial automation systems and IoT systems. It features comprehensive sensing, interconnected transmission, intelligent processing, self-organization and self-maintenance. Its applications span many areas, such as intelligent transportation, smart factories, the intelligent power grid and intelligent environment detection. With the widespread application of IIoT technology, the cyber security threats to industrial IoT systems are increasing day by day, and information security issues have become a major challenge in the development process. In order to protect the industrial IoT system from network attacks, this paper aims to study industrial IoT information security protection technology and the typical architecture of the industrial Internet of Things system; it analyzes the network security threats faced by the industrial Internet of Things system according to the different levels of the architecture, and designs the security protection strategies applied to the different levels of the structure based on the specific means of network attack.
Research
Of the many challenges that continue to make detection of cyber-attacks elusive, lack of training data remains the biggest one. Even though organizations and businesses turn to known network monitoring tools such as Wireshark, millions of people are still vulnerable because of a lack of information pertaining to website behaviors and features that can amount to an attack. In fact, most of the attacks do not occur because threat actors resort to complex coding and evasion techniques but because victims lack the basic tools to detect and avoid the attacks. Despite these challenges, machine learning is proving to revolutionize the understanding of the nature of cyber-attacks, and this study applied machine learning techniques to Phishing Website data with the objective of comparing five algorithms and providing insight that the general public can use to avoid phishing pitfalls. The findings of the study suggest that Neural Network is the best performing algorithm, and the model suggests that inclusion of an IP address in the domain name, longer URL, use of URL shortening services, inclusion of “@” symbol in the URL,
Research
This review examines the current trends in understanding the impact of individuals’ decisions to either disclose information or continue to conceal it. As a whole, the evidence points to a relative benefit of disclosure over secret-keeping, but with clear cases in which disclosure may be harmful. Advances in knowledge about factors that shape that impact, new research on the role of verbal rumination with a partner following disclosure, and attention to the role of communal coping as an outcome of traumatic disclosures are addressed. In addition, recent re-conceptualization of secret-keeping, and investigations into the burden experienced by confidants are reviewed. Finally, a call for greater attention to the culture-specific impacts of disclosure decisions is made.
Research
The evolution of technology over the years has allowed people to more easily store, access, and share information on the Internet. People can bank online, shop, and post their latest life news. Unfortunately, all this available information has attracted the attention of cybercriminals who want to use this personal information for fraudulent purposes. A common technique used by cybercriminals to obtain sensitive information is a scam called phishing. Criminals pose as a trusted entity in order to trick victims into revealing sensitive information that they will later use to commit illegal money transfers, identity theft, or other fraud. The consequences of phishing scams may lead to the loss of data, money, identity, reputation, and trust. As a result, organizations and individuals need to familiarize themselves with the process of a phishing attack and how to protect their systems and information. Organizations and individuals not only need the proper hardware and software to protect their information, but they also need to understand that cybercriminals prey on human psychology. Cybercriminals often use social engineering tactics to persuade people to willingly share their
Research
The purpose of this study is to describe the effect of education in professional boundaries on the use and management of social media by using quantitative survey methods to ask “What are the social networking behaviours of student nurses following education in professional boundaries?” Findings from this research indicate that student nurses are active SNS users, primarily for personal engagement. While students primarily used SNS for personal reasons, many reported SNS use for educational / professional purposes as well, including to discuss academic-related topics. Most students responded that they were aware of privacy settings on SNS; however, there is a discrepancy between awareness of privacy settings and the number of students implementing the privacy features.
Research
Cybersecurity professionals in the federal government work on complex problems in organizations where they have multiple competing roles. In addition, the gap between workers with cyber skills and job openings means that current cybersecurity professionals must carry a heavy load. Combined, this can lead to stress that has negative consequences for their well-being. Positive psychology can help address this, particularly through enhancing positive experiences, leveraging character strengths, developing resilience skills, and building psychological safety. Resilience skills help cybersecurity professionals increase their capacity to deal with uncertainty and build strong teams. Psychological safety supports an environment of innovation and professional development. These strategies are accessible ways for cybersecurity professionals to thrive in their work, improving their well-being as well as their ability to better address the emergent threats of a volatile world.
Research
With the help of reinforcement learning techniques and their methods, the paper helps to find the best techniques that can be used in cyber security to help the defender protect the data against attackers. The techniques have been used in a cyber security game, resulting in an unfriendly consecutive decision-making problem played between agents, i.e. an attacker and a defender.
Research
Few studies have examined the relationship between personality traits and social networking sites (SNSs), with a dominant concentration on the personality alterations under SNSs’ influence. The relationship between personality and privacy control has been less focused on and discussed. In order to figure out the internal mechanism of such a link among youth SNSs users, the Theory of Planned Behavior (TPB) was extended by including the Five-Factor Model of Personality to explore how personality traits interact with privacy control behavior on SNSs. The investigation using the theoretical method mentioned led to several hypotheses, which were later assessed by an online study conducted among randomly chosen college students (N = 201) from two randomly chosen universities in China. This sampling strategy was designed to mimic the situation of the targeted research population in the most reasonable way. The results suggested that neuroticism and openness predicted SNSs privacy. It was also found that neuroticism and openness predicted “networked privacy”. Theoretical implications of these findings were addressed.
Research
Understanding how computer users allocate attention to features of potentially dangerous emails could help mitigate costly errors. Which features are salient? How stable is attention allocation across variation in email features? We attempted to measure the mental salience of several email features common in spam and/or phishing emails. We created two email sets: one in which messages contained company logos and urgent actionable links and one without these features. Participants rated pairwise similarity of emails within each set. Multidimensional scaling (MDS) analysis was conducted to quantify psychological similarity between emails. A separate group rated the same emails for presence of five other features: important downloadable content, collecting personal information, account deletion or suspension, advertisement, and large images with clickable content. Regressing feature ratings onto the MDS coordinates revealed that similarity judgments were influenced mostly by advertisement/large images and collecting personal information, regardless of presence or absence of company logos and urgent actionable links.
Research
Even with clear and often strict policies in place, with clear sanctions, employees are still considered to be the weakest link in the field of information security (IS). This paper seeks to find one explanation for this phenomenon in a military context by exploring military cadets’ attitudes towards IS, as well as their reasons and justifications for using neutralisation techniques in order to transgress from organisational IS regulations. These techniques are as follows: Condemnation of the condemners, The Metaphor of the ledger, Denial of injury, Denial of responsibility, Appeal to higher loyalties and Defence of necessity. 144 military cadets completed a survey assessing their use of neutralisation techniques (Siponen & Vance, 2010) in addition to assessing their personality by the Five Factor (Konstabel et al., 2012) and the Dark Triad (Jones & Paulhus, 2014) models of personality. The results suggest that a more individualised approach in IS education could be useful. Understanding how one’s personality can sensitise oneself to certain kinds of neutralisation techniques can help an individual to acknowledge his or her strengths and vulnerabilities in IS behaviour.
Research
Cyberattacks have a growing effect on business management. Organisations are increasingly focusing on human factors – how to train and evaluate people to minimise potential losses. One of the most scalable and practical ways to measure the human factor is to conduct a phishing experiment. Phishing is a type of cyber-attack that uses socially engineered messages to persuade humans to perform certain actions for the attacker’s benefit. There is a considerable amount of literature on the topic of phishing – e.g. how it works and how to fight against it. However, there is not much discussion on the particular methods or the specific process of conducting simulated phishing experiments. This paper suggests a mixed methods approach for conducting phishing experiments and describes the experimental procedure, including various technological, ethical and legal aspects. The suggested approach is based on related academic work and practical experience in both public and private sector organisations. Multiple opportunities and challenges regarding phishing experiments are discussed, providing guidelines for future research.
Research
Digital natives have become significant users of social network sites (SNSs); therefore, their disclosed personal information can be misused by SNS providers and/or other users. The purpose of this paper is to understand how digital natives make their self-disclosure decisions on SNSs, as well as whether the concept of culture can still be relevant to digital natives. The results show that trust in SNSs and trust in SNS users are positively related to social rewards. Social rewards are positively related to intention to self-disclose, while privacy risk is positively related to privacy concerns. Further, culture significantly moderates the relationship between trust and social rewards.
Research
The paper specifically discusses selected publications that relate artificial intelligence (AI) in general, or machine learning (ML) in particular, to cybersecurity and specifically to the cybersecurity of system development and life cycle environments (SDLE) and their products.
Research
Phishing has been a major problem for information systems managers and users for several years now. In 2008, it was estimated that phishing resulted in close to $50 billion in damages to U.S. consumers and businesses. Even so, research has yet to explore many of the reasons why Internet users continue to be exploited. The goal of this paper is to better understand the behavioral factors that may increase one’s susceptibility for complying with a phisher’s request for personal information. Using past research on deception detection, a research model was developed to help explain compliant phishing responses. The model was tested using a field study in which each participant received a phishing e-mail asking for sensitive information. It was found that four behavioral factors were influential as to whether the phishing e-mails were answered with sensitive information. The paper concludes by suggesting that the behavioral aspect of susceptible users be integrated into the current tools and materials used in antiphishing efforts.
Research
The present paper focuses on Cyber Security Awareness Campaigns, and aims to identify key factors regarding security which may lead them to fail to appropriately change people’s behaviour. Past and current efforts to improve information-security practices and promote a sustainable society have not had the desired impact. It is important therefore to critically reflect on the challenges involved in improving information-security behaviours for citizens, consumers and employees. In particular, our work considers these challenges from a Psychology perspective, as we believe that understanding how people perceive risks is critical to creating effective awareness campaigns. Changing behaviour requires more than providing information about risks and reactive behaviours – firstly, people must be able to understand and apply the advice, and secondly, they must be motivated and willing to do so – and the latter requires changes to attitudes and intentions. These antecedents of behaviour change are identified in several psychological models of behaviour. We review the suitability of persuasion techniques, including the widely used ‘fear appeals’. From this range of literature, we extract essential components for an awareness campaign as well
Research