Research Library

The world’s first globally accessible archive of research into the human aspect of cyber security and behavioural science as applied to cyber security awareness and online behavioural change.

To see the latest studies from pioneering academics, scroll down.

Social engineering cyberattacks are a major threat because they often prelude sophisticated and devastating cyberattacks. Social engineering cyberattacks are a kind of psychological attack that exploits weaknesses in human cognitive functions. Adequate defense against social engineering cyberattacks requires a deeper understanding of what aspects of human cognition are exploited by these cyberattacks, why humans are susceptible to these cyberattacks, and how we can minimize or at least mitigate their damage. In this paper, we review human cognition through the lens of social engineering cyberattacks. Then, we propose an extended framework of human cognitive function

The Coronavirus disease 2019 (COVID-19) pandemic continues to cause prevalent issues and risks relating to cybersecurity and data privacy in Malaysia, which should be viewed meticulously and tackled appropriately. Moreover, Malaysia’s ageing population has limited cybersecurity awareness. The aim of this research is to explore the cybersecurity mindset of Malaysia’s older population and its impact on their well-being. For this purpose, this study used a qualitative methodology aimed at understanding the aging population’s cybersecurity mindset and developing a supporting policy framework. The issues of concern range from cybercriminals targeting a novice work from

Current world events have forced a sudden remote-working economy that many businesses were simply not prepared for. According to a Gartner survey of 229 human resources (HR) managers, 81% or more are working remotely, and 41% are likely to do so at least some of the time even once a return to normal working is permitted. This sudden rise in remote working is not only challenging employees to work in a way they had not previously, but it has also impacted the cyber-risk profile of enterprises worldwide. Organisations have built policies and procedures that protect i

Android parental control applications are used by parents to monitor and limit their children’s mobile behaviour (e.g., mobile apps usage, web browsing, calling, and texting). In order to offer this service, parental control apps require privileged access to system resources and access to sensitive data. This may significantly reduce the dangers associated with kids’ online activities, but it raises important privacy concerns. We conduct the first in-depth study of the Android parental control app’s ecosystem from a privacy and regulatory point of view. In summary, parental control applications lack transparency and lack compliance with regulatory requirements. This holds even for those appl

Cybersecurity is paramount in modern cyber defense. One important factor linked to reducing human-instigated breaches of cybersecurity includes cyber hygiene. Cyber hygiene is the adaptive knowledge and behavior to mitigate risky online activities that put an individual’s social, financial, and personal information at risk – a danger that is significantly compounded when discussing the risk to entire countries as opposed to a single individual. Interestingly, even though the human is the greatest risk to cybersecurity, very little research has examined the latent individual differences associated with developing cyber hygiene-related knowledge, attitudes, and behavi

Retirement is a major life transition, which leads to substantial changes across almost all aspects of day-to-day life. Although this transition has previously been seen as the normative marker for entry into older adulthood, its influence on later life has remained relatively unstudied in terms of technology use and cybersecurity behaviours. This is problematic as older adults are at particular risk of becoming victims of cyber-crime. This study aimed to investigate which factors associated with the retirement transition were likely to increase vulnerability to cyber-attack in a sample of 12 United Kingdom based older adults, all of whom had retired within t

In this chapter we use a social psychology approach to discuss people’s behaviour in relation to cybersecurity, by considering human errors, personality traits, the relationship between attitude and behaviour and the influence of social and situational factors. Human error has been widely studied in literature, especially in aviation and health care fields. Regardless of the area involved, analysing human factors is fundamental to understand the causes of accidents. With respect to cybersecurity, in fact, human errors—deriving from, e.g., work pressure, distraction, lack of awareness, organizational factors—can be considered one of the most important causes of secur

Every year online scams cause substantial emotional and financial adversity. A recently developed self-report measure of gullibility has the potential to provide insight into how individual differences in gullibility are related to susceptibility to scams. The current study investigated the behavioural validity of the Gullibility Scale and explored individual differences expected to be related to this construct. Undergraduate psychology students (N = 219) initially rated example phishing emails, and completed the HEXACO personality factors, Need for Cognition, Need for Closure, Sense of Self, and the Gullibility Scale. After six weeks, they were sent simulated phishing emails. Respo

Many theories from behavioural science like the theory of planned behaviour and protection motivation theory have been used to investigate the factors that affect the cybersecurity behaviour and practices of the end-user. In this paper, the researchers have used Fogg behaviour model (FBM) to study factors affecting the cybersecurity behaviour and practices of smartphone users. This study found that the odds of secure behaviour and practices by respondents with high motivation and high ability were 4.64 times more than the respondents with low motivation and low ability. This study describes how FBM may be used in the design and development of cybersecurity awareness

This paper examines online users’ perceived susceptibility to phishing attacks. We posit that an individual’s phishing susceptibility may be shaped by recent phishing encounters and, more importantly, that the effect of new experience on susceptibility will be heterogeneous among users. To facilitate our investigation, we focus on both the process and outcome of phishing detection. Survey data from college students confirms that one’s susceptibility is affected by detection process difficulty and detection outcome failures in the recent phishing encounter. Results also reveal the importance of personal attributes, such as past success in phishing detection and phishing desensitization, in re

Phishing e-mails are fraudulent e-mails used to gain access to sensitive information or secure computer systems. They persuade users to click on malicious links, download attachments, or provide sensitive information, such as usernames or passwords. One approach that aims to reduce people’s susceptibility to phishing is the provision of information to users regarding the phishing threat and the techniques used within phishing e-mails. In line with this, awareness campaigns are often used within organizations and wider society to raise awareness of phishing and encourage people to engage with protective information. In order to understand how current and future interventions regarding phishin

The role of the human in cyber security is well acknowledged. Many cyber security incidents rely upon targets performing specific behavioural actions, such as opening a link within a phishing email. Cyber adversaries themselves are driven by psychological processes such as motivation, group dynamics and social identity. Furthermore, both intentional and unintentional insider threats are associated with a range of psychological factors, including cognitive load, mental wellbeing, trust and interpersonal relations. By incorporating psychology into cyber security education, practitioners will be better equipped with the skills they need to address cyber security issues. However, there are chall

This study investigated the security gains of using a multilingual passphrase policy in user generated passphrases that are based on African and Indo-European languages. The research on passwords has been largely focused on the Global North where English is often the first or only language. Targeted password guessing of English and Chinese-based passwords shows that a user’s mother tongue language can influence password structure, something that reflects on security. Given a multilingual user group, for example in Africa, it is interesting to establish whether such a population can generate secure multilingual passphrases. Accordingly, the findings of this study could be extrapolated to othe

Cognitive processes are broadly considered to be of vital importance to understanding phishing email feature detection or misidentification. This research extends the current literature by introducing the concept of cue utilization as a unique predictor of phishing feature detection. First year psychology students (n=127) undertook three tasks measuring cue utilization, phishing feature detection and phishing email detection. A multiple linear regression model provided evidence that those in a higher cue utilization typology (n=55) performed better at identifying phishing features than those in a lower cue utilization typology (n=72). Furthermore, as predicted by the Elaboration Likelihood M

This thesis investigates how simulation-based learning affects the knowledge of cybersecurity risk management. To this end, an experiment was set up, leveraging the simulation game CyberCIEGE. Thirteen undergraduate IT students were involved in the experiment and took part in the simulation game, by completing two questionnaires, one prior to playing the game and one after having played it. The methodology and design employed for the thesis’ purposes can be adapted and used in a larger scale study; given that the intervention was designed to be able to be re-used (be as sustainable as possible for further use), researchers and instructors can implement it to a program to explore the field of

The Internet of Things (IoT) is considered the next technological revolution. IoT devices include once everyday objects that are now internet connected, such as smart locks and smart fridges, but also new types of devices to include home assistants. However, while this increased interconnectivity brings considerable benefits, it can and does increase people’s exposure to crime risk. This is particularly the case as most devices are developed without security in mind. One reason for this is that there is little incentive for manufacturers to make devices secure by design, and the costs of so doing do not encourage it. The principal aim of the current paper was to estimate the extent to which c

Many Indians have less experience in dealing with the Internet-enabled device and hence less experience in handling security threats like malware as compared to users of other countries who have gone through the learning curve of handling such security threats using other Internet-enabled devices such as laptop and desktop. Because of this, the inexperienced Indian smartphone user may be vulnerable to Internet-related security breaches, as compared to the citizens of developed economies. Hence, it is essential to understand the attitude, behaviour and security practices of smartphone u

This study explored potential human factors predictors of home user security intentions through the lens of past performance, perceived self-efficacy, and locus of control. While perceived self-efficacy and locus of control are elements in several organizational and individual security models, past performance has been less frequently studied. The variable, past performance, which has been referred to in other studies as prior experience, knowledge, and information security awareness, is usually a single question self-assessment of familiarity or comfort with technology. This study explores user technical prowess in further depth, using formal technical education, i

The Internet and connected technology platforms have enabled an increase of cyber influence activity. These actions target a range of personal to national level security and privacy attributes related to cybercrime, behavior, and identities. These emerging threats call for new indicators for improved awareness, decisions, and action. This research proposes a cyber-physical-human spectrum of identification with a prototyped classification method. Classifier goals are to aid in awareness of activity and potential harmful intent such as detection of identity feature acquisition, fraudulent identities and entities, and targeting or influential behavior. Emerging malicious influence actors prey o

Cybersecurity became the third war in the world as it affects the privacy, security, availability, and access possibilities of users’ data. Lately, statistics show that users prefer social media applications to share their data and updates. Many users believe that only their followers can see their updates, while the access permissions in the terms and conditions provide some authority to access the data. To highlight this issue, we did a survey of users’ awareness of accepting access possibility to their data and analyse the risks of allowing/accepting the access possibility of users’ data in social media applications. In this paper we propose a Reconnaissance Penetration Te