The idea that people should form positive security habits is gaining increasing attention amongst security practitioners. Habit is a well-studied concept in psychology, but the extent to which the richness of that literature has been fully utilised for security is currently unclear. In order to address this gap, we compared usage of the term “habit”...
Is cybersecurity research missing a trick? Integrating insights from the psychology of habit into research and practice.
Don’t click: towards an effective anti-phishing training. A comparative literature review
Email is of critical importance as a communication channel for both business and personal matters. Unfortunately, it is also often exploited for phishing attacks. To defend against such threats, many organizations have begun to provide anti-phishing training programs to their employees. A central question in the development of such programs is how they can be...
Measuring the security culture in organizations: a systematic overview of existing tools
There has been an increase in research into the security culture in organizations in recent years. This growing interest has been accompanied by the development of tools to measure the level of security culture in order to identify potential threats and formulate solutions. This article provides a systematic overview of the existing tools. A total...
A methodology for quantifying the level of cybersecurity awareness
According to the Dutch National Cyber Security Center's yearly publication on the country's current cyber security situation (Cyber Security Beeld Nederland, CSBN 2017), in 91% of the investigated cases a cyber-attack originated from some form of phishing. This is in line with data from the SysAdmin, Audit, Network and Security (SANS)...
Human Factors Knowledge Area
Over the past 20 years, there has been a growing body of research into the underlying causes of security failures and the role of human factors. The insight that has emerged is that security measures are not adopted because humans are treated as components whose behaviour can be specified through security policies, and controlled through...
Developing cybersecurity culture to influence employee behavior: A practice perspective
This paper identifies and explains five key initiatives that three Australian organizations have implemented to improve their respective cyber security cultures. The five key initiatives are: identifying key cyber security behaviors, establishing a ‘cyber security champion’ network, developing a brand for the cyber team, building a cyber security hub, and aligning security awareness activities with...
Human systems integration approach to cyber security
The NATO Science and Technology Organization (STO) Human Factors and Medicine (HFM) Panel 259 Research Task Group (RTG), titled Human Systems Integration Approach to Cyber Security, was established to promote cooperative human-centred research activities in a NATO framework on the complex phenomenon of cyber security as a socio-technical system. The idea was to implement a...
2022 Cost of insider threats global report
The first Cost of Insider Threats: Global study was conducted in 2016 and focused exclusively on companies in North America. Since then, the research has expanded to include organizations in Europe, Middle East, Africa and Asia-Pacific with a global headcount of 500 to more than 75,000. In this year’s study, we interviewed 1,004 IT and...
Blind Spot: Do You Know the Effectiveness of Your Information Security Awareness-Raising Program?
Information and IT security awareness-raising measures and the evaluation of these measures are an indispensable part of today’s information and knowledge society. While the number of firms that apply such measures is increasing, surveys of corporations show that it is unusual for these measures to be accompanied by specific in-depth evaluations of their effectiveness. Since...
Contextual security awareness: A context-based approach for assessing the security awareness of users
Assessing the information security awareness (ISA) of users is crucial for protecting systems and organizations from social engineering attacks. Current methods do not consider the context of use when assessing users’ ISA, and therefore they cannot accurately reflect users’ actual behavior, which often depends on that context. In this study, we propose a novel context-based,...
Online safety awareness and human factors: An application of the theory of human ecology
Efforts have been made on large and small scales to reduce cybersecurity threats around the world, including in Malaysia. However, scholars have argued that, in spite of the technological preparations countries can take to shield themselves from attack, human factors may be the key reason behind increasing breaches in cybersafety in recent years. In this...
A zero-shot deep metric learning approach to Brain–Computer Interfaces for image retrieval
In this paper we propose a deep learning based approach for image retrieval using EEG. Our approach makes use of a multi-modal deep neural network based on metric learning, where the EEG signal from a user observing an image is mapped together with visual information extracted from the image. The inspiration behind this work is...
From awareness to influence: toward a model for improving employees’ security behaviour
This paper argues that a conventional approach to cybersecurity awareness is not effective in influencing employees and creating sustainable behaviour change. The increase in security incidents caused by employees is evidence that providing information to raise employees’ awareness does not necessarily result in improving their security behaviour, and organisations must transform their security awareness program...
About the Measuring of Information Security Awareness: A Systematic Literature Review
To make employees aware of their important role for information security, companies typically carry out security awareness campaigns. The success and effectiveness of those campaigns has to be measured to justify the budget for example. Therefore, we did a systematic literature review in order to learn how information security awareness (ISA) is measured in theory...
Developing metrics to assess the effectiveness of cybersecurity awareness program
Cybersecurity awareness (CSA) is not just about knowing, but also about transforming what has been learned into practice. It is a continuous process that needs to be adjusted in subsequent iterations to improve its usability as well as its sustainability. This is possible only if a CSA program is reviewed and evaluated in a timely manner. Review and evaluation of an awareness...
A systematic review of current cybersecurity training methods
Cybersecurity continues to be a growing issue, with cyberattacks causing financial losses and loss of productivity and reputation. Especially in an organisational setting, end-user behaviour plays an essential role in achieving a high level of cybersecurity. One way to improve end-user cybersecurity behaviour is through comprehensive training programmes. There are many contradictory statements and findings with...
Developing a cyber security culture: Current practices and future needs
While the creation of a strong security culture has been researched and discussed for decades, it continues to elude many businesses. Part of the challenge faced is distilling pertinent, recent academic findings and research into useful guidance. In this article, we aim to tackle this issue by conducting a state-of-the-art study into organisational cyber security...
Conceptualization of a cybersecurity awareness quiz
Recent approaches to raise security awareness have improved a lot in terms of user-friendliness and user engagement. However, since social engineering attacks on employees are evolving fast, new variants arise very rapidly. To deal with recent changes, our serious game Cybersecurity Awareness Quiz provides a quiz on recent variants to make employees aware of...
A pond full of phishing games – analysis of learning games for anti-phishing education
Game-based learning is a promising approach to anti-phishing education, as it fosters motivation and can help reduce the perceived difficulty of the educational material. Over the years, several prototypes for game-based applications have been proposed, that follow different approaches in content selection, presentation, and game mechanics. In this paper, a literature and product review of...
Research on the effectiveness of cyber security awareness in ICS Risk Assessment Frameworks
Evaluating the awareness of security among users plays a critical role in safeguarding Industrial Control Systems (ICSs) against social engineering attacks. This study was conducted to assess the impact of cybersecurity awareness on the response to cybersecurity incidents within ICSs. Furthermore, this research has incorporated various measures and frameworks related to cybersecurity emergency response processes,...