Robert S. Gutzwiller,Hansol Rheem,Kimberly J. Ferguson-Walter,Christina M. Lewis,Chelsea K. Johnson,Maxine Major

DOI: https://doi.org/10.1177/15553434231217787

2023-11-30

Journal of Cognitive Engineering and Decision Making

Abstract:Journal of Cognitive Engineering and Decision Making, Ahead of Print. Attacker psychology is currently under-examined in cybersecurity research. A prior, large-scale study sought to understand attackers' behavior by testing both technological and psychological deception. Professional "red team" members participated over two days in various conditions. This data was examined for further evidence that cognitive biases, a potential disruption for attackers, may be present, and may be affecting the outcome. An applied, novel methodology for measuring confirmation bias and framing effects is presented using this realistic dataset. Both confirmation bias and the framing effect occurred in this interpretation. The framing effect appears to have reduced attacker interactions with systems in the network, which may benefit cyber defenders. These results provide additional, exploratory evidence that biases in the decision-making of cyber attackers could be used as part of a defensive cyber strategy. Limitations to the approach and directions for future study of attackers are discussed.

Maria Bada,Jason R. C. Nurse

DOI: https://doi.org/10.48550/arXiv.1909.13256

2019-09-29

Computers and Society

Abstract:Cyber-attacks have become as commonplace as the Internet itself. Each year, industry reports, media outlets and academic articles highlight this increased prevalence, spanning both the amount and variety of attacks and cybercrimes. In this article, we seek to further advance discussions on cyber threats, cognitive vulnerabilities and cyberpsychology through a critical reflection on the social and psychological aspects related to cyber-attacks. In particular, we are interested in understanding how members of the public perceive and engage with risk and how they are impacted during and after a cyber-attack has occurred. This research focuses on key cognitive issues relevant to comprehending public reactions to malicious cyber events including risk perception, protection motivation, culture, and attacker characteristics (e.g., attacker identity, target identity and scale of attack). To consider the applicability of our findings, we investigate two significant cyber-attacks over the last few years, namely the WannaCry attack of 2017 and the Lloyds Banking Group attack in the same year.

Bhagwant Singh,Dr. Sikander Singh Cheema

DOI: https://doi.org/10.35444/ijana.2024.16108

2024-01-01

International Journal of Advanced Networking and Applications

Abstract:This paper explores the link between psychology and cybersecurity, focusing on the vital role of cognitive shields in strengthening digital security. In the rapidly changing cyberspace, understanding and using psychological defenses are crucial for dealing with evolving threats. This paper stressing the need for a holistic cybersecurity approach that considers the human factor. By investigating how human thinking connects with cyber threats, this study builds a basic understanding of the complex landscape. The core of the review looks into cognitive shields, categorizing and explaining their various aspects. From the impact of cognitive biases to the use of threat intelligence guided by psychological principles, the study explores different applications of cognitive shields. Despite their importance, the paper acknowledges challenges in implementing cognitive shields and highlights the ongoing need for innovation.

Tim Scully

Abstract:The attitude that 'it won't happen to me' still prevails in the boardrooms of industry when senior executives consider the threat of targeted cyber intrusions. Not much has changed in the commercial world of cyber security over the past few years; hackers are not being challenged to find new ways to steal companies' intellectual property and confidential information. The consequences of even major security breaches seem not to be felt by the leaders of victim companies. Why is this so? Surely IT security practitioners are seeking new ways to detect and prevent targeted intrusions into companies' networks? Are the consequences of targeted intrusions so insignificant that the captains of industry tolerate them? Or do only others feel the pain of their failure? This paper initially explores the failure of cyber security in industry and contends that, while industry leaders should not be alone in accepting responsibility for this failure, they must take the initiative to make life harder for cyber threat actors. They cannot wait for government leadership on policy, strategy or coordination. The paper then suggests some measures that a CEO can adopt to build a new corporate approach to cyber security.

Hussain Aldawood,Geoffrey Skinner

DOI: https://doi.org/10.3390/fi11030073

2019-03-18

Future Internet

Abstract:The idea and perception of good cyber security protection remains at the forefront of many organizations’ information and communication technology strategy and investment. However, delving deeper into the details of its implementation reveals that organizations’ human capital cyber security knowledge bases are very low. In particular, the lack of social engineering awareness is a concern in the context of human cyber security risks. This study highlights pitfalls and ongoing issues that organizations encounter in the process of developing the human knowledge to protect from social engineering attacks. A detailed literature review is provided to support these arguments with analysis of contemporary approaches. The findings show that despite state-of-the-art cyber security preparations and trained personnel, hackers are still successful in their malicious acts of stealing sensitive information that is crucial to organizations. The factors influencing users’ proficiency in threat detection and mitigation have been identified as business environmental, social, political, constitutional, organizational, economical, and personal. Challenges with respect to both traditional and modern tools have been analyzed to suggest the need for profiling at-risk employees (including new hires) and developing training programs at each level of the hierarchy to ensure that the hackers do not succeed.

DOI: https://doi.org/10.54060/a2zjournals.jase.42

2024-01-01

Abstract:Due to the quick development of technology, the digital age has brought with it ad-vantages never before seen, but it has also opened the door to a flood of new cyber security concerns. This study offers detailed analysis of the cyber threat environment in the digital era along with suggestions for doable protective measures. The report outlines a number of cyber threats, including malware, phishing scams, ransomware, and insider threats. It looks at the continually evolving tactics employed by cyber-criminals, such as social engineering, zero-day flaws, and sophisticated persistent threats. The growing hazards associated with cutting-edge technology, such as the Internet of Things (IoT), cloud computing, and artificial intelligence, are also exam-ined. The importance of a multi-layered security strategy to counter these attacks is emphasized in the article. Among the important preventative measures that are presented are robust network security, secure coding methodologies, user awareness training, encryption, access controls, and incident response planning. It also high-lights how crucial it is for people, businesses, and governments to collaborate in or-der to confront cyber risks. By using the recommended solutions and promoting a culture of cyber security awareness, people and organizations may navigate the dig-ital age with confidence and protect themselves from the continuously evolving environment of cyber risks.

Kenneth Lai,Helder C. R. Oliveira,Ming Hou,Svetlana N. Yanushkevich,Vlad Shmerko

DOI: https://doi.org/10.23919/eusipco47968.2020.9287384

2021-01-24

Abstract:Recognizing, assessing, countering, and mitigating the biases of different nature from heterogeneous sources is a critical problem in designing a cognitive Decision Support System (DSS). An example of such a system is a cognitive biometric-enabled security checkpoint. Biased algorithms affect the decision-making process in an unpredictable way, e.g. face recognition for different demographic groups may severely impact the risk assessment at a checkpoint. This paper addresses a challenging research question on how to manage an ensemble of biases? We provide performance projections of the DSS operational landscape in terms of biases. A probabilistic reasoning technique is used for assessment of the risk of such biases. We also provide a motivational experiment using face biometric component of the checkpoint system which highlights the discovery of an ensemble of biases and the techniques to assess their risks.

Sarah Sharifi

2023-01-23

Abstract:The Internet and cyberspace are inseparable aspects of everyone's life. Cyberspace is a concept that describes widespread, interconnected, and online digital technology. Cyberspace refers to the online world that is separate from everyday reality. Since the internet is a recent advance in human lives, there are many unknown and unpredictable aspects to it that sometimes can be catastrophic to users in financial aspects, high-tech industry, and healthcare. Cybersecurity failures are usually caused by human errors or their lack of knowledge. According to the International Business Machines Corporation (IBM) X-Force Threat Intelligence Index in 2020, around 8.5 billion records were compromised in 2019 due to failures of insiders, which is an increase of more than 200 percent compared to the compromised records in 2018. In another survey performed by the Ernst and Young Global Information Security during 2018-2019, it is reported that 34% of the organizations stated that employees who are inattentive or do not have the necessary knowledge are the principal vulnerabilities of cybersecurity, and 22% of the organizations indicated that phishing is the main threat to them. Inattentive users are one of the reasons for data breaches and cyberattacks. The National Cyber Security Centre (NCSC) in the United Kingdom observed that 23.2 million users who were victims of cybersecurity attacks used a carelessly selected password, which is 123456, as their account password. The Annual Cybersecurity Report published by Cisco in 2018 announced that phishing and spear phishing emails are the root causes of many cybersecurity attacks in recent years. Hence, enhancing the cybersecurity behaviors of both personal users and organizations can protect vulnerable users from cyber threats. Both human factors and technological aspects of cybersecurity should be addressed in organizations for a safer environment.

Human-Computer Interaction,Cryptography and Security

Chinenye Cordelia Nnamani

DOI: https://doi.org/10.58578/ijemt.v2i3.3904

2024-10-05

Abstract:This Article thoroughly examines the revolutionary impact of Artificial Intelligence (AI) on improving threat detection and response tactics within the swiftly changing realm of cybersecurity. Conventional security measures, struggling against the complexity of contemporary cyber threats, fail to provide adequate protection. In response, AI, driven by machine learning algorithms and predictive analytics, becomes a dynamic and adaptive entity strengthening digital defenses. The investigation commences with a comprehensive analysis of the methods by which AI enhances danger detection. Behavioral analytics utilizes AI to assess user behaviors and network activity, creating a proactive baseline, while anomaly detection and predictive analysis harness machine learning to recognize deviations from the norm and forecast potential dangers. This comprehensive strategy enables organizations to remain proactive against emerging cyber threats. Moreover, the study explores the crucial function of AI in incident response. AI-driven automated incident analysis expedites reaction times by rapidly analyzing and prioritizing security warnings. The amalgamation of AI with threat intelligence streams guarantees a perpetually updated knowledge repository, enabling organizations to respond adeptly to emerging dangers. The dynamic flexibility of AI allows systems to evolve and learn from each incidence, hence enhancing their defensive capacities over time. The discourse recognizes the significant advantages of AI in cybersecurity while simultaneously addressing the obstacles associated with its application. False positives, a potential drawback, require a measured approach to prevent the perception of typical action as harmful. Ethical factors, including privacy concerns and responsible AI practices, highlight the necessity for a judicious and principled incorporation of AI in cybersecurity. The paper underscores the essential collaborative synergy between human expertise and AI technologies. The essay emphasizes the importance of continuous investment in AI training programs for cybersecurity professionals, acknowledging that AI is best successful when enhanced by human insights. Additionally, it advocates for routine security audits to assess and refine cybersecurity protocols, collaborative research efforts to tackle ethical issues, and user education activities to strengthen collective defenses. As the digital landscape evolves, the incorporation of AI in cybersecurity seems not as a cure-all but as a formidable ally. This partnership guarantees a robust protection against increasingly complex cyber-attacks, reinforcing the basis for a secure digital future.

David Paulus,Gerdien de Vries,Marijn Janssen,Bartel Van de Walle

DOI: https://doi.org/10.1016/j.ijdrr.2022.103379

IF: 4.842

2022-11-01

International Journal of Disaster Risk Reduction

Abstract:A crisis requires the affected population, governments or non-profit organizations, as well as crisis experts, to make urgent and sometimes life-critical decisions. With the urgency and uncertainty they create, crises are particularly amenable to inducing cognitive biases that influence decision-making. However, there is limited empirical evidence regarding the impact of cognitive biases on estimation, judgment, and decision-making tasks in crises. Possible biases occurring in crises are: (1) to be influenced by how information is framed (i.e., framing effect), (2) to overly rely on information that confirms rather than opposes preliminary assumptions (i.e., confirmation bias), (3) to rely heavily on a skewed informational cue when making estimations (i.e., anchoring bias), and (4) to see the own decision-making as less biased than decision-making of others (i.e., bias blind spot). We investigate these four cognitive biases using three online survey experiments targeting crisis-affected people of the general public (n = 460, mTurk workers), governmental and non-profit workers (n = 50, mTurk workers), and crisis experts (n = 21, purposefully sampled). Our findings show that crisis experts are the least biased group but are still significantly affected by anchoring, framing, and bias blind spot. Crisis-affected people from the general public showed the strongest susceptibility to all four biases studied. The findings have implications for future research on crisis information systems (IS) design. As crisis response is increasingly facilitated through IS, we propose debiasing functions that account for biased user behavior in crises.

geosciences, multidisciplinary,meteorology & atmospheric sciences,water resources

Gaudys L. Sanclemente

DOI: https://doi.org/10.1057/s41284-021-00321-2

2021-10-29

Security Journal

Abstract:Technology advances neither enhances nor detracts from cognitive human bias since its existence over thousands of years. However, skewness in conventional artificial intelligence mechanisms leads to algorithmic mishaps. Understanding the interconnection between human and machine, that algorithms are subject to bias through interactions, and the output of algorithmic bias forms a source of inspiration to the U.S. Intelligence Community (IC). As a result of emerging technologies such as artificial intelligence (AI) and its subset of machine learning, complex cybercrimes raises security concerns and highlights pertinent considerations for national security; infectious diseases can be a national security concern and facilitate bioterrorism and the production of biological weapons; and automation systems in the form of unmanned aerial systems (UAS) can have national security implications as an attractive tool for criminals and nefarious actors. This article uses grounded theory to analyse congressional hearing reports and related official documents. Increasing our understanding of the process leads to output attainment since AI operates at the speed of light and more data than we can humanly manage accessible. The present research intends to contribute to international relations, international studies, security and strategic studies, and science and technology studies.

criminology & penology

Rosana Montanez Rodriguez,Edward Golob,Shouhuai Xu

DOI: https://doi.org/10.48550/arXiv.2007.04932

2020-07-10

Abstract:Social engineering cyberattacks are a major threat because they often prelude sophisticated and devastating cyberattacks. Social engineering cyberattacks are a kind of psychological attack that exploits weaknesses in human cognitive functions. Adequate defense against social engineering cyberattacks requires a deeper understanding of what aspects of human cognition are exploited by these cyberattacks, why humans are susceptible to these cyberattacks, and how we can minimize or at least mitigate their damage. These questions have received some amount of attention but the state-of-the-art understanding is superficial and scattered in the literature. In this paper, we review human cognition through the lens of social engineering cyberattacks. Then, we propose an extended framework of human cognitive functions to accommodate social engineering cyberattacks. We cast existing studies on various aspects of social engineering cyberattacks into the extended framework, while drawing a number of insights that represent the current understanding and shed light on future research directions. The extended framework might inspire future research endeavors towards a new sub-field that can be called Cybersecurity Cognitive Psychology, which tailors or adapts principles of Cognitive Psychology to the cybersecurity domain while embracing new notions and concepts that are unique to the cybersecurity domain.

Cryptography and Security

Simon Vrhovec,Blaž Markelj

DOI: https://doi.org/10.1371/journal.pone.0312266

IF: 3.7

2024-10-19

PLoS ONE

Abstract:Cyberattacks pose a significant business risk to organizations. Although there is ample literature focusing on why people pose a major risk to organizational cybersecurity and how to deal with it, there is surprisingly little we know about cyber and information security decision-makers who are essentially the people in charge of setting up and maintaining organizational cybersecurity. In this paper, we study cybersecurity awareness of cyber and information security decision-makers, and investigate factors associated with it. We conducted an online survey among Slovenian cyber and information security decision-makers ( N = 283) to (1) determine whether their cybersecurity awareness is associated with adoption of antimalware solutions in their organizations, and (2) explore which organizational factors and personal characteristics are associated with their cybersecurity awareness. Our findings indicate that awareness of well-known threats and solutions seems to be quite low for individuals in decision-making roles. They also provide insights into which threats (e.g., distributed denial-of-service (DDoS) attacks, botnets, industrial espionage, and phishing) and solutions (e.g., security operation center (SOC), advanced antimalware solutions with endpoint detection and response (EDR)/extended detection and response (XDR) capabilities, organizational critical infrastructure access control, centralized device management, multi-factor authentication, centralized management of software updates, and remote data deletion on lost or stolen devices) are cyber and information security decision-makers the least aware of. We uncovered that awareness of certain threats and solutions is positively associated with either adoption of advanced antimalware solutions with EDR/XDR capabilities or adoption of SOC. Additionally, we identified significant organizational factors (organizational role type) and personal characteristics (gender, age, experience with information security and experience with information technology (IT)) related to cybersecurity awareness of cyber and information security decision-makers. Organization size and formal education were not significant. These results offer insights that can be leveraged in targeted cybersecurity training tailored to the needs of groups of cyber and information security decision-makers based on these key factors.

multidisciplinary sciences

Temitayo Oluwaseun Abrahams,Sarah Kuzankah Ewuga,Samuel Onimisi Dawodu,Abimbola Oluwatoyin Adegbite,Azeez Olanipekun Hassan

DOI: https://doi.org/10.51594/csitrj.v5i1.699

2024-01-09

Computer Science & IT Research Journal

Abstract:In an era where digital threats are increasingly pervasive, understanding the evolution and efficacy of cybersecurity strategies in modern organizations is paramount. This study provides a comprehensive analysis of the dynamic landscape of cybersecurity, exploring its progression from traditional methods to innovative, technology-driven approaches. The digital age has ushered in complex cyber threats, necessitating robust cybersecurity measures. This study examines cybersecurity strategies' historical development, current trends, and future directions across different organizational contexts and industries. The primary aim is to assess the evolution and effectiveness of cybersecurity measures, identify existing gaps, and understand the interplay between human behavior, technology, and policy in cybersecurity. The paper encompasses a comprehensive methodological framework for cybersecurity analysis, exploring the effectiveness of traditional versus modern approaches, the role of AI and ML, and the impact of international policies. It also presents case studies to illustrate successes and failures in cybersecurity implementation. Key findings reveal a significant shift towards advanced technologies like AI and ML in cybersecurity, the critical role of human factors in shaping cybersecurity outcomes, and the influence of international policies in standardizing cybersecurity practices. The study concludes that effective cybersecurity strategies require a balanced approach, combining technological advancements with understanding human factors and adherence to international standards. Recommendations include continuous education and training, adopting holistic cybersecurity strategies, and aligning with international policies. Keywords: Cybersecurity, Artificial Intelligence, Machine Learning, International Policies, Human Factors, Cyber Threats.

Ahmed Sleem,

DOI: https://doi.org/10.54216/jcim.100204

2022-01-01

Journal of Cybersecurity and Information Management

Abstract:The digital age has ushered in a new era of connectivity and opportunity. However, it has also made us more vulnerable to cyber threats. In recent years, we have seen a rise in the number and sophistication of cyberattacks. These attacks can have a devastating impact on businesses, governments, and individuals. This paper provides a comprehensive overview of cybersecurity threats and countermeasures. It begins by discussing the different types of cybersecurity threats, including malware, phishing, denial-of-service attacks, and data breaches. The paper then discusses the different types of cybersecurity countermeasures, including firewalls, antivirus software, and intrusion detection systems. The paper concludes by discussing strategies for mitigating risks in the digital age including 1) Investing in cybersecurity solutions, 2) Educating employees about cybersecurity best practices, and 3) Having a plan in place to respond to cyberattacks. By following these strategies, businesses, governments, and individuals can help to protect themselves from cyber threats.

Sunan Zhang

DOI: https://doi.org/10.70267/9p9ktb67

2024-07-09

Abstract:In the context of the growing prevalence of the Internet, the incidence of cybercrime is increasing at a rapid pace. This has led to the emergence of cybercrime helpers, who have become a significant and pervasive phenomenon that cannot be overlooked. This paper addresses the psychological characteristics of those who engage in cybercrime. A combination of literature study and empirical research allows for a preliminary analysis of the risk-taking psychology and risk perception bias of cybercrime helpers. It also provides new ideas and directions for the study of curbing cybercrime and offers prevention and intervention strategies targeting the psychological level of low-age and social individuals. The study revealed that the risk-taking psychology and risk perception bias of cybercrime helpers are closely intertwined, influencing each other to prompt criminal behaviour. The findings offer implementation strategies with practical value for cybercrime governance.

Maria Bada,Angela M. Sasse,Jason R. C. Nurse

DOI: https://doi.org/10.48550/arXiv.1901.02672

2019-01-09

Abstract:The present paper focuses on Cyber Security Awareness Campaigns, and aims to identify key factors regarding security which may lead them to failing to appropriately change people's behaviour. Past and current efforts to improve information-security practices and promote a sustainable society have not had the desired impact. It is important therefore to critically reflect on the challenges involved in improving information-security behaviours for citizens, consumers and employees. In particular, our work considers these challenges from a Psychology perspective, as we believe that understanding how people perceive risks is critical to creating effective awareness campaigns. Changing behaviour requires more than providing information about risks and reactive behaviours - firstly, people must be able to understand and apply the advice, and secondly, they must be motivated and willing to do so - and the latter requires changes to attitudes and intentions. These antecedents of behaviour change are identified in several psychological models of behaviour. We review the suitability of persuasion techniques, including the widely used 'fear appeals'. From this range of literature, we extract essential components for an awareness campaign as well as factors which can lead to a campaign's success or failure. Finally, we present examples of existing awareness campaigns in different cultures (the UK and Africa) and reflect on these.

Cryptography and Security,Computers and Society,Human-Computer Interaction

Marshall S. Rich

DOI: https://doi.org/10.3390/analytics2030035

2023-08-11

Analytics

Abstract:The rapid proliferation of cyberthreats necessitates a robust understanding of their evolution and associated tactics, as found in this study. A longitudinal analysis of these threats was conducted, utilizing a six-year data set obtained from a deception network, which emphasized its significance in the study’s primary aim: the exhaustive exploration of the tactics and strategies utilized by cybercriminals and how these tactics and techniques evolved in sophistication and target specificity over time. Different cyberattack instances were dissected and interpreted, with the patterns behind target selection shown. The focus was on unveiling patterns behind target selection and highlighting recurring techniques and emerging trends. The study’s methodological design incorporated data preprocessing, exploratory data analysis, clustering and anomaly detection, temporal analysis, and cross-referencing. The validation process underscored the reliability and robustness of the findings, providing evidence of increasingly sophisticated, targeted cyberattacks. The work identified three distinct network traffic behavior clusters and temporal attack patterns. A validated scoring mechanism provided a benchmark for network anomalies, applicable for predictive analysis and facilitating comparative study of network behaviors. This benchmarking aids organizations in proactively identifying and responding to potential threats. The study significantly contributed to the cybersecurity discourse, offering insights that could guide the development of more effective defense strategies. The need for further investigation into the nature of detected anomalies was acknowledged, advocating for continuous research and proactive defense strategies in the face of the constantly evolving landscape of cyberthreats.

Cenk Aksoy Bilen

DOI: https://doi.org/10.17261/pressacademia.2023.1735

2023-06-30

Pressacademia

Abstract:Purpose- With the rapid advancement of information and communication technologies, businesses are facing growing security risks. The prevalence, intensity, and complexity of cyber attacks worsen these vulnerabilities, leading to a rising focus on cybersecurity. Enterprises exposed to such cyberattacks might not only face considerable financial losses but also experience data breaches, operational interruptions, harm to their reputation, regulatory penalties, legal expenses, reduced competitive standing, and increased insurance premiums. In this concept study discusses the importance of human factors in cybersecurity management. While organizations spend billions on information technology systems and software to detect and prevent cyber threats, individuals play a critical role in managing these risks. Methodology- Through a review of literature and statistical data, study examines the factors contributing to cybersecurity breaches, the allocation of resources to address them, and proposes potential solutions. Findings- In the workplace, most research on cybersecurity focuses on employees as the most important source of vulnerability. In the literature review, it is understood that an employee’s carelessness and lack of awareness pose the greatest risk to cybersecurity. However, businesses often fail to show sufficient attention to human behavior in their efforts to keep organizational data secure and to plan security strategies. It is important to note that effective cybersecurity management requires not only technical controls but also the management of human factors. Meanwhile, security expenditures in enterprises are often disproportionately allocated to technology investments, with 97% being spent on technology investments, despite the fact that over 85% of breaches are attributable to human factors. Conclusion- In the literature review, it is understood that cybersecurity management is not only related to technical controls, but also the management of human factors is of critical importance. The management of individuals is also an essential cybersecurity responsibility. It is important to adopt a holistic approach to cybersecurity management includes both technical and human perspectives. Cybersecurity awareness has significant benefits for businesses to effectively manage cybersecurity which can be achieved by developing appropriate training programs and foster a cybersecurity culture. Keywords: Cybersecurity, cybersecurity management, cybersecurity awareness, technology investments, human factor JEL Codes: M12, M15, L86

Marten de Bruin,Konstantinos Mersinas

2024-05-29

Abstract:Cyber security incidents are increasing and humans play an important role in reducing their likelihood and impact. We identify a skewed focus towards technical aspects of cyber security in the literature, whereas factors influencing the secure behaviour of individuals require additional research. These factors span across both the individual level and the contextual level in which the people are situated. We analyse two datasets of a total of 37,075 records from a) self-reported security behaviours across the EU, and b) observed phishing-related behaviours from the industry security awareness training programmes. We identify that national culture, industry type, and organisational security culture play are influential Variables (antecedents) of individuals' security behaviour at contextual level. Whereas, demographics (age, gender, and level or urbanisation) and security-specific factors (security awareness, security knowledge, and prior experience with security incidents) are found to be influential variables of security behaviour at individual level. Our findings have implications for both research and practice as they fill a gap in the literature and provide concrete statistical evidence on the variables which influence security behaviour. Moreover, findings provides practical insights for organisations regarding the susceptibility of groups of people to insecure behaviour. Consequently, organisations can tailor their security training and awareness efforts (e.g., through behaviour change interventions and/or appropriate employee group profiles), adapt their communications (e.g., of information security policies), and customise their interventions according to national culture characteristics to improve security behaviour.

Cryptography and Security