Sarah Sharifi

2023-01-23

Abstract:The Internet and cyberspace are inseparable aspects of everyone's life. Cyberspace is a concept that describes widespread, interconnected, and online digital technology. Cyberspace refers to the online world that is separate from everyday reality. Since the internet is a recent advance in human lives, there are many unknown and unpredictable aspects to it that sometimes can be catastrophic to users in financial aspects, high-tech industry, and healthcare. Cybersecurity failures are usually caused by human errors or their lack of knowledge. According to the International Business Machines Corporation (IBM) X-Force Threat Intelligence Index in 2020, around 8.5 billion records were compromised in 2019 due to failures of insiders, which is an increase of more than 200 percent compared to the compromised records in 2018. In another survey performed by the Ernst and Young Global Information Security during 2018-2019, it is reported that 34% of the organizations stated that employees who are inattentive or do not have the necessary knowledge are the principal vulnerabilities of cybersecurity, and 22% of the organizations indicated that phishing is the main threat to them. Inattentive users are one of the reasons for data breaches and cyberattacks. The National Cyber Security Centre (NCSC) in the United Kingdom observed that 23.2 million users who were victims of cybersecurity attacks used a carelessly selected password, which is 123456, as their account password. The Annual Cybersecurity Report published by Cisco in 2018 announced that phishing and spear phishing emails are the root causes of many cybersecurity attacks in recent years. Hence, enhancing the cybersecurity behaviors of both personal users and organizations can protect vulnerable users from cyber threats. Both human factors and technological aspects of cybersecurity should be addressed in organizations for a safer environment.

Human-Computer Interaction,Cryptography and Security

Hussain Aldawood,Geoffrey Skinner

DOI: https://doi.org/10.3390/fi11030073

2019-03-18

Future Internet

Abstract:The idea and perception of good cyber security protection remains at the forefront of many organizations’ information and communication technology strategy and investment. However, delving deeper into the details of its implementation reveals that organizations’ human capital cyber security knowledge bases are very low. In particular, the lack of social engineering awareness is a concern in the context of human cyber security risks. This study highlights pitfalls and ongoing issues that organizations encounter in the process of developing the human knowledge to protect from social engineering attacks. A detailed literature review is provided to support these arguments with analysis of contemporary approaches. The findings show that despite state-of-the-art cyber security preparations and trained personnel, hackers are still successful in their malicious acts of stealing sensitive information that is crucial to organizations. The factors influencing users’ proficiency in threat detection and mitigation have been identified as business environmental, social, political, constitutional, organizational, economical, and personal. Challenges with respect to both traditional and modern tools have been analyzed to suggest the need for profiling at-risk employees (including new hires) and developing training programs at each level of the hierarchy to ensure that the hackers do not succeed.

Dimitra Papatsaroucha,Yannis Nikoloudakis,Ioannis Kefaloukos,Evangelos Pallis,Evangelos K. Markakis

DOI: https://doi.org/10.48550/arXiv.2106.09986

2021-06-24

Abstract:These days, cyber-criminals target humans rather than machines since they try to accomplish their malicious intentions by exploiting the weaknesses of end users. Thus, human vulnerabilities pose a serious threat to the security and integrity of computer systems and data. The human tendency to trust and help others, as well as personal, social, and cultural characteristics, are indicative of the level of susceptibility that one may exhibit towards certain attack types and deception strategies. This work aims to investigate the factors that affect human susceptibility by studying the existing literature related to this subject. The objective is also to explore and describe state of the art human vulnerability assessment models, current prevention, and mitigation approaches regarding user susceptibility, as well as educational and awareness raising training strategies. Following the review of the literature, several conclusions are reached. Among them, Human Vulnerability Assessment has been included in various frameworks aiming to assess the cyber security capacity of organizations, but it concerns a one time assessment rather than a continuous practice. Moreover, human maliciousness is still neglected from current Human Vulnerability Assessment frameworks; thus, insider threat actors evade identification, which may lead to an increased cyber security risk. Finally, this work proposes a user susceptibility profile according to the factors stemming from our research.

Cryptography and Security

Rosana Montanez Rodriguez,Edward Golob,Shouhuai Xu

DOI: https://doi.org/10.48550/arXiv.2007.04932

2020-07-10

Abstract:Social engineering cyberattacks are a major threat because they often prelude sophisticated and devastating cyberattacks. Social engineering cyberattacks are a kind of psychological attack that exploits weaknesses in human cognitive functions. Adequate defense against social engineering cyberattacks requires a deeper understanding of what aspects of human cognition are exploited by these cyberattacks, why humans are susceptible to these cyberattacks, and how we can minimize or at least mitigate their damage. These questions have received some amount of attention but the state-of-the-art understanding is superficial and scattered in the literature. In this paper, we review human cognition through the lens of social engineering cyberattacks. Then, we propose an extended framework of human cognitive functions to accommodate social engineering cyberattacks. We cast existing studies on various aspects of social engineering cyberattacks into the extended framework, while drawing a number of insights that represent the current understanding and shed light on future research directions. The extended framework might inspire future research endeavors towards a new sub-field that can be called Cybersecurity Cognitive Psychology, which tailors or adapts principles of Cognitive Psychology to the cybersecurity domain while embracing new notions and concepts that are unique to the cybersecurity domain.

Cryptography and Security

Niroop Sugunaraj

2024-05-21

Abstract:This paper examines the complex nature of cyber attacks through an analysis of the LastPass breach. It argues for the integration of human-centric considerations into cybersecurity measures, focusing on mitigating factors such as goal-directed behavior, cognitive overload, human biases (e.g., optimism, anchoring), and risky behaviors. Findings from an analysis of this breach offers support to the perspective that addressing both the human and technical dimensions of cyber defense can significantly enhance the resilience of cyber systems against complex threats. This means maintaining a balanced approach while simultaneously simplifying user interactions, making users aware of biases, and discouraging risky practices are essential for preventing cyber incidents.

Human-Computer Interaction,Cryptography and Security

Moinescu R.

DOI: https://doi.org/10.21279/1454-864x-19-i1-022

2019-07-15

Scientific Bulletin of Naval Academy

Abstract:Along with the development of information technology in recent years, awareness about the security of computer systems is also increasing. Because the human factor is often guilty of the vulnerabilities to which an information system is exposed, this paper will research and evaluate disparate attack vectors which are being utilized today to successfully exploit human weaknesses. We will also try to create a mechanism to mitigate against these attack vectors.

Cenk Aksoy Bilen

DOI: https://doi.org/10.17261/pressacademia.2023.1735

2023-06-30

Pressacademia

Abstract:Purpose- With the rapid advancement of information and communication technologies, businesses are facing growing security risks. The prevalence, intensity, and complexity of cyber attacks worsen these vulnerabilities, leading to a rising focus on cybersecurity. Enterprises exposed to such cyberattacks might not only face considerable financial losses but also experience data breaches, operational interruptions, harm to their reputation, regulatory penalties, legal expenses, reduced competitive standing, and increased insurance premiums. In this concept study discusses the importance of human factors in cybersecurity management. While organizations spend billions on information technology systems and software to detect and prevent cyber threats, individuals play a critical role in managing these risks. Methodology- Through a review of literature and statistical data, study examines the factors contributing to cybersecurity breaches, the allocation of resources to address them, and proposes potential solutions. Findings- In the workplace, most research on cybersecurity focuses on employees as the most important source of vulnerability. In the literature review, it is understood that an employee’s carelessness and lack of awareness pose the greatest risk to cybersecurity. However, businesses often fail to show sufficient attention to human behavior in their efforts to keep organizational data secure and to plan security strategies. It is important to note that effective cybersecurity management requires not only technical controls but also the management of human factors. Meanwhile, security expenditures in enterprises are often disproportionately allocated to technology investments, with 97% being spent on technology investments, despite the fact that over 85% of breaches are attributable to human factors. Conclusion- In the literature review, it is understood that cybersecurity management is not only related to technical controls, but also the management of human factors is of critical importance. The management of individuals is also an essential cybersecurity responsibility. It is important to adopt a holistic approach to cybersecurity management includes both technical and human perspectives. Cybersecurity awareness has significant benefits for businesses to effectively manage cybersecurity which can be achieved by developing appropriate training programs and foster a cybersecurity culture. Keywords: Cybersecurity, cybersecurity management, cybersecurity awareness, technology investments, human factor JEL Codes: M12, M15, L86

Heidi Wilcox,Maumita Bhattacharya

DOI: https://doi.org/10.48550/arXiv.2005.04049

2020-05-08

Cryptography and Security

Abstract:Social engineering through social media channels targeting organizational employees is emerging as one of the most challenging information security threats. Social engineering defies traditional security efforts due to the method of attack relying on human naivet\'e or error. The vast amount of information now made available to social engineers through online social networks is facilitating methods of attack which rely on some form of human error to enable infiltration into company networks. While, paramount to organisational information security objectives is the introduction of relevant comprehensive policy and guideline, perspectives and practices vary from global region to region. This paper identifies such regional variations and then presents a detailed investigation on information security outlooks and practices, surrounding social media, in Australian organisations (both public and private). Results detected disparate views and practices, suggesting further work is needed to achieve effective protection against security threats arsing due to social media adoption.

Sinchul Back,Jennifer LaPrade

DOI: https://doi.org/10.52306/02020119kdhz8339

2019-09-06

Abstract:New technology is rapidly emerging to fight increasing cybercrime threats, however, there is one important component of a cybercrime that technology cannot always impact and that is human behavior. Unfortunately, humans can be vulnerable and easily deceived making technological advances alone inadequate in the cybercrime fight. Instead, we must take a more holistic approach by using technology and better understanding the human factors that make cybercrime possible. In this issue of the International Journal of Cybersecurity Intelligence and Cybercrime, three studies contribute to our knowledge of human factors and emerging cybercrime technology so that more effective comprehensive cybercrime prevention strategies can be developed.

Adam M. Houser,Matthew L. Bolton,Adam M. HouserMatthew L. Boltona Johns Hopkins University Applied Physics Laboratory,Laurel,MD,USAb Department of Systems and Information Engineering,University of Virginia,Charlottesville,VA,USAAdam M. Houser received the Ph.D. in industrial engineering from the State University of New York at Buffalo in Buffalo,New York,USA in 2018. Since then,he has worked at the Johns Hopkins University Applied Physics Laboratory as a senior systems engineer.Matthew Bolton is an Associate Professor of Systems and Information Engineering at the University of Virginia. He obtained his Ph.D. in Systems Engineering from UVA in 2010. He previously held academic appointments at the University of Illinois in Chicago and the University at Buffalo.

DOI: https://doi.org/10.1080/10447318.2024.2314353

IF: 4.92

2024-03-08

International Journal of Human-Computer Interaction

Abstract:Human users are increasingly recognized as a vector of cybersecurity attack. One problem that contributes to this condition is the growing complexity of digital tools. Such complexity can make it difficult for users to understand how tools work and how their actions will impact security. This work sought to answer the research question: Can mental modeling analyses (from human factors engineering and human-automation interaction) be developed to effectively discover cybersecurity risks? To answer this, we extend mental models with cybersecurity-specific concepts. The resulting models are then incorporated into model checking analyses (an automated approach to formal verification) to discover if and when mismatches between human mental models and systems can cause security failures. We evaluated our approach by successfully applying it to a case study regarding the security configuration of a popular cloud data storage service. We ultimately discuss the results of this analysis and outline future research possibilities.

computer science, cybernetics,ergonomics

Susan Squires

DOI: https://doi.org/10.33552/oajaa.2020.02.000535

2020-05-12

Open Access Journal of Archaeology & Anthropology

Abstract:Between 70% and 97% of all cyber breaches can be attributed directly or indirectly to human errors (Ponemon Institute 2018) [1]. In this opinion piece, we explore the archeology of cyber-security embedded in 20th century legacy belief and its artifacts. During the “formative period” of the computer in the last quarter of the 20th century, computers became generally available to a few societies that existed at the time. Archaic documents, such as early advertisements and bills of sale, confirm the spread of these early tools from places of work to domestic spaces. From histories we know that such computers were primarily standalone devices. If connected, modem-mediated access to the early Internet was conducted through telephone lines, which provided a mechanism for sending emails to immediate kin, friends or workgroup members.

Giampaolo Bella

DOI: https://doi.org/10.48550/arXiv.2112.12790

2021-12-18

Cryptography and Security

Abstract:Security ceremonies still fail despite decades of efforts by researchers and practitioners. Attacks are often a cunning amalgam of exploits for technical systems and of forms of human behaviour. For example, this is the case with the recent news headline of a large-scale attack against Electrum Bitcoin wallets, which manages to spread a malicious update of the wallet app. I therefore set out to look at things through a different lens. I make the (metaphorical) hypothesis that human ancestors arrived on Earth along with security ceremonies from a very far planet, the Cybersecurity planet. My hypothesis continues, in that studying (by huge telescopes) the surface of Cybersecurity in combination with the logical projection on that surface of what happens on Earth is beneficial for us earthlings. I have spotted four cities so far on the remote planet. Democratic City features security ceremonies that allow inhabitants to follow personal paths of practice and, for example, make errors or be driven by emotions. By contrast, security ceremonies in Dictatorial City compel inhabitants to comply, thus behaving like programmed automata. Security ceremonies in Beautiful City are so beautiful that inhabitants just love to follow them precisely. Invisible City has security ceremonies that are not perceivable, hence inhabitants feel like they never encounter any. Incidentally, we use the words "democratic" and "dictatorial" without any political connotation. A key argument I shall develop is that all cities but Democratic City address the human factor, albeit in different ways. In the light of these findings, I will also discuss security ceremonies of our planet, such as WhatsApp web login and flight boarding, and explore room for improving them based upon the current understanding of Cybersecurity.

Dennik Baltuttis,Timm Teubner,Marc T.P. Adam

DOI: https://doi.org/10.1016/j.cose.2024.103741

IF: 5.105

2024-02-01

Computers & Security

Abstract:While the cybersecurity literature on behavioral factors has expanded, current countermeasures often overlook employee-specific behavioral differences, leading to generic solutions. This study addresses this gap by introducing a typology of knowledge worker cybersecurity behaviors through cluster analysis. Based on online survey data (n=264), we identify six main dimensions of cybersecurity attitude and behavior and, based on these, four behavioral cybersecurity types with distinct characteristics and demographic profiles: Naïve Greenhorns, Traditional Examiners, Flexible Mavericks, and Reliable Troupers. Contrary to common beliefs, the study found that older employees demonstrate high cybersecurity resilience, while younger ones pose a higher risk. These findings underscore the importance of tailored, human-centered cybersecurity approaches.

computer science, information systems

Bhagwant Singh,Dr. Sikander Singh Cheema

DOI: https://doi.org/10.35444/ijana.2024.16108

2024-01-01

International Journal of Advanced Networking and Applications

Abstract:This paper explores the link between psychology and cybersecurity, focusing on the vital role of cognitive shields in strengthening digital security. In the rapidly changing cyberspace, understanding and using psychological defenses are crucial for dealing with evolving threats. This paper stressing the need for a holistic cybersecurity approach that considers the human factor. By investigating how human thinking connects with cyber threats, this study builds a basic understanding of the complex landscape. The core of the review looks into cognitive shields, categorizing and explaining their various aspects. From the impact of cognitive biases to the use of threat intelligence guided by psychological principles, the study explores different applications of cognitive shields. Despite their importance, the paper acknowledges challenges in implementing cognitive shields and highlights the ongoing need for innovation.

Luca Caviglione,Jean-Francois Lalande,Wojciech Mazurczyk,Steffen Wendzel

DOI: https://doi.org/10.48550/arXiv.1502.00868

2015-02-03

Abstract:Smart environments integrate Information and Communication Technologies (ICT) into devices, vehicles, buildings and cities to offer an increased quality of life, energy efficiency and economical sustainability. In this perspective, the individual has a core role and so has networking, which enables such entities to cooperate. However, the huge amount of sensitive data, social aspects and the mixed set of protocols offer many opportunities to inject hazards, exfiltrate information, mass profiling of citizens, or produce a new wave of attacks. This work reviews the major risks arising from the usage of ICT-techniques for smart environments, with emphasis on networking. Its main contribution is to explain the role of different stakeholders for causing a lack of security and to envision future threats by considering human aspects.

Computers and Society,Cryptography and Security

Brett Borghetti,Gregory Funke,Robert Pastel,Robert Gutzwiller

DOI: https://doi.org/10.1177/1541931213601569

2017-09-01

Proceedings of the Human Factors and Ergonomics Society Annual Meeting

Abstract:Historically, cyber security research has largely focused on improving the tools that cyber operators use in their daily jobs. As the main focus is on these tools, the cyber operator has been an afterthought in the human-machine-team. Human research in the cyber operation domain is difficult due to operations tempo and the often-sensitive information associated with the operational domain. As a result, human research in this field is under-represented, and it is a great challenge to better understand and address the needs of cyber operators. This panel brings cyber operators to the human factors community at the annual meeting to discuss their operational workflow, needs, and desires – at a publically consumable level. Our goal is to bridge the notable gap and open opportunities for human factors research in cyber security.

Steven Furnell

DOI: https://doi.org/10.1093/iwc/iwad035

2024-01-23

Interacting with Computers

Abstract:Abstract Encounters and interactions with cybersecurity are now regular and routine experiences for information technology users across a variety of devices, systems and services. Unfortunately, however, despite long-term recognition of the importance of usability in the technology context, the user experience of cybersecurity and privacy is by no means guaranteed to address this criterion. This paper presents an outline of usability issues and challenges in the cybersecurity context, with examples of how it has (or indeed has not) evolved in some established contexts (looking in particular at web browsing and user authentication), as well as consideration of the extent to which any better attention is apparent within more recent and emerging technology contexts (considering the presentation of related features in scenarios including app stores and smart devices). Based on the evidence, cybersecurity is clearly yet to reach a stage where its mention would naturally imply usability, but at the same time the two concepts do not have to represent a contradiction in terms. The resulting requirement is for the increasing recognition of the issue to translate into a greater level of resulting attention and action.

computer science, cybernetics,ergonomics

Marcel Böhme

2024-09-03

Abstract:Research in cybersecurity may seem reactive, specific, ephemeral, and indeed ineffective. Despite decades of innovation in defense, even the most critical software systems turn out to be vulnerable to attacks. Time and again. Offense and defense forever on repeat. Even provable security, meant to provide an indubitable guarantee of security, does not stop attackers from finding security flaws. As we reflect on our achievements, we are left wondering: Can security be solved once and for all? In this paper, we take a philosophical perspective and develop the first theory of cybersecurity that explains what precisely and *fundamentally* prevents us from making reliable statements about the security of a software system. We substantiate each argument by demonstrating how the corresponding challenge is routinely exploited to attack a system despite credible assurances about the absence of security flaws. To make meaningful progress in the presence of these challenges, we introduce a philosophy of cybersecurity.

Cryptography and Security,Software Engineering

Rebekah Rousi

DOI: https://doi.org/10.48550/arXiv.2304.06825

IF: 6.4588

2023-04-13

Human-Computer Interaction

Abstract:In an ever more connected world, awareness has grown towards the hazards and vulnerabilities that the networking on sensitive digitized information pose for all parties involved. This vulnerability rests in a number of factors, both human and technical.From an ethical perspective, this means people seeking to maximise their own gain, and accomplish their goals through exploiting information existing in cyber space at the expense of other individuals and parties. One matter that is yet to be fully explored is the eventuality of not only financial information and other sensitive material being globally connected on the information highways, but also the people themselves as physical beings. Humans are natural born cyborgs who have integrated technology into their being throughout history. Issues of cyber security are extended to cybernetic security, which not only has severe ethical implications for how we, policy makers, academics, scientists, designers etc., define ethics in relation to humanity and human rights, but also the security and safety of merged organic and artificial systems and ecosystems.

Blake C. Stacey,Yaneer Bar-Yam

DOI: https://doi.org/10.48550/arXiv.1303.2682

2013-03-11

Cryptography and Security

Abstract:Cybersecurity attacks are a major and increasing burden to economic and social systems globally. Here we analyze the principles of security in different domains and demonstrate an architectural flaw in current cybersecurity. Cybersecurity is inherently weak because it is missing the ability to defend the overall system instead of individual computers. The current architecture enables all nodes in the computer network to communicate transparently with one another, so security would require protecting every computer in the network from all possible attacks. In contrast, other systems depend on system-wide protections. In providing conventional security, police patrol neighborhoods and the military secures borders, rather than defending each individual household. Likewise, in biology, the immune system provides security against viruses and bacteria using primarily action at the skin, membranes, and blood, rather than requiring each cell to defend itself. We propose applying these same principles to address the cybersecurity challenge. This will require: (a) Enabling pervasive distribution of self-propagating securityware and creating a developer community for such securityware, and (b) Modifying the protocols of internet routers to accommodate adaptive security software that would regulate internet traffic. The analysis of the immune system architecture provides many other principles that should be applied to cybersecurity. Among these principles is a careful interplay of detection and action that includes evolutionary improvement. However, achieving significant security gains by applying these principles depends strongly on remedying the underlying architectural limitations.