Emily I M Collins,Joanne Hinds

DOI: https://doi.org/10.1089/cyber.2020.0631

Abstract:Employee behaviors remain at the center of the cybersecurity of workplaces, despite the challenges they face in doing so. Time pressures and competing demands mean that users tend to rely on habitual behaviors that often run counter to good cybersecurity practice. One possible solution may be to encourage positive habit formation. Designing such interventions, however, relies on knowledge of the perception and experience of habit formation in the context of cybersecurity. To this end, a qualitative survey containing open-ended questions was completed by 195 participants (mean age = 35.51, 53 percent female) recruited via an online participant panel. Participants were asked what cybersecurity behaviors they perform at work and how they believe any habits were prompted, formed, and maintained. Thematic analysis identified three over-arching themes: (a) forming habits unavoidably or unconsciously (some were mandated, or formed without conscious awareness), (b) consciously cultivating habits (including the roles of intrinsic motivation and external prompts), and (c) social and organizational influences (including the influence of occupational culture, social modeling, previous experiences, and information gathering practices). Based on these findings, we present guidelines for supporting workplace cybersecurity habit formation reflecting these subjective experiences, namely introducing automatic solutions, facilitating external cues, fostering interest in cybersecurity issues among employees, creating a positive cybersecurity occupational culture and highlighting positive behavior, and providing access to accessible cybersecurity information to employees. These results constitute a first step in identifying how habits can be exploited for positive cybersecurity behavior change in a way that accounts for the reliance on habitual behaviors in busy, time-pressured workplaces.

Marten de Bruin,Konstantinos Mersinas

2024-05-29

Abstract:Cyber security incidents are increasing and humans play an important role in reducing their likelihood and impact. We identify a skewed focus towards technical aspects of cyber security in the literature, whereas factors influencing the secure behaviour of individuals require additional research. These factors span across both the individual level and the contextual level in which the people are situated. We analyse two datasets of a total of 37,075 records from a) self-reported security behaviours across the EU, and b) observed phishing-related behaviours from the industry security awareness training programmes. We identify that national culture, industry type, and organisational security culture play are influential Variables (antecedents) of individuals' security behaviour at contextual level. Whereas, demographics (age, gender, and level or urbanisation) and security-specific factors (security awareness, security knowledge, and prior experience with security incidents) are found to be influential variables of security behaviour at individual level. Our findings have implications for both research and practice as they fill a gap in the literature and provide concrete statistical evidence on the variables which influence security behaviour. Moreover, findings provides practical insights for organisations regarding the susceptibility of groups of people to insecure behaviour. Consequently, organisations can tailor their security training and awareness efforts (e.g., through behaviour change interventions and/or appropriate employee group profiles), adapt their communications (e.g., of information security policies), and customise their interventions according to national culture characteristics to improve security behaviour.

Cryptography and Security

Sarah Sharifi

2023-01-23

Abstract:The Internet and cyberspace are inseparable aspects of everyone's life. Cyberspace is a concept that describes widespread, interconnected, and online digital technology. Cyberspace refers to the online world that is separate from everyday reality. Since the internet is a recent advance in human lives, there are many unknown and unpredictable aspects to it that sometimes can be catastrophic to users in financial aspects, high-tech industry, and healthcare. Cybersecurity failures are usually caused by human errors or their lack of knowledge. According to the International Business Machines Corporation (IBM) X-Force Threat Intelligence Index in 2020, around 8.5 billion records were compromised in 2019 due to failures of insiders, which is an increase of more than 200 percent compared to the compromised records in 2018. In another survey performed by the Ernst and Young Global Information Security during 2018-2019, it is reported that 34% of the organizations stated that employees who are inattentive or do not have the necessary knowledge are the principal vulnerabilities of cybersecurity, and 22% of the organizations indicated that phishing is the main threat to them. Inattentive users are one of the reasons for data breaches and cyberattacks. The National Cyber Security Centre (NCSC) in the United Kingdom observed that 23.2 million users who were victims of cybersecurity attacks used a carelessly selected password, which is 123456, as their account password. The Annual Cybersecurity Report published by Cisco in 2018 announced that phishing and spear phishing emails are the root causes of many cybersecurity attacks in recent years. Hence, enhancing the cybersecurity behaviors of both personal users and organizations can protect vulnerable users from cyber threats. Both human factors and technological aspects of cybersecurity should be addressed in organizations for a safer environment.

Human-Computer Interaction,Cryptography and Security

Moti Zwilling,Galit Klien,Dušan Lesjak,Łukasz Wiechetek,Fatih Cetin,Hamdullah Nejat Basim

DOI: https://doi.org/10.1080/08874417.2020.1712269

2020-02-14

Journal of Computer Information Systems

Abstract:Cyber-attacks represent a potential threat to information security. As rates of data usage and internet consumption continue to increase, cyber awareness turned to be increasingly urgent. This study focuses on the relationships between cyber security awareness, knowledge and behavior with protection tools among individuals in general and across four countries: Israel, Slovenia, Poland and Turkey in particular. Results show that internet users possess adequate cyber threat awareness but apply only minimal protective measures usually relatively common and simple ones. The study findings also show that higher cyber knowledge is connected to the level of cyber awareness, beyond the differences in respondent country or gender. In addition, awareness is also connected to protection tools, but not to information they were willing to disclose. Lastly, findings exhibit differences between the explored countries that affect the interaction between awareness, knowledge, and behaviors. Results, implications, and recommendations for effective based cyber security training programs are presented and discussed.

computer science, information systems

Amy Ertan,Georgia Crossland,Claude Heath,David Denny,Rikke Jensen

DOI: https://doi.org/10.48550/arXiv.2004.11768

2020-04-24

Abstract:This review explores the academic and policy literature in the context of everyday cyber security in organisations. In so doing, it identifies four behavioural sets that influences how people practice cyber security. These are compliance with security policy, intergroup coordination and communication, phishing/email behaviour, and password behaviour. However, it is important to note that these are not exhaustive and they do not exist in isolation. In addition, the review explores the notion of security culture as an overarching theme that overlaps and frames the four behavioural sets. The aim of this review is therefore to provide a summary of the existing literature in the area of everyday cyber security within the social sciences, with a particular focus on organisational contexts. In doing so, it develops a series of suggestions for future research directions based on existing gaps in the literature. The review also includes a theoretical lens that will aid the understanding of existing studies and wider literatures. Where possible, the review makes recommendations for organisations in relation to everyday cyber security.

Computers and Society

Kenneth David Strang

DOI: https://doi.org/10.3390/bdcc8040037

2024-03-29

Big Data and Cognitive Computing

Abstract:A critical worldwide problem is that ransomware cyberattacks can be costly to organizations. Moreover, accidental employee cybercrime risk can be challenging to prevent, even by leveraging advanced computer science techniques. This exploratory project used a novel cognitive computing design with detailed explanations of the action-research case-study methodology and customized machine learning (ML) techniques, supplemented by a workflow diagram. The ML techniques included language preprocessing, normalization, tokenization, keyword association analytics, learning tree analysis, credibility/reliability/validity checks, heatmaps, and scatter plots. The author analyzed over 8 GB of employee behavior big data from a multinational Fintech company global intranet. The five-factor personality theory (FFPT) from the psychology discipline was integrated into semi-supervised ML to classify retrospective employee behavior and then identify cybercrime risk. Higher levels of employee neuroticism were associated with a greater organizational cybercrime risk, corroborating the findings in empirical publications. In stark contrast to the literature, an openness to new experiences was inversely related to cybercrime risk. The other FFPT factors, conscientiousness, agreeableness, and extroversion, had no informative association with cybercrime risk. This study introduced an interdisciplinary paradigm shift for big data cognitive computing by illustrating how to integrate a proven scientific construct into ML—personality theory from the psychology discipline—to analyze human behavior using a retrospective big data collection approach that was asserted to be more efficient, reliable, and valid as compared to traditional methods like surveys or interviews.

English Else

Charlette Donalds,Kweku-Muata Osei-Bryson

DOI: https://doi.org/10.1016/j.ijinfomgt.2019.102056

IF: 18.958

2020-04-01

International Journal of Information Management

Abstract:Recent information and cybersecurity research have focused on improving individuals' security compliance behavior. However, improved security performance remains a challenge since individuals often fail to comply with security best practices. In this study, we investigate a new individual cybersecurity compliance behavior model proposed by Donalds and Osei-Bryson (2017). Specifically, we investigate the influence of individual decision styles on their cybersecurity compliance behavior and other antecedents of such behavior. To empirically validate the hypotheses in the Donalds & Osei-Bryson model, we used data collected from 248 individuals and then use multiple regression to examine the assertions of the model. Our findings confirm that individual's decision styles, specifically, dominant orientation and dominant decision style, influence their individual cybersecurity compliance behavior and other antecedents of such behavior. Our research offers new dimensions for investigating individual cybersecurity compliance behavior and new insights into factors that may influence individual's cybersecurity compliance behavior.

Carlos I. Torres,Robert E. Crossler

DOI: https://doi.org/10.1287/isre.2021.0563

IF: 4.9

2024-07-01

Information Systems Research

Abstract:Organizations worldwide face critical concerns related to cybersecurity threats and information security policy (ISP) compliance. Even though humans are the weakest link in the cybersecurity chain, information security professionals understand the importance of promoting individual information security behaviors because employees are also the first line of defense against ever-increasing cyber threats. Despite a recent trend of working from home, organizations do not make significant differences in their information security interventions for remote workers, relying mainly on VPNs as the only used tool, essentially making employees follow in-office standard information security policies because they are “virtually in-office.” Our study suggests that organizations need to recognize the unique context of remote work and consider personal motivations when shaping information security practices. Furthermore, our study indicates that in order to motivate remote employees to follow secure information security practices, organizations should consider personal characteristics instead of focusing on generic interventions. For instance, our study compares onsite and remote workers, suggesting that personal values are more relevant in remote work settings. Our findings exemplify just one of the many potential personal characteristics to be considered, highlighting how personal values are important motivators for ISP compliance and how they differ for onsite and remote workers in their importance when following information security rules.

information science & library science,management

Joseph Fenech,Deborah Richards,Paul Formosa

DOI: https://doi.org/10.1016/j.cose.2024.103795

IF: 5.105

2024-03-04

Computers & Security

Abstract:The human factor in information systems is a large vulnerability when implementing cybersecurity, and many approaches, including technical and policy driven solutions, seek to mitigate this vulnerability. Decisions to apply technical or policy solutions must consider how an individual's values and moral stance influence their responses to these implementations. Our research aims to evaluate how individuals prioritise different ethical principles when making cybersecurity sensitive decisions and how much perceived choice they have when doing so. Further, we sought to use participants' responses to cybersecurity scenarios to create profiles that describe their values and individual factors including personality. Participants (n = 193) in our study responded to five different ethically sensitive cybersecurity scenarios in random order, selecting their action in that scenario and rating and ranking of the ethical principles (i.e., Beneficence, Non-Maleficence, Justice, Autonomy, Explicability) behind that action. Using participants' demographics, personality, values, and cyber hygiene practices, we created profiles using machine learning to predict participants' choices and the principle of most importance to them across scenarios. Further, we found that, generalising, for our participants Autonomy was the most important ethical principle in our scenarios, followed by Justice. Our study also suggests that participants felt they had some agency in their decision making and they were able to weigh up different ethical principles.

computer science, information systems

Maria Bada,Jason R. C. Nurse

DOI: https://doi.org/10.48550/arXiv.2308.15948

2023-08-30

Cryptography and Security

Abstract:While modern society benefits from a range of technological advancements, it also is exposed to an ever-increasing set of cybersecurity threats. These affect all areas of life including business, government, and individuals. To complement technology solutions to this problem, it is crucial to understand more about cybercriminal perpetrators themselves, their use of technology, psychological aspects, and profiles. This is a topic that has received little socio-technical research emphasis in the technology community, has few concrete research findings, and is thus a prime area for development. The aim of this article is to explore cybercriminal activities and behavior from a psychology and human aspects perspective, through a series of notable case studies. We examine motivations, psychological and other interdisciplinary concepts as they may impact/influence cybercriminal activities. We expect this paper to be of value and particularly insightful for those studying technology, psychology, and criminology, with a focus on cybersecurity and cybercrime.

Princely Ifinedo

DOI: https://doi.org/10.1080/08874417.2022.2065553

2022-04-20

Journal of Computer Information Systems

Abstract:Organizations whose employees participate in risky cybersecurity behaviors (RCySecB) could suffer disastrous consequences either directly or indirectly from actions linked to such behaviors. This study used conceptualizations facilitated by Attribution Theory to examine the effects of dispositional factors (self-control and knowledge of IS security threats/risks and their potential consequences) and situational factors (security, education, training, and awareness (SETA) programs and computer monitoring) in reducing employee participation in RCySecB. Data was collected from a survey of working professionals in India, and relevant hypotheses were formulated. The PLS technique was used for data analysis. This study investigated the direct effects of the factors on the dependent construct and analyzed the interacting effects of the constructs as well. The results indicate that all factors reduce employee participation in RCySecB. However, the joint effects of the situational factor elements and the dispositional factor of personal knowledge security threats/risks and their potential consequences were insignificant in the model.

computer science, information systems

Ying Li,Tong Xin,Mikko Siponen

DOI: https://doi.org/10.1109/MSEC.2021.3117371

IF: 3.105

2022-01-01

IEEE Security & Privacy

Abstract:Citizens’ cybersecurity behaviors are an important concern in the modern age. This work discusses the challenges of studying citizen cybersecurity behaviors and the directions for future research.

Steve Goliath,Pitso Tsibolane,Dirk Snyman

2024-11-06

Abstract:Cyberattacks frequently target higher educational institutions, making cybersecurity awareness and resilience critical for students. However, limited research exists on cybersecurity awareness, attitudes, and resilience among students in higher education. This study addresses this gap using the Theory of Planned Behavior as a theoretical framework. A modified Human Aspects of Information Security Questionnaire was employed to gather 266 valid responses from undergraduate and postgraduate students at a South African higher education institution. Key dimensions of cybersecurity awareness and behavior, including password management, email usage, social media practices, and mobile device security, were assessed. A significant disparity in cybersecurity awareness and practices, with postgraduate students demonstrating superior performance across several dimensions was noted. This research postulates the existence of a Cybersecurity-Education Inflection Point during the transition to postgraduate studies, coined as the Cybersecurity-Resilience Gap. These concepts provide a foundation for developing targeted cybersecurity education initiatives in higher education, particularly highlighting the need for earlier intervention at the undergraduate level.

Cryptography and Security

Naresh Kshetri,Vasudha,Denisa Hoxha

2023-10-19

Abstract:Technology has advanced dramatically in the previous several years. There are also cyber assaults. Cyberattacks pose a possible danger to information security and the general public. Since data practice and internet consumption rates continue to upswing, cyber awareness has become progressively important. Furthermore, as businesses pace their digital transformation with mobile devices, cloud services, communal media, and Internet of Things services, cybersecurity has appeared as a critical issue in corporate risk management. This research focuses on the relations between cybersecurity awareness, cyber knowledge, computer ethics, cyber ethics, and cyber behavior, as well as protective tools, across university students in general. The findings express that while internet users are alert of cyber threats, they only take the most elementary and easy-to-implement precautions. Several knowledge and awareness have been proposed to knob the issue of cyber security. It also grants the principles of cybersecurity in terms of its structure, workforces, and evidence pertaining to the shield of personal information in the cyber world. The first step is for people to educate themselves about the negative aspects of the internet and to learn more about cyber threats so that they can notice when an attack is taking place. To validate the efficiency of the suggested analysis between CS and non-CS university students, case study along with several comparisons are provided.

Cryptography and Security

Dimitra Papatsaroucha,Yannis Nikoloudakis,Ioannis Kefaloukos,Evangelos Pallis,Evangelos K. Markakis

DOI: https://doi.org/10.48550/arXiv.2106.09986

2021-06-24

Abstract:These days, cyber-criminals target humans rather than machines since they try to accomplish their malicious intentions by exploiting the weaknesses of end users. Thus, human vulnerabilities pose a serious threat to the security and integrity of computer systems and data. The human tendency to trust and help others, as well as personal, social, and cultural characteristics, are indicative of the level of susceptibility that one may exhibit towards certain attack types and deception strategies. This work aims to investigate the factors that affect human susceptibility by studying the existing literature related to this subject. The objective is also to explore and describe state of the art human vulnerability assessment models, current prevention, and mitigation approaches regarding user susceptibility, as well as educational and awareness raising training strategies. Following the review of the literature, several conclusions are reached. Among them, Human Vulnerability Assessment has been included in various frameworks aiming to assess the cyber security capacity of organizations, but it concerns a one time assessment rather than a continuous practice. Moreover, human maliciousness is still neglected from current Human Vulnerability Assessment frameworks; thus, insider threat actors evade identification, which may lead to an increased cyber security risk. Finally, this work proposes a user susceptibility profile according to the factors stemming from our research.

Cryptography and Security

Marshall S. Rich

DOI: https://doi.org/10.3390/analytics2030035

2023-08-11

Analytics

Abstract:The rapid proliferation of cyberthreats necessitates a robust understanding of their evolution and associated tactics, as found in this study. A longitudinal analysis of these threats was conducted, utilizing a six-year data set obtained from a deception network, which emphasized its significance in the study’s primary aim: the exhaustive exploration of the tactics and strategies utilized by cybercriminals and how these tactics and techniques evolved in sophistication and target specificity over time. Different cyberattack instances were dissected and interpreted, with the patterns behind target selection shown. The focus was on unveiling patterns behind target selection and highlighting recurring techniques and emerging trends. The study’s methodological design incorporated data preprocessing, exploratory data analysis, clustering and anomaly detection, temporal analysis, and cross-referencing. The validation process underscored the reliability and robustness of the findings, providing evidence of increasingly sophisticated, targeted cyberattacks. The work identified three distinct network traffic behavior clusters and temporal attack patterns. A validated scoring mechanism provided a benchmark for network anomalies, applicable for predictive analysis and facilitating comparative study of network behaviors. This benchmarking aids organizations in proactively identifying and responding to potential threats. The study significantly contributed to the cybersecurity discourse, offering insights that could guide the development of more effective defense strategies. The need for further investigation into the nature of detected anomalies was acknowledged, advocating for continuous research and proactive defense strategies in the face of the constantly evolving landscape of cyberthreats.

Hussain Aldawood,Geoffrey Skinner

DOI: https://doi.org/10.3390/fi11030073

2019-03-18

Future Internet

Abstract:The idea and perception of good cyber security protection remains at the forefront of many organizations’ information and communication technology strategy and investment. However, delving deeper into the details of its implementation reveals that organizations’ human capital cyber security knowledge bases are very low. In particular, the lack of social engineering awareness is a concern in the context of human cyber security risks. This study highlights pitfalls and ongoing issues that organizations encounter in the process of developing the human knowledge to protect from social engineering attacks. A detailed literature review is provided to support these arguments with analysis of contemporary approaches. The findings show that despite state-of-the-art cyber security preparations and trained personnel, hackers are still successful in their malicious acts of stealing sensitive information that is crucial to organizations. The factors influencing users’ proficiency in threat detection and mitigation have been identified as business environmental, social, political, constitutional, organizational, economical, and personal. Challenges with respect to both traditional and modern tools have been analyzed to suggest the need for profiling at-risk employees (including new hires) and developing training programs at each level of the hierarchy to ensure that the hackers do not succeed.

Aristotle Onumo,Irfan Ullah-Awan,Andrea Cullen

DOI: https://doi.org/10.1145/3424282

2021-06-01

ACM Transactions on Management Information Systems

Abstract:The increase in cybersecurity threats and the challenges for organisations to protect their information technology assets has made adherence to organisational security control processes and procedures a critical issue that needs to be adequately addressed. Drawing insight from organisational theory literature, we develop a multi-theory model, combining the elements of the theory of planned behaviour, competing value framework, and technology—organisational and environmental theory to examine how the organisational mechanisms interact with espoused cultural values and employee cognitive belief to influence cybersecurity control procedures. Using a structured questionnaire, we deployed structural equation modelling (SEM) to analyse the survey data obtained from public sector information technology organisations in Nigeria to test the hypothesis on the relationship of socio-organisational mechanisms and techno-cultural factors with other key determinants of employee security behaviour. The results showed that knowledge of cybersecurity and employee cognitive belief significantly influence the employees’ intentions to comply with organisational cybersecurity control mechanisms. The research further noted that the influence of organisational elements such as leadership on employee security behaviour is mediated by espoused cultural values while the impact of employee cognitive belief is moderated by security technologies. For effective cybersecurity compliance, leaders and policymakers are therefore to promote organisational security initiatives that ensure incorporation of cybersecurity principles and practices into job descriptions, routines, and processes. This study contributes to behavioural security research by highlighting the critical role of leadership and cultural values in fostering organisational adherence to prescribed security control mechanisms.

Cenk Aksoy Bilen

DOI: https://doi.org/10.17261/pressacademia.2023.1735

2023-06-30

Pressacademia

Abstract:Purpose- With the rapid advancement of information and communication technologies, businesses are facing growing security risks. The prevalence, intensity, and complexity of cyber attacks worsen these vulnerabilities, leading to a rising focus on cybersecurity. Enterprises exposed to such cyberattacks might not only face considerable financial losses but also experience data breaches, operational interruptions, harm to their reputation, regulatory penalties, legal expenses, reduced competitive standing, and increased insurance premiums. In this concept study discusses the importance of human factors in cybersecurity management. While organizations spend billions on information technology systems and software to detect and prevent cyber threats, individuals play a critical role in managing these risks. Methodology- Through a review of literature and statistical data, study examines the factors contributing to cybersecurity breaches, the allocation of resources to address them, and proposes potential solutions. Findings- In the workplace, most research on cybersecurity focuses on employees as the most important source of vulnerability. In the literature review, it is understood that an employee’s carelessness and lack of awareness pose the greatest risk to cybersecurity. However, businesses often fail to show sufficient attention to human behavior in their efforts to keep organizational data secure and to plan security strategies. It is important to note that effective cybersecurity management requires not only technical controls but also the management of human factors. Meanwhile, security expenditures in enterprises are often disproportionately allocated to technology investments, with 97% being spent on technology investments, despite the fact that over 85% of breaches are attributable to human factors. Conclusion- In the literature review, it is understood that cybersecurity management is not only related to technical controls, but also the management of human factors is of critical importance. The management of individuals is also an essential cybersecurity responsibility. It is important to adopt a holistic approach to cybersecurity management includes both technical and human perspectives. Cybersecurity awareness has significant benefits for businesses to effectively manage cybersecurity which can be achieved by developing appropriate training programs and foster a cybersecurity culture. Keywords: Cybersecurity, cybersecurity management, cybersecurity awareness, technology investments, human factor JEL Codes: M12, M15, L86

Elissa M. Redmiles

DOI: https://doi.org/10.48550/arXiv.1808.08177

2019-01-10

Abstract:Digital security technology is able to identify and prevent many threats to users accounts. However, some threats remain that, to provide reliable security, require human intervention: e.g., through users paying attention to warning messages or completing secondary authentication procedures. While prior work has broadly explored people's mental models of digital security threats, we know little about users' precise, in-the-moment response process to in-the-wild threats. In this work, we conduct a series of qualitative interviews (n=67) with users who had recently experienced suspicious login incidents on their real Facebook accounts in order to explore this process of account security incident response. We find a common process across participants from five countries -- with differing online and offline cultures -- allowing us to identify areas for future technical development to best support user security. We provide additional insights on the unique nature of incident-response information seeking, known attacker threat models, and lessons learned from a large, cross-cultural qualitative study of digital security.

Cryptography and Security,Computers and Society,Human-Computer Interaction