What Do They Really Think? Overcoming Social Acceptability Bias in Information Security Research

This study used two techniques to encourage people to report their attitudes on workplace information security accurately. A key finding was that those who believed information security to be the responsibility of the organisation felt security risks were overstated, whereas those who believed it to be the responsibility of individuals felt warnings about security risks were valid and justified. Authors: D....

Securing Mobile Devices: Evaluating the Relationship between Risk Perception, Organisational Commitment and Information Security Awareness

This study examined the relationship between perception of risk, organisational commitment and Information Security Awareness (ISA), finding both organisational commitment and perception of personal risk to be significant predictors of ISA. Surprisingly, the frequency of workplace information security training was a negative predictor of ISA. Authors: A. Reeves, K. Parsons and D....

Deep Thought: A Cybersecurity Story

ideas42 aims to help solve difficult social problems using insights from behavioural science. In this instance, the problem in question is the human aspect of cyber security. The paper applies psychology and behavioural science principles to common cyber security issues such as phishing, insecure public Wi-Fi and poor passwords. Authors: Alex Blau, Alexandra Alhadeff, Michael Stern, Scott Stinson, Josh Wright,...

Phish Phinder: A Game Design Approach to Enhance User Confidence in Mitigating Phishing Attacks

This paper proposes and sets out the framework for the development of a game designed to educate users about phishing attacks. The proposed game draws on academic research and would take the form of a series of challenges that teach phishing concepts as the player works through them. Authors: Gaurav Misra, N.A.G. Arachchilage and Shlomo...

If someone is watching, I’ll do what I’m asked: mandatoriness, control, and information security

This research finds that people are motivated to follow security procedures when they believe the procedures to be compulsory, and that both specifying policies and evaluating behaviour help position security policies as mandatory. It follows that organisations which specify policies and evaluate behaviour are more likely to have their security procedures followed. Authors: Scott R Boss, Laurie J Kirsch, Ingo Angermeier, Raymond A Shingler, R Wayne...

The Human Factor in Cybercrime and Cybersecurity

A Research Agenda publication aiming to stimulate research on the human factor in cyber crime and cyber security. This book offers examples of unanswered research questions, along with methods and datasets that could be used in future studies. Authors: Mark Evans, Leandros A. Maglaras, Ying He, Helge...

Unwinding Ariadne’s Identity Thread: Privacy Risks with Fitness Trackers and Online Social Networks

The recent expansion of the Internet of Things (IoT) and the growing trend towards a healthier lifestyle have been followed by a proliferation of fitness trackers in daily life. These wearable IoT devices, combined with the extensive use of Online Social Networks (OSNs), have raised many security and privacy concerns. Individuals enrich their online posts with their physical performance and attendance at sporting events, without considering the risks this may entail. This paper aims to examine the potential exposure of users’...

Social Cybersecurity: Applying Social Psychology to Cybersecurity

An introduction to the research of Jason Hong, Sauvik Das, Tiffany Hyun-Jin Kim and Laura Dabbish, who investigate how social influence affects cyber security and test whether social-influence techniques can improve people’s awareness and knowledge of cyber security, as well as their motivation to act securely. Authors: Jason Hong, Sauvik Das, Tiffany Hyun-Jin Kim, Laura...

More Harm Than Good? How Messages That Interrupt Can Make Us Vulnerable

Paper highlighting how the constant stream of interrupting messages and updates from computers and phones can impair cognitive functioning through an effect called dual-task interference (DTI). DTI describes the cost of doing two things at once: two tasks can only be performed together at some loss in overall performance. Constant messages, updates and alerts mean users are frequently juggling several tasks, and so perform each of them, including responding to security prompts, more poorly. Authors: Jeffrey L. Jenkins, Bonnie Brinton Anderson, Anthony Vance, C. Brock Kirwan, David...

Awareness is only the first step

Improving cyber security awareness is often assumed to improve cyber security. This paper argues that awareness alone is not enough: people must be actively engaged in cyber security before they become a robust line of defence. The paper builds a model for engaging people in cyber security, comprising awareness profiling, awareness planning, transformation and optimisation. Authors: Marcus Beyer, Sarah Ahmed, Katja Doerlemann, Simon Arnell, Simon Parkin, Prof. M. Angela Sasse, Neil...

The Online dating romance scam: The psychological impact on victims – both financial and non-financial

This paper finds that, for most victims, the loss of the relationship when an online dating scam ends is more distressing than any financial loss suffered. According to the paper, few victims find an adequate way to cope after the scam ends. The researchers suggest that the absence of a coping mechanism leaves victims vulnerable to a second wave of attack, and make policy recommendations accordingly. Authors: Whitty, M. T. and Buchanan,...

Cyber Security Awareness Campaigns: Why do they fail to change behaviour?

The focus of this comprehensive paper is why cyber security awareness campaigns fail. The authors find that changing behaviour requires more than simply offering people information about risks and best practices: people must also be willing to apply the advice they are given, which requires a change in attitudes towards cyber security. The paper also reviews current persuasion techniques and finds that fear can be a successful motivator of behaviour change in cyber security. Finally, the paper offers examples of awareness campaigns from around the world.

Building a Self-Regulatory Model of Sleep Deprivation and Deception: The Role of Caffeine and Social Influence

This study first examines the role caffeine plays in moderating the depletion of self-regulatory resources, finding that caffeine does indeed boost those resources. It then examines how social influence affects deceptive behaviour at work, finding that people with depleted self-regulatory resources are more likely to succumb to social influence, fall in line with those around them and engage in more deceptive behaviour. Authors: David T. Welsh, Aleksander P. J. Ellis, Michael S. Christian, and Ke Michael...

Using behavioural insights to improve the public’s use of cyber security best practices

Behaviour change theory identifies three kinds of influence on behaviour: environmental factors (such as technological design), social influences (such as peers or family) and personal influences (such as what we know and believe). The paper uses the MINDSPACE framework to design behaviour change interventions grounded in established theory, maximising the chances that behaviour actually changes. Notably, it warns that fear-based messages can backfire once they come to be perceived as scaremongering, for example when users never experience an attack first hand.

A Review of Young People’s Vulnerabilities to Online Grooming

According to this study, adolescents appear to be the age group most vulnerable to online grooming; parental involvement in a child’s internet use protects against online grooming; and the more risk-taking behaviours a young person engages in, the more vulnerable they are likely to be to online grooming attempts. Authors: Helen Whittle, Catherine Hamilton-Giachritsis, Anthony Beech, Guy...

A Study of Social Engineering in Online Frauds

Researchers analyse 200 scam emails in search of patterns and find that account alerts and verification requests, urgency, the prospect of monetary gain, business proposals and mentions of large unclaimed funds are recurring themes. Authors: Brandon Atkins, Wilson Huang

European Online Grooming Project: Final Report

A report on the findings of an ambitious project aiming to understand the behaviours involved in online grooming across Europe. The report concludes that groomers’ behaviours vary widely and that, by facilitating anonymity, technology helps groomers justify their actions. It also suggests that campaigns aimed at protecting children online should take care to avoid being anti-internet in nature. Authors: Stephen Webster, Julia Davidson, Antonia Bifulco, Petter Gottschalk, Vincenzo Caretti, Thierry Pham, Julie Grove-Hills, Caroline Turley, Charlotte Tompkins;...

Leveraging Behavioral Science to Mitigate Cyber Security Risk

A thorough paper reporting the findings of Shari Pfleeger and Deanna Caputo’s research into blending behavioural science and cyber security. Following an introduction to the relationship between human behaviour and cyber security, the paper discusses proven and potential behavioural science findings that have cyber security relevance. Authors: Shari Lawrence Pfleeger, Deanna D....

Security education against phishing: A modest proposal for a major re-think

Through qualitative interviews, this study found that people tempted by a “good deal” when shopping online tend to look for signs of a site’s trustworthiness, even when warned that the site is risky. Participants cited trust seals, advertisements, references to social networking sites and professional-looking design as signs of trustworthiness, all of which a phishing site can copy as easily as a legitimate one. Authors: Iacovos Kirlappos, M. Angela...

Don’t Work. Can’t Work? Why It’s Time to Rethink Security Warnings

In this study, 120 participants were asked to test an (arbitrary) online tool. During testing, participants encountered a PDF download warning. All participants noticed the warning, but 81.7% downloaded the PDF file that triggered it regardless. The authors attribute this failure to heed security warnings to frequent exposure and false alarms. They conclude that security warnings in their current form are largely ineffective, and will remain so unless the number of false positives can be reduced. Authors: Kat Krol, Matthew Moroz, M. Angela...

Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model

Researchers build an integrated information-processing model of phishing susceptibility that explains close to 50% of the variance in individual susceptibility. In line with other research, the results indicate that individuals make decisions based on simple cues embedded in phishing emails. Authors: Arun Vishwanath, Tejaswini Herath, Rui Chen, Jingguo Wang, H. Raghav...

Indirect Warnings and Instructions Produce Behavioral Compliance

In this study, participants performed a computer memory task while their compliance with three safety measures was monitored. Compliance with indirect warnings, that is, warnings conveyed by a third party rather than by the researchers directly, was not significantly different from compliance with direct warnings. The research suggests there are effective ways to warn people other than from the top down. Authors: Michael S. Wogalter and Eric...

School of Phish: A Real-World Evaluation of Anti-Phishing Training

PhishGuru is a training system that helps users stop falling for phishing emails by showing them a training message when they click the URL in a simulated phishing email. The authors of this paper evaluated PhishGuru training in a real-world setting and found that trained users still retained what they had learned 28 days later. They also found that a second training message further reduced the likelihood of a user giving away sensitive information, and that training did not make users less likely to click links in legitimate emails, so it did not simply teach them to avoid all links.

The psychology of scams: Provoking and committing errors of judgement

This comprehensive report seeks to understand the persuasion techniques employed by scammers that successfully provoke errors of judgement. It finds that a successful scam involves all the standard elements of the ‘marketing mix’, although scams differ from conventional marketing in their illegal and illegitimate nature. Authors: Lea, Stephen E. G; Fischer, Peter; Evans, Kath...

Fraud typologies and victims of fraud: literature review

This comprehensive review reports on fraud in its many forms, with a particular focus on mass marketing fraud, identity fraud and small business fraud. It finds that fraud is often innovative and highly varied, and that fraudsters combine tactics to avoid detection. It also notes that victim profiles vary considerably. Authors: Mark Button, Chris Lewis and Jacki...