Understanding susceptibility to phishing emails: Assessing the impact of individual differences and culture

This study looked into how individual differences and national culture affected participants’ responses to phishing and spear-phishing emails. It found that a national culture that promotes the needs of the individual (rather than the needs of society) increased the likelihood of phishing and spear-phishing emails being accurately identified. It also found that impulsiveness decreased the chances of phishing emails being identified, but the same was not true of spear-phishing emails. Finally, the study found individual differences had an effect on users’ ability to spot malicious...

Securing Mobile Devices: Evaluating the Relationship between Risk Perception, Organisational Commitment and Information Security Awareness

This study examined the relationship between perception of risk, organisational commitment and Information Security Awareness (ISA), finding both organisational commitment and perception of personal risk to be significant predictors of ISA. Surprisingly, the frequency of workplace information security training negatively affected ISA. Read full paper. Authors: A. Reeves, K. Parsons and D....

Phish Phinder: A Game Design Approach to Enhance User Confidence in Mitigating Phishing Attacks

This paper proposes and sets out the framework for the development of a game designed to help educate users about phishing attacks. The proposed game draws on academic research and would take the form of a series of challenges that inherently educate users about phishing concepts. Read full paper. Authors: Gaurav Misra, N.A.G. Arachchilage and Shlomo...

If someone is watching, I’ll do what I’m asked: mandatoriness, control, and information security

This research finds that people are motivated to follow security procedures when they believe the procedures to be compulsory, and that both specifying policies and evaluating behaviours help position security policies as mandatory. It follows that organisations that specify policies and evaluate behaviours are more likely to see their security procedures followed. Read full paper. Authors: Scott R Boss, Laurie J Kirsch, Ingo Angermeier, Raymond A Shingler, R Wayne...

Social Cybersecurity: Applying Social Psychology to Cybersecurity

An introduction to the research of Jason Hong, Sauvik Das, Tiffany Hyun-Jin Kim and Laura Dabbish, who are investigating how social influence affects cyber security and testing how social influence techniques can improve people’s awareness and knowledge of cyber security, as well as their motivation to act securely. Read full paper. Authors: Jason Hong, Sauvik Das, Tiffany Hyun-Jin Kim, Laura...

Human Behaviour as an aspect of Cyber Security Assurance

This paper reviews existing research into cyber security assurance processes in an effort to identify elements of cyber security that would benefit from further research and development. It concludes that the cyber security industry would benefit from more research into the human aspect of cyber security and proposes that a new framework be developed to help shape new human cyber security assurance mechanisms and evaluate their effectiveness. Read full paper. Authors: Mark Evans, Leandros A. Maglaras, Ying He, Helge...

Nudging Online Security Behaviour with Warning Messages

Researchers tested the effectiveness of nine different ways of warning users about cyber security threats. Making users aware of the steps they could take to minimise risk was effective in triggering more secure behaviour. Gain-framed messages, loss-framed messages and a message from a male anthropomorphic character also triggered more secure behaviour. Interestingly, although these interventions influenced behaviour, they did not affect participants’ self-reported knowledge of how to prevent cyber attacks. Read full paper. Authors: René van Bavel, Nuria...

Awareness is only the first step

Improving cyber security awareness is often assumed to improve cyber security. This paper argues that awareness alone is not enough: people must be actively engaged in cyber security before they can form a robust line of defence. The paper builds a model for engaging people in cyber security, which includes awareness profiling, awareness planning, transformation and optimisation. Read full paper. Authors: Marcus Beyer, Sarah Ahmed, Katja Doerlemann, Simon Arnell, Simon Parkin, Prof. M. Angela Sasse, Neil...

Improving Your Security Awareness Campaigns: Examples From Behavioral Science

This short blog post suggests that cyber security awareness campaigns should be run not by IT but by human resources or a standalone department; that companies should quantify risks to guide cyber security investment; that the effectiveness of awareness campaigns should be measured; and that the goal of awareness campaigns should be long-term behaviour change. Read full paper. Authors: Christophe...

Cyber Security Awareness Campaigns: Why do they fail to change behaviour?

The focus of this comprehensive paper is why cyber security awareness campaigns fail. The authors find that changing behaviour requires more than simply offering people information about risks and best practice: people must also be willing to apply the advice they are given, which requires a change in attitude towards cyber security. The paper also reviews current persuasion techniques and finds that fear can be a successful motivator of behaviour change when it comes to cyber security. Finally, the paper offers examples of awareness campaigns from around the world. Read full paper...

Analysis of Unintentional Insider Threats Deriving from Social Engineering Exploits

This paper reports on the researchers’ efforts to collect and analyse data on unintentional insider threats, noting how difficult data collection and analysis are in this area. The researchers note that overcoming these data collection and analysis problems is necessary before sound security recommendations can be developed. Read full paper. Authors: Frank L. Greitzer, Jeremy R. Strozer, Sholom...

National Safety Management Society October 2013 Digest (O’Neill Exemplifies Safety Leadership)

The O’Neill Exemplifies Safety Leadership subsection of this NSMS Digest focuses on former U.S. Secretary of the Treasury Paul O’Neill’s advocacy of transparency in safety measures. O’Neill argues for real-time information on who may have had their safety compromised, how and when, as well as a philosophy of safety and security measures coming from the very top of an organisation. Read full paper. Authors: National Safety Management...

Leveraging Behavioral Science to Mitigate Cyber Security Risk

A thorough paper reporting the findings of Shari Pfleeger and Deanna Caputo’s research into blending behavioural science and cyber security. Following an introduction to the relationship between human behaviour and cyber security, the paper discusses proven and potential behavioural science findings that have cyber security relevance. Read full paper. Authors: Shari Lawrence Pfleeger, Deanna D....

Security education against phishing: A modest proposal for a major re-think

Through qualitative interviews, this study found that people tempted by a “good deal” when shopping online tend to look for signs of a site’s trustworthiness, even when warned that the site is risky. Study participants cited trust seals, adverts, references to social networking sites and professional designs as signs of trustworthiness. Read full paper. Authors: Iacovos Kirlappos, M. Angela...

You’ve Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings

Researchers studied the effectiveness of web browser phishing warnings by targeting 60 study participants with simulated email phishing attacks. 97% of participants clicked a link in at least one simulated phishing email. When then presented with a passive web browser warning, just 13% closed their browser window, a result not significantly different from offering no warning at all. When presented with an active warning, 79% of participants heeded it. The researchers conclude that in-browser phishing warnings should interrupt the user’s primary task. Read full paper...

Phishing IQ Tests Measure Fear, Not Ability

We argue that phishing IQ tests fail to measure susceptibility to phishing attacks. We conducted a study where 40 subjects were asked to answer a selection of questions from existing phishing IQ tests in which we varied the portion (from 25% to 100%) of the questions that corresponded to phishing emails. We did not find any correlation between the actual number of phishing emails and the number of emails that the subjects indicated were phishing. Therefore, the tests did not measure the ability of the subjects. To further confirm this, we exposed all the subjects to existing phishing...

Why phishing works

Researchers exploring why phishing continues to fool people asked 22 participants to categorise 20 websites as either fraudulent or legitimate. They found that 23% of participants did not look at browser-based security cues, leading to incorrect choices 40% of the time. They also found that some visual deception attacks can fool sophisticated users, and concluded that because standard security indicators are often ineffective, alternative approaches are needed. Read full paper. Authors: Rachna Dhamija, J. D. Tygar, Marti...

Assessing end-user awareness of social engineering and phishing

This experiment revolved around a web-based survey that presented a mix of 20 legitimate and illegitimate emails to participants. Researchers asked participants to classify each email as legitimate or illegitimate and to explain their rationale. The 179 participants correctly identified legitimate emails 36% of the time, versus 45% for illegitimate ones. In many cases, participants who identified illegitimate emails correctly could not provide convincing reasons for their choices. Read full paper. Authors: A Karakasiliotis, S M. Furnell, M...

Transforming the “Weakest Link”: A Human-Computer Interaction Approach for Usable and Effective Security

This paper argues that simply blaming users for security breaches will not lead to more effective security systems, and that security designers must address the causes of undesirable user behaviour in order to design effective ones. Focusing on passwords in particular, the authors conclude that addressing the causes of undesirable security behaviour should not be too difficult, given that the knowledge and techniques needed to do so largely already exist. Read full paper. Authors: Martina Angela Sasse, Sacha Brostoff & Dirk...

Users are not the enemy

In the late 1990s, users were widely considered unmotivated and lazy when it came to cyber security. This UCL research suggested that, in fact, users compromised security systems because of a lack of security knowledge and because security mechanisms were not designed around users. The researchers concluded that users needed better cyber security education and that security mechanisms needed to be more user-centric in order to reduce the risks introduced by people. Read full paper. Authors: Anne Adams & Martina Angela...