Hacking the Human: The Prevalence Paradox in Cybersecurity

Author(s):  
Ben D. Sawyer ◽  
Peter A. Hancock

Objective: This work assesses the efficacy of the “prevalence effect” as a form of cyberattack in human-automation teaming, using an email task. Background: Under the prevalence effect, rare signals are more difficult to detect, even when taking into account their proportionally low occurrence. This decline represents diminished human capability to both detect and respond. As signal probability (SP) approaches zero, accuracy exhibits logarithmic decay. Cybersecurity, a context in which the environment is entirely artificial, provides an opportunity to manufacture conditions enhancing or degrading human performance, such as prevalence effects. Email cybersecurity prevalence effects have not previously been demonstrated, nor intentionally manipulated. Method: The Email Testbed (ET) provides a simulation of clerical email work involving messages containing sensitive personal information. Using the ET, participants were presented with 300 email interactions and received cyberattacks at rates of either 1%, 5%, or 20%. Results: Results demonstrated the existence and power of prevalence effects in email cybersecurity. Attacks delivered at a rate of 1% were significantly more likely to succeed, and the overall pattern of accuracy across declining SP exhibited logarithmic decay. Application: These findings suggest a “prevalence paradox” within human-machine teams. As automation reduces attack SP, the human operator becomes increasingly likely to fail in detecting and reporting the attacks that remain. In the cyber realm, the potential to artificially inflict this state on adversaries, hacking the human operator rather than the algorithmic defense, is considered. Specific and general information security design countermeasures are offered.

2015 ◽  
Vol 4 (4) ◽  
pp. 47-58 ◽  
Author(s):  
Nico Martins ◽  
Adéle da Veiga

An information security culture is influenced by various factors, one being regulatory requirements. The United Kingdom (UK) has been regulated through the UK Data Protection Act since 1995, whereas South Africa (SA) only promulgated the Protection of Personal Information Act (PoPI) in 2013. Both laws stipulate requirements from an information security perspective with regard to the processing of personal information; however, in the UK this has been regulated for a longer period. Consequently, it is to be expected that the information security culture of organisations in the UK will be significantly different from that of SA. This raises the question as to whether the same information security culture assessment (ISCA) instrument could be used in an organisation with offices in both jurisdictions, and whether it might be necessary to customise it according to the particular country’s enforcement of information security and privacy-related conditions. This is reviewed, firstly, from a theoretical perspective; secondly, a factorial invariance analysis was conducted in a multinational organisation with offices in both the UK and SA, using data from an ISCA questionnaire, to determine possible factorial invariances in terms of the ISCA.


Author(s):  
Turhut Salayev

The article deals with the scientific and theoretical understanding and the provision of a definition of the category "actors of administrative and legal support of information security in the customs area". The author has disclosed and analyzed the provisions of the administrative and legal doctrine on the above question; besides, the problematic issues of the definition of "subjects of administrative and legal support of information security in the customs sphere" are identified, and the necessity of distinguishing this concept from other related concepts and categories is established. In disclosing the issue of actors of administrative and legal support of information security in the customs sphere, it is necessary to avoid substitution of concepts and to clearly understand the difference between the concepts of "institutional mechanism of administrative and legal support of information security in customs" and "state mechanism of administrative and legal support of information security in the customs sphere" on the one hand, and the concept of "subjects of administrative and legal support of information security in the customs sphere" on the other. After all, the concept that is the subject of our study has, of all those above, the most comprehensive and broad scope and meaning. That is why, in disclosing the set of subjects of administrative and legal support of information security in the customs sphere, it is advisable to apply a broad approach to understanding this category, given that non-state subjects (local governments, public organizations, etc.) must be considered among such subjects. Without their activities such a list will not be complete, and the mechanism of administrative and legal support of information security in the customs sphere will not cover all possible spheres of public life and methods of information security.
The current general information and administrative legislation, as well as the special legislation governing customs procedures, is considered in order to more clearly disclose the features and legal status of the actors of administrative and legal support of information security in the customs area. Each of these entities plays an appropriate role and occupies a necessary place in the system of national security of Ukraine, in the information security of Ukraine in general and in information security in the customs area in particular. This role can be described as the exercise of general control over information security in the customs area, as well as the taking of measures to respond to violations of information legislation and to the emergence of threats to information in the customs area, within the powers defined by law. At the same time, the administrative and legal provision of information security is carried out directly by the customs authorities.


2021 ◽  
Vol 17 (1) ◽  
pp. 150-166 ◽  
Author(s):  
Andrei L. LOMAKIN ◽  
Evgenii Yu. KHRUSTALEV ◽  
Gleb A. KOSTYURIN

Subject. As socio-economic relationships are being digitalized so quickly, society faces more and more instances of cybercrime. To effectively prevent arising threats to personal information security, it is necessary to know the key social engineering methods and the security activities that mitigate the consequences of emerging threats. Objectives. We herein analyze and detect arising information security threats associated with social engineering. We set forth basic guidelines for preventing threats and improving personal security against social engineering approaches. Methods. The study relies upon methods of systems analysis, synthesis, analogy and generalization. Results. We determined the most frequent instances associated with social engineering that cause personal information security threats, and their possible implications. The article outlines guidelines for improving personal security against social engineering approaches as an information security threat. Conclusions and Relevance. To make information security threats associated with social engineering less probable, there should be a comprehensive approach implying two strategies. First, information security protection should be technologically improved, fitted with various data protection, antivirus and anti-phishing software. Second, people should be more aware of information security issues. To raise public awareness, the government, heads of various departments, and top executives of public and private organizations should set up an integrated training system for people, civil servants and employees to proliferate knowledge of information security basics.


2015 ◽  
Vol 23 (2) ◽  
pp. 178-199 ◽  
Author(s):  
Waldo Rocha Flores ◽  
Hannes Holm ◽  
Marcus Nohlberg ◽  
Mathias Ekstedt

Purpose – The purpose of the study was twofold: to investigate the correlation between a sample of personal psychological and demographic factors and resistance to phishing; and to investigate whether national culture moderates the strength of these correlations. Design/methodology/approach – To measure potential determinants, a survey was distributed to 2,099 employees of nine organizations in Sweden, the USA and India. Then, the authors conducted unannounced phishing exercises, in which a phishing attack targeted the same sample. Findings – Intention to resist social engineering, general information security awareness, formal IS training and computer experience were identified as having a significant positive correlation with phishing resilience. Furthermore, the results showed that the correlation between phishing determinants and employees’ observed phishing behavior differs between Swedish, US and Indian employees in 6 out of 15 cases. Research limitations/implications – The identified determinants had a significant, though not strong, positive correlation. This suggests that more work needs to be done to more fully understand the determinants of phishing. The study assumes that culture effects apply to all individuals in a nation. However, differences based on culture might exist based on firm characteristics within a country. The Swedish sample dominates, while only 40 responses from Indian employees were collected. This unequal sample size suggests that conclusions based on the results of the cultural analysis should be drawn cautiously. A natural continuation of the research is therefore to further explore the generalizability of the findings by collecting data from other nations with cultures similar to those of Sweden, the USA and India. Originality/value – Direct observation of employees’ security behaviors has rarely been used in previous research. Furthermore, analyzing potential differences in theoretical models based on national culture is an understudied topic in the behavioral information security field. This paper addresses both of these issues.


2015 ◽  
Vol 23 (4) ◽  
pp. 370-381 ◽  
Author(s):  
André Lötter ◽  
Lynn Futcher

Purpose – The purpose of this paper is to propose a framework to address the problem that email users are not well informed or assisted by their email clients in identifying possible phishing attacks, thereby putting their personal information at risk. This paper therefore addresses the human weakness (i.e. the user’s lack of knowledge of phishing attacks, which causes them to fall victim to such attacks) as well as the software-related issue of email clients not visually assisting and guiding users through the user interface. Design/methodology/approach – A literature study was conducted in the main field of information security with a specific focus on understanding phishing attacks, and a modelling technique was used to represent the proposed framework. This paper argues that the framework can be suitably implemented in email clients to raise awareness of phishing attacks. To validate the framework as a plausible mechanism, it was reviewed by a focus group within the School of Information and Communication Technology (ICT) at the Nelson Mandela Metropolitan University (NMMU). The focus group consisted of academics and research students in the field of information security. Findings – This paper argues that email clients should make use of feedback mechanisms to present security-related aspects to their users, so as to make them aware of the characteristics pertaining to phishing attacks. To support this argument, it presents a framework to assist email users in the identification of phishing attacks. Research limitations/implications – Future research would yield interesting results if the proposed framework were implemented in an existing email client to determine the effect of the framework on the user’s level of awareness of phishing attacks. Furthermore, the list of characteristics could be expanded to include all phishing types (such as clone phishing, smishing, vishing and pharming). This would make the framework more dynamic in that it could then address all forms of phishing attacks. Practical implications – The proposed framework could enable email clients to provide assistance through the user interface. Visibly relaying the security level to the users of the email client, and providing short descriptions of why a certain email is considered suspicious, could raise the awareness of the average email user with regard to phishing attacks. Originality/value – This research presents a framework that email clients can use to identify common forms of normal and spear phishing attacks. The proposed framework addresses the problem that the average Internet user lacks a baseline level of online security awareness. It argues that the email client is the ideal place to raise the awareness of users regarding phishing attacks.


Author(s):  
Alejandro Rivero-Rodriguez ◽  
Paolo Pileggi ◽  
Ossi Antero Nykänen

Mobile applications often adapt their behavior according to user context; however, they are often limited to considering a few sources of contextual information, such as user position or language. This article reviews existing work in context-aware systems (CAS), e.g., how to model context, and discusses further development of CAS and its potential applications by looking at available information, methods and technologies. Social media seems to be an interesting source of personal information when appropriately exploited. In addition, there are many types of general information, ranging from weather and public transport to information about books and museums. These information sources can be combined in previously unexplored ways, enabling the development of smarter mobile services in different domains. Users are, however, reluctant to provide their personal information to applications; therefore, there is a need for new regulations and systems that allow applications to use such contextual data without compromising user privacy.

