Evaluating user susceptibility to phishing attacks

Purpose Phishing is a well-known cybersecurity attack that has rapidly increased in recent years. It poses risks to businesses, government agencies and all users due to sensitive data breaches and subsequent financial losses. To study the user side, this paper aims to conduct a literature review and user study. Design/methodology/approach To investigate phishing attacks, the authors provide a detailed overview of previous research on phishing techniques by conducting a systematic literature review of n = 367 peer-reviewed academic papers published in ACM Digital Library. Also, the authors report on an evaluation of a high school community. The authors engaged 57 high school students and faculty members (12 high school students, 45 staff members) as participants in research using signal detection theory (SDT). Findings Through the literature review which goes back to as early as 2004, the authors found that only 13.9% of papers focused on user studies. In the user study, through scenario-based analysis, participants were tasked with distinguishing phishing e-mails from authentic e-mails. The results revealed an overconfidence bias in self-detection from the participants, regardless of their technical background. Originality/value The authors conducted a literature review with a focus on user study which is a first in this field as far the authors know. Additionally, the authors conducted a detailed user study with high school students and faculty using SDT which is also an understudied area and population.

The effect of perceived organizational culture on employees’ information security compliance

Purpose This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers. Design/methodology/approach The survey using the Organizational Culture Assessment Instrument was sent to white-collar workers in Sweden (n = 674), asking about compliance with information security policies. The survey instrument is an operationalization of the Competing Values Framework that distinguishes between four different types of organizational culture: clan, adhocracy, market and bureaucracy. Findings The results indicate that organizational cultures with an internal focus are positively related to employees’ information security policy compliance. Differences in organizational culture with regards to control and flexibility seem to have less effect. The analysis shows that a bureaucratic form of organizational culture is most fruitful for fostering employees’ information security policy compliance. Research limitations/implications The results suggest that differences in organizational culture are important for employees’ information security policy compliance. This justifies further investigating the mechanisms linking organizational culture to information security compliance. Practical implications Practitioners should be aware that the different organizational cultures do matter for employees’ information security compliance. In businesses and the public sector, the authors see a development toward customer orientation and marketization, i.e. the opposite an internal focus, that may have negative ramifications for the information security of organizations. Originality/value Few information security policy compliance studies exist on the consequences of different organizational/information cultures.

Value conflicts and information security – a mixed-methods study in high-risk industry

Purpose The purpose of this study is to investigate the influence of work-related value conflicts on information security in two organisations in nuclear power production and related industry. Design/methodology/approach A mixed-methods design was applied. Individual interviews were conducted with 24 employees of two organisations in Sweden and questionnaire data on information security climate were collected from 667 employees (62%) in the same two organisations. Findings The qualitative part of the study identified five different types of value conflicts influencing information security behaviour. The quantitative part of the study found that value conflicts relating to information security had a negative relationship with rule-compliant behaviour. The opposite was found for participative security behaviour where there was a positive relationship with value conflicts. A high climate of information security was positively related to both rule-compliant and participative information security behaviour. It also moderated the effect of value conflicts on compliant information security behaviour. Originality/value This paper highlights organisational contextual conditions that influence employees’ motivation and ability to manage value conflicts relating to information security in a high-risk industry. It also enables a better understanding of the influence of the information security climate on information security in the presence of value conflicts in this type of industry.

BioGames: a new paradigm and a behavioral biometrics collection tool for research purposes

Purpose The purpose of this paper is to present a new paradigm, named BioGames, for the extraction of behavioral biometrics (BB) conveniently and entertainingly. To apply the BioGames paradigm, the authors developed a BB collection tool for mobile devices named BioGames App. The BioGames App collects keystroke dynamics, touch gestures, and motion modalities and is available on GitHub. Interested researchers and practitioners may use it to create their datasets for research purposes. Design/methodology/approach One major challenge for BB and continuous authentication (CA) research is the lack of actual BB datasets for research purposes. The compilation and refinement of an appropriate set of BB data constitute a challenge and an open problem. The issue is aggravated by the fact that most users are reluctant to participate in long demanding procedures entailed in the collection of research biometric data. As a result, they do not complete the data collection procedure, or they do not complete it correctly. Therefore, the authors propose a new paradigm and introduce a BB collection tool, which they call BioGames, for the extraction of biometric features in a convenient way. The BioGames paradigm proposes a methodology where users play games without participating in an experimental painstaking process. The BioGames App collects keystroke dynamics, touch gestures, and motion modalities. Findings The authors proposed a new paradigm for the collection of BB on mobile devices and created the BioGames application. The BioGames App is an Android application that collects BB data on mobile devices and sends them to a database. The database design allows multiple users to store their sensor data at any time. Thus, there is no concern about data separation and synchronization. BioGames App is General Data Protection Regulation (GDPR) compliant as it collects and processes only anonymous data. Originality/value The BioGames App is a publicly available tool that combines the keystroke dynamics, touch gestures, and motion modalities. In addition, it uses a methodology where users play games without participating in an experimental painstaking process.

Work ethic and information security behavior

Purpose Information security is a growing issue that impacts organizations in virtually all industries, and data breaches impact millions of customers and cost organizations millions of dollars. Within the past several years alone, huge data breaches have been experienced by organizations such as Marriot, Equifax, eBay, JP Morgan Chase, Home Depot, Target and Yahoo, the latter of which impacted three billion users. This study aims to examine the utilization of pre-employment screening to identify potential hires that may require enhanced information security training to avoid such costs. Design/methodology/approach The authors hypothesize that an individual’s work ethic predicts a person’s information security behavior. The authors test this hypothesis using structural equation modeling with bootstrapping techniques. Findings Data analysis suggests that certain dimensions of work ethic do indeed predict information security posture, and thus, simple pre-employment screening techniques (i.e. questionnaires) can aid in identifying potential security threats. Practical implications The findings provide a tool for identifying problematic employee security posture prior to hiring, which may be useful in identifying training needs for new hires. Originality/value The findings provide a tool for identifying problematic employee security posture prior to hiring, which may be useful in identifying training needs for new hires.

Usability of the login authentication process: passphrases and passwords

Purpose The average employee spends a total of 18.6 h every two months on password-related activities, including password retries and resets. The problem is caused by the user forgetting or mistyping the password (usually because of character switching). The source of this issue is that while a password containing combinations of lowercase characters, uppercase characters, digits and special characters (LUDS) offers a reasonable level of security, it is complex to type and/or memorise, which prolongs the user authentication process. This results in much time being spent for no benefit (as perceived by users), as the user authentication process is merely a prerequisite for whatever a user intends to accomplish. This study aims to address this issue, passphrases that exclude the LUDS guidelines are proposed. Design/methodology/approach To discover constructs that create security and to investigate usability concerns relating to the memory and typing issues concerning passphrases, this study was guided by three theories as follows: Shannon’s entropy theory was used to assess security, chunking theory to analyse memory issues and the keystroke level model to assess typing issues. These three constructs were then evaluated against passwords and passphrases to determine whether passphrases better address the security and usability issues related to text-based user authentication. A content analysis was performed to identify common password compositions currently used. A login assessment experiment was used to collect data on user authentication and user – system interaction with passwords and passphrases in line with the constructs that have an impact on user authentication issues related to security, memory and typing. User–system interaction data was collected from a purposeful sample size of 112 participants, logging in at least once a day for 10 days. An expert review, which comprised usability and security experts with specific years of industry and/or academic experience, was also used to validate results and conclusions. All the experts were given questions and content to ensure sufficient context was provided and relevant feedback was obtained. A pilot study involving 10 participants (experts in security and/or usability) was performed on the login assessment website and the content was given to the experts beforehand. Both the website and the expert review content was refined after feedback was received from the pilot study. Findings It was concluded that, overall, passphrases better support the user during the user authentication process in terms of security, memory issues and typing issues. Originality/value This research aims at promoting the use of a specific type of passphrase instead of complex passwords. Three core aspects need to be assessed in conjunction with each other (security, memorisation and typing) to determine whether user-friendly passphrases can support user authentication better than passwords.

Understanding social media users’ privacy-protection behaviors

Purpose This study aims to identify the roles that privacy experiences and social media use play in influencing privacy-protection behaviors. As social media use expands in terms of the number of users and functionality; it is important to understand social media user privacy-protection behaviors and the users’ psychological underpinnings driving those behaviors. Among these, perceptions are the users’ evaluation of their privacy concerns and data sharing benefits inherent in social media use which influence the users’ behaviors to protect their privacy. Design/methodology/approach To research these issues, a theoretical model and hypotheses were developed, based on self-efficacy theory. The theoretical model was empirically tested using 193 questionnaire responses collected from students enrolled in business courses at a medium-sized university in the western USA. All the respondents reported that they routinely use social media. The empirical analysis was performed using structural equations modeling in PC SAS version 9.4, procedure Calis. Findings The estimation of the paths in the structural model indicates that privacy concerns positively influence social media users’ protection behaviors while the perceived benefits of data sharing negatively influence protection behaviors. Privacy experience positively influences privacy concerns. Alternatively, social media use positively influences social media self-efficacy and perceived usefulness, which, in turn, have meaningful influences on data sharing benefits. Originality/value Previous findings about the effect of self-efficacy on protection behaviors has been inconclusive. This study adds some clarity. Specifically, the findings suggest that the effect depends upon the foci of self-efficacy. While higher self-efficacy with respect to using privacy-related features of a specific technology tends to lead to greater privacy concerns, higher self-efficacy with respect to the more general technology (e.g. social media, computer) seems to affect protection behaviors through perceived benefits. Further, the results of this study offer conclusions about the roles that privacy experiences, social media use and perceived social media benefits play in affecting protection behaviors.

Investigating the accessibility and impacts of cybersecurity programs on high-school girls’ long-term industry engagement

Purpose The purpose of this study is to investigate whether having accessible cybersecurity programs (CPs) for high-school students affected girls’ long-term engagement with the industry, given that they already had interests in technology. Although much research has been done to evaluate how high-school science, technology, engineering, and mathematics programs retain girls in computing fields, it is necessary to see if this same long-term engagement exists in cybersecurity-specific programs. Design/methodology/approach In total, 55 members were surveyed from the aspirations in computing community regarding their experience in and accessibility to high-school CPs. A quantitative analysis of such responses was then undertaken using inferential statistical tools and chi-squared tests for independence. Findings The results showed that the existence of CPs alone are not influential factors in increasing long-term engagement with the field, showcasing that the high-knowledge barrier of CPs affects many students (even those with prior interests in technology). Instead, by having multiple occurrences of these programs and providing more cybersecurity resources to areas that lacked them, girls were more likely to report an increased interest in the field. Practical implications Such information can support future program leaders to develop effective, accessible and more targeted cybersecurity initiatives for students of various communities. Originality/value By analyzing the unique interactions of tech-aspiring women with cybersecurity, this exploration was able to demonstrate that women of different computing experiences face a shared barrier when entering the cybersecurity field. Likewise, in comparing these perspectives across different age groups, the investigation highlighted the development and subsequent growth of cybersecurity programming over the years and why such initiatives should be supported into the future.

Cybersecurity capabilities for critical infrastructure resilience

Purpose For many innovative organisations, Industry 4.0 paves the way for significant operational efficiencies, quality of goods and services and cost reductions. One of the ways to realise these benefits is to embark on digital transformation initiatives that may be summed up as the intelligent interconnectivity of people, processes, data and cyber-connected things. Sadly, this interconnectivity between the enterprise information technology (IT) and industrial control systems (ICS) environment introduces new attack surfaces for critical infrastructure (CI) operators. As a result of the ICS cybersecurity risk introduced by the interconnectivity between the enterprise IT and ICS networks, the purpose of this study is to identify the cybersecurity capabilities that CI operators must have to attain good cybersecurity resilience. Design/methodology/approach A scoping literature review of best practice international CI protection frameworks, standards and guidelines were conducted. Similar cybersecurity practices from these frameworks, standards and guidelines were grouped together under a corresponding National Institute of Standards and Technology (NIST) cybersecurity framework (CF) practice. Practices that could not be categorised under any of the existing NIST CF practices were considered new insights, and therefore, additions. Findings A CI cybersecurity capability framework comprising 29 capability domains (cybersecurity focus areas) was developed as an adaptation of the NIST CF with an added dimension. This added dimension emphasises cloud computing and internet of things (IoT) security. Each of the 29 cybersecurity capability domains is executed through various capabilities (cybersecurity processes and procedures). The study found that each cybersecurity capability can further be operationalised by a set of cybersecurity controls derived from various frameworks, standards and guidelines, such as COBIT®, CIS®, ISA/IEC 62443, ISO/IEC 27002 and NIST Special Publication 800-53. Practical implications CI sectors are immediately able to adopt the CI cybersecurity capability framework to evaluate their levels of resilience against cyber-attacks, given new attack surfaces introduced by the interconnectivity of cyber-connected things between the enterprise and ICS levels. Originality/value The authors present an added dimension to the NIST framework for CI cyber protection. In addition to emphasising cryptography, IoT and cloud computing security aspects, this added dimension highlights the need for an integrated approach to CI cybersecurity resilience instead of a piecemeal approach.

Cybersecurity educational games: a theoretical framework

Purpose Computer games that teach cybersecurity concepts have been developed to help both individuals and organizations shore up their defence against cybercrimes. Evidence of the effectiveness of these games has been rather weak, however. This paper aims to guide the design and testing of more effective cybersecurity educational games by developing a theoretical framework. Design/methodology/approach A review of the literature is conducted to explore the dependent variable of this research stream, learning outcomes and its relationship with four independent variables, game characteristics, game context, learning theory and user characteristics. Findings The dependent variable can be measured by five learning outcomes: information, content, strategic knowledge, eagerness to learn/time spent and behavioral change. Game characteristics refer to features that contribute to a game’s usefulness, interactivity, playfulness or attractiveness. Game context pertains to factors that determine how a game is used, including the target audience, the skill involved and the story. Learning theory explains how learning takes place and can be classified as behaviorism, cognitivism, humanism, social learning or constructivism. User characteristics including gender, age, computer experience, knowledge and perception, are attributes that can impact users’ susceptibility to cybercrimes and hence learning outcomes. Originality/value The framework facilitates taking stock of past research and guiding future research. The use of the framework is illustrated in a critique of two research streams. Multiple research directions are discussed for continued research into the design and testing of next-generation cybersecurity computer games.