
    A state of the art survey - Impact of cyber attacks on SME's

    Corporations and end users are finding it hard to keep their devices safe from the ever evolving and complicated threat of cyber attacks. Currently, with the widespread adoption of the Internet of Things (IoT), cyber threat is becoming an even greater challenge for both technology providers and consumers. This paper presents a review of the recent and significant cyber security issues affecting many areas of digital technology. From IoT devices and smart automobiles to commonly used computers and typical corporate servers, we focus our analysis on current attack trends and the effects of intrusion on Small and Medium sized Enterprises (SMEs). This paper helps to build awareness among non-technical experts, practitioners and researchers about attack and defense strategies in the current digital market. We have created a guide with input from our in-house security researchers and information gathered from the literature to help the reader understand the challenges faced by the IT industry in the future.

    POINTER: a GDPR-compliant framework for human pentesting (for SMEs)

    Penetration tests have become a valuable tool in any organisation’s arsenal, in terms of detecting vulnerabilities in their technical defences. Many organisations now also “penetration test” their employees, assessing their resilience and ability to repel human-targeted attacks. There are two problems with current frameworks: (1) few of these have been developed with SMEs in mind, and (2) many deploy spear phishing, thereby invading employee privacy, which could be illegal under the new European General Data Protection Regulation (GDPR) legislation. We therefore propose the PoinTER (Prepare TEst Remediate) Human Pentesting Framework. We subjected this framework to expert review and present it to open a discourse on the issue of formulating a GDPR-compliant Privacy-Respecting Employee Pentest for SMEs.

    Refining the PoinTER “human firewall” pentesting framework

    Purpose: Penetration tests have become a valuable tool in the cyber security defence strategy, in terms of detecting vulnerabilities. Although penetration testing has traditionally focused on technical aspects, the field has started to realise the importance of the human in the organisation, and the need to ensure that humans are resistant to cyber-attacks. To achieve this, some organisations “pentest” their employees, testing their resilience and ability to detect and repel human-targeted attacks. In a previous paper we reported on PoinTER (Prepare TEst Remediate), a human pentesting framework, tailored to the needs of SMEs. In this paper, we propose improvements to refine our framework. The improvements are based on a derived set of ethical principles that have been subjected to ethical scrutiny.
    Methodology: We conducted a systematic literature review of academic research, a review of actual hacker techniques, industry recommendations and official body advice related to social engineering techniques. To meet our requirements to have an ethical human pentesting framework, we compiled a list of ethical principles from the research literature which we used to filter out techniques deemed unethical.
    Findings: Drawing on social engineering techniques from academic research, reported by the hacker community, industry recommendations and official body advice and subjecting each technique to ethical inspection, using a comprehensive list of ethical principles, we propose the refined GDPR compliant and privacy respecting PoinTER Framework. The list of ethical principles, we suggest, could also inform ethical technical pentests.
    Originality: Previous work has considered penetration testing humans, but few have produced a comprehensive framework such as PoinTER. PoinTER has been rigorously derived from multiple sources and ethically scrutinised through inspection, using a comprehensive list of ethical principles derived from the research literature.

    Korea-UK collaboration in cyber security


    Experimentation methodology for evaluating operational INFOCON implementations

    Information Operation Condition (INFOCON) implementations and specifically the impact these implementations can have on warfighting command and control processes are not yet widely understood or appreciated by the majority of the operating forces. INFOCON actions are designed to heighten or reduce defensive posture uniformly, to defend against computer network attacks, and to mitigate sustained damage to the DoD infrastructure. Experimentation is required to explore the effects on certain command and control processes under various INFOCON conditions. This thesis explored requirements for conducting these INFOCON experiments and resulted in the development of an INFOCON experimental design methodology that can be used as a framework for designing and conducting INFOCON experiments in the field. INFOCON experimentation will provide insights and a better understanding of the effects that these implementations will have on the ability of a commander to command and control his or her forces.
    http://archive.org/details/experimentationm109451088

    Towards an Assessment of Judgment Errors in Social Engineering Attacks Due to Environment and Device Type

    Phishing continues to be a significant invasive threat to computer and mobile device users. Cybercriminals continuously develop new phishing schemes using email and malicious search engine links to gather personal information of unsuspecting users. This information is used for financial gains through identity theft schemes or draining financial accounts of victims. Users are often distracted and fail to fully process the phishing attacks, then unknowingly fall victim to the scam until much later. Users operating mobile phones and computers are likely to make judgment errors when making decisions in distracting environments due to cognitive overload. Distracted users can fail to correctly distinguish the differences between legitimate and malicious emails or search engine results. Mobile phone users can have an even harder time identifying malicious content due to the smaller screen size and the limited security features in mobile phone applications. Thus, the main goal of this work-in-progress research study is to design, develop, and validate a set of field experiments to assess users' judgment when exposed to two types of simulated social engineering attacks (phishing & possibly malicious search engine results (PMSER)), based on the interaction of the kind of environment (distracting vs. non-distracting) and type of device used (mobile vs. computer). In this paper, we outline the Delphi methodology phase that this study will take using an expert panel to validate the proposed experimental procedures and recommend further steps for the empirical testing. The conclusions, study limitations and recommendations for future research are discussed.
    Keywords: Cybersecurity, social engineering, judgment error in cybersecurity, phishing email mitigation, distracting environment

    E-Commerce Challenges of SMMEs In South Africa During the Covid-19 Pandemic

    During the Covid-19 pandemic, small and medium-sized enterprises (SMEs) have had to shift business operations online, due to the lockdown protocols and government restrictions. The sudden need by SMEs to change the operations model to e-commerce became a major challenge. Many SMEs were challenged by one or more of the four e-commerce resources needed to complete an e-commerce transaction, namely usage of reliable broadband, e-shop of products and services, digital payment, and logistics to the consumer. Thus, this study investigated the challenges experienced by SMEs when using e-commerce platforms during the Covid-19 pandemic. Through an extensive literature review, several hypotheses were postulated and data was collected from SME owners in Gauteng Province, South Africa to test them. Simple random sampling was used to identify participants for the survey, and the questionnaires, which were adaptations of previously developed ones, were distributed via email to 307 retail SMEs in Edenvale, Gauteng. Inferential statistical analysis, through structural equation modelling, was used to analyse the data that was collected through the survey. The findings revealed that digital payments and logistics were significant predictors of e-commerce growth during the pandemic and dynamic skill capabilities moderated the relationship between digital payments and e-commerce growth. However, the usage of broadband and e-shop features were not significant in predicting the growth of e-commerce.

    Introducing the Game Design Matrix: A Step-by-Step Process for Creating Serious Games

    The Game Design Matrix makes effective game design accessible to novice game designers. Serious Games are a powerful tool for educators seeking to boost the level of student engagement and application in academic environments, but they can be difficult to incorporate into existing courses due to availability and the cost of quality game design. The Game Design Matrix was used by two educators, novice game designers, to create a serious game. The games were assessed in an academic setting and observed to be effective in engagement, interaction, and achieving higher levels of learning.

    Experimental Study to Assess the Role of Environment and Device Type on the Success of Social Engineering Attacks: The Case of Judgment Errors

    Phishing continues to be an invasive threat to computer and mobile device users. Cybercriminals continuously develop new phishing schemes using e-mail and malicious search engine links to gather the personal information of unsuspecting users. This information is used for financial gains through identity theft schemes or draining victims' financial accounts. Many users of varying demographic backgrounds fall victim to phishing schemes at one time or another. Users are often distracted and fail to process the phishing attempts fully, then unknowingly fall victim to the scam until much later. Users operating mobile phones and computers are likely to make judgment errors when making decisions in distracting environments due to cognitive overload. Distracted users cannot distinguish between legitimate and malicious emails or search engine results correctly. Mobile phone users can have a harder time distinguishing malicious content due to the smaller screen size and the limited security features in mobile phone applications. The main goal of this research study was to design, develop, and validate experimental settings to empirically test if there are significant mean differences in users’ judgment when exposed to two types of simulated social engineering attacks (phishing & Potentially Malicious Search Engine Results (PMSER)), based on the interaction of the kind of environment (distracting vs. non-distracting) and type of device used (mobile vs. computer). This research used field experiments to test whether users are more likely to fall for phishing schemes in a distracting environment while using mobile phones or desktop/laptop computers. The second phase included a pilot test with 10 participants testing the Subject Matter Experts (SME) validated tasks and measures. The third phase included the delivery of the validated tasks and measures that were revised through the pilot testing phase with 68 participants. The results of the first phase have SME validated two sets of experimental tasks and eight experimental protocols to assess the measures of users’ judgment when exposed to two types of simulated social engineering attacks (phishing & PMSER) in two kinds of environments (distracting vs. non-distracting) and two types of devices (mobile phone vs. computer). The second phase results, the phishing mini-IQ test results, do not follow what was initially indicated in prior literature. Specifically, it was surprising to learn that the non-distracting environment results for the Phishing IQ tests were overall lower than those of the distracting environment, which is counter to what was envisioned. These Phishing IQ test results may be assumed to be because, during the distracting environment, the participants were monitored over Zoom to enable the distracting sound file. In contrast, in the non-distracting environment, they marked the selections independently and may have rushed to identify the phishing samples. In contrast, PMSER detection on a computer outperformed mobile devices. It is suspected that these results are more accurate as individuals’ familiarity with PMSER is much lower. Their habituation to such messages is more deficient, causing them to pay closer attention and be more precise in their detections. A two-way Analysis of Variance (ANOVA) was conducted on the results. While it appears that some variations do exist, none of the comparisons were significant for Phishing IQ tests by environment (F=3.714, p=0.061) or device type (F=0.380, p=0.541), and PMSER IQ tests by environment (F=1.383, p=0.247) or device type (F=0.228, p=0.636). The results for the final phase showed there were no significant differences among both groups for Phishing and PMSER (F=0.985, p=0.322) and PMSER (F=3.692, p=0.056) using a two-way ANOVA. The two-way ANOVA results also showed significant differences among both groups for Phishing and PMSER vs. Device Type and Environment, Phishing (F=3.685, p=0.013), PMSER (F=1.629, p=0.183). A two-way ANOVA was evaluated for significant differences between groups. The results of the two-way ANOVA showed there were significant differences among both groups for Phishing and PMSER vs. Device Type and Environment: Phishing (F=3.685, p=0.013), PMSER (F=1.629, p=0.183). The p-values of the F-test for the Phishing IQ vs. Device Type and Environment were lower than the .05 level of significance. The two-way Analysis of Covariance (ANCOVA) results showed significant differences between Phishing vs. Environment and Device Type plus PMSER vs. Environment and Device Type. Specifically, the Education covariate for Table 32 (F=3.930, p=0.048), Table 33 (F=3.951, p=0.048), Table 34 (F=10.429, p=0.001), and Table 35 (F=10.329, p=0.001) was lower than the .05 level of significance.