
    SUBJECT MATTER EXPERTS’ FEEDBACK ON EXPERIMENTAL PROCEDURES TO MEASURE USER’S JUDGMENT ERRORS IN SOCIAL ENGINEERING ATTACKS

    Distracted users can fail to correctly distinguish the differences between legitimate and malicious emails or search engine results. Mobile phone users can have a more challenging time identifying malicious content due to the smaller screen size and the limited security features in mobile phone applications. Thus, the main goal of this research study was to design, develop, and validate a set of field experiments to assess users’ judgment when exposed to two types of simulated social engineering attacks: phishing and Potentially Malicious Search Engine Results (PMSER), based on the interaction of the environment (distracting vs. non-distracting) and type of device used (mobile vs. computer). In this paper, we provide the results from the Delphi methodology research we conducted using an expert panel consisting of 28 cybersecurity Subject Matter Experts (SMEs) who participated, out of 60 cybersecurity experts invited. Half of the SMEs had over 10 years of experience in cybersecurity, the rest around five years. SMEs were asked to validate two sets of experimental tasks (phishing & PMSER) as specified in RQ1. The SMEs were then asked to identify physical and Audio/Visual (A/V) environmental factors for distracting and non-distracting environments. About 50% of the SMEs found that an airport was the most distracting environment for mobile phone and computer users. About 35.7% of the SMEs also found that a home environment was the least distracting environment for users, with an office setting coming in a close second. About 67.9% of the SMEs chose “all” for the most distracting A/V distraction level, which included continuous background noise, visual distractions, and distracting/loud music. About 46.4% of the SMEs chose “all” for the least distracting A/V level, including a quiet environment, relaxing background music, and no visual distractions. The SMEs were then asked to evaluate a randomization table.
This was important for RQ2 to set up the eight experimental protocols to maintain the validity of the proposed experiment. About 89.3% indicated a strong consensus that we should keep the randomization as it is. The SMEs were also asked whether we should keep, revise, or replace the number of questions for each mini-IQ test at three questions each. About 75% of the SMEs responded that we should keep the number of mini-IQ questions at three. Finally, the SMEs were asked to evaluate the proposed procedures for the pilot testing and experimental research phases to be conducted in the future. About 96.4% of the SMEs selected to keep the first pilot testing procedure. For the second and third pilot testing procedures, the SMEs responded with an 89.3% strong consensus to keep the procedures. For the first experimental procedure, a strong consensus of 92.9% of the SMEs recommended keeping the procedure. Finally, for the third experimental procedure, there was an 85.7% majority to keep the procedure. The expert panel was used to validate the proposed experimental procedures and recommended adjustments. The conclusions, study limitations, and recommendations for future research are discussed.

    The Effect of Cybersecurity Training on Government Employee’s Knowledge of Cybersecurity Issues and Practices

    There is an ever-pressing need for cybersecurity awareness and implementation of learning strategies in the workplace to mitigate the increased threat posed by cyber-attacks and exacerbated by an untrained workforce. The lack of cybersecurity knowledge amongst government employees has reached critical levels due to the amount of sensitive information their agencies are responsible for. The digital compromise of a government entity often leads to a compromise of constituent data along with the disruption of public services (Axelrod, 2019; Yazdanpanahi, 2021). The need for awareness is further complicated by agencies looking to cater to a digital culture that seeks a balance between government transparency and access by providing more services online. This act of modernizing services for a connected constituency adds further risk to the agency by exposing its workforce to threats associated with the internet-connected world. If their workforce is not prepared for the tactics used by cybercriminals, the consequences can be both fiscally and politically reprehensible. This study considers the knowledge enhancements resulting from the incorporation of cybersecurity training for local government employees in South Texas and the potential effects it will have on the cybersecurity awareness of the population. This study requires the collection and analysis of the following archival data: the results of a state-mandated cybersecurity awareness training and a Cybersecurity Awareness Survey, which was adapted from the Pew Research Center’s (2016) Cybersecurity Knowledge Quiz. The purpose of this study is to analyze the effect of a cybersecurity awareness training program on government employees’ knowledge of cybersecurity issues and their ability to mitigate cybersecurity threats.

    Phishing Website Detection Technique Using Machine Learning

    The Internet has emerged as an indispensable tool in both our personal and professional lives in the modern day. The Internet is crucial not just for individual users, but also for businesses, since enterprises that provide online commerce may gain a competitive advantage by serving customers all over the globe. This makes the Internet essential for everyone who uses it. The Internet enables companies to conduct effective e-commerce with customers located all over the globe without regard to the geographical constraints of individual markets. As a direct consequence of this, the number of customers who make their purchases over the internet is quickly increasing. Daily, transactions totaling hundreds of millions of dollars are carried out through the Internet. Dishonest individuals are tempted into fraudulent endeavors by this quantity of money. Internet users may therefore be vulnerable to a wide variety of web threats. These threats may result in monetary loss, fraudulent use of credit cards, the loss of personal data, potential damage to the reputation of a brand, and customer mistrust in e-commerce and online banking. Because of this, conducting financial transactions through the Internet is fraught with potential risks. Phishing is a sort of cyber threat that may be defined as the practice of imitating a genuine website for the purpose of stealing sensitive information such as usernames, passwords, and credit card numbers. This article will devote considerable space to discussing the topic of phishing. In addition, we provide an update on the most recent findings from research conducted on the topic. In addition, we want to discover recent advancements in phishing and preventative measures, as well as carry out a full analysis and review of this research, all with the goal of bridging the knowledge gap that still exists in this field. This research focuses on strategies for detecting phishing attacks through the web rather than ways of detecting attacks via email.

    Towards an Assessment of Judgment Errors in Social Engineering Attacks Due to Environment and Device Type

    Phishing continues to be a significant invasive threat to computer and mobile device users. Cybercriminals continuously develop new phishing schemes using email and malicious search engine links to gather personal information of unsuspecting users. This information is used for financial gain through identity theft schemes or draining the financial accounts of victims. Users are often distracted and fail to fully process the phishing attacks, then unknowingly fall victim to the scam until much later. Users operating mobile phones and computers are likely to make judgment errors when making decisions in distracting environments due to cognitive overload. Distracted users can fail to correctly distinguish the differences between legitimate and malicious emails or search engine results. Mobile phone users can have an even harder time identifying malicious content due to the smaller screen size and the limited security features in mobile phone applications. Thus, the main goal of this work-in-progress research study is to design, develop, and validate a set of field experiments to assess users’ judgment when exposed to two types of simulated social engineering attacks (phishing & possibly malicious search engine results (PMSER)), based on the interaction of the kind of environment (distracting vs. non-distracting) and type of device used (mobile vs. computer). In this paper, we outline the Delphi methodology phase that this study will take using an expert panel to validate the proposed experimental procedures and recommend further steps for the empirical testing. The conclusions, study limitations and recommendations for future research are discussed. Keywords: Cybersecurity, social engineering, judgment error in cybersecurity, phishing email mitigation, distracting environment

    Experimental Study to Assess the Role of Environment and Device Type on the Success of Social Engineering Attacks: The Case of Judgment Errors

    Phishing continues to be an invasive threat to computer and mobile device users. Cybercriminals continuously develop new phishing schemes using e-mail and malicious search engine links to gather the personal information of unsuspecting users. This information is used for financial gain through identity theft schemes or draining victims’ financial accounts. Many users of varying demographic backgrounds fall victim to phishing schemes at one time or another. Users are often distracted and fail to process the phishing attempts fully, then unknowingly fall victim to the scam until much later. Users operating mobile phones and computers are likely to make judgment errors when making decisions in distracting environments due to cognitive overload. Distracted users cannot correctly distinguish between legitimate and malicious emails or search engine results. Mobile phone users can have a harder time distinguishing malicious content due to the smaller screen size and the limited security features in mobile phone applications. The main goal of this research study was to design, develop, and validate experimental settings to empirically test whether there are significant mean differences in users’ judgment when exposed to two types of simulated social engineering attacks (phishing & Potentially Malicious Search Engine Results (PMSER)), based on the interaction of the kind of environment (distracting vs. non-distracting) and type of device used (mobile vs. computer). This research used field experiments to test whether users are more likely to fall for phishing schemes in a distracting environment while using mobile phones or desktop/laptop computers. The second phase included a pilot test with 10 participants testing the Subject Matter Expert (SME) validated tasks and measures. The third phase included the delivery of the validated tasks and measures, revised through the pilot testing phase, with 68 participants.
In the first phase, the SMEs validated two sets of experimental tasks and eight experimental protocols to assess the measures of users’ judgment when exposed to two types of simulated social engineering attacks (phishing & PMSER) in two kinds of environments (distracting vs. non-distracting) and two types of devices (mobile phone vs. computer). The second phase results, the phishing mini-IQ test results, do not follow what was initially indicated in prior literature. Specifically, it was surprising to learn that the non-distracting environment results for the Phishing IQ tests were overall lower than those of the distracting environment, which is counter to what was envisioned. These Phishing IQ test results may be explained by the fact that, during the distracting environment, the participants were monitored over Zoom to enable the distracting sound file, whereas in the non-distracting environment they marked the selections independently and may have rushed to identify the phishing samples. In contrast, PMSER detection on a computer outperformed mobile devices. It is suspected that these results are more accurate because individuals’ familiarity with PMSER is much lower; their habituation to such messages is weaker, causing them to pay closer attention and be more precise in their detections. A two-way Analysis of Variance (ANOVA) was conducted on the results. While it appears that some variations do exist, none of the comparisons were significant for Phishing IQ tests by environment (F=3.714, p=0.061) or device type (F=0.380, p=0.541), or for PMSER IQ tests by environment (F=1.383, p=0.247) or device type (F=0.228, p=0.636). The results for the final phase showed there were no significant differences among both groups for Phishing (F=0.985, p=0.322) and PMSER (F=3.692, p=0.056) using a two-way ANOVA. The two-way ANOVA results also showed significant differences among both groups for Phishing and PMSER vs. Device Type and Environment: Phishing (F=3.685, p=0.013), PMSER (F=1.629, p=0.183). The p-values of the F-test for the Phishing IQ vs. Device Type and Environment were lower than the .05 level of significance. The two-way Analysis of Covariance (ANCOVA) results showed significant differences between Phishing vs. Environment and Device Type plus PMSER vs. Environment and Device Type. Specifically, the Education covariate for Table 32 (F=3.930, p=0.048), Table 33 (F=3.951, p=0.048), Table 34 (F=10.429, p=0.001), and Table 35 (F=10.329, p=0.001) was lower than the .05 level of significance.

    Through the Net: Investigating How User Characteristics Influence Susceptibility to Phishing

    In the past 25 years, the internet has grown and evolved from a niche networking technology, used almost exclusively by researchers and enthusiasts, into the driving force of modern economies. Fraud has evolved too, with rates of cybercrime on the increase as criminals become increasingly sophisticated in using technology to deceive their victims. The world is an online place, and data is the new oil. Phishing is a form of social engineering that is not that different from traditional fraud. Phishing attackers try to trick their victims into revealing valuable private information, usually for financial gain, by posing as a legitimate, trusted entity through the use of technical and content-related deceptions. There have been several high-profile data breaches in recent years, and these usually begin with a successful phishing attack. At the other end of the spectrum, private individuals regularly fall victim to smaller phishing crimes, the majority of which are never reported. A lot of research has been done to identify exactly who falls for a phishing scam, identifying four categories: 1. Demographics, 2. Experience, 3. Attitude to Privacy and 4. Computer Self-Efficacy. The existing body of knowledge, however, is inconclusive regarding which groups within these categories are most at risk. This study seeks to better understand what factors influence a person’s susceptibility to phishing attacks, revisiting existing research but in a climate where even the most basic internet user is now aware of cybercrime, and using a large and diverse sample of participants. In addition, the study investigates whether respondents from different groups rely more or less on technical or non-technical clues when evaluating the legitimacy of an email.
The study was conducted over a period of several weeks, and over two hundred participants completed a survey and phishing test in which they were asked to evaluate the legitimacy of ten emails presented as screenshots and accompanied by a scenario describing the context within which the email was received. The results of the survey and test were analysed to identify any statistically significant information. Results from the study indicate that factors of demographics and computer self-efficacy may have a significant impact on user susceptibility to phishing. Information regarding the relevance of experience and attitude to privacy was inconclusive. The investigation into how respondents were processing information found no significant difference between the best and worst performers across all categories; however, the group of respondents, as a whole, was more successful at identifying content-based deception over technical deception by a marginal amount.

    Personalized question-based cybersecurity recommendation systems

    In these times of the Covid-19 pandemic, an enormous amount of human activity has been shifted to take place remotely, notably by electronic means. This leaves many people and services vulnerable to cyberattacks, hence the need for widespread, or at least accessible, education on cybersecurity. Many efforts are being undertaken by researchers, governments and businesses to protect individuals and keep them safe from hackers and cybercriminals. Given the important role played by recommender systems in users’ daily lives, it is interesting to see how we can combine cybersecurity and recommender systems as alternative solutions to help users understand the cyberattacks they may face. Recommender systems are commonly used by e-commerce, social network and travel platforms, and they are based on traditional recommender system techniques. In view of the facts mentioned above, and the need to protect Internet users, it becomes important to provide a personalized system that allows users to share their problems, interact with a system and find recommendations. To this end, this work proposes “Cyberhelper”, a personalized question-based cybersecurity recommender system for cybersecurity awareness. Moreover, the proposed platform is equipped with a hybrid algorithm combining three different algorithms, knowledge-based, user-based and content-based, which guarantees an optimal personalized recommendation according to the user model and the context. The experimental results show that the accuracy obtained by applying the proposed algorithm is much higher than the accuracy obtained using other traditional recommender system mechanisms. The results also suggest that by adopting the proposed approach, each user can have a unique user experience, which can help them understand the cybersecurity environment.

    With the proliferation of the virtual universe and the multitude of services provided by the World Wide Web, a major concern arises: security and privacy have never been more in jeopardy. Nowadays, with the Covid-19 pandemic, the world faces a new reality that has pushed the majority of the workforce to telecommute. This in turn creates new vulnerabilities for cyber attackers to exploit. It is now more important than ever to educate and offer guidance towards good cybersecurity hygiene. In this context, a major effort has been dedicated by researchers, governments, and businesses alike to protect people online against hackers and cybercriminals. With a focus on strengthening the weakest link in the cybersecurity chain, which is the human being, educational and awareness-raising tools have been put to use. However, most researchers focus on “one size fits all” solutions which do not account for the intricacies of individuals. This work aims to overcome that by contributing a personalized question-based recommender system. Named “Cyberhelper”, this work benefits from an existing mature body of research on recommender system algorithms along with recent research on non-user-specific question-based recommenders. The reported proof of concept holds potential for future work in adapting Cyberhelper as an everyday assistant for different types of users and different contexts.