785 research outputs found
Developing and evaluating a five minute phishing awareness video
Confidence tricksters have always defrauded the unwary. The computer era has merely extended their range and made it possible for them to target anyone in the world who has an email address. Nowadays, they send phishing messages that are specially crafted to deceive. Improving user awareness has the potential to reduce their effectiveness. We have previously developed and empirically-validated phishing awareness programmes. Our programmes are specifically designed to neutralize common phish-related misconceptions and teach people how to detect phishes. Many companies and individuals are already using our programmes, but a persistent niggle has been the amount of time required to complete the awareness programme. This paper reports on how we responded by developing and evaluating a condensed phishing awareness video that delivered phishing awareness more efficiently. Having watched our video, participants in our evaluation were able to detect phishing messages significantly more reliably right after watching the video (compared to before watching the video). This ability was also demonstrated after a retention period of eight weeks after first watching the video
SOK: young children’s cybersecurity knowledge, skills & practice: a systematic literature review
The rise in children’s use of digital technology highlights the need for them to learn to act securely online. Cybersecurity skills require mature cognitive abilities which children only acquire after they start using technology. As such, this paper explores the guidance and current curriculum expectations on cybersecurity aspects in Scotland. Additionally, a systematic review was undertaken of the literature pertaining to cybersecurity education for children on a wider scale including papers from around the world, with 27 peer reviewed papers included in the final review. We discovered that most research focused on assessing children’s knowledge or investigating the efficacy of interventions to improve cybersecurity knowledge and practice. Very few investigated the skills required to carry out the expected cybersecurity actions. For example, high levels of literacy, mature short- and long-term memory, attention, and established meta cognition are all pre-requisites to be able to carry out cybersecurity activities. Our main finding is that empirical research is required to explore the ages at which children have developed essential cognitive abilities and thereby the potential to master cybersecurity skills
Reducing the risk of e-mail phishing in the state of Qatar through an effective awareness framework
In recent years, cyber crime has focused intensely on people to bypass existing sophisticated security controls; phishing is one of the most common forms of such attack. This research highlights the problem of e-mail phishing. A lot of previous research demonstrated the danger of phishing and its considerable consequences. Since users' behaviour is unpredictable, there is no reliable technological protective solution (e.g. spam filters, anti-viruses) to diminish the risk arising from inappropriate user decisions.
Therefore, this research attempts to reduce the risk of e-mail phishing through awareness and education. It underlines the problem of e-mail phishing in the State of Qatar, one of the world's fastest developing countries, and seeks to provide a solution to enhance people's awareness of e-mail phishing by developing an effective awareness and educational framework. The framework consists of valuable recommendations for the Qatar government, citizens and organisations responsible for ensuring information security along with an educational agenda to train them how to identify and avoid phishing attempts. The educational agenda supports users in making better trust decisions to avoid phishing that could complement any technical solutions. It comprises a collection of training methods: conceptual, embedded, e-learning and learning programmes which include a television show and a learning session with a variety of teaching components such as a game, quizzes, posters, cartoons and a presentation. The components were tested by trial in two Qatari schools and evaluated by experts and a representative sample of Qatari citizens.
Furthermore, the research proves the existence and extent of the e-mail phishing problem in Qatar in comparison with the UK where people were found to be less vulnerable and more aware. It was discovered that Qatar is an attractive place for phishers and that a lack of awareness and e-law made Qatar more vulnerable to phishing. The research identifies the factors which make Qatari citizens susceptible to e-mail phishing attacks such as cultural, country-specific factors, interests and beliefs, religion effect and personal characteristics and this identified the need for enhancing Qataris' level of awareness of the phishing threat.
Since literature on phishing in Qatar is sparse, empirical and non-empirical studies involved a variety of surveys, interviews and experiments.
The research successfully achieved its aim and objectives and is now being considered by the Qatari Government
Security awareness of computer users: A game based learning approach
This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University. The research reported in this thesis focuses on developing a framework for game design to protect computer users against phishing attacks. A comprehensive literature review was conducted to understand the research domain, support the proposed research work and identify the research gap to fulfil the contribution to knowledge. Two studies and one theoretical design were carried out to achieve the aim of this research reported in this thesis. A quantitative approach was used in the first study while engaging both quantitative and qualitative approaches in the second study. The first study reported in this thesis was focused on investigating the key elements that should be addressed in the game design framework to avoid phishing attacks. The proposed game design framework was aimed at enhancing the user avoidance behaviour through motivation to thwart phishing attacks. The results of this study revealed that perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, perceived severity and perceived susceptibility elements should be incorporated into the game design framework for computer users to avoid phishing attacks through their motivation. The theoretical design approach was focused on designing a mobile game to educate computer users against phishing attacks. The elements of the framework were addressed in the mobile game design context. The main objective of the proposed mobile game design was to teach users how to identify phishing website addresses (URLs), which is one of many ways of identifying a phishing attack. The mobile game prototype was developed using MIT App inventor emulator. In the second study, the formulated game design framework was evaluated through the deployed mobile game prototype on an HTC One X touch screen smart phone.
Then a discussion is reported in this thesis investigating the effectiveness of the developed mobile game prototype compared to traditional online learning to thwart phishing threats. Finally, the research reported in this thesis found that the mobile game is somewhat effective in enhancing the user’s phishing awareness. It also revealed that the participants who played the mobile game were better able to identify fraudulent websites compared to the participants who read the website without any training. Therefore, the research reported in this thesis determined that perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, perceived threat and perceived susceptibility elements have a significant impact on avoidance behaviour through motivation to thwart phishing attacks as addressed in the game design framework
Gamification of Cyber Security Awareness : A Systematic Review of Games
The frequency and severity of cyber-attacks have increased over the years with damaging consequences such as financial loss, reputational damage, and loss of sensitive data. Most of these attacks can be attributed to user error. To minimize these errors, cyber security awareness training is conducted to improve user awareness. Cyber security awareness training that is engaging, fun, and motivating is required to ensure that the awareness message gets through to users. Gamification is one such method by which cyber security awareness training can be made fun, engaging, and motivating. This thesis presents the state of the art of games used in cyber security awareness. In this regard, a systematic review of games following PRISMA guidelines was conducted on the relevant papers published between 2010 and 2021. The games were analyzed based on their purpose, cyber security topics taught, target audience, deployment methods, game genres implemented and learning mechanics applied. Analysis of these games revealed that cyber security awareness games are mostly deployed as computer games, targeted at the general public to create awareness in a wide range of cyber security topics. Most of the games implement the role-playing genre and apply demonstration learning mechanics to deliver their cyber security awareness message effectively
Predicting the performance of users as human sensors of security threats in social media
While the human as a sensor concept has been utilised extensively for the detection of threats to safety and security in physical space, especially in emergency response and crime reporting, the concept is largely unexplored in the area of cyber security. Here, we evaluate the potential of utilising users as human sensors for the detection of cyber threats, specifically on social media. For this, we have conducted an online test and accompanying questionnaire-based survey, which was taken by 4,457 users. The test included eight realistic social media scenarios (four attack and four non-attack) in the form of screenshots, which the participants were asked to categorise as “likely attack” or “likely not attack”. We present the overall performance of human sensors in our experiment for each exhibit, and also apply logistic regression and Random Forest classifiers to evaluate the feasibility of predicting that performance based on different characteristics of the participants. Such prediction would be useful where accuracy of human sensors in detecting and reporting social media security threats is important. We identify features that are good predictors of a human sensor’s performance and evaluate them in both a theoretical ideal case and two more realistic cases, the latter corresponding to limited access to a user’s characteristics
A Layered Framework Approach to Mitigate Crimeware
Crimeware attacks are growing at such an alarming rate and are becoming so prevalent that the FBI now ranks cybercrime among its top priorities after terrorism and espionage. New studies estimate cyber crimes cost firms an astounding $1 trillion annually. But the good news? Over 80% of them are preventable. Crimeware is not a purely technical threat but more of a socio-technical affair. This clearly brings out the fact that computers do not commit a crime, but we (humans) do! In this paper I propose a layered approach that involves all stakeholders from end-users to service-providers and law enforcement to greatly mitigate the recent proliferation of crimeware.
Keywords: Crimeware, Jurisdiction, International spac
The Cybercrime Triangle
Information technology can increase the convergence of three dimensions of the crime triangle due to the spatial and temporal confluence in the virtual world. In other words, its advancement can lead to facilitating criminals with more chances to commit a crime against suitable targets living in different real-world time zones without temporal and spatial orders. However, within this mechanism, cybercrime can be discouraged “…if the cyber-adversary is handled, the target/victim is guarded, or the place is effectively managed” (Wilcox & Cullen, 2018, p. 134). In fact, Madensen and Eck (2013) assert that only one effective controller is enough to prevent a crime. Given this condition of the crime triangle, it must be noted that each of these components (the offender, the target, and the place) or controllers (i.e., handler, guardian, and manager) can play a pivotal role in reducing cybercrime.
To date, scholars and professionals have analyzed the phenomenon of cybercrime and developed cybercrime prevention strategies relying predominantly on cybercrime victimization (suitable targets) but have yet to utilize the broader framework of the crime triangle commonly used in the analysis and prevention of crime. More specifically, the dimensions of cybercrime offenders, places, or controllers have been absent in prior scientific research and in guiding the establishment and examination of cybercrime prevention strategies. Given this gap, much remains to be known as to how these conceptual entities operate in the virtual realm and whether they share similarities with what we know about other crimes in the physical world. Thus, the purpose of this study is to extend the application of the “Crime Triangle,” a derivative of Routine Activity Theory, to crime events in the digital realm to provide scholars, practitioners, and policy makers a more complete lens to improve understanding and prevention of cybercrime incidents. In other words, this dissertation will endeavor to devise a comprehensive framework for our society to use to form cybersecurity policies to implement a secure and stable digital environment that supports continued economic growth as well as national security.
The findings of this study suggest that both criminological and technical perspectives are crucial in comprehending cybercrime incidents. This dissertation attempts to independently explore these three components in order to portray the characteristics of cybercriminals, cybercrime victims, and place management. Specifically, this study first explores the characteristics of cybercriminals via a criminal profiling method primarily using court criminal record documents (indictments/complaints) provided by the FIU law library website. Second, the associations between cybercrime victims, digital capable guardianship, perceived risks of cybercrime, and online activity are examined using Eurobarometer survey data. Third, the associations between place management activities and cybercrime prevention are examined using “Phishing Campaign” and “Cybersecurity Awareness Training Program” data derived from FIU’s Division of Information Technology
A Systematic Review of Multimedia Tools for Cybersecurity Awareness and Education
© Leah Zhang-Kennedy, Sonia Chiasson | ACM 2021. This is the author's version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record was published in ACM Computing Surveys, https://doi.org/10.1145/3427920.
We conduct a comprehensive review covering academic publications and industry products relating to tools for cybersecurity awareness and education aimed at non-expert end-users developed in the past 20 years. Through our search criteria, we identified 119 tools that we cataloged into five broad media categories. We explore current trends, assess their use of relevant instructional design principles, and review empirical evidence of the tools’ effectiveness. From our review, we provide an evaluation checklist and suggest that a more systematic approach to the design and evaluation of cybersecurity educational tools would be beneficial
Nurturing a Digital Learning Environment for Adults 55+
Being digitally competent means having competences in all areas of DigComp: Information and data literacy, Communication and collaboration, Digital content creation, Safety and Problem-solving. More than other demographic categories, adults 55+ have a wide range of levels of digitalization. Depending on their level of competences, individuals may join self-administered online courses to improve their skills, or they may need guidance from adult educators.
Taking into consideration the above situation and willing to address adult learners regardless of their initial skill levels, the proposed educational programme is carefully designed for both self-administered and educator-led training. It comprises five totally innovative courses that can be separately taught or can be integrated into a complex programme delivered by adult education organizations. These courses are the result of an ERASMUS+ project “Digital Facilitator for Adults 55+”.
Chapter 1 introduces the methodology for designing attractive and engaging educational materials for adults’ digital skills improvement. The methodology clarifies the inputs, the development process and the expected results. An ample explanation of the five phases of the 5E instructional strategy is presented to help adult educators build a sequence of coherent and engaging learning stages. With this approach, learners are supported to think, work, gather ideas, identify their own skill levels and needs, analyse their progress, and communicate with others under the guidance of educators.
Following up on the proposed methodology, in Chapter 2 researchers from Formative Footprint (Spain), TEAM4Excellence (Romania), Voluntariat Pentru Viata (Romania) and Saricam Halk Egitimi Merkezi (Turkey) developed five course modules in line with the DIGCOMP - Digital Competence Framework for Citizens. These modules address the competence areas of information and data literacy, communication and collaboration, digital content creation, safety, and problem-solving. Each course module comprises digital textbooks, videos, interactive activities and means for evaluation developed using the 5E instructional model strategy.
Understanding that accessibility is one of the main components of lifelong learning education, Chapter 3 of the manual provides an overview of the integration of educational materials, tools, instruments, video tutorials as well as DIFA55+ web app in the digital educational ecosystem.
Finally, the authors formulate recommendations for usability and transferability that go beyond individuals, ensuring that educational materials are user-friendly and effective while making it easier to apply successful pedagogical approaches in other complementary educational contexts or projects.
Grant Agreement—2021-1-RO01-KA220-ADU-000035297, Digital Facilitator for Adults 55