Game based cyber security training: are serious games suitable for cyber security training?

Security research and training is attracting a lot of investment and interest from governments and the private sector. Most efforts have focused on physical security, while cyber security or digital security has been given less importance. With recent high-profile attacks it has become clear that training in cyber security is needed. Serious Games have the capability to be effective tools for public engagement and behavioural change and role play games, are already used by security professionals. Thus cyber security seems especially well-suited to Serious Games. This paper investigates whether games can be effective cyber security training tools. The study is conducted by means of a structured literature review supplemented with a general web search. While there are early positive indications there is not yet enough evidence to draw any definite conclusions. There is a clear gap in target audience with almost all products and studies targeting the general public and very little attention given to IT professionals and managers. The products and studies also mostly work over a short period, while it is known that short-term interventions are not particularly effective at affecting behavioural change

A framework for cyber security awareness in small, medium and micro enterprises (SMMEs) in South Africa

In South Africa, there is a rapid increase of cyber attacks intended for organisations regardless of size and industry. Cyber attacks are directed at businesses of all sizes; however, small, medium and micro enterprises (SMMEs) are impacted most because of limited information technology (IT) skills and financial support to prevent cyber threats. There is a significant increase in SMMEs in South Africa which are important because of their contribution to the country’s economy. Organisations, including SMMEs, are converted gradually to depend on IT to sustain their competitive advantage and boost services. In South Africa, many organisations, including SMMEs, are still not effectively prepared to prevent cybercrimes. Therefore, there is a need to create cyber security awareness for SMMEs because they have a direct impact on the cyber security infrastructure of the country. Based on systematic literature review findings, a research gap has been identified whereby a cyber security awareness study has not been conducted for South African SMMEs where a suitable model and framework for raising cyber security awareness for SMMEs in South Africa have been developed. The main aim of the research study is to develop a framework for cyber security awareness for South African SMMEs (Csa4Smmes {RSA} framework). This research study follows the design science research methodology (DSRM) approach. This approach is most suitable and carefully selected to address the purpose of the study. Models and frameworks have been evaluated to develop components of the conceptual Csa4Smmes {RSA} framework which are used as building blocks to develop the intermediate Csa4Smmes {RSA} framework. Semi-structured interviews with experts in cyber security, science and technology awareness as well as SMMEs management and operation were conducted to demonstrate and evaluate the intermediate Csa4Smmes {RSA} framework. Consequently, this framework was produced as an artefact to enhance cyber security awareness levels within SMMEs in South Africa. Cyber security awareness has been demonstrated to be an effective approach to enhance cyber security awareness level. Therefore, the Csa4Smmes {RSA} framework can assist government in reducing cyber attacks associated with internet users.School of ComputingM. Sc. (Computing

Account Recovery Methods for Two-Factor Authentication (2FA): An Exploratory Study

System administrators have started to adopt two-factor authentication (2FA) to increase user account resistance to cyber-attacks. Systems with 2FA require users to verify their identity using a password and a second-factor authentication device to gain account access. This research found that 60% of users only enroll one second-factor device to their account. If a user’s second factor becomes unavailable, systems are using different procedures to ensure its authorized owner recovers the account. Account recovery is essentially a bypass of the system’s main security protocols and needs to be handled as an alternative authentication process (Loveless, 2018). The current research aimed to evaluate users’ perceived security for four 2FA account recovery methods. Using Renaud’s (2007) opportunistic equation, the present study determined that a fallback phone number recovery method provides user accounts with the most cyber-attack resistance followed by system-generated recovery codes, a color grid pattern, and graphical passcode. This study surveyed 103 participants about authentication knowledge, general risk perception aptitude, ability to correctly rank the recovery methods in terms of their attackr esistance, and recovery method perceptions. Other survey inquires related to previous 2FA, account recovery, and cybersecurity training experiences. Participants generally performed poorly when asked to rank the recovery methods by security strength. Results suggested that neither risk numeracy, authentication knowledge, nor cybersecurity familiarity impacted users’ ability to rank recovery methods by security strength. However, the majority of participants ranked either generated recovery codes, 39%, or a fallback phone number, 25%, as being most secure. The majority of participants, 45%, preferred the fallback phone number for account recovery, 38% expect it will be the easiest to use, and 46% expect it to be the most memorable. However, user’s annotative descriptions for recovery method preferences revealed that users are likely to disregard the setup instructions and use their phone number instead of an emergency contact number. Overall, this exploratory study offers information that researchers and designers can deploy to improve user’s 2FA- and 2FA account recovery- experiences

A Systematic Review of Multimedia Tools for Cybersecurity Awareness and Education

© {Leah Zhang-Kennedy, Sonia Chiasson ​| ACM} {2021}. This is the author's version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record was published in {ACM Computing Surveys}, https://doi.org/10.1145/3427920.We conduct a comprehensive review covering academic publications and industry products relating to tools for cybersecurity awareness and education aimed at non-expert end-users developed in the past 20 years. Through our search criteria, we identified 119 tools that we cataloged into five broad media categories. We explore current trends, assess their use of relevant instructional design principles, and review empirical evi dence of the tools’ effectiveness. From our review, we provide an evaluation checklist and suggest that a more systematic approach to the design and evaluation of cybersecurity educational tools would be beneficial

Adol-Safety: A Framework for Empowering Parents to be Aware of Social Network Threats Affecting Adolescents

The use of social networks has grown so much that adolescents have become active members of various social networks such as Twitter, Facebook, and Instagram, etc. The gradual change in how people choose to communicate, socialize and share ideas today has influenced adolescents to an extent that they find themselves wanting to engage more on social networks than they really should due to peer pressure. Whenever a person joins social networks or browses the Internet, they by default are exposed and become vulnerable to many cyber threats. Cyber threats are driven by users that have negative intentions on the Internet or social networks. Adolescents are no exception to these cyber threats. The findings of this research reveal that threats such as cyberbullying, harassment, and online predators to name a few are often designed to abuse and affect adolescents). Therefore, this research aims to prevent such threats from prevailing by empowering parents to be aware of the threats that affect their adolescents in an online environment, which typically includes social networks. To achieve this, this research starts by investigating the cyber threats that affect adolescents and then explores ways that can be used to empower parents. A framework is developed to handle this. The framework includes strategies that parents can adopt and ways in which safety on social networks can be increased, as well as guidelines that can be followed in order to prevent cyber threats. The framework also aims to enhance a parent-child relationship that can help in preventing social network threats. Lastly, the framework is implemented as a knowledgesharing website that can be used by parents to receive and give an insight into social network threats that influence adolescents on social networks

Analysis of a South African cyber-security awareness campaign for schools using interdisciplinary communications frameworks

To provide structure to cyber awareness and educational initiatives in South Africa, Kortjan and Von Solms (2014) developed a five-layer cyber-security awareness and education framework. The purpose of the dissertation is to determine how the framework layers can be refined through the integration of communication theory, with the intention to contribute towards the practical implications of the framework. The study is approached qualitatively and uses a case study for argumentation to illustrate how the existing framework can be further developed. Drawing on several comprehensive campaign planning models, the dissertation illustrates that not all important campaign planning elements are currently included in the existing framework. Proposed changes in the preparation layer include incorporating a situational and target audience analysis, determining resources allocated for the campaign, and formulating a communication strategy. Proposed changes in the delivery layer of the framework are concerned with the implementation, monitoring and adjustment, as well as reporting of campaign successes and challenges. The dissertation builds on, and adds to, the growing literature on the development of campaigns for cyber-security awareness and education aimed at children

The Cybercrime Triangle

Information technology can increase the convergence of three dimensions of the crime triangle due to the spatial and temporal confluence in the virtual world. In other words, its advancement can lead to facilitating criminals with more chances to commit a crime against suitable targets living in different real-world time zones without temporal and spatial orders. However, within this mechanism, cybercrime can be discouraged “…if the cyber-adversary is handled, the target/victim is guarded, or the place is effectively managed” (Wilcox & Cullen, 2018, p. 134). In fact, Madensen and Eck (2013) assert that only one effective controller is enough to prevent a crime. Given this condition of the crime triangle, it must be noted that each of these components (the offender, the target, and the place) or controllers (i.e., handler, guardian, and manager) can play a pivotal role in reducing cybercrime. To date, scholars and professionals have analyzed the phenomenon of cybercrime and developed cybercrime prevention strategies relying predominantly on cybercrime victimization (suitable targets) but have yet to utilize the broader framework of the crime triangle commonly used in the analysis and prevention of crime. More specifically, the dimensions of cybercrime offenders, places, or controllers have been absent in prior scientific research and in guiding the establishment and examination of cybercrime prevention strategies. Given this gap, much remains to be known as to how these conceptual entities operate in the virtual realm and whether they share similarities with what we know about other crimes in the physical world. Thus, the purpose of this study is to extend the application of the “Crime Triangle,” a derivative of Routine Activity Theory, to crime events in the digital realm to provide scholars, practitioners, and policy makers a more complete lens to improve understanding and prevention of cybercrime incidents. In other words, this dissertation will endeavor to devise a comprehensive framework for our society to use to form cybersecurity policies to implement a secure and stable digital environment that supports continued economic growth as well as national security. The findings of this study suggest that both criminological and technical perspectives are crucial in comprehending cybercrime incidents. This dissertation attempts to independently explore these three components in order to portray the characteristics of cybercriminals, cybercrime victims, and place management. Specifically, this study first explores the characteristics of cybercriminals via a criminal profiling method primarily using court criminal record documents (indictments/complaints) provided by the FIU law library website. Second, the associations between cybercrime victims, digital capable guardianship, perceived risks of cybercrime, and online activity are examined using Eurobarometer survey data. Third, the associations between place management activities and cybercrime prevention are examined using “Phishing Campaign” and “Cybersecurity Awareness Training Program” data derived from FIU’s Division of Information Technology

In Quest of information security in higher education institutions : security awareness, concerns and behaviour of students

Humans, often suggested as the weakest link in information security, require security education, training and awareness (SETA) programs to strengthen themselves against information security threats. These SETA programs improve security awareness (also called information security awareness or ISA) which makes users conscious about the information security threats and risks and motivates them to learn knowledge and measures to safeguard their information security. Studies have shown that most of the SETA programs do not achieve their desired objectives and been proven ineffective. This ineffectiveness is probably because: 1) current SETA programs are designed as a one-fits-all solution and are not tailored as per users’ needs, 2) users are not included in the design phase of the SETA programs and 3) the SETA programs lack theory-grounded approaches. Nonetheless, the relationship between ISA and security behaviour also needs explanation. This thesis sets out to address the issues mentioned above. In this thesis, four separate studies grounded in both quantitative and qualitative methods are conducted. Cross-sectional data from students of a single case was collected using online surveys, with one exception in which data was collected as part of a class assignment. The results showed that, in general, students believed they know more than they actually did. The impacts of gender, previous training, and educational discipline were evident on security knowledge, behaviour, perceived awareness and actual awareness. Students have a wide range of security concerns, related to their personal, social, technological, non-technological and institutional dimensions of everyday life, and not just technological and non-technological aspects as shown in the existing literature. Further, students differ significantly from security experts in terms of their security practices. However, aware students (having training in information security) were more similar in security practices to security experts than the unaware students (having no formal or informal information security training). Lastly, it was found that the relationship between ISA and security behaviour can be explained using Information-Motivation-Behavioural Skills (IMB) model. The research presented in this thesis has implications for faculty members who teach students and the security professionals responsible for information security of higher education institutions.Ihminen mielletään usein tietoturvan heikoimmaksi lenkiksi. Jotta tietoturvauhkilta osattaisiin suojautua, tarvitaan erillistä tietoturvakoulutusta, -harjoitusta sekä -tietoisuutta. Erilaiset tietoturvakoulutukset lisäävät henkilön tietoisuutta erilaisista tietoturvauhkista ja -riskeistä sekä motivoivat oppimaan tapoja ja toimenpiteitä, jotka parantavat henkilökohtaista tietoturvaa. Tutkimuksissa on kuitenkin ilmennyt, että useimmat tietoturvakoulutukset eivät saavuta toivottuja tavoitteita, ja ne ovatkin osoittautuneet tehottomiksi. Tehottomuus johtuu todennäköisesti siitä, että (1) koulutuksia ei ole räätälöity käyttäjien tarpeiden mukaisiksi vaan yleisluontoisiksi, (2) käyttäjiä ei ole otettu mukaan koulutusten suunnitteluun, ja (3) koulutuksilta puuttuvat teoriapohjaiset lähestymistavat. Tässä väitöskirjassa tutkitaan yllä mainittuja epäkohtia ja selvitetään ihmisen tietoturvakäyttäytymisen ja -tietoisuuden suhdetta. Väitöskirjassa esitetyt tulokset saavutettiin tekemällä neljä erillistä tutkimusta kvantitatiivisin (määrällisin) ja kvalitatiivisin (laadullisin) menetelmin. Tietoa kerättiin tutkimusten kohteina olleilta opiskelijoilta verkkokyselyillä, paitsi yhdessä tapauksessa, jossa kysely toteutettiin osana kurssitehtävää. Tulokset osoittavat, että yleisesti opiskelijat mielsivät tietävänsä enemmän kuin todellisuudessa tiesivät. Sukupuolella, aiemmalla koulutuksella ja tieteenalalla oli selkeä vaikutus vastaajien tietoturvakäytökseen - sekä miellettyyn että varsinaiseen tietoisuuteen. Opiskelijoilla on monenlaisia tietoturvaan liittyviä huolenaiheita, jotka liittyvät persoonallisiin, sosiaalisiin, teknologisiin, ei-teknologisiin sekä arkisiin ulottuvuuksiin. Tämä poikkeaa nykyisen kirjallisuuden näkemyksestä, joka käsittää vain teknologisen ja ei-teknologisen ulottuvuuden. Opiskelijat eroavat merkittävästi tietoturvaasiantuntijoista tietoturvakäytäntöjensä suhteen. Tietoturvakoulutusta saaneet, tietoisemmat opiskelijat olivat käyttäytymiseltään lähempänä tietoturva-asiantuntijoita kuin vähemmän tietoiset ja vähemmän koulutusta aiheesta saaneet opiskelijat. Tutkimuksessa kävi ilmi myös, että tietoturvatietoisuuden ja -käyttäytymisen välistä suhdetta voidaan selittää käyttäen IMB-mallia (Information-Motivation- Behavioural Skills model). Tässä väitöskirjassa esitetty tutkimus ja sen tulokset ovat korkeakoulujen opetushenkilöstön ja tietoturvasta vastaavien ammattilaisten suoraan hyödynnettävissä

A malware threat avoidance model for online social network users

This thesis was submitted for the award of Doctor of Philosophy and was awarded by Brunel University LondonThe main purpose of this thesis is to develop a malware threat avoidance model for users of online social networks (OSNs). To understand the research domain, a comprehensive and systematic literature review was conducted and then the research scope was established. Two design science iterations were carried out to achieve the research aim reported in this thesis. In the first iteration, the research extended the Technology Threat Avoidance Theory (TTAT) to include a unique characteristic of OSN – Mass Interpersonal Persuasion (MIP). The extended model (TTAT-MIP), focused on investigating the factors that needs to be considered in a security awareness system to motivate OSN users to avoid malware threats. Using a quantitative approach, the results of the first iteration suggests perceived severity, perceived threat, safeguard effectiveness, safeguard cost, self-efficacy and mass interpersonal persuasion should be included in a security awareness system to motivate OSN users to avoid malware threats. The second iteration was conducted to further validate TTAT-MIP through a Facebook video animation security awareness system (referred in this thesis as Social Network Criminal (SNC)). SNC is a Web-based application integrated within Facebook to provide security awareness to OSN users. To evaluate TTAT-MIP through SNC, three research techniques were adopted: lab experiments, usability study and semi-structured interviews. The results suggest that participants perceived SNC as a useful tool for malware threat avoidance. In addition, SNC had a significant effect on the malware threat avoidance capabilities of the study participants. Moreover, the thematic analysis of the semi-structured interviews demonstrated that the study participants‘ found SNC to be highly informative; persuasive; interpersonally persuasive; easy to use; relatable; fun to use; engaging; and easy to understand. These findings were strongly related to the constructs of TTAT-MIP. The research contributes to theory by demonstrating a novel approach to design and deploy security awareness systems in a social context. This was achieved by including users‘ behavioural characteristic on the online platform where malware threats occur within a security awareness system. Besides, this research shows how practitioners keen on developing systems to improve security behaviours could adopt the TTAT-MIP model for other related contexts

A Novel Framework for Improving Cyber Security Management and Awareness for Home Users

A wide and increasing range of different technologies, devices, platforms, applications and services are being used every day by home users. In parallel, home users are also experiencing a range of different online threats and attacks. Indeed, home users are increasingly being targeted as they lack the knowledge and awareness about potential threats and how to protect themselves. The increase in technologies and platforms also increases the burden upon a user to understand how to apply security across the differing technologies, operating systems and applications. This results in managing the security across their technology portfolio increasingly more troublesome and time-consuming. Thus, it is apparent that a more innovative, convenient and usable security management solution is vital. This thesis investigates current online awareness tools and reviews studies which try to enhance cybersecurity awareness and education among the home users. It is evident from the analysis that most of the studies which have made efforts in proposing “one-fits-all” solutions do not have the ability to provide the users with a tailored awareness content based on a number of criteria such as the current needs, prior knowledge, and security priorities for each user. The thesis proposes an approach for improving security management and awareness for home users by providing them with a customised security awareness. A design science research methodology has been used for understanding the current problem, creating and developing an artefact which can enhance security management and awareness for home users. A number of security controls and requirements were identified which need to be managed and monitored for different technologies and services. In addition, the research designed several preliminary interfaces which can show the main components and aspects in the proposed solution based on HCI principles. A participant-based study was undertaken to get feedback on the initial design requirements and interfaces. A survey of 434 digital device users was undertaken and reveal result that there is a positive correlation between the security concern, knowledge and management amongst home users towards different security aspects. Positive feedback and some valuable comments were received about the preliminary interface designs in terms of the usability and functionality aspects. This builds into a final design phase which proposes a novel architecture for enhancing security management and awareness for home users. The proposed framework is capable of creating and assigning different security policies for different digital devices. These assigned policies are monitored, checked and managed in order to review the user’s compliance with the assigned policies and provide bespoke security awareness. In addition. A mockup design was developed to simulate the proposed framework to show different interactions with different components and sections in order to visualise the main concepts and the functions which might be performed when it is deployed in a real environment. Ultimately, two separate focus group discussions, involving experts and end-users have been conducted in order to provide a comprehensive evaluation of the identified research problem, the feasibility and the effectiveness of the proposed approach. The overall feedback of the two discussions can be considered as positive, constructive and encouraging. The experts agreed that the identified research problem is very important and a real problem. In addition, the participants agreed that the proposed framework is feasible and effective in improving security management and awareness for home users. The outcomes have also shown a reasonable level of satisfaction from the participants towards different components and aspects of the proposed design.Saudi governmen