318 research outputs found

    Assessing Generational Differences in Susceptibility to Social Engineering Attacks. A Comparison Between Millennial and Baby Boomer Generations

    In the age of digital society Social Engineering attacks are very successful and unfortunately users still cannot protect themselves against these threats. Social Engineering is a very complex problem, which makes it difficult to differentiate among vulnerable users. These attacks not only target young users or employees, they select massively, regardless of the users' age. 
Due to the rapid growth of technology and its misuse, everyone is affected by these attacks, everyone is vulnerable to them (Purkait, 2012; Aggarwal et al., 2012). Users are considered the "weakest link" of security (Mohebzada et al., 2012; Mitnick and Simon, 2011) and as such, protecting confidential information should be the ultimate goal of all people. However, despite the fact that a number of different strategies exist to educate or train end users to avoid these attacks, they still do, phishing still succeeds (Dhamija et al., 2006). This is mainly because the existing security awareness trainings, theoretical courses, or frameworks are expected to be equally effective for all users regardless of their age, but experience has shown that this is not true (Alseadoon, 2014). In order for these security trainings to be effective, it is essential that they are composed based on the Social Engineering security weaknesses attributed differently to different generations. Identifying unique characteristics (demographic and personality) of generations, determinants of their vulnerability is what this work aims to do. Then frameworks crafted based on that information (addressing these weaknesses) would be of use and worth implementing. Therefore, taking into consideration the complexity of this problem, this study suggests that there is a need to research it from a broader perspective, adding the "generation" element into the study focus to find out if there is indeed any difference in susceptibility among generational cohorts. In order to do so, this research will adapt both qualitative and quantitative methods towards reaching its objectives. Collected data of users' performance in a phishing assessment are analyzed and psychological translation of results is provided. 
Thus, the first research question seeks to address what factors determine end users' vulnerability to Social Engineering, and results from quantitative data (statistical analysis) show that generation is an important element to differentiate potential victims of Social Engineering, whilst computer-efficacy or educational level do not play any noteworthy role in predicting end users' likelihood of falling for these threats. In consistency with the above elements and previous studies, gender also shows no potential in predicting susceptibility (Parsons et al., 2013). The second research question aims to explain what makes generations differ in susceptibility and this study's findings propose that generation Y personality traits such as consciousness, extraversion and agreeableness are key influencers of their shown vulnerability. Finally, along with establishing strong foundations for future research in studying generations' susceptibility to Social Engineering, this thesis employs these findings in proposing a framework aiming to lessen millennials' likelihood of Social Engineering victimization. The originality of this study lies in its overall approach: starting with an exhaustive literature review towards identifying factors impacting generations' susceptibility level, then statistically measuring their vulnerability, to finish with a solution proposal crafted to suit the observed generational security weaknesses.

    An Empirical Assessment of Senior Citizens’ Cybersecurity Awareness, Computer Self-Efficacy, Perceived Risk of Identity Theft, Attitude, and Motivation to Acquire Cybersecurity Skills

    Cyber-attacks on Internet users have caused billions of dollars in losses annually. Cybercriminals launch attacks via threat vectors such as unsecured wireless networks and phishing attacks on Internet users who are usually not aware of such attacks. Senior citizens are one of the most vulnerable groups who are prone to cyber-attacks, and this is largely due to their limited cybersecurity awareness and skills. Within the last decade, there has been a significant increase in Internet usage among senior citizens. It was documented that senior citizens had the greatest rate of increase in Internet usage over all the other age groups during the past decade. However, whenever senior citizens use the Internet, they are being targeted and exploited particularly for financial crimes, with estimation that one in five becoming a victim of financial fraud, costing more than $2.6 billion per year. Increasing the cybersecurity awareness and skills levels of Internet users have been recommended to mitigate the effects of cyber-attacks. However, it is unclear what motivates Internet users, particularly senior citizens, to acquire cybersecurity skills so that they can identify as well as mitigate the effects of the cyber-attacks. It is also not known how effective cybersecurity awareness training are on the cybersecurity skill level of senior citizens. Therefore, the main goal of this quantitative study was to empirically investigate the factors that contributed to senior citizens’ motivation to acquire cybersecurity skills so that they would be able to identify and mitigate cyber-attacks, as well as assess their actual cybersecurity skills level. This was done by assessing a model of contributing factors identified in prior literature (senior citizens’ cybersecurity awareness, computer self-efficacy, perceived risk of identity theft, & older adults’ computer technology attitude) on the motivation of senior citizens to acquire cybersecurity skills. 
This study utilized a Web-based survey to measure the contributing factors and a hands-on scenarios-based iPad app called MyCyberSkills™ that was developed and empirically validated in prior research to measure the cybersecurity skills level of the senior citizens. All study measures were done before and after cybersecurity awareness training (pre- & post-test) to uncover if there were any differences on the assessed models and scores due to such treatment. The study included a sample of 254 senior citizens with a mean age of about 70 years. Path analyses using Smart PLS 3.0 were done to assess the pre- and post-test models to determine the contributions of each contributing factor to senior citizens’ motivation to acquire cybersecurity skills. Additionally, analysis of variance (ANOVA) and analysis of covariance (ANCOVA) using SPSS were done to determine significant mean difference between the pre-and post-test levels of the senior citizens’ cybersecurity skill level. The path analysis results indicate that while all paths on both models were significant, many of the paths had very low path coefficients, which in turn, indicated weak relationships among the assessed paths. However, although the path coefficients were lower than expected, the findings suggest that both intrinsic and extrinsic motivation, along with antecedents such as senior citizens’ cybersecurity awareness, computer self-efficacy, perceived risk of identity theft, and older adults’ computer technology attitude significantly impact the cybersecurity skill levels of senior citizens. The analysis of variance results indicated that there was a significant increase in the mean cybersecurity skills scores from 59.67% to 64.51% (N=254) as a result of the cybersecurity awareness training. 
Hence, the cybersecurity awareness training was effective in increasing the cybersecurity skill level of the senior citizens, and empowered them with small but significant improvement in the requisite skills to take mitigating actions against cyberattacks. The analysis of covariance results indicated that, except for years using computers, all the other demographic indicators were not significant. Contributions from this study add to the body of knowledge by providing empirical results on the factors that motivate senior citizens to acquire cybersecurity skills, and thus, may help in reducing some of the billions of dollars in losses accrued to them because of cyber-attacks. Senior citizens will also benefit in that they will be better able to identify and mitigate the effects of cyber-attacks should they attend cybersecurity awareness trainings. Additionally, the recommendations from this study can be useful to law enforcement and other agencies that work with senior citizens in reducing the number of cases relating to cybersecurity issues amongst senior citizens, and thus, free up resources to fight other sources of cybercrime for law enforcement agencies

    The Cybercrime Triangle

    Information technology can increase the convergence of three dimensions of the crime triangle due to the spatial and temporal confluence in the virtual world. In other words, its advancement can lead to facilitating criminals with more chances to commit a crime against suitable targets living in different real-world time zones without temporal and spatial orders. However, within this mechanism, cybercrime can be discouraged “if the cyber-adversary is handled, the target/victim is guarded, or the place is effectively managed” (Wilcox & Cullen, 2018, p. 134). In fact, Madensen and Eck (2013) assert that only one effective controller is enough to prevent a crime. Given this condition of the crime triangle, it must be noted that each of these components (the offender, the target, and the place) or controllers (i.e., handler, guardian, and manager) can play a pivotal role in reducing cybercrime. To date, scholars and professionals have analyzed the phenomenon of cybercrime and developed cybercrime prevention strategies relying predominantly on cybercrime victimization (suitable targets) but have yet to utilize the broader framework of the crime triangle commonly used in the analysis and prevention of crime. More specifically, the dimensions of cybercrime offenders, places, or controllers have been absent in prior scientific research and in guiding the establishment and examination of cybercrime prevention strategies. Given this gap, much remains to be known as to how these conceptual entities operate in the virtual realm and whether they share similarities with what we know about other crimes in the physical world. Thus, the purpose of this study is to extend the application of the “Crime Triangle,” a derivative of Routine Activity Theory, to crime events in the digital realm to provide scholars, practitioners, and policy makers a more complete lens to improve understanding and prevention of cybercrime incidents. In other words, this dissertation will endeavor to devise a comprehensive framework for our society to use to form cybersecurity policies to implement a secure and stable digital environment that supports continued economic growth as well as national security. The findings of this study suggest that both criminological and technical perspectives are crucial in comprehending cybercrime incidents. 
This dissertation attempts to independently explore these three components in order to portray the characteristics of cybercriminals, cybercrime victims, and place management. Specifically, this study first explores the characteristics of cybercriminals via a criminal profiling method primarily using court criminal record documents (indictments/complaints) provided by the FIU law library website. Second, the associations between cybercrime victims, digital capable guardianship, perceived risks of cybercrime, and online activity are examined using Eurobarometer survey data. Third, the associations between place management activities and cybercrime prevention are examined using “Phishing Campaign” and “Cybersecurity Awareness Training Program” data derived from FIU’s Division of Information Technology

    The Human Attack Surface Framework for Phishing


    The Role of Time Pressure, Cue Utilisation, and Information Security Awareness on Phishing Email Susceptibility

    This item is only available electronically. Phishing emails are emails which attempt to solicit sensitive information from unsuspecting users. Phishing represents a major threat to information security. To develop interventions aimed at reducing phishing susceptibility, an understanding of how emails are evaluated to determine their legitimacy, and individual differences that may predict phishing email susceptibility is required. The current study aims to examine the relationship between phishing susceptibility and time pressure, along with individual differences in cue utilisation and information security awareness (ISA). In an online study, 127 participants were randomly assigned to either a 7-second or 15-second time condition and were presented with 60 emails (40 genuine and 20 phishing). Emails were presented one at a time for the duration corresponding with each participant’s time condition. Participants were required to sort each email into one of ten categories. The ‘phishing’ category was considered a hit when chosen following a phishing email, and a false alarm when following a genuine email. Participants also completed an assessment of cue utilisation in the domain of phishing, and the Human Aspects of Information Security Questionnaire (HAIS-Q). Statistical analyses revealed that a higher level of cue utilisation, a shorter email exposure duration and higher ISA resulted in reduced ability to differentiate between phishing and genuine emails. Furthermore, a positive correlation was found between cue utilisation and ISA, however, there was no interaction between time pressure and cue utilisation on phishing susceptibility. This study’s outcomes may aid in the development of training and education programs aimed at reducing phishing susceptibility. Thesis (B.PsychSc(Hons)) -- University of Adelaide, School of Psychology, 202

    TECHNOLOGY THREAT AVOIDANCE FACTORS AS PREDICTORS OF RISKY CYBERSECURITY BEHAVIOR WITHIN THE ENTERPRISE

    Recent research of information technology (IT) end-user cybersecurity-related risky behaviors has focused on items such as IT user decision-making, impulsiveness, and internet use as predictors of human cyber vulnerability. Theories which guide user human behavioral intent, such as protection motivation theory (PMT, introduced by Rogers, 1975) and technology threat avoidance theory (TTAT, introduced by Liang and Xue, 2009) have not been widely investigated as antecedents of risky cybersecurity behavior (RScB). This dissertation describes exploratory research that analyzed and evaluated PMT/TTAT factors as predictors of RScB by enterprise IT users. This work uniquely contributes to the literature by investigating associations between accepted behavioral motivation models and RScB. Findings are intended to provide human resource development (HRD) practitioners and researchers innovative techniques to identify factors which may compel enterprise IT users to avoid risky cybersecurity behaviors in the workplace. Findings, based on survey responses by 184 working professionals in the United States, were largely consistent with previous TTAT-focused works. New insights arose regarding the predictive impact of perceived cost as a predictor of RScB (p = .003) with small-to-medium effect sizes. Predictability was further leveraged using discriminant analysis to predict RScB category membership derived from k-means clustering. Significant outcomes were noted with practical utility. An overarching goal of this study was to more fully inform the HRD community of scholar-practitioners of the urgent need to design, deliver, implement, and evaluate initiatives that could be utilized to diminish inappropriate and costly cybersecurity behaviors in various workplace environments

    Blurring Safety Between Online and Offline Worlds: Archival, Correlational, and Experimental Evidence of Generalized Threat in the Digital Age

    Decades of research in cyberpsychology and human-computer interaction has pointed to a strong distinction between the online and offline worlds, suggesting that attitudes and behaviors in one domain do not necessarily generalize to the other. However, as humans spend increasing amounts of time in the digital world, psychological understandings of safety may begin to influence human perceptions of threat while online. This dissertation therefore examines whether perceived threat generalizes between domains across archival, correlational, and experimental research methods. Four studies offer insight into the relationship between objective indicators of physical and online safety on the levels of nation and state; the relationship between perceptions of these forms of safety on the individual level; and whether experimental manipulations of one form of threat influence perceptions of threat in the opposite domain. In addition, this work explores the impact of threat perception-related personal and situational factors, as well as the impact of threat type (i.e., self-protection, resource), on this hypothesized relationship. Collectively, these studies evince a positive relationship between physical and online safety in macro-level actuality and individual-level perception. Among individuals, objective indicators of community safety—as measured by zip code crime data—were a positive reflection of perceptions of physical safety; these perceptions, in turn, mapped onto perceived online safety. The generalization between perceived physical threat and online threat was stronger after being exposed to self-protection threat manipulations, possibly underscoring the more dire nature of threats to bodily safety than those to valuable resources. 
Most notably, experimental findings suggest that it is not the physical that informs the digital, but rather the opposite: Online threats blur more readily into physical domains, possibly speaking to the concern that dangers specific to the digital world will bleed into the physical one. This generalization of threat may function as a strategy to prepare oneself for future dangers wherever they might appear; and indeed, perceived threat in either world positively influenced desires to act on recommended safety practices. Taken together, this research suggests that in the realm of threat perception, the boundaries between physical and digital are less rigid than may have been previously believed. Dissertation/Thesis, Doctoral Dissertation, Psychology 201

    Phishing: message appraisal and the exploration of fear and self-confidence

    Phishing attacks have threatened the security of both home users and organizations in recent years. Phishing uses social engineering to fraudulently obtain information that is confidential or sensitive. Individuals are targeted to take action by clicking on a link and providing information. This research explores fear arousal and self-confidence in subjects confronted by phishing attacks. The study collected data from multiple sources (including an attempted phishing attack). The survey results indicated that when individuals had a high level of fear arousal related to providing login credentials they had a decreased intention to respond to a phishing attack. Self-confidence did not significantly moderate the relationship between fear arousal and intention to respond to a phishing attack but it did have a significant direct positive influence on intention. The results from the experiment indicated that 18% of individuals overall clicked on the link. The combined data indicated that higher level of fear arousal resulted in a decreased intention to respond to a phishing attack and a decreased actual click behaviour. The research explores how fear of providing login credentials influences both intention to respond and actual response to a phishing attack. When fear arousal is high, individuals are less likely to respond