
    Informing, simulating experience, or both: A field experiment on phishing risks

    Cybersecurity cannot be ensured with mere technical solutions. Hackers often use fraudulent emails to simply ask people for their password in order to breach organizations. This technique, called phishing, is a major threat for many organizations. A typical prevention measure is to inform employees, but is there a better way to reduce phishing risks? Experience and feedback have often been claimed to be effective in helping people make better decisions. In a large field experiment involving more than 10,000 employees of a Dutch ministry, we tested the effect of information provision, simulated experience, and their combination on reducing the risk of falling for a phishing attack. Both approaches substantially reduced the proportion of employees giving away their password. Combining both interventions did not have a larger impact.

    Don't click: towards an effective anti-phishing training. A comparative literature review

    Email is of critical importance as a communication channel for both business and personal matters. Unfortunately, it is also often exploited for phishing attacks. To defend against such threats, many organizations have begun to provide anti-phishing training programs to their employees. A central question in the development of such programs is how they can be designed sustainably and effectively to minimize the vulnerability of employees to phishing attacks. In this paper, we survey and categorize works that consider different elements of such programs via a clearly laid-out methodology, and identify key findings in the technical literature. Overall, we find that researchers agree on the answers to many relevant questions regarding the utility and effectiveness of anti-phishing training. However, we identified influencing factors, such as the impact of age on the success of anti-phishing training programs, for which mixed findings are available. Finally, based on our comprehensive analysis, we describe how a well-founded anti-phishing training program should be designed and parameterized, together with a set of proposed research directions.

    Adaptive Phishing Detection System using Machine Learning

    Despite the availability of toolbars and studies in phishing, the number of phishing attacks has been increasing in the past years. It remains a challenge to develop robust phishing detection systems due to the continuous change of attack models. We attempt to address this by designing an adaptive phishing detection system with the ability to continually learn and detect phishing robustly. In the first work, we demonstrate a systematic way to develop a novel phishing detection approach using a compression algorithm. We also propose the use of compression ratio as a novel machine learning feature, which significantly improves machine learning based phishing detection over previous studies. Our proposed method outperforms the use of the best-performing HTML-based features in past studies, with a true positive rate of 80.04%. In the following work, we propose a feature-free method using Normalised Compression Distance (NCD), a metric which computes the similarity of two websites by compressing them, eliminating the need to perform any feature extraction. This method examines the HTML of webpages and computes their similarity with known phishing websites. Our approach is feasible to deploy in real systems with a processing time of roughly 0.3 seconds, and significantly outperforms previous methods in detecting phishing websites, with an AUC score of 98.68%, a G-mean score of 94.47%, a high true positive rate (TPR) of around 90%, while maintaining a low false positive rate (FPR) of 0.58%. We also discuss the implications of the automation offered by AutoML frameworks for the role of human experts and data scientists in the domain of phishing detection. Our work investigates whether models that are built using AutoML frameworks can outperform the results achieved by human data scientists on phishing datasets and analyses the relationship between the performances and various data complexity measures.
There remain many challenges for building a real-world phishing detection system using AutoML frameworks, due to the current support only for supervised classification problems, leading to the need for labelled data, and the inability to update the AutoML-based models incrementally. This indicates that experts with knowledge in the domain of phishing and cybersecurity are still essential in phishing detection.
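
The abstract above describes two compression-based signals: a compression-ratio feature for a classifier, and Normalised Compression Distance (NCD) between a candidate page's HTML and known phishing pages. The following is an added example, not the thesis's code, showing both computed with zlib as the compressor; the HTML pages, the single-entry "known phish" corpus and the 0.4 decision threshold are constructed for illustration and are not values from the paper. NCD(x, y) = (C(xy) - min(C(x), C(y))) / max(C(x), C(y)), where C is compressed length.

```python
"""Compression-ratio feature and NCD similarity for HTML pages.

Added illustration (not the thesis's implementation). zlib stands in for
the compressor C(.); all HTML below is constructed sample data.
"""
import zlib


def c_len(data: bytes) -> int:
    """C(x): size in bytes of the zlib-compressed input (level 9)."""
    return len(zlib.compress(data, 9))


def compression_ratio(data: bytes) -> float:
    """Compressed size over raw size, the scalar feature a classifier can
    consume. Lower values mean more redundant markup."""
    return c_len(data) / max(len(data), 1)


def ncd(x: bytes, y: bytes) -> float:
    """NCD(x, y) = (C(xy) - min(C(x), C(y))) / max(C(x), C(y)).

    Near 0 when y is almost fully explained by x, approaching 1 for
    unrelated inputs. Real compressors are not ideal, so the value can
    slightly exceed 1 or dip below 0: treat it as a score, not a metric
    with exact bounds.
    """
    cx, cy = c_len(x), c_len(y)
    return (c_len(x + y) - min(cx, cy)) / max(cx, cy)


def nearest_known_phish(page: bytes, known: dict[str, bytes]) -> tuple[str, float]:
    """Return (label, NCD) of the known phishing page closest to `page`."""
    return min(((label, ncd(ref, page)) for label, ref in known.items()),
               key=lambda pair: pair[1])


def classify(page: bytes, known: dict[str, bytes], threshold: float = 0.4) -> dict:
    """Flag `page` as phishing when its nearest known phish is within
    `threshold`. The 0.4 cut-off is an assumption for this example."""
    label, dist = nearest_known_phish(page, known)
    return {"phishing": dist <= threshold, "nearest": label, "ncd": round(dist, 3)}


# ---- constructed sample pages (not real phishing kits) ----
KNOWN_PHISH = {
    "bank-login-kit": b"""<!DOCTYPE html><html><head><meta charset="utf-8">
<title>Secure Login - Online Banking</title>
<link rel="stylesheet" href="assets/login.css"></head>
<body><div class="login-box"><img src="assets/logo.png" alt="Bank logo">
<h1>Sign in to Online Banking</h1>
<form method="post" action="http://login-verify.example/collect.php">
<label>Username</label><input type="text" name="user" required>
<label>Password</label><input type="password" name="pass" required>
<label>Card number</label><input type="text" name="card" required>
<input type="submit" value="Sign in"></form>
<p class="warn">Your account will be suspended unless you verify within 24 hours.</p>
</div></body></html>""",
}

# The same kit re-hosted: only the credential drop URL and the title changed,
# which is the situation NCD is meant to catch without hand-built features.
REHOSTED_CLONE = KNOWN_PHISH["bank-login-kit"].replace(
    b"http://login-verify.example/collect.php",
    b"https://acct-secure-update.example/p.php",
).replace(b"Secure Login - Online Banking", b"Account Verification Required")

# Unrelated legitimate page sharing only generic HTML boilerplate.
BENIGN_PAGE = b"""<!DOCTYPE html><html><head><meta charset="utf-8">
<title>Weekly Gardening Notes</title>
<link rel="stylesheet" href="assets/blog.css"></head>
<body><div class="post"><h1>Pruning apple trees in late winter</h1>
<p>Dormant pruning keeps the canopy open so light reaches the fruiting wood.
Remove crossing branches first, then thin the water sprouts that grew last
summer. Seal nothing; clean cuts heal on their own.</p>
<p>Next week: starting tomato seedlings under lights.</p>
</div></body></html>"""


if __name__ == "__main__":
    for name, page in (("rehosted clone", REHOSTED_CLONE), ("benign page", BENIGN_PAGE)):
        verdict = classify(page, KNOWN_PHISH)
        print(f"{name}: {verdict} ratio={compression_ratio(page):.2f}")
```

Two practical points follow from the code rather than the abstract: the known-phish corpus is the part that has to be maintained (NCD itself has no training step), and because the distance is computed over raw bytes, an attacker who randomises attribute order, whitespace or identifiers in each served copy drives the score up, so NCD is best used beside other signals rather than as the only gate.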

    Misperceptions of Uncertainty and Their Applications to Prevention

    This thesis studies how people misperceive risk and uncertainty, and how this cognitive bias affects individuals' preventive actions. Chapter 1, in a lab experiment, shows that how we present rare events affects how large people perceive those events to be. I show by means of a lab experiment that people perceive rare events as bigger than they actually are when those events are presented to them separately rather than all together. Chapter 2 shows theoretically that it is actually the same phenomenon, namely probability weighting, that makes people both overinsure and prevent little. Chapter 3, with an application to cybersecurity, analyses an intervention aiming to increase prevention at the organizational level in a field experiment. I test whether communicating information in a more effective way or letting employees experience a simulated phishing attack helps to reduce falling for phishing attacks. Chapter 4 deals with the issue that people's judgements of risk might differ in different contexts. In a lab experiment, it shows that sexual context has an impact on ambiguity attitudes.

    Human-centered Information Security and Privacy: Investigating How and Why Social and Emotional Factors Affect the Protection of Information Assets

    Information systems (IS) are becoming increasingly integrated into the fabric of our everyday lives, for example, through cloud-based collaboration platforms, smart wearables, and social media. As a result, nearly every aspect of personal, social, and professional life relies on the constant exchange of information between users and online service providers. However, as users and organizations entrust more and more of their personal and sensitive information to IS, the challenges of ensuring information security and privacy become increasingly pressing, particularly given the rise of cybercrime and microtargeting capabilities. While the protection of information assets is a shared responsibility between technology providers, legislation, organizations, and individuals, previous research has emphasized the pivotal role of the user as the last line of defense. Whereas prior works on human-centered information security and privacy have primarily studied the human aspect from a cognitive perspective, it is important to acknowledge that security and privacy phenomena are deeply embedded within users’ social, emotional, and technological environment. Therefore, individual decision-making and organizational phenomena related to security and privacy need to be examined through a socio-emotional lens. As such, this thesis sets out to investigate how and why socio-emotional factors influence information security and privacy, while simultaneously providing a deeper understanding of how these insights can be utilized to design effective security and privacy-enhancing tools and interventions. This thesis includes five studies that have been published in peer-reviewed IS outlets. The first strand of this thesis investigates individual decision-making related to information security and privacy. 
Daily information disclosure decisions, such as providing login credentials to a phishing website or giving apps access to one’s address book, crucially affect information security and privacy. In an effort to support users in their decision-making, research and practice have begun to develop tools and interventions that promote secure and privacy-aware behavior. However, our knowledge on the design and effectiveness of such tools and interventions is scattered across a diverse research landscape. Therefore, the first study of this thesis (article A) sets out to systematize this knowledge. Through a literature review, the study presents a taxonomy of user-oriented information security interventions and highlights crucial shortcomings of current approaches, such as a lack of tools and interventions that provide users with long-term guidance and an imbalance regarding cyber attack vectors. Importantly, the study confirms that prior works in this field tend to limit their scope to a cognitive processing perspective, neglecting the influence of social and emotional factors. The second study (article B) examines how users make decisions on disclosing their peers’ personal information, a phenomenon referred to as privacy interdependence. Previous research has shown that users tend to have a limited understanding of the social ramifications of their decisions to share information, that is, the impact of their disclosure decisions on others’ privacy. The study is based on a theoretical framework that suggests that for a user, recognizing and respecting others’ privacy rights is heavily influenced by the perceived salience of others within their own socio-technical environment. The study introduces an intervention aimed at increasing the salience of others’ personal data during the decision-making process, resulting in a significant decrease of interdependent privacy infringements. 
These findings indicate that current interfaces do not allow users to make informed decisions about their peers' privacy, a problem that is highly relevant for policymakers and regulators. Shifting the focus towards an organizational context of individual security decision-making, the third study (article C) investigates employees' underlying motives for reporting cyber threats. With the aim of maximizing employees' adoption of reporting tools, the study examines the effect of two tool design features on users' utilitarian and hedonic motivation to report information security incidents. The findings suggest that reporting tools that elicit a sense of warm glow, that is, a boost of self-esteem and personal satisfaction after performing an altruistic act, result in higher tool adoption compared to those that address solely users' utilitarian motivation. This unlocks a new perspective on organizational information security as a whole and showcases new ways in which organizations can engage users in promoting information security. The second strand of this thesis focuses on the context of organizational information security. Beyond individual decision-making, organizations face the challenge of maintaining an information security culture, including, for example, employees' awareness of security risks, top management commitment, and interdepartmental collaboration with regard to security issues. The fourth study (article D) presents a measurement instrument to assess employees' security awareness. Complementary to the predominant method of self-reported surveys, the study introduces an index based on employees' susceptibility to simulated social engineering attacks. As such, it presents a novel way to measure security awareness that closes the intention-behavior gap and enables information security officers to nonintrusively monitor human vulnerabilities in real time.
Furthermore, the findings indicate that security education, training and awareness (SETA) programs not only increase employees' awareness of information security risks, but also improve their actual security behavior. Finally, the fifth study (article E) investigates the influence of external socio-emotional disruption on information security culture. Against the backdrop of the COVID-19 pandemic, the longitudinal study reveals novel inhibitors and facilitators of information security culture that emerged in the face of global socially and emotionally disruptive change over the course of 2020. Specifically, the study demonstrates that such disruptive events can influence information security culture negatively, or, counterintuitively, positively, depending on prerequisites such as digital maturity and economic stability. Overall, this thesis highlights the importance of considering socio-emotional factors in protecting information assets by providing a more comprehensive understanding of why and how such factors affect human behavior related to information security and privacy. By doing so, this thesis answers calls for research that urge scholars to consider security and privacy issues in a larger social and emotional context. The studies in this thesis contribute to IS research on information security and privacy by (1) uncovering social and emotional motives as hitherto largely neglected drivers of users' decision-making, (2) demonstrating how tools and interventions can leverage these motives to improve users' protection of information assets, and (3) revealing the importance of external socio-emotional factors as a thus far under-investigated influence on organizational information security. In practice, this thesis offers actionable recommendations for designers building tools and interventions to support decision-making with regard to information security and privacy.
Likewise, it provides important insights to information security officers on how to build a strong and resilient information security culture, and guides policymakers in accounting for socially embedded privacy phenomena.

    Reducing the risk of e-mail phishing in the state of Qatar through an effective awareness framework

    In recent years, cybercrime has focused intensely on people to bypass existing sophisticated security controls; phishing is one of the most common forms of such attack. This research highlights the problem of e-mail phishing. A lot of previous research has demonstrated the danger of phishing and its considerable consequences. Since users' behaviour is unpredictable, there is no reliable technological protective solution (e.g. spam filters, anti-viruses) to diminish the risk arising from inappropriate user decisions. Therefore, this research attempts to reduce the risk of e-mail phishing through awareness and education. It underlines the problem of e-mail phishing in the State of Qatar, one of the world's fastest developing countries, and seeks to provide a solution to enhance people's awareness of e-mail phishing by developing an effective awareness and educational framework. The framework consists of valuable recommendations for the Qatar government, citizens and organisations responsible for ensuring information security, along with an educational agenda to train them how to identify and avoid phishing attempts. The educational agenda supports users in making better trust decisions to avoid phishing and could complement any technical solutions. It comprises a collection of training methods: conceptual, embedded, e-learning and learning programmes, which include a television show and a learning session with a variety of teaching components such as a game, quizzes, posters, cartoons and a presentation. The components were tested by trial in two Qatari schools and evaluated by experts and a representative sample of Qatari citizens. Furthermore, the research proves the existence and extent of the e-mail phishing problem in Qatar in comparison with the UK, where people were found to be less vulnerable and more aware. It was discovered that Qatar is an attractive place for phishers and that a lack of awareness and e-law made Qatar more vulnerable to phishing.
The research identifies the factors which make Qatari citizens susceptible to e-mail phishing attacks, such as cultural and country-specific factors, interests and beliefs, religious effects and personal characteristics, and this identified the need to enhance Qataris' level of awareness of the phishing threat. Since literature on phishing in Qatar is sparse, the empirical and non-empirical studies involved a variety of surveys, interviews and experiments. The research successfully achieved its aim and objectives and is now being considered by the Qatari Government.

    Human Computer Interaction and Emerging Technologies

    The INTERACT Conferences are an important platform for researchers and practitioners in the field of human-computer interaction (HCI) to showcase their work. They are organised biennially by the International Federation for Information Processing (IFIP) Technical Committee on Human-Computer Interaction (IFIP TC13), an international committee of 30 member national societies and nine Working Groups. INTERACT is truly international in its spirit and has attracted researchers from several countries and cultures. With an emphasis on inclusiveness, it works to lower the barriers that prevent people in developing countries from participating in conferences. As a multidisciplinary field, HCI requires interaction and discussion among diverse people with different interests and backgrounds. The 17th IFIP TC13 International Conference on Human-Computer Interaction (INTERACT 2019) took place during 2-6 September 2019 in Paphos, Cyprus. The conference was held at the Coral Beach Hotel Resort, and was co-sponsored by the Cyprus University of Technology and Tallinn University, in cooperation with ACM and ACM SIGCHI. This volume contains the Adjunct Proceedings to the 17th INTERACT Conference, comprising a series of selected papers from workshops, the Student Design Consortium and the Doctoral Consortium. The volume follows the INTERACT conference tradition of submitting adjunct papers after the main publication deadline, to be published by a University Press with a connection to the conference itself. In this case, both the Adjunct Proceedings Chair of the conference, Dr Usashi Chatterjee, and the lead Editor of this volume, Dr Fernando Loizides, work at Cardiff University, which is the home of Cardiff University Press.

    Learning representations for information mining from text corpora with applications to cyber threat intelligence

    Doctor of Philosophy. Department of Computer Science. William H. Hsu.
    This research develops learning representations and architectures for natural language understanding, within an information mining framework for analysis of open-source cyber threat intelligence (CTI). Both contextual (sequential) and topological (graph-based) encodings of short text documents are modeled. To accomplish this goal, a series of machine learning tasks are defined, and learning representations are developed to detect crucial information in these documents: cyber threat entities, types, and events. Using hybrid transformer-based implementations of these learning models, CTI-relevant key phrases are identified, and specific cyber threats are classified using classification models based upon graph neural networks (GNNs). The central scientific goal here is to learn features from corpora consisting of short texts for multiple document categorization and information extraction sub-tasks to improve the accuracy, precision, recall, and F1 score of a multimodal framework. To address a performance gap (e.g., classification accuracy) for text classification, a novel multi-dimensional Feature Attended Parametric Kernel Graph Neural Network (APKGNN) layer is introduced to construct a GNN model in this dissertation, where the text classification task is transformed into a graph node classification task. To extract key phrases, contextual semantic tagging with text sequences as input to transformers is used, which improves a transformer's learning representation. By deriving a set of characteristics ranging from low-level (lexical) natural language features to summative extracts, this research focuses on reducing human effort by adopting a combination of semi-supervised approaches for learning syntactic, semantic, and topological feature representation.
The following central research questions are addressed: can CTI-relevant key phrases be identified effectively with reduced human effort; can threats be classified into different types; and can threat events be detected and ranked from social media such as Twitter data and other benchmark data sets. Developing an integrated system to answer these research questions showed that user-specific information in shared social media content, and connections (followers and followees), are effective and crucial for algorithmically tracing active CTI user accounts from open-source social network data. All these components, used in combination, facilitate the understanding of key analytical tasks and objectives of open-source cyber threat intelligence.