Tutorial and Critical Analysis of Phishing Websites Methods

The Internet has become an essential component of our everyday social and financial activities. Internet is not important for individual users only but also for organizations, because organizations that offer online trading can achieve a competitive edge by serving worldwide clients. Internet facilitates reaching customers all over the globe without any market place restrictions and with effective use of e-commerce. As a result, the number of customers who rely on the Internet to perform procurements is increasing dramatically. Hundreds of millions of dollars are transferred through the Internet every day. This amount of money was tempting the fraudsters to carry out their fraudulent operations. Hence, Internet users may be vulnerable to different types of web threats, which may cause financial damages, identity theft, loss of private information, brand reputation damage and loss of customers’ confidence in e-commerce and online banking. Therefore, suitability of the Internet for commercial transactions becomes doubtful. Phishing is considered a form of web threats that is defined as the art of impersonating a website of an honest enterprise aiming to obtain user’s confidential credentials such as usernames, passwords and social security numbers. In this article, the phishing phenomena will be discussed in detail. In addition, we present a survey of the state of the art research on such attack. Moreover, we aim to recognize the up-to-date developments in phishing and its precautionary measures and provide a comprehensive study and evaluation of these researches to realize the gap that is still predominating in this area. This research will mostly focus on the web based phishing detection methods rather than email based detection methods

How WEIRD is Usable Privacy and Security Research? (Extended Version)

In human factor fields such as human-computer interaction (HCI) and psychology, researchers have been concerned that participants mostly come from WEIRD (Western, Educated, Industrialized, Rich, and Democratic) countries. This WEIRD skew may hinder understanding of diverse populations and their cultural differences. The usable privacy and security (UPS) field has inherited many research methodologies from research on human factor fields. We conducted a literature review to understand the extent to which participant samples in UPS papers were from WEIRD countries and the characteristics of the methodologies and research topics in each user study recruiting Western or non-Western participants. We found that the skew toward WEIRD countries in UPS is greater than that in HCI. Geographic and linguistic barriers in the study methods and recruitment methods may cause researchers to conduct user studies locally. In addition, many papers did not report participant demographics, which could hinder the replication of the reported studies, leading to low reproducibility. To improve geographic diversity, we provide the suggestions including facilitate replication studies, address geographic and linguistic issues of study/recruitment methods, and facilitate research on the topics for non-WEIRD populations.Comment: This paper is the extended version of the paper presented at USENIX SECURITY 202

Cyber security fear appeals:unexpectedly complicated

Cyber security researchers are starting to experiment with fear appeals, with a wide variety of designs and reported efficaciousness. This makes it hard to derive recommendations for designing and deploying these interventions. We thus reviewed the wider fear appeal literature to arrive at a set of guidelines to assist cyber security researchers. Our review revealed a degree of dissent about whether or not fear appeals are indeed helpful and advisable. Our review also revealed a wide range of fear appeal experimental designs, in both cyber and other domains, which confirms the need for some standardized guidelines to inform practice in this respect. We propose a protocol for carrying out fear appeal experiments, and we review a sample of cyber security fear appeal studies, via this lens, to provide a snapshot of the current state of play. We hope the proposed experimental protocol will prove helpful to those who wish to engage in future cyber security fear appeal research

Scoping the ethical principles of cybersecurity fear appeals

Fear appeals are used in many domains. Cybersecurity researchers are also starting to experiment with fear appeals, many reporting positive outcomes. Yet there are ethical concerns related to the use of fear to motivate action. In this paper, we explore this aspect from the perspectives of cybersecurity fear appeal deployers and recipients. We commenced our investigation by considering fear appeals from three foundational ethical perspectives. We then consulted the two stakeholder groups to gain insights into the ethical concerns they consider to be pertinent. We first consulted deployers: (a) fear appeal researchers and (b) Chief Information Security Officers (CISOs), and then potential cybersecurity fear appeal recipients: members of a crowdsourcing platform. We used their responses to develop an effects-reasoning matrix, identifying the potential benefits and detriments of cybersecurity fear appeals for all stakeholders. Using these insights, we derived six ethical principles to guide cybersecurity fear appeal deployment. We then evaluated a snapshot of cybersecurity studies using the ethical principle lens. Our contribution is, first, a list of potential detriments that could result from the deployment of cybersecurity fear appeals and second, the set of six ethical principles to inform the deployment of such appeals. Both of these are intended to inform cybersecurity fear appeal design and deployment

Gamification of Cyber Security Awareness : A Systematic Review of Games

The frequency and severity of cyber-attacks have increased over the years with damaging consequences such as financial loss, reputational damage, and loss of sensitive data. Most of these attacks can be attributed to user error. To minimize these errors, cyber security awareness training is conducted to improve user awareness. Cyber security awareness training that is engaging, fun, and motivating is required to ensure that the awareness message gets through to users. Gamification is one such method by which cyber security awareness training can be made fun, engaging, and motivating. This thesis presents the state of the art of games used in cyber security awareness. In this regard, a systematic review of games following PRISMA guidelines was conducted on the relevant papers published between 2010 to 2021. The games were analyzed based on their purpose, cyber security topics taught, target audience, deployment methods, game genres implemented and learning mechanics applied. Analysis of these games revealed that cyber security awareness games are mostly deployed as computer games, targeted at the general public to create awareness in a wide range of cyber security topics. Most of the games implement the role-playing genre and apply demonstration learning mechanics to deliver their cyber security awareness message effectively

Access Control In and For the Real World

Access control is a core component of any information-security strategy. Researchers have spent tremendous energy over the past forty years defining abstract access-control models and proving various properties about them. However, surprisingly little attention has been paid to how well these models work in real socio-technical systems (i.e., real human organizations). This dissertation describes the results of two qualitative studies (involving 52 participants from four companies, drawn from the financial, software, and healthcare sectors) and observes that the current practice of access control is dysfunctional at best. It diagnoses the broken assumptions that are at the heart of this dysfunction, and offers a new definition of the access-control problem that is grounded in the requirements and limitations of the real world

Cybersecurity and the Digital Health: An Investigation on the State of the Art and the Position of the Actors

Cybercrime is increasingly exposing the health domain to growing risk. The push towards a strong connection of citizens to health services, through digitalization, has undisputed advantages. Digital health allows remote care, the use of medical devices with a high mechatronic and IT content with strong automation, and a large interconnection of hospital networks with an increasingly effective exchange of data. However, all this requires a great cybersecurity commitment—a commitment that must start with scholars in research and then reach the stakeholders. New devices and technological solutions are increasingly breaking into healthcare, and are able to change the processes of interaction in the health domain. This requires cybersecurity to become a vital part of patient safety through changes in human behaviour, technology, and processes, as part of a complete solution. All professionals involved in cybersecurity in the health domain were invited to contribute with their experiences. This book contains contributions from various experts and different fields. Aspects of cybersecurity in healthcare relating to technological advance and emerging risks were addressed. The new boundaries of this field and the impact of COVID-19 on some sectors, such as mhealth, have also been addressed. We dedicate the book to all those with different roles involved in cybersecurity in the health domain

Phishing within e-commerce: reducing the risk, increasing the trust

E-Commerce has been plagued with problems since its inception and this study examines one of these problems: The lack of user trust in E-Commerce created by the risk of phishing. Phishing has grown exponentially together with the expansion of the Internet. This growth and the advancement of technology has not only benefited honest Internet users, but has enabled criminals to increase their effectiveness which has caused considerable damage to this budding area of commerce. Moreover, it has negatively impacted both the user and online business in breaking down the trust relationship between them. In an attempt to explore this problem, the following was considered: First, E-Commerce’s vulnerability to phishing attacks. By referring to the Common Criteria Security Model, various critical security areas within E-Commerce are identified, as well as the areas of vulnerability and weakness. Second, the methods and techniques used in phishing, such as phishing e-mails, websites and addresses, distributed attacks and redirected attacks, as well as the data that phishers seek to obtain, are examined. Furthermore, the way to reduce the risk of phishing and in turn increase the trust between users and websites is identified. Here the importance of Trust and the Uncertainty Reduction Theory plus the fine balance between trust and control is explored. Finally, the study presents Critical Success Factors that aid in phishing prevention and control, these being: User Authentication, Website Authentication, E-mail Authentication, Data Cryptography, Communication, and Active Risk Mitigation