Gamification of Cyber Security Awareness : A Systematic Review of Games

The frequency and severity of cyber-attacks have increased over the years with damaging consequences such as financial loss, reputational damage, and loss of sensitive data. Most of these attacks can be attributed to user error. To minimize these errors, cyber security awareness training is conducted to improve user awareness. Cyber security awareness training that is engaging, fun, and motivating is required to ensure that the awareness message gets through to users. Gamification is one such method by which cyber security awareness training can be made fun, engaging, and motivating. This thesis presents the state of the art of games used in cyber security awareness. In this regard, a systematic review of games following PRISMA guidelines was conducted on the relevant papers published between 2010 to 2021. The games were analyzed based on their purpose, cyber security topics taught, target audience, deployment methods, game genres implemented and learning mechanics applied. Analysis of these games revealed that cyber security awareness games are mostly deployed as computer games, targeted at the general public to create awareness in a wide range of cyber security topics. Most of the games implement the role-playing genre and apply demonstration learning mechanics to deliver their cyber security awareness message effectively

Phishing Attacks: A Security Challenge for University Students Studying Remotely

The emergence of the deadly global respiratory coronavirus disease (COVID-19) in 2019 claimed many lives and altered the way people live and behave as well as how companies operated. Considerable pressure was exerted on Institutions of Higher Learning (universities) to salvage the academic projects through the process of business model reconfiguration. Students were required to study remotely and were, therefore, exposed to phishing and scamming cyber-attacks. The effects of these attacks were examined in this study with the support of literature and empirical research leading to appropriate recommendations being proposed. Data were obtained through semi-structured interviews from students at a selected public-funded university. Atlas.Ti was used for data analysis to identify usable and sensible themes. The study established that students were aware of the factors that exposed them to phishing and scamming attacks but lacked the skills to identify such attacks before becoming victims

How WEIRD is Usable Privacy and Security Research? (Extended Version)

In human factor fields such as human-computer interaction (HCI) and psychology, researchers have been concerned that participants mostly come from WEIRD (Western, Educated, Industrialized, Rich, and Democratic) countries. This WEIRD skew may hinder understanding of diverse populations and their cultural differences. The usable privacy and security (UPS) field has inherited many research methodologies from research on human factor fields. We conducted a literature review to understand the extent to which participant samples in UPS papers were from WEIRD countries and the characteristics of the methodologies and research topics in each user study recruiting Western or non-Western participants. We found that the skew toward WEIRD countries in UPS is greater than that in HCI. Geographic and linguistic barriers in the study methods and recruitment methods may cause researchers to conduct user studies locally. In addition, many papers did not report participant demographics, which could hinder the replication of the reported studies, leading to low reproducibility. To improve geographic diversity, we provide the suggestions including facilitate replication studies, address geographic and linguistic issues of study/recruitment methods, and facilitate research on the topics for non-WEIRD populations.Comment: This paper is the extended version of the paper presented at USENIX SECURITY 202

Adversarial behaviours knowledge area

The technological advancements witnessed by our society in recent decades have brought improvements in our quality of life, but they have also created a number of opportunities for attackers to cause harm. Before the Internet revolution, most crime and malicious activity generally required a victim and a perpetrator to come into physical contact, and this limited the reach that malicious parties had. Technology has removed the need for physical contact to perform many types of crime, and now attackers can reach victims anywhere in the world, as long as they are connected to the Internet. This has revolutionised the characteristics of crime and warfare, allowing operations that would not have been possible before. In this document, we provide an overview of the malicious operations that are happening on the Internet today. We first provide a taxonomy of malicious activities based on the attacker’s motivations and capabilities, and then move on to the technological and human elements that adversaries require to run a successful operation. We then discuss a number of frameworks that have been proposed to model malicious operations. Since adversarial behaviours are not a purely technical topic, we draw from research in a number of fields (computer science, criminology, war studies). While doing this, we discuss how these frameworks can be used by researchers and practitioners to develop effective mitigations against malicious online operations.Published versio

Sandboxed navigation and deep inspection of suspicious links reported by Humans as a Security Sensor (HaaSS)

This thesis is part of a long-lasting research carried out in the field of Humans as a Security Sensor. In this thesis, I propose a solution to help companies to fight back against phishing, in particular, targeted and highly-contextualized attacks also known as "spare phishing". The thesis aims to develop a deep inspection module of individual emails submitted to the system by human sensors. As soon as a suspicious email has been flagged, it is passed to the deep inspection module that takes care of navigating every URL while collecting evidence and marks of malicious activities. The characteristic of this project is that it mimics the behavior of a real human user while navigating. It does not stop at the initial page, instead, it follows the redirects and collects page links to further inspect them afterward. My work focuses only on the automated navigation and deep inspection part and integrates it with an existing project that provides emails to analyze and manages the human sensor network. The idea is related to the concept of a human honeypot and provides a toolset that can help gather precious information to augment phishing user reports. We design a system that can navigate potentially malicious URLs as a human user would do. It opens links and browses through the webpages while collecting data, with the crucial difference that all the navigation is carried out fully automatically and in a protected environment isolated from the rest, so that any infection remains confined

Impact and key challenges of insider threats on organizations and critical businesses

The insider threat has consistently been identified as a key threat to organizations and governments. Understanding the nature of insider threats and the related threat landscape can help in forming mitigation strategies, including non-technical means. In this paper, we survey and highlight challenges associated with the identification and detection of insider threats in both public and private sector organizations, especially those part of a nation’s critical infrastructure. We explore the utility of the cyber kill chain to understand insider threats, as well as understanding the underpinning human behavior and psychological factors. The existing defense techniques are discussed and critically analyzed, and improvements are suggested, in line with the current state-of-the-art cyber security requirements. Finally, open problems related to the insider threat are identified and future research directions are discussed

Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences

In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices.Comment: Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in repor