The Effect of Security Education and Expertise on Security Assessments: the Case of Software Vulnerabilities

In spite of the growing importance of software security and the industry demand for more cyber security expertise in the workforce, the effect of security education and experience on the ability to assess complex software security problems has only been recently investigated. As proxy for the full range of software security skills, we considered the problem of assessing the severity of software vulnerabilities by means of a structured analysis methodology widely used in industry (i.e. the Common Vulnerability Scoring System (\CVSS) v3), and designed a study to compare how accurately individuals with background in information technology but different professional experience and education in cyber security are able to assess the severity of software vulnerabilities. Our results provide some structural insights into the complex relationship between education or experience of assessors and the quality of their assessments. In particular we find that individual characteristics matter more than professional experience or formal education; apparently it is the \emph{combination} of skills that one owns (including the actual knowledge of the system under study), rather than the specialization or the years of experience, to influence more the assessment quality. Similarly, we find that the overall advantage given by professional expertise significantly depends on the composition of the individual security skills as well as on the available information.Comment: Presented at the Workshop on the Economics of Information Security (WEIS 2018), Innsbruck, Austria, June 201

A Research Framework and Initial Study of Browser Security for the Visually Impaired

The growth of web-based malware and phishing attacks has catalyzed significant advances in the research and use of interstitial warning pages and modals by a browser prior to loading the content of a suspect site. These warnings commonly use visual cues to attract users\u27 attention, including specialized iconography, color, and an absence of buttons to communicate the importance of the scenario. While the efficacy of visual techniques has improved safety for sighted users, these techniques are unsuitable for blind and visually impaired users. This is likely not due to a lack of interest or technical capability by browser manufactures, where universal design is a core tenet of their engineering practices, but instead a reflection of the very real dearth of research literature to inform best practices, exacerbated by a deficit of clear methodologies for conducting studies with this population. Indeed, the challenges are manifold. In this paper, we present the results of our study analyzing the experiences of the visually impaired with browser security warnings, detail the development and advancement of the methodological best practices when conducting a study of this kind, and ultimately identify some initial approaches that could improve the security for this population

Towards a framework to promote the development of secure and usable online information security applications

The proliferation of the internet and associated online activities exposes users to numerous information security (InfoSec) threats. Such online activities attract a variety of online users who include novice computer users with no basic InfoSec awareness knowledge. Information systems that collect and use sensitive and confidential personal information of users need to provide reliable protection mechanisms to safeguard this information. Given the constant user involvement in these systems and the notion of users being the weakest link in the InfoSec chain, technical solutions alone are insufficient. The usability of online InfoSec systems can play an integral role in making sure that users use the applications effectively, thereby improving the overall security of the applications. The development of online InfoSec systems calls for addressing the InfoSec problem as a social problem, and such development must seek to find a balance between technical and social aspects. The research addressed the problem of usable security in online InfoSec applications by using an approach that enabled the consideration of both InfoSec and usability in viewing the system as a socio-technical system with technical and social sub-systems. Therefore, the research proposed a socio-technical framework that promotes the development of usable security for online information systems using online banking as a case study. Using a convergent mixed methods research (MMR) design, the research collected data from online banking users through a survey and obtained the views of online banking developers through unstructured interviews. The findings from the two research methods contributed to the selection of 12 usable security design principles proposed in the sociotechnical information security (STInfoSec) framework. The research contributed to online InfoSec systems theory by developing a validated STInfoSec framework that went through an evaluation process by seven field experts. Although intended for online banking, the framework can be applied to other similar online InfoSec applications, with minimum adaptation. The STInfoSec framework provides checklist items that allow for easy application during the development process. The checklist items can also be used to evaluate existing online banking websites to identify possible usable security problems.Computer ScienceD. Phil. (Computer Science

An Empirical Assessment of Senior Citizens’ Cybersecurity Awareness, Computer Self-Efficacy, Perceived Risk of Identity Theft, Attitude, and Motivation to Acquire Cybersecurity Skills

Cyber-attacks on Internet users have caused billions of dollars in losses annually. Cybercriminals launch attacks via threat vectors such as unsecured wireless networks and phishing attacks on Internet users who are usually not aware of such attacks. Senior citizens are one of the most vulnerable groups who are prone to cyber-attacks, and this is largely due to their limited cybersecurity awareness and skills. Within the last decade, there has been a significant increase in Internet usage among senior citizens. It was documented that senior citizens had the greatest rate of increase in Internet usage over all the other age groups during the past decade. However, whenever senior citizens use the Internet, they are being targeted and exploited particularly for financial crimes, with estimation that one in five becoming a victim of financial fraud, costing more than $2.6 billion per year. Increasing the cybersecurity awareness and skills levels of Internet users have been recommended to mitigate the effects of cyber-attacks. However, it is unclear what motivates Internet users, particularly senior citizens, to acquire cybersecurity skills so that they can identify as well as mitigate the effects of the cyber-attacks. It is also not known how effective cybersecurity awareness training are on the cybersecurity skill level of senior citizens. Therefore, the main goal of this quantitative study was to empirically investigate the factors that contributed to senior citizens’ motivation to acquire cybersecurity skills so that they would be able to identify and mitigate cyber-attacks, as well as assess their actual cybersecurity skills level. This was done by assessing a model of contributing factors identified in prior literature (senior citizens’ cybersecurity awareness, computer self-efficacy, perceived risk of identity theft, & older adults’ computer technology attitude) on the motivation of senior citizens to acquire cybersecurity skills. This study utilized a Web-based survey to measure the contributing factors and a hands-on scenarios-based iPad app called MyCyberSkills™ that was developed and empirically validated in prior research to measure the cybersecurity skills level of the senior citizens. All study measures were done before and after cybersecurity awareness training (pre- & post-test) to uncover if there were any differences on the assessed models and scores due to such treatment. The study included a sample of 254 senior citizens with a mean age of about 70 years. Path analyses using Smart PLS 3.0 were done to assess the pre- and post-test models to determine the contributions of each contributing factor to senior citizens’ motivation to acquire cybersecurity skills. Additionally, analysis of variance (ANOVA) and analysis of covariance (ANCOVA) using SPSS were done to determine significant mean difference between the pre-and post-test levels of the senior citizens’ cybersecurity skill level. The path analysis results indicate that while all paths on both models were significant, many of the paths had very low path coefficients, which in turn, indicated weak relationships among the assessed paths. However, although the path coefficients were lower than expected, the findings suggest that both intrinsic and extrinsic motivation, along with antecedents such as senior citizens’ cybersecurity awareness, computer self-efficacy, perceived risk of identity theft, and older adults’ computer technology attitude significantly impact the cybersecurity skill levels of senior citizens. The analysis of variance results indicated that there was a significant increase in the mean cybersecurity skills scores from 59.67% to 64.51% (N=254) as a result of the cybersecurity awareness training. Hence, the cybersecurity awareness training was effective in increasing the cybersecurity skill level of the senior citizens, and empowered them with small but significant improvement in the requisite skills to take mitigating actions against cyberattacks. The analysis of covariance results indicated that, except for years using computers, all the other demographic indicators were not significant. Contributions from this study add to the body of knowledge by providing empirical results on the factors that motivate senior citizens to acquire cybersecurity skills, and thus, may help in reducing some of the billions of dollars in losses accrued to them because of cyber-attacks. Senior citizens will also benefit in that they will be better able to identify and mitigate the effects of cyber-attacks should they attend cybersecurity awareness trainings. Additionally, the recommendations from this study can be useful to law enforcement and other agencies that work with senior citizens in reducing the number of cases relating to cybersecurity issues amongst senior citizens, and thus, free up resources to fight other sources of cybercrime for law enforcement agencies

Cyber Situational Awareness and Cyber Curiosity Taxonomy for Understanding Susceptibility of Social Engineering Attacks in the Maritime Industry

The maritime information system (IS) user has to be prepared to deal with a potential safety and environmental risk that can be caused by an unanticipated failure to a cyber system used onboard a vessel. A hacker leveraging a maritime IS user’s Cyber Curiosity can lead to a successful cyber-attack by enticing a user to click on a malicious Web link sent through an email and/or posted on a social media website. At worst, a successful cyber-attack can impact the integrity of a ship’s cyber systems potentially causing disruption or human harm. A lack of awareness of social engineering attacks can increase the susceptibility of a successful cyber-attack against any organization. A combination of limited cyber situational awareness (SA) of social engineering attacks used against IS users and the user’s natural curiosity create significant threats to organizations. The theoretical framework for this research study consists of four interrelated constructs and theories: social engineering, Cyber Curiosity, Cyber Situational Awareness, and activity theory. This study focused its investigation on two constructs, Cyber Situational Awareness and Cyber Curiosity. These constructs reflect user behavior and decision-making associated with being a victim of a social engineering cyber-attack. This study designed an interactive Web-based experiment to measure an IS user’s Cyber Situational Awareness and Cyber Curiosity to further understand the relationship between these two constructs in the context of cyber risk to organizations. The quantitative and qualitative data analysis from the experiment consisting of 174 IS users (120 maritime & 54 shoreside) were used to empirically assess if there are any significant differences in the maritime IS user’s level of Cyber SA, Cyber Curiosity, and position in the developed Cyber Risk taxonomy when controlled for demographic indicators. To ensure validity and reliability of the proposed measures and the experimental procedures, a panel of nine subject matter experts (SMEs) reviewed the proposed measures/scores of Cyber SA and Cyber Curiosity. The SMEs’ responses were incorporated into the proposed measures and scores including the Web-based experiment. Furthermore, a pilot test was conducted of the Web-based experiment to assess measures of Cyber SA and Cyber Curiosity. This research validated that the developed Cyber Risk taxonomy could be used to assess the susceptibility of an IS user being a victim of a social engineering attack. Identifying a possible link in how both Cyber SA and Cyber Curiosity can help predict the susceptibility of a social engineering attack can be beneficial to the IS research community. In addition, potentially reducing the likelihood of an IS user being a victim of a cyber-attack by identifying factors that improve Cyber SA can reduce risks to organizations. The discussions and implications for future research opportunities are provided to aid the maritime cybersecurity research and practice communities

An Analysis of Computer Systems for the Secure Creation and Verification of User Instructions

The ongoing digitisation of previously analogue systems through the Fourth Industrial Revolution transforms modern societies. Almost every citizen and businesses operating in most parts of the economy are increasingly dependent on the ability of computer systems to accurately execute people's command. This requires efficient data processing capabilities and effective data input methods that can accurately capture and process instructions given by a user. This thesis is concerned with the analysis of state-of-the-art technologies for reliable data input through three case studies. In the first case study, we analyse the UI of Windows 10 and macOS 10.14 for their ability to capture accurate input from users intending to erase data. We find several shortcomings in how both OS support users in identifying and selecting operations that match their intentions and propose several improvements. The second study investigates the use of transaction authentication technology in online banking to preserve the integrity of transaction data in the presence of financial malware. We find a complex interplay of personal and sociotechnical factors that affect whether people successfully secure their transactions, derive representative personas, and propose a novel transaction authentication mechanism that ameliorates some of these factors. In the third study, we analyse the Security Code AutoFill feature in iOS and macOS and its interactions with security processes of remote servers that require users to handle security codes delivered via SMS. We find novel security risks arising from this feature's design and propose amendments, some of which were implemented by Apple. From these case studies, we derive general insights on latent failure as causes for human error that extend the Swiss Cheese model of human error to non-work environments. These findings consequently extend the Human Factors Analysis and Classification System and can be applied to human error incident investigations

A Systematic Review of Multimedia Tools for Cybersecurity Awareness and Education

© {Leah Zhang-Kennedy, Sonia Chiasson ​| ACM} {2021}. This is the author's version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record was published in {ACM Computing Surveys}, https://doi.org/10.1145/3427920.We conduct a comprehensive review covering academic publications and industry products relating to tools for cybersecurity awareness and education aimed at non-expert end-users developed in the past 20 years. Through our search criteria, we identified 119 tools that we cataloged into five broad media categories. We explore current trends, assess their use of relevant instructional design principles, and review empirical evi dence of the tools’ effectiveness. From our review, we provide an evaluation checklist and suggest that a more systematic approach to the design and evaluation of cybersecurity educational tools would be beneficial

A Universal Cybersecurity Competency Framework for Organizational Users

The global reliance on the Internet to facilitate organizational operations necessitates further investments in organizational information security. Such investments hold the potential for protecting information assets from cybercriminals. To assist organizations with their information security, The National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NCWF) was created. The framework referenced the cybersecurity work, knowledge, and skills required to competently complete the tasks that strengthen their information security. Organizational users’ limited cybersecurity competency contributes to the financial and information losses suffered by organizations year after year. While most organizational users may be able to respond positively to a cybersecurity threat, without a measure of their cybersecurity competency they represent a cybersecurity threat to organizations. The main goal of this research study was to develop a universal Cybersecurity Competency Framework (CCF) to determine the demonstrated cybersecurity Knowledge, Skills, and Tasks (KSTs) through the NCWF (NICE, 2017) as well as identify the cybersecurity competency of organizational users. Limited attention has been given in cybersecurity research to determine organizational users’ cybersecurity competency. An expert panel of cybersecurity professionals known as Subject Matter Experts (SMEs) validated the cybersecurity KSTs necessary for the universal CCF. The research study utilized the explanatory sequential mixed-method approach to develop the universal CCF. This research study included a developmental approach combining quantitative and qualitative data collection in three research phases. In Phase 1, 42 SMEs identified the KSTs needed for the universal CCF. The results of the validated data from Phase 1 were inputted to construct the Phase 2 semi-structured interview. In Phase 2, qualitative data were gathered from 12 SMEs. The integration of the quantitative and qualitative data validated the KSTs. In Phase 3, 20 SMEs validated the KST weights and identified the threshold level. Phase 3 concluded with the SMEs\u27 aggregation of the KST weights into the universal CCF index. The weights assigned by the SMEs in Phase 3 showed that they considered knowledge as the most important competency, followed by Skills, then Tasks. The qualitative results revealed that training is needed for cybersecurity tasks. Phase 3 data collection and analysis continued with the aggregation of the validated weights into a single universal CCF index score. The SMEs determined that 72% was the threshold level. The findings of this research study significantly contribute to the body of knowledge on information systems and have implications for practitioners and academic researchers. It appears this is the only research study to develop a universal CCF to assess the organizational user’s competency and create a threshold level. The findings also offer further insights into what organizations need to provide cybersecurity training to their organizational users to enable them to competently mitigate cyber-attacks