Moving from a "human-as-problem" to a "human-as-solution" cybersecurity mindset

Cybersecurity has gained prominence, with a number of widely publicised security incidents, hacking attacks and data breaches reaching the news over the last few years. The escalation in the numbers of cyber incidents shows no sign of abating, and it seems appropriate to take a look at the way cybersecurity is conceptualised and to consider whether there is a need for a mindset change.To consider this question, we applied a "problematization" approach to assess current conceptualisations of the cybersecurity problem by government, industry and hackers. Our analysis revealed that individual human actors, in a variety of roles, are generally considered to be "a problem". We also discovered that deployed solutions primarily focus on preventing adverse events by building resistance: i.e. implementing new security layers and policies that control humans and constrain their problematic behaviours. In essence, this treats all humans in the system as if they might well be malicious actors, and the solutions are designed to prevent their ill-advised behaviours. Given the continuing incidences of data breaches and successful hacks, it seems wise to rethink the status quo approach, which we refer to as "Cybersecurity, Currently". In particular, we suggest that there is a need to reconsider the core assumptions and characterisations of the well-intentioned human's role in the cybersecurity socio-technical system. Treating everyone as a problem does not seem to work, given the current cyber security landscape.Benefiting from research in other fields, we propose a new mindset i.e. "Cybersecurity, Differently". This approach rests on recognition of the fact that the problem is actually the high complexity, interconnectedness and emergent qualities of socio-technical systems. The "differently" mindset acknowledges the well-intentioned human's ability to be an important contributor to organisational cybersecurity, as well as their potential to be "part of the solution" rather than "the problem". In essence, this new approach initially treats all humans in the system as if they are well-intentioned. The focus is on enhancing factors that contribute to positive outcomes and resilience. We conclude by proposing a set of key principles and, with the help of a prototypical fictional organisation, consider how this mindset could enhance and improve cybersecurity across the socio-technical system

Adversarial behaviours knowledge area

The technological advancements witnessed by our society in recent decades have brought improvements in our quality of life, but they have also created a number of opportunities for attackers to cause harm. Before the Internet revolution, most crime and malicious activity generally required a victim and a perpetrator to come into physical contact, and this limited the reach that malicious parties had. Technology has removed the need for physical contact to perform many types of crime, and now attackers can reach victims anywhere in the world, as long as they are connected to the Internet. This has revolutionised the characteristics of crime and warfare, allowing operations that would not have been possible before. In this document, we provide an overview of the malicious operations that are happening on the Internet today. We first provide a taxonomy of malicious activities based on the attacker’s motivations and capabilities, and then move on to the technological and human elements that adversaries require to run a successful operation. We then discuss a number of frameworks that have been proposed to model malicious operations. Since adversarial behaviours are not a purely technical topic, we draw from research in a number of fields (computer science, criminology, war studies). While doing this, we discuss how these frameworks can be used by researchers and practitioners to develop effective mitigations against malicious online operations.Published versio

Incorporating psychology into cyber security education: A pedagogical approach

The role of the human in cyber security is well acknowledged. Many cyber security incidents rely upon targets performing specific behavioural actions, such as opening a link within a phishing email. Cyber adversaries themselves are driven by psychological processes such as motivation, group dynamics and social identity. Furthermore, both intentional and unintentional insider threats are associated with a range of psychological factors, including cognitive load, mental wellbeing, trust and interpersonal relations. By incorporating psychology into cyber security education, practitioners will be better equipped with the skills they need to address cyber security issues. However, there are challenges in doing so. Psychology is a broad discipline, and many theories, approaches and methods may have little practical significance to cyber security. There is a need to sift through the literature to identify what can be applied to cyber security. There are also pedagogical differences in how psychology and cyber security are taught and also psychological differences in the types of student that may typically study psychology and cyber security. To engage with cyber security students, it is important that these differences are identified and positively addressed. Essential to this endeavor is the need to discuss and collaborate across the two disciplines. In this paper, we explore these issues and discuss our experiences as psychology and cyber security academics who work across disciplines to deliver psychology education to cyber security students, practitioners and commercial clients

Exploring the Relationship Between Self-Esteem, Financial Egocentrism, and Fraud Susceptibility in Cyber-Enabled Fraud Schemes Involving Crypto Assets

The propensity to exploit others for one’s own benefit is continuously exhibited by bad actors. Unfortunately, this sentiment holds true in emerging asset classes, such as crypto assets. As a result, it is surprising that current research on fraud susceptibility is approached in a binary way. Researchers examine either what makes an individual predisposed to victimization by bad actors or what factors influence one’s propensity to perpetrate fraudulent schemes. This study bridged this substantial gap in current research by investigating if specific psychological factors influence when, or if, an individual shifts between these two outcomes. The psychological factors incorporated into this analysis included self-esteem, financial egocentrism, and fraud susceptibility. These variables were measured through self-reported assessments. Secondary analysis additionally explored the efficacy of the threat of punishment as a deterrent for the perpetration of cyber-enabled fraud schemes. The evidence indicated that higher levels of financial egocentrism were linked to higher fraud susceptibility. The study also identified that the threat of punishment did not have a statistically significant impact on the decision to perpetrate a cyber-enabled fraud scheme involving crypto assets

Assessing the Presence of Mindfulness within Cyber and Non-Cybersecurity groups

Corporations and individuals continue to be under Phishing attack. Researchers categorizes methods corporations and individuals can employ to reduce the impact of being caught in a Phishing scheme. Corporation enable technical mechanisms such as automated filtering, URL blacklisting, and manipulation of browser warning messages to reduce phishing susceptibility costing billions of dollars annually. However, even with robust efforts to educate employees about phishing techniques through security awareness training the abundance of attacks continues to plague organizations. This study aims to identify whether a correlation exists between mindfulness and phishing susceptibility. The goal of this research is to determine if mindful individuals are less susceptible to phishing. By showing individuals with increased awareness are significantly able to identify areas that phishing attempts exploit. Based on a review of the literature a misconception exists between end-users, corporation and Internet Service Providers (ISP) regarding ownership of Phishing identification. Specifically, individuals blame ISPs and corporate information technology departments for failing to protect them from Phishing attacks. Still, the truth of the matter is that the end-user is ultimately the weakest link in the phishing identification chain. The methodology of this study polled participants through initial screening focusing on whether the individuals were mindful using the Mindful Attention Awareness Scale (MAAS) survey. Conclusions seen in this study in contrast with other studies saw no significant correlation between Mindfulness and phishing susceptibility, increase in cogitative ability or increase in Phishing identification. Thus, continued use of MAAS survey questionnaire is necessary to screen other groups for phishing awareness prior to focusing on other phishing cues

A Framework to Detect the Susceptibility of Employees to Social Engineering Attacks

Social engineering attacks (SE-attacks) in enterprises are hastily growing and are becoming increasingly sophisticated. Generally, SE-attacks involve the psychological manipulation of employees into revealing confidential and valuable company data to cybercriminals. The ramifications could bring devastating financial and irreparable reputation loss to the companies. Because SE-attacks involve a human element, preventing these attacks can be tricky and challenging and has become a topic of interest for many researchers and security experts. While methods exist for detecting SE-attacks, our literature review of existing methods identified many crucial factors such as the national cultural, organizational, and personality traits of employees that enable SE-attacks not considered by the other researchers. Thus, this thesis aims to address the gap by identifying and analyzing all the factors that make the SE-attack possible. We have developed a framework that operates in an enterprise environment and can detect the susceptibility of victims to SE-attacks. It relies on mapping Gragg’s psychological triggers of social engineering to three groups of factors, namely the national cultural factors, the organizational factors, and the personality traits of employees. Our analysis demonstrates that there is a correlation between the social engineering triggers and the three-layered factors that make employees susceptible to social engineering attacks. Thus, adding these factors in the proposed framework detects susceptibility of victims. Finally, we introduce a proposed framework that would detect and recognize weaknesses and susceptibility of employees in an organization which can be used for enhancing awareness and employee training to better recognize and prevent SE-attacks

Addressing Emerging Information Security Personnel Needs. A Look at Competitions in Academia: Do Cyber Defense Competitions Work?

This paper is part of a proposed study that looks at the emerging information security personnel needs of organizations. We are attempting to explore the correlation between components of a regional cyber defense competition and an organization’s needs in terms of employing adequately trained information security personnel. We look to identify some unique characteristics of a regional academic cyber defense competition via the critical success factors method

An Examination of the Human Factors in Cybersecurity: Future Direction for Nigerian Banks

Information and communication technology has become necessary for conducting business operations and ensuring business survival in Nigerian banks. However, this has come with some encumbrances, as this technology is vulnerable to attacks due to technical or human factors. These human factors have been very challenging for organizations due to their multi-dimensional nature and the fact that humans have been responsible for most cybersecurity incidents. Resolving issues arising from cybersecurity incidents is expensive and time-consuming. Therefore, this study is crucial as it will enable Nigerian banks witnessing increased attacks to take preventive measures and reduce the enormous expenditure required for remediation. This study adopts a literature review approach, reviewing previous studies on human factors in cybersecurity to determine the factors responsible for successful cyber-attacks and their suggested mitigations. The findings categorize these human factors into social engineering, poor information security culture, risky password practices, stress, burnout, and security fatigue. The study presents mitigations but notes that training and cybersecurity awareness are the most common reoccurring pre-emptive actions recommended. This research is significant as very little prior research has been conducted in this area targeted at the Nigerian banking sector. Practically, the findings of this study are expected to point Nigerian banks toward the critical human factors that they need to concentrate on to minimize the success rate of cyber-attacks and reduce the associated costs of recovering from these attacks

An Examination of User Detection of Business Email Compromise Amongst Corporate Professionals

With the evolution in technology and increase in utilization of the public Internet, Internet-based mobile applications, and social media, security risks for organizations have greatly increased. While corporations leverage social media as an effective tool for customer advertisements, the abundance of information available via public channels along with the growth in Internet connections to corporate networks including mobile applications, have made cyberattacks attractive for cybercriminals. Cybercrime against organizations is a daily threat and targeting companies of all sizes. Cyberattacks are continually evolving and becoming more complex that make it difficult to protect against with traditional security methods. Cybercriminals utilize email attacks as their most common method to compromise corporations for financial gain. Email attacks on corporations have evolved into very sophisticated scams that specifically target businesses that conduct wire transfers or financial transactions as part of their standard mode of operations. This new evolution of email driven attacks is called Business Email Compromise (BEC) attacks and utilize advanced social engineering, phishing techniques, and email hacking to manipulate employees into conducting fraudulent wire transfers that are intended for actual suppliers and business partners. One of the most common types of BEC attacks is the Chief Executive Officer (CEO) fraud, which are highly customized and targeted attacks aimed to impersonate corporate users that have authority to approve financial transactions and wire transfers in order to influence an employee to unknowingly conduct a fraudulent financial wire transfer. Thus, the main goal of this research study was to assess if there are any significant differences of corporate users’ detection skills of BEC attacks in a simulated test environment based on their personality attributes, using the Myers-Briggs Type Indicator® (MBTI®)’ 16 personalities® framework. BEC attacks have attributed to over $26 billion in corporate financial losses across the globe and are continually increasing. The human aspect in the cybersecurity has been a known challenge and is especially significant in direct interaction with BEC attacks. Furthermore, this research study analyzed corporate users’ attention span levels and demographics to assess if there are any significant differences on corporate users’ BEC attack detection skills. Moreover, this research study analyzed if there are any significant differences for BEC detection skills before and after a BEC awareness training. This research study was conducted by first developing an experiment to measure BEC detection and ensure validity via cybersecurity subject matter experts using the Delphi process. The experiment also collected qualitative and quantitative data for the participants’ performance measures using an application developed for the study. This research was conducted on a group of 45 corporate users in an experimental setting utilizing online surveys and a BEC detection mobile test application. This research validated and developed a BEC detection measure as well as the BEC awareness training module that were utilized in the research experiment. The results of the experiments were analyzed using analysis of variance (ANOVA) and analysis of covariance (ANCOVA) to address the research questions. It was found that there were that no statistically significant mean differences for Business Email Compromise Detection (BECD) skills between personality attributes of corporate professional participants, However, results indicated that there was a significant mean difference for BECD skills and span attention with a p\u3c.0001. Furthermore, there was a significant mean difference for BECD skills and span attention when controlled for gender with a p\u3c0.05. Furthermore, the results indicated that the BEC detection awareness training significantly improved the participant BEC detection skill with a p\u3c.0001. Moreover, following the training, it was found that female BEC detection test scores improved by 45% where the men BECD score improved by 31%. Recommendations for research and industry stakeholders are provided, including to corporations on methods to mitigate BEC attacks