583 research outputs found

    On the evolution of hyperlinking

    Across time, the hyperlink object has supported different applications and studies. This is one perspective on the evolution of the hyperlinking concept, its context and related behaviors. Through a spectrum of hyperlinking applications and practices, the article contrasts the status quo with its related, broader, conceptual roots; it also bridges to some theorized and prototyped hyperlink variations, namely "stigmergic hyperlinks", to make the case that the ubiquitousness of some objects and certain usage patterns can obfuscate opportunities to (re)think them. In trying to contribute an answer to "what has the common hyperlink (such an apparently simple object) done to society, and what has society done to it?", the article identifies situations that have become so embedded in the daily routine, that it is now hard to think of hyperlinking alternatives.

    Understanding phishing awareness among students in tertiary institutions and setting-up defensive mechanisms against the attackers

    The average loss by companies to phishing in 2021 is $14.8 million, more than triple what it was in 2015. That translates to hundreds of billions of dollars in total losses from phishing attacks on global businesses, and vulnerability to these attacks is increasing every day, particularly among the younger generation less than 40 years of age. This paper begins with a background exposition on phishing trends and highlights previous findings concerning users' susceptibility to phishing attacks. It however explores the term phishing itself, its kinds, types and some basic measures necessary for defense against phishing activities. The research was employed with a major focus on the email aspect of phishing. Alongside the website aspect of phishing, the certificate of a website was also considered. The purpose of this study was to identify the level of student awareness related to specific phishing tactics. Findings revealed that while students are unlikely to provide personal information in response to an email/SMS request, they can be easily tricked by numerous other tactics. This paper reports the findings of the study in addition to listing suggested points to employ for creating phishing awareness.

    The Role of Time Pressure, Cue Utilisation, and Information Security Awareness on Phishing Email Susceptibility

    This item is only available electronically. Phishing emails are emails which attempt to solicit sensitive information from unsuspecting users. Phishing represents a major threat to information security. To develop interventions aimed at reducing phishing susceptibility, an understanding of how emails are evaluated to determine their legitimacy, and individual differences that may predict phishing email susceptibility is required. The current study aims to examine the relationship between phishing susceptibility and time pressure, along with individual differences in cue utilisation and information security awareness (ISA). In an online study, 127 participants were randomly assigned to either a 7-second or 15-second time condition and were presented with 60 emails (40 genuine and 20 phishing). Emails were presented one at a time for the duration corresponding with each participant’s time condition. Participants were required to sort each email into one of ten categories. The ‘phishing’ category was considered a hit when chosen following a phishing email, and a false alarm when following a genuine email. Participants also completed an assessment of cue utilisation in the domain of phishing, and the Human Aspects of Information Security Questionnaire (HAIS-Q). Statistical analyses revealed that a higher level of cue utilisation, a shorter email exposure duration and higher ISA resulted in reduced ability to differentiate between phishing and genuine emails. Furthermore, a positive correlation was found between cue utilisation and ISA, however, there was no interaction between time pressure and cue utilisation on phishing susceptibility. This study’s outcomes may aid in the development of training and education programs aimed at reducing phishing susceptibility. Thesis (B.PsychSc(Hons)) -- University of Adelaide, School of Psychology, 202

    Unbiased phishing detection using domain name based features

    2018 Summer. Includes bibliographical references. Internet users are coming under a barrage of phishing attacks of increasing frequency and sophistication. While these attacks have been remarkably resilient against the vast range of defenses proposed by academia, industry, and research organizations, machine learning approaches appear to be a promising one in distinguishing between phishing and legitimate websites. There are three main concerns with existing machine learning approaches for phishing detection. The first concern is there is neither a framework, preferably open-source, for extracting feature and keeping the dataset updated nor an updated dataset of phishing and legitimate website. The second concern is the large number of features used and the lack of validating arguments for the choice of the features selected to train the machine learning classifier. The last concern relates to the type of datasets used in the literature that seems to be inadvertently biased with respect to the features based on URL or content. In this thesis, we describe the implementation of our open-source and extensible framework to extract features and create up-to-date phishing dataset. With having this framework, named Fresh-Phish, we implemented 29 different features that we used to detect whether a given website is legitimate or phishing. We used 26 features that were reported in related work and added 3 new features and created a dataset of 6,000 websites with these features of which 3,000 were malicious and 3,000 were genuine and tested our approach. Using 6 different classifiers we achieved the accuracy of 93% which is a reasonable high in this field. To address the second and third concerns, we put forward the intuition that the domain name of phishing websites is the tell-tale sign of phishing and holds the key to successful phishing detection. 
We focus on this aspect of phishing websites and design features that explore the relationship of the domain name to the key elements of the website. Our work differs from existing state-of-the-art as our feature set ensures that there is minimal or no bias with respect to a dataset. Our learning model trains with only seven features and achieves a true positive rate of 98% and a classification accuracy of 97%, on sample dataset. Compared to the state-of-the-art work, our per data instance processing and classification is 4 times faster for legitimate websites and 10 times faster for phishing websites. Importantly, we demonstrate the shortcomings of using features based on URLs as they are likely to be biased towards dataset collection and usage. We show the robustness of our learning algorithm by testing our classifiers on unknown live phishing URLs and achieve a higher detection accuracy of 99.7% compared to the earlier known best result of 95% detection rate

    An Empirical Assessment of Senior Citizens’ Cybersecurity Awareness, Computer Self-Efficacy, Perceived Risk of Identity Theft, Attitude, and Motivation to Acquire Cybersecurity Skills

    Cyber-attacks on Internet users have caused billions of dollars in losses annually. Cybercriminals launch attacks via threat vectors such as unsecured wireless networks and phishing attacks on Internet users who are usually not aware of such attacks. Senior citizens are one of the most vulnerable groups who are prone to cyber-attacks, and this is largely due to their limited cybersecurity awareness and skills. Within the last decade, there has been a significant increase in Internet usage among senior citizens. It was documented that senior citizens had the greatest rate of increase in Internet usage over all the other age groups during the past decade. However, whenever senior citizens use the Internet, they are being targeted and exploited particularly for financial crimes, with estimation that one in five becoming a victim of financial fraud, costing more than $2.6 billion per year. Increasing the cybersecurity awareness and skills levels of Internet users have been recommended to mitigate the effects of cyber-attacks. However, it is unclear what motivates Internet users, particularly senior citizens, to acquire cybersecurity skills so that they can identify as well as mitigate the effects of the cyber-attacks. It is also not known how effective cybersecurity awareness training are on the cybersecurity skill level of senior citizens. Therefore, the main goal of this quantitative study was to empirically investigate the factors that contributed to senior citizens’ motivation to acquire cybersecurity skills so that they would be able to identify and mitigate cyber-attacks, as well as assess their actual cybersecurity skills level. This was done by assessing a model of contributing factors identified in prior literature (senior citizens’ cybersecurity awareness, computer self-efficacy, perceived risk of identity theft, & older adults’ computer technology attitude) on the motivation of senior citizens to acquire cybersecurity skills. 
This study utilized a Web-based survey to measure the contributing factors and a hands-on scenarios-based iPad app called MyCyberSkills™ that was developed and empirically validated in prior research to measure the cybersecurity skills level of the senior citizens. All study measures were done before and after cybersecurity awareness training (pre- & post-test) to uncover if there were any differences on the assessed models and scores due to such treatment. The study included a sample of 254 senior citizens with a mean age of about 70 years. Path analyses using Smart PLS 3.0 were done to assess the pre- and post-test models to determine the contributions of each contributing factor to senior citizens’ motivation to acquire cybersecurity skills. Additionally, analysis of variance (ANOVA) and analysis of covariance (ANCOVA) using SPSS were done to determine significant mean difference between the pre-and post-test levels of the senior citizens’ cybersecurity skill level. The path analysis results indicate that while all paths on both models were significant, many of the paths had very low path coefficients, which in turn, indicated weak relationships among the assessed paths. However, although the path coefficients were lower than expected, the findings suggest that both intrinsic and extrinsic motivation, along with antecedents such as senior citizens’ cybersecurity awareness, computer self-efficacy, perceived risk of identity theft, and older adults’ computer technology attitude significantly impact the cybersecurity skill levels of senior citizens. The analysis of variance results indicated that there was a significant increase in the mean cybersecurity skills scores from 59.67% to 64.51% (N=254) as a result of the cybersecurity awareness training. 
Hence, the cybersecurity awareness training was effective in increasing the cybersecurity skill level of the senior citizens, and empowered them with small but significant improvement in the requisite skills to take mitigating actions against cyberattacks. The analysis of covariance results indicated that, except for years using computers, all the other demographic indicators were not significant. Contributions from this study add to the body of knowledge by providing empirical results on the factors that motivate senior citizens to acquire cybersecurity skills, and thus, may help in reducing some of the billions of dollars in losses accrued to them because of cyber-attacks. Senior citizens will also benefit in that they will be better able to identify and mitigate the effects of cyber-attacks should they attend cybersecurity awareness trainings. Additionally, the recommendations from this study can be useful to law enforcement and other agencies that work with senior citizens in reducing the number of cases relating to cybersecurity issues amongst senior citizens, and thus, free up resources to fight other sources of cybercrime for law enforcement agencies

    WHERE DO YOU LOOK? RELATING VISUAL ATTENTION TO LEARNING OUTCOMES AND URL PARSING

    Visual behavior provides a dynamic trail of where attention is directed. It is considered the behavioral interface between engagement and gaining information, and researchers have used it for several decades to study user's behavior. This thesis focuses on employing visual attention to understand user's behavior in two contexts: 3D learning and gauging URL safety. Such understanding is valuable for improving interactive tools and interface designs. In the first chapter, we present results from studying learners' visual behavior while engaging with tangible and virtual 3D representations of objects. This is a replication of a recent study, and we extended it using eye tracking. By analyzing the visual behavior, we confirmed the original study results and added more quantitative explanations for the corresponding learning outcomes. Among other things, our results indicated that the users allocate similar visual attention while analyzing virtual and tangible learning material. In the next chapter, we present a user study's outcomes wherein participants are instructed to classify a set of URLs wearing an eye tracker. Much effort is spent on teaching users how to detect malicious URLs. There has been significantly less focus on understanding exactly how and why users routinely fail to vet URLs properly. This user study aims to fill the void by shedding light on the underlying processes that users employ to gauge the URL's trustworthiness at the time of scanning. Our findings suggest that users have a cap on the amount of cognitive resources they are willing to expend on vetting a URL. Also, they tend to believe that the presence of www in the domain name indicates that the URL is safe

    Secure and Usable User Authentication

    Authentication is a ubiquitous task in users' daily lives. The dominant form of user authentication are text passwords. They protect private accounts like online banking, gaming, and email, but also assets in organisations. Yet, many issues are associated with text passwords, leading to challenges faced by both, users and organisations. This thesis contributes to the body of research enabling secure and usable user authentication, benefiting both, users and organisations. To that end, it addresses three distinct challenges. The first challenge addressed in this thesis is the creation of correct, complete, understandable, and effective password security awareness materials. To this end, a systematic process for the creation of awareness materials was developed and applied to create a password security awareness material. This process comprises four steps. First, relevant content for an initial version is aggregated (i.e. descriptions of attacks on passwords and user accounts, descriptions of defences to these attacks, and common misconceptions about password and user account security). Then, feedback from information security experts is gathered to ensure the correctness and completeness of the awareness material. Thereafter, feedback from lay-users is gathered to ensure the understandability of the awareness material. Finally, a formal evaluation of the awareness material is conducted to ensure its effectiveness (i.e. whether the material improves participant's ability to assess the security of passwords as well as password-related behaviour and decreases the prevalence of common misconceptions about password and user account security). The results of the evaluation show the effectiveness of the awareness material: it significantly improved the participants' ability to assess the security of password-related behaviour as well as passwords and significantly decreased the prevalence of misconceptions about password and user account security. 
The second challenge addressed in this thesis is shoulder-surfing resistant text password entry with gamepads (as an example of very constrained input devices) in shared spaces. To this end, the very first investigation of text password entry with gamepads is conducted. First, the requirements of authentication in the gamepad context are described. Then, these requirements are applied to assess schemes already deployed in the gamepad context and shoulder-surfing resistant authentication schemes from the literature proposed for non-gamepad contexts. The results of this assessment show that none of the currently deployed and only four of the proposals in the literature fulfil all requirements. Furthermore, the results of the assessment also indicate a need for an empirical evaluation in order to exactly gauge the shoulder-surfing threat in the gamepad context and compare alternatives to the incumbent on-screen keyboard. Based on these results, two user studies (one online study and one lab study) are conducted to investigate the shoulder-surfing resistance and usability of three authentication schemes in the gamepad context: the on-screen keyboard (as de-facto standard in this context), the grid-based scheme (an existing proposal from the literature identified as the most viable candidate adaptable to the gamepad context during the assessment), and Colorwheels (a novel shoulder-surfing resistant authentication scheme specifically designed for the gamepad context). The results of these two user studies show that on-screen keyboards are highly susceptible to opportunistic shoulder-surfing, but also show the most favourable usability properties among the three schemes. Colorwheels offers the most robust shoulder-surfing resistance and scores highest with respect to participants' intention to use it in the future, while showing more favourable usability results than the grid-based scheme. 
The third challenge addressed in this thesis is secure and efficient storage of passwords in portfolio authentication schemes. Portfolio authentication is used to counter capture attacks such as shoulder-surfing or eavesdropping on network traffic. While usability studies of portfolio authentication schemes showed promising results, a verification scheme which allows secure and efficient storage of the portfolio authentication secret had been missing until now. To remedy this problem, the (t,n)-threshold verification scheme is proposed. It is based on secret sharing and key derivation functions. The security as well as the efficiency properties of two variants of the scheme (one based on Blakley secret sharing and one based on Shamir secret sharing) are evaluated against each other and against a naive approach. These evaluations show that the two (t,n)-threshold verification scheme variants always exhibit more favourable properties than the naive approach and that when deciding between the two variants, the exact application scenario must be considered. Three use cases illustrate as exemplary application scenarios the versatility of the proposed (t,n)-threshold verification scheme. By addressing the aforementioned three distinct challenges, this thesis demonstrates the breadth of the field of usable and secure user authentication ranging from awareness materials, to the assessment and evaluation of authentication schemes, to applying cryptography to craft secure password storage solutions. The research processes, results, and insights described in this thesis represent important and meaningful contributions to the state of the art in the research on usable and secure user authentication, offering benefits for users, organisations, and researchers alike

    Student Research Colloquium Proceedings 2015

    2015 Student Research Colloquium proceedings include the following: explanation of the 18th annual Student Research Colloquium, the formal paper competition, and the poster presentation competition, a schedule of the day's events, student presenter index, research sponsor index, judges, moderators, sponsors, and donors, map of Atwood Memorial Center