5 research outputs found

    Reviewing Cybersecurity Awareness Training Tools Used to Address Phishing Attack at the Workplace

    Public sector data and sensitive information are a prime target for cyberattacks. There are numerous popular security tools used across the globe to achieve automated network protection. This study reviews the following tools within the current study: KnowBe4, PhishingBox, PhishInsight, PhishThreat, PhishMe, and Gophish. The rationale behind the detailed review is comparing and contrasting various cybersecurity awareness training tools used to address phishing attacks at the workplace. The selected tools can be used as assessment or enhancement awareness tools; this depends on each tool's settings and system due to its integrated models and flexibility. Furthermore, social engineering attacks are recurrently evolving, so different security tools' strengths and weaknesses could help pick the right instrument for spotting and responding to digital attacks. As a result, this study discusses the drawbacks of the selected tools that can guide developers and service providers in improving the existing phishing awareness tools.

    A Survey on Phishing Website Detection Using Hadoop

    Phishing is an activity carried out by phishers with the aim of stealing personal data of internet users, such as user IDs, passwords, and banking accounts; that data will be used for their personal interests. The average internet user will be easily trapped by phishers due to the similarity of the websites they visit to the original websites. Because there are several attributes that must be considered, most internet users find it difficult to distinguish whether a website is authentic or not. There are many ways of detecting a phishing website, but the existing phishing website detection system is too time-consuming and very dependent on the database it has. In this research, the focus of Hadoop MapReduce is to quickly retrieve some of the attributes of a phishing website that have an important role in identifying a phishing website, and then inform users whether the website is a phishing website or not.

    Why Do Employees Report Cyber Threats? Comparing Utilitarian and Hedonic Motivations to Use Incident Reporting Tools

    Organizational cybersecurity is threatened by increasingly sophisticated cyberattacks. Early detection of such threats is paramount to ensure organizations’ welfare. Particularly for advanced cyberattacks, such as spear phishing, human perception can complement or even outperform technical detection procedures. However, employees’ usage of reporting tools is scarce. Whereas prior cybersecurity literature has limited its scope to utilitarian motives, we specifically take hedonic motives in the form of warm glow into account to provide a more nuanced understanding of cyber incident reporting behavior. Drawing on a vignette experiment, we test how the design features of report reasoning and risk indication impact users’ reporting tool acceptance. The results of our mediation analysis offer important contributions to information systems literature by uncovering the dominant and under-investigated role of hedonic motives in employees’ cyber incident reporting activities. From a practice perspective, our findings provide critical insights for the design of cyber incident reporting tools.

    Human-centered Information Security and Privacy: Investigating How and Why Social and Emotional Factors Affect the Protection of Information Assets

    Information systems (IS) are becoming increasingly integrated into the fabric of our everyday lives, for example, through cloud-based collaboration platforms, smart wearables, and social media. As a result, nearly every aspect of personal, social, and professional life relies on the constant exchange of information between users and online service providers. However, as users and organizations entrust more and more of their personal and sensitive information to IS, the challenges of ensuring information security and privacy become increasingly pressing, particularly given the rise of cybercrime and microtargeting capabilities. While the protection of information assets is a shared responsibility between technology providers, legislation, organizations, and individuals, previous research has emphasized the pivotal role of the user as the last line of defense. Whereas prior works on human-centered information security and privacy have primarily studied the human aspect from a cognitive perspective, it is important to acknowledge that security and privacy phenomena are deeply embedded within users’ social, emotional, and technological environment. Therefore, individual decision-making and organizational phenomena related to security and privacy need to be examined through a socio-emotional lens. As such, this thesis sets out to investigate how and why socio-emotional factors influence information security and privacy, while simultaneously providing a deeper understanding of how these insights can be utilized to design effective security and privacy-enhancing tools and interventions. This thesis includes five studies that have been published in peer-reviewed IS outlets. The first strand of this thesis investigates individual decision-making related to information security and privacy. 
Daily information disclosure decisions, such as providing login credentials to a phishing website or giving apps access to one’s address book, crucially affect information security and privacy. In an effort to support users in their decision-making, research and practice have begun to develop tools and interventions that promote secure and privacy-aware behavior. However, our knowledge on the design and effectiveness of such tools and interventions is scattered across a diverse research landscape. Therefore, the first study of this thesis (article A) sets out to systematize this knowledge. Through a literature review, the study presents a taxonomy of user-oriented information security interventions and highlights crucial shortcomings of current approaches, such as a lack of tools and interventions that provide users with long-term guidance and an imbalance regarding cyber attack vectors. Importantly, the study confirms that prior works in this field tend to limit their scope to a cognitive processing perspective, neglecting the influence of social and emotional factors. The second study (article B) examines how users make decisions on disclosing their peers’ personal information, a phenomenon referred to as privacy interdependence. Previous research has shown that users tend to have a limited understanding of the social ramifications of their decisions to share information, that is, the impact of their disclosure decisions on others’ privacy. The study is based on a theoretical framework that suggests that for a user, recognizing and respecting others’ privacy rights is heavily influenced by the perceived salience of others within their own socio-technical environment. The study introduces an intervention aimed at increasing the salience of others’ personal data during the decision-making process, resulting in a significant decrease of interdependent privacy infringements. 
These findings indicate that current interfaces do not allow users to make informed decisions about their peers’ privacy – a problem that is highly relevant for policymakers and regulators. Shifting the focus towards an organizational context of individual security decision-making, the third study (article C) investigates employees’ underlying motives for reporting cyber threats. With the aim to maximize employees’ adoption of reporting tools, the study examines the effect of two tool design features on users’ utilitarian and hedonic motivation to report information security incidents. The findings suggest that reporting tools that elicit a sense of warm glow, that is, a boost of self-esteem and personal satisfaction after performing an altruistic act, result in higher tool adoption compared to those that address solely users’ utilitarian motivation. This unlocks a new perspective on organizational information security as a whole and showcases new ways in which organizations can engage users in promoting information security. The second strand of this thesis focuses on the context of organizational information security. Beyond individual decision-making, organizations face the challenge of maintaining an information security culture, including, for example, employees’ awareness of security risks, top management commitment, and interdepartmental collaboration with regard to security issues. The fourth study (article D) presents a measurement instrument to assess employees’ security awareness. Complementary to the predominant method of self-reported surveys, the study introduces an index based on employees’ susceptibility to simulated social engineering attacks. As such, it presents a novel way to measure security awareness that closes the intention-behavior gap and enables information security officers to nonintrusively monitor human vulnerabilities in real-time. 
Furthermore, the findings indicate that security education, training and awareness (SETA) programs not only increase employees’ awareness of information security risks, but also improve their actual security behavior. Finally, the fifth study (article E) investigates the influence of external socio-emotional disruption on information security culture. Against the backdrop of the COVID-19 pandemic, the longitudinal study reveals novel inhibitors and facilitators of information security culture that emerged in the face of global socially and emotionally disruptive change over the course of 2020. Specifically, the study demonstrates that such disruptive events can influence information security culture negatively, or – counterintuitively – positively, depending on prerequisites such as digital maturity and economic stability. Overall, this thesis highlights the importance of considering socio-emotional factors in protecting information assets by providing a more comprehensive understanding of why and how such factors affect human behavior related to information security and privacy. By doing so, this thesis answers calls for research that urge scholars to consider security and privacy issues in a larger social and emotional context. The studies in this thesis contribute to IS research on information security and privacy by (1) uncovering social and emotional motives as hitherto largely neglected drivers of users’ decision-making, (2) demonstrating how tools and interventions can leverage these motives to improve users’ protection of information assets, and (3) revealing the importance of external socio-emotional factors as a thus far under-investigated influence on organizational information security. In practice, this thesis offers actionable recommendations for designers building tools and interventions to support decision-making with regard to information security and privacy. 
Likewise, it provides important insights to information security officers on how to build a strong and resilient information security culture, and guides policymakers in accounting for socially embedded privacy phenomena.