    Cognitive Systems Engineering Models Applied to Cybersecurity

    Cybersecurity is an increasing area of concern for organizations and individuals alike. The majority of successfully executed cyberattacks are a result of human error. One common type of attack that targets human users is phishing. In spite of this, there is little research on the human factors that shape phishing behavior. Using an online survey platform with both phishing and legitimate emails, the present research examined the utility of various cognitive engineering models for modeling responses to these example emails. Using Signal Detection Theory (SDT) and Fuzzy Signal Detection Theory (Fuzzy SDT), the influence of familiarity with phishing and of having a background in cybersecurity on phishing behavior was examined. The results from the SDT analysis indicated that familiarity with phishing accounted for only 11% of the variance in sensitivity and 5% of the variance in bias. In the Fuzzy SDT analysis, familiarity with phishing accounted for 6% of the variance in bias. When examining background in cybersecurity using SDT analysis, t-tests indicated that the null hypothesis could be rejected for the relationship of background in cybersecurity with both sensitivity and bias. For Fuzzy SDT, the null hypothesis could only be rejected for the relationship between bias and background in cybersecurity. In addition to these findings, a confusion-matrix analysis revealed that the percentage of information successfully transmitted from the stimuli to the judgements made by participants was only 26%. Participant identification of phishing cues was also examined: participants most frequently identified requests for personal information within the emails. Future research should continue to explore predictors of phishing behavior and the application of the different cognitive engineering models to phishing behavior.
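    The SDT quantities this abstract reports (sensitivity, bias, and the share of stimulus information transmitted through a confusion matrix) can be computed from the hit/miss/false-alarm/correct-rejection counts of a phishing-judgement task. The following is an added example written for this page, not code or data from the paper: the counts in EXAMPLE are constructed, and the log-linear correction for proportions of exactly 0 or 1 is the editor's choice, not necessarily the correction the authors used.

```python
"""Signal Detection Theory metrics for a phishing-judgement task.

Given a 2x2 confusion matrix of stimuli (phishing vs. legitimate email) against
judgements ("phish" vs. "legitimate"), compute sensitivity d', criterion c, and
the fraction of stimulus information transmitted to the judgements.
"""
import math
from statistics import NormalDist

_Z = NormalDist().inv_cdf  # probit: maps a proportion in (0, 1) to a z-score


def _rate(count: int, total: int) -> float:
    """Proportion, with a log-linear correction when it would be exactly 0 or 1,
    because Z(0) and Z(1) are infinite. (Assumed correction, not the paper's.)"""
    if count == 0 or count == total:
        return (count + 0.5) / (total + 1)
    return count / total


def sdt_metrics(hits, misses, false_alarms, correct_rejections):
    """Return hit rate, false-alarm rate, d' and c for one participant.

    hits:               phishing emails judged as phishing
    misses:             phishing emails judged as legitimate
    false_alarms:       legitimate emails judged as phishing
    correct_rejections: legitimate emails judged as legitimate
    """
    h = _rate(hits, hits + misses)
    fa = _rate(false_alarms, false_alarms + correct_rejections)
    d_prime = _Z(h) - _Z(fa)       # discriminability between phish and legitimate
    c = -(_Z(h) + _Z(fa)) / 2      # bias: negative = liberal (says "phish" readily)
    return {"hit_rate": h, "fa_rate": fa, "d_prime": d_prime, "c": c}


def _entropy(ps):
    """Shannon entropy in bits; zero-probability cells contribute nothing."""
    return -sum(p * math.log2(p) for p in ps if p > 0)


def transmitted_information(matrix):
    """Mutual information T(S;R) in bits between stimulus class (rows) and
    judgement (columns), plus the fraction of stimulus entropy H(S) it carries.

    matrix: list of rows of counts, e.g. [[hits, misses],
                                          [false_alarms, correct_rejections]].
    """
    n = sum(sum(row) for row in matrix)
    joint = [cell / n for row in matrix for cell in row]
    row_p = [sum(row) / n for row in matrix]
    col_p = [sum(row[j] for row in matrix) / n for j in range(len(matrix[0]))]
    t = _entropy(row_p) + _entropy(col_p) - _entropy(joint)
    return {"bits": t, "fraction_of_stimulus_info": t / _entropy(row_p)}


# Constructed example (not data from the paper): 20 phishing and 20 legitimate
# emails shown to one participant.
EXAMPLE = {"hits": 14, "misses": 6, "false_alarms": 8, "correct_rejections": 12}

if __name__ == "__main__":
    m = sdt_metrics(**EXAMPLE)
    t = transmitted_information([[14, 6], [8, 12]])
    print(f"H={m['hit_rate']:.2f} FA={m['fa_rate']:.2f} "
          f"d'={m['d_prime']:.3f} c={m['c']:.3f}")
    print(f"T(S;R)={t['bits']:.4f} bits, "
          f"{100 * t['fraction_of_stimulus_info']:.1f}% of stimulus information transmitted")
```

    The constructed participant detects 70% of phish but also flags 40% of legitimate mail, giving a modest d' of about 0.78 and a slightly liberal criterion; only about 6.7% of the phishing/legitimate distinction survives in their judgements, which is the same kind of "transmitted information" figure the abstract reports as 26% across its sample. When running a phishing simulation, the same arithmetic applies with "reported the email" as the response and the legitimate-email baseline as the false-alarm column.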

    Many Phish in the C: A Coexisting-Choice-Criteria Model of Security Behavior

    Normative decision theory proves inadequate for modeling human responses to the social-engineering campaigns of Advanced Persistent Threat (APT) attacks. Behavioral decision theory fares better, but still falls short of capturing social-engineering attack vectors, which operate through emotions and peripheral-route persuasion. We introduce a generalized decision theory, under which any decision will be made according to one of multiple coexisting choice criteria. We denote the set of possible choice criteria by C. Thus the proposed model reduces to conventional Expected Utility theory when |C_EU| = 1, whilst Dual-Process (thinking fast vs. thinking slow) decision making corresponds to a model with |C_DP| = 2. We consider the more general case with |C| >= 2, which necessitates careful consideration of how, for a particular choice-task instance, one criterion comes to prevail over others. We operationalize this with a probability distribution that is conditional upon traits of the decision maker as well as upon the context and the framing of choice options. Whereas existing Signal Detection Theory (SDT) models of phishing detection commingle the different peripheral-route persuasion pathways, in the present descriptive generalization the different pathways are explicitly identified and represented. A number of implications follow immediately from this formulation, ranging from the conditional nature of security-breach risk to delineation of the prerequisites for valid tests of security training. Moreover, the model explains the "stepping-stone" penetration pattern of APT attacks, which has confounded modeling approaches based on normative rationality.
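    The criterion-selection mechanism the abstract describes, written out as an added illustration in an assumed form (the paper's own notation is not on this page): let C be the set of choice criteria, $\tau$ the decision maker's traits, $\kappa$ the context and $\phi$ the framing of the options. The probability that option $a$ is chosen is then a mixture over criteria,

$$P(a \mid \tau, \kappa, \phi) \;=\; \sum_{c \in C} \pi(c \mid \tau, \kappa, \phi)\, P(a \mid c, \kappa, \phi), \qquad \sum_{c \in C} \pi(c \mid \tau, \kappa, \phi) = 1,$$

    where $\pi(c \mid \tau, \kappa, \phi)$ is the probability that criterion $c$ prevails for this choice instance and $P(a \mid c, \kappa, \phi)$ is the choice rule under that criterion. With $|C_{EU}| = 1$ the sum has a single term and the model is Expected Utility; with $|C_{DP}| = 2$ the two terms are the fast and slow routes weighted by how likely each is to take over; with $|C| \ge 2$ and one criterion per persuasion pathway, breach risk is not a fixed property of the user but depends on which weights $\pi(c \mid \cdot)$ the attacker's framing $\phi$ and context $\kappa$ shift, which is what makes it conditional in the sense the abstract uses.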

    Navigating the Phishing Landscape: A Novel Stage Model Unveiling the Journey of Individuals Exposed to Phishing Attempts

    The focus of this master thesis is to understand the process and stages individuals go through when exposed to a phishing attack. To achieve this objective, we closely examine the responses of individuals throughout the phishing process and establish connections between their cognitive processes and actions, drawing upon relevant literature. By integrating these insights, we construct a holistic phishing stage model. Consequently, our research question, "How can we identify and understand the stages involved in the phishing process?", guides our investigation. For this thesis, we conducted a qualitative study in which we interviewed nine individuals from seven different IT consultancy firms in Norway. We utilized the theoretical framework to create a holistic phishing stage model. The findings led to a phishing stage model consisting of a pre-stage and three main stages, with constituent activities that explain the flow from stage to stage. The findings reveal that individuals rely on technical solutions in more ways than we initially thought. Warnings in the delivery stage of emails affect the potential victim in the later stages, especially when they explore the content of a phishing message. Ignoring phishing attempts was found to be prevalent among the younger interview candidates. Interestingly, those who reported phishing attempts were found to do so in two different ways, either officially or unofficially. Unofficial reporting consisted of alerting coworkers through word of mouth or other communication channels. In contrast, official reporting was the way intended by company policies. This study offers a model that explains the stages individuals go through during the phishing process. This research enhances our understanding of the phenomenon by shedding light on phishing attacks from the victim's standpoint.
    The insight gained from this thesis advances our understanding and offers guidance for developing preventive measures, educational initiatives, training programs, and robust cybersecurity strategies. Furthermore, the model presented in this study serves as a tool for identifying focal points in training efforts, thus enabling organizations to address vulnerabilities and enhance their defenses against phishing attacks.

    Alpha Phi-shing Fraternity: Phishing Assessment in a Higher Education Institution

    Phishing is a common social engineering attack aimed at stealing personal information. Universities attract phishing attacks because: 1) they store employees' and students' sensitive data, 2) they hold confidential documents, 3) their infrastructures often lack security. In this paper, we showcase a phishing assessment at the University of Redacted aimed at identifying the people, and the features of such people, that are more susceptible to phishing attacks. We delivered phishing emails to 1,508 subjects in three separate batches, collecting click rates of 30%, 11% and 13%, respectively. We considered several features (i.e., age, gender, role, working/studying field, email template) in univariate and multivariate analyses and found that students are more susceptible to phishing attacks than professors or technical/administrative staff, and that emails designed through a spear-phishing approach receive the highest click rate. We believe this work provides the foundations for setting up an effective educational campaign to prevent phishing attacks not only at the University of Redacted, but at any other university.

    A personality-based behavioural model: Susceptibility to phishing on social networking sites

    The worldwide popularity of social networking sites (SNSs) and the technical features they offer users have created many opportunities for malicious individuals to exploit the behavioural tendencies of their users via social engineering tactics. The self-representation and social interactions on SNSs encourage users to reveal their personalities in a way which characterises their behaviour. Frequent engagement on SNSs may also reinforce the performance of certain activities, such as sharing and clicking on links, at a "habitual" level on these sites. Subsequently, this may also influence users to overlook phishing posts and messages on SNSs and thus not apply sufficient cognitive effort in their decision-making. As users do not expect phishing threats on these sites, they may become accustomed to behaving in this manner, which may consequently put them at risk of such attacks. Using an online survey, primary data was collected from 215 final-year undergraduate students. Employing structural equation modelling techniques, the associations between the Big Five personality traits, habits and information processing were examined with the aim of identifying users susceptible to phishing on SNSs. Moreover, other behavioural factors such as social norms, computer self-efficacy and perceived risk were examined in terms of their influence on phishing susceptibility.
    The results of the analysis revealed the following key findings: 1) users with the personality traits of extraversion, agreeableness and neuroticism are more likely to perform habitual behaviour, while conscientious users are least likely; 2) users who perform certain behaviours out of habit are directly susceptible to phishing attacks; 3) users who behave out of habit are likely to apply a heuristic mode of processing and are therefore more susceptible to phishing attacks on SNSs than those who apply systematic processing; 4) users with higher computer self-efficacy are less susceptible to phishing; and 5) users who are influenced by social norms are at greater risk of phishing. This study makes a contribution to scholarship and to practice, as it is the first empirical study to investigate, in one comprehensive model, the relationship between personality traits, habit and their effect on information processing which may influence susceptibility to phishing on SNSs. The findings of this study may assist organisations in the customisation of an individual anti-phishing training programme to target specific dispositional factors in vulnerable users. By using a similar instrument to the one used in this study, pre-assessments could determine and classify certain risk profiles that make users vulnerable to phishing attacks.
    Thesis (PhD) -- Faculty of Commerce, Information Systems, 202

    Evaluation of the interactive NoPhish classroom training (Evaluation der interaktiven NoPhish Präsenzschulung)

    Phishing attacks remain a major threat to private individuals as well as to companies, associations and public institutions. There is already a large body of research on the effectiveness of security awareness measures, in particular in the context of phishing attacks. Most papers measure the effect immediately after the measure has been carried out. Only a few papers examine how long the effect lasts, that is, when a refresher measure should be carried out. The aim of this paper is to confirm that the effect of the NoPhish classroom training lasts four months. To this end, a corresponding study was conducted as part of a voluntary classroom training with 19 participants at the police; it could not confirm the previous results.

    Let the weakest link fail, but gracefully: understanding tailored phishing and measures against it
