Social engineering as an information security threat (Käyttäjän manipulointi tietoturvauhkana)
Abstract. The topic of this literature review is social engineering as an information security threat. Social engineering refers to techniques by which an attacker tries to get the victim to disclose sensitive information or to act in some other way the attacker wants. To achieve this goal, the attacker does not rely on technical means alone but exploits the victim's psychological traits, such as emotions. As technical defence mechanisms have developed, attackers have increasingly shifted to using social engineering techniques in their attacks.
The purpose of this thesis is to study social engineering as an information security risk and to find ways in which organizations could prevent social engineering directed at them. The thesis is a literature review of earlier research related to the topic
The Effect of Applying Information Security Awareness Concept of MOH Employees on Cybersecurity Department – Ministry of Health-Riyadh
The proposed study focuses on the effect of applying the concept of information security awareness of MOH employees on the cybersecurity department at the Ministry of Health in Riyadh. The researcher used the descriptive analytical method in order to achieve the study objectives and used a questionnaire for collecting data. The study sample consisted of around 430 MOH employees. The results of the study showed a high level of agreement on answering its questions. The study yielded numerous recommendations; it stressed that spreading the culture of awareness on the importance of personal information, through holding workshops, is considered as the most effective way to reduce cybersecurity risks. Also, it showed that the cybersecurity department is keen to develop guidelines to be followed by employees in order to limit the sharing of personal information and that paramount importance should be attached to the human element by familiarizing it with the tricks used by cybercriminals. In addition, the cybersecurity department is keen to create an electronic archive that includes monitoring and recording of cybersecurity incidents and should encourage employees to view this archive and consider it as a means of exchanging knowledge and raising awareness. Moreover, it is imperative to use the contribution of information security experts in order to design awareness programs. In addition, advanced technical training should be directed to employees to keep pace with the rapid development in methods and techniques of information crime. The researcher achieved various design of training and education program
A malware threat avoidance model for online social network users
This thesis was submitted for the award of Doctor of Philosophy and was awarded by Brunel University London. The main purpose of this thesis is to develop a malware threat avoidance model for users of online social networks (OSNs). To understand the research domain, a comprehensive and systematic literature review was conducted and then the research scope was established. Two design science iterations were carried out to achieve the research aim reported in this thesis. In the first iteration, the research extended the Technology Threat Avoidance Theory (TTAT) to include a unique characteristic of OSN – Mass Interpersonal Persuasion (MIP). The extended model (TTAT-MIP) focused on investigating the factors that need to be considered in a security awareness system to motivate OSN users to avoid malware threats. Using a quantitative approach, the results of the first iteration suggest perceived severity, perceived threat, safeguard effectiveness, safeguard cost, self-efficacy and mass interpersonal persuasion should be included in a security awareness system to motivate OSN users to avoid malware threats. The second iteration was conducted to further validate TTAT-MIP through a Facebook video animation security awareness system (referred to in this thesis as Social Network Criminal (SNC)). SNC is a Web-based application integrated within Facebook to provide security awareness to OSN users. To evaluate TTAT-MIP through SNC, three research techniques were adopted: lab experiments, usability study and semi-structured interviews. The results suggest that participants perceived SNC as a useful tool for malware threat avoidance. In addition, SNC had a significant effect on the malware threat avoidance capabilities of the study participants.
Moreover, the thematic analysis of the semi-structured interviews demonstrated that the study participants found SNC to be highly informative; persuasive; interpersonally persuasive; easy to use; relatable; fun to use; engaging; and easy to understand. These findings were strongly related to the constructs of TTAT-MIP. The research contributes to theory by demonstrating a novel approach to design and deploy security awareness systems in a social context. This was achieved by including users' behavioural characteristic on the online platform where malware threats occur within a security awareness system. Besides, this research shows how practitioners keen on developing systems to improve security behaviours could adopt the TTAT-MIP model for other related contexts