Human Factors in Cybersecurity


Editors: Abbas Moallem

Topics: Human Factors in Cybersecurity

Publication Date: 2023

ISBN: 978-1-958651-67-4

DOI: 10.54941/ahfe1003993

Articles

Deployment of Ransomware Detection Using Dynamic Analysis and Machine Learning

Ransomware's growing impact is powered by dedicated criminal teams working within an organized business framework. Because of the amount of sensitive information stored on devices and the cloud while transferring over the networks, malware detection, especially ransomware, has become a primary research topic in recent years. In this paper, we present a dynamic feature dataset with 50 characteristics that are ransomware related and with low correlation pairwise. The link to the dataset is included. Using this dataset, machine learning models are generated implementing Random Forest, Gradient Boosted Regression Trees, Gaussian Naïve Bayes, and Neural Networks algorithms obtaining average ten-fold cross-validation accuracies between 74% and 100%. Processing times range between 0.15 sec and 25.47 secs, allowing a fast response to avoid encryption. These models are applied to new artifacts to effectively detect possible incoming threats.

Juan Herrera-Silva, Myriam Hernandez-Alvarez
Open Access
Article
Conference Proceedings

Keeping the human element to secure autonomous shipping operations

Autonomous shipping operations are becoming economically and technically feasible, but this development also requires new human roles and responsibilities onshore for managing cyber events. The goal of this paper is to present a methodology for describing autonomous shipping operations and risks caused by potential cyber-attacks, focusing on critical situations to the interplay between the automation and human operators. We have applied our methodology on a case study for planned autonomous operations in European waterways. Our results show that the reliance on new technologies such as sensors, computer vision and AI reasoning onboard the autonomous ships or cranes opens to new types of attacks that the industry has little experience with as of now. Unmanned systems should therefore be designed with assurance methods that can bring the human into the loop, providing situational awareness and control. At the same time, human resource exhaustion is a potential attack goal against remote operations. We could see from our threat likelihood estimation that attacks related to deny- and injure-motivations have the highest values in all mission phase patterns. This is in accordance with the general attack trends within the maritime domain and many other sectors, where financially motivated attackers will try to demand a ransom to stop business disruption.

Per Håkon Meland, Dag Atle Nesheim, Ørnulf Jan Rødseth
Open Access
Article
Conference Proceedings

Out of Sight but Still In Mind: Making ‘Invisible’ Cyber Threats More Salient Via Concrete Analogies

It can be easier to conceive of and anticipate physical threats than cyber threats. Cyber threats can involve unseen remote hackers, and capitalize on invisible wireless signals as vectors. As such, cyber threats are often out of sight and out of mind. How can we make these abstract, 'invisible' threats more intuitive and salient? We employed concrete analogies to enable future Army Officers to better anticipate cyber threats in tactical contexts. Modern multi-domain battle involves not only physical threats like fire fights and improvised explosive devices (IEDs), but also, increasingly, cyber threats. For example, the enemy may jam, intercept or track communication signals, hack into computing systems to exfiltrate or alter information, and/or hack equipment with electronic and autonomous components (including navigation systems, drones and robots). To ensure readiness, all soldiers (not only cyber specialists) must have some awareness of this 'threatscape'. We developed the problem anticipation task (PAT) to gauge the degree to which participants would anticipate cyber as well as non-cyber tactical threats. They read a hypothetical mission description and tried to anticipate various problems that could arise. The mission explicitly mentioned several cyber-vulnerable components (e.g., radios, navigation systems, drones, biosensors, cell phones). Prior research using a sample from the same population indicated that about 40% of subjects did not anticipate a single cyber threat (Pyke, Ness, Feltner, in press). The current research used the PAT as a pre- and post-test and included an intervening intervention. Experimental subjects read a passage about a fictitious historical mission set in the 1800s. The version of the passage presented to the experimental group included historical issues (e.g., carrier pigeon intercepted by enemy) that were intended to be analogous to modern cyber-related issues (e.g., wireless communications signal intercepted/tapped by enemy). The intervention for the comparison group involved a passage describing historical issues (e.g., horse losing a shoe) that were intended to be analogous to modern non-cyber-related issues (e.g., vehicle breakdown). Note that the link to the corresponding modern situation was not made explicit to the participants; they were just exposed to a historical situation that could lend itself to being analogous to a modern cyber situation. For the experimental group (but not the control) there was a significant gain in the percent of participants who were able to anticipate one or more cyber issues. Thus, concrete analogies can serve to make 'invisible' cyber threats more intuitive and easier to anticipate.

Aryn Pyke, Rebecca Bouchelle, David Uzhca
Open Access
Article
Conference Proceedings

Analysis of Risks to Data Privacy Throughout European Countries

Over 20 years ago, the surprising research by Latanya Sweeney demonstrated that publicly available database information exposed the overwhelming percentage of United States residents to information easily available in order to facilitate the capture of such personal information, through techniques we now refer to as "dumpster diving." In particular, her research demonstrated that approximately 87% of the United States population can be identified uniquely using only the United States' five-digit postal code, date of birth (including year), and gender. Although this result has held up over time, given the demographic parameters used in developing this estimate, Sweeney's technique made no attempt to develop similar estimates for other countries. In this paper, we use Sweeney's technique in order to provide estimates of the ability of similar demographics to provide the same type of data in a number of other countries throughout the European Community and other non-EU countries in Europe. Through this mechanism, we attempt to determine the susceptibility to data privacy attacks in Europe as compared to the United States.

Wayne Patterson
Open Access
Article
Conference Proceedings
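The quasi-identifier uniqueness idea behind Sweeney's 87% figure can be checked in two ways: empirically, by counting records in a released table whose (postal code, date of birth, sex) tuple occurs only once, and model-based, from postal-area population counts alone when no microdata is available. The following is an added example by the editor, not code from the paper above; the population figures and records are constructed, and the model-based estimate assumes (date of birth, sex) cells are uniformly and independently distributed within each postal area, which is an assumption rather than a property of real populations. The coarsening helper goes beyond the abstract to show why postal-code granularity (which differs between countries) changes the estimate.

```python
"""Quasi-identifier uniqueness estimates in the style of Sweeney's ZIP/DOB/sex result.

Added example, not code from the paper. Two complementary checks:
  1. empirical_unique_fraction: in a released microdata table, how many records
     are the only ones with their (postal_code, dob, sex) tuple.
  2. expected_unique_fraction: a model-based estimate from postal-area population
     counts alone (as in a census-based estimate). ASSUMPTION: (dob, sex) cells
     are uniformly and independently distributed within each postal area.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Record = Tuple[str, str, str]  # (postal_code, date_of_birth, sex)

# Constructed sample data, not real records or real population counts.
SAMPLE_RECORDS: List[Record] = [
    ("1001", "1980-01-01", "F"),
    ("1001", "1980-01-01", "F"),  # same tuple as the row above: neither is unique
    ("1001", "1975-05-05", "M"),
    ("2001", "1990-09-09", "F"),
    ("2001", "1990-09-10", "F"),
]
SAMPLE_POPULATION: Dict[str, int] = {"1001": 1_000, "1002": 20_000, "2001": 100_000}


def empirical_unique_fraction(rows: Iterable[Record]) -> float:
    """Fraction of records whose quasi-identifier tuple appears exactly once."""
    rows = list(rows)
    if not rows:
        return 0.0
    counts = Counter(rows)
    unique = sum(1 for r in rows if counts[r] == 1)
    return unique / len(rows)


def dob_sex_cells(age_span_years: int = 90) -> int:
    """Number of distinct (date of birth, sex) values over a given age span.

    365 days x years x 2 sexes; leap days are ignored for simplicity.
    """
    return 365 * age_span_years * 2


def expected_unique_fraction(population_by_area: Dict[str, int], cells: int) -> float:
    """Population-weighted probability that a resident is unique within their area.

    A resident of an area with N people is unique if none of the other N-1
    residents fall in the same (dob, sex) cell. Under the uniform-and-independent
    assumption that probability is (1 - 1/cells) ** (N - 1).
    """
    total = sum(population_by_area.values())
    if total == 0:
        return 0.0
    expected_unique = sum(
        n * (1.0 - 1.0 / cells) ** (n - 1) for n in population_by_area.values()
    )
    return expected_unique / total


def coarsen(population_by_area: Dict[str, int], prefix_len: int) -> Dict[str, int]:
    """Merge postal areas that share their first prefix_len characters.

    Models a coarser postal scheme, or a publisher releasing only partial codes;
    larger areas mean more people per (dob, sex) cell and fewer unique residents.
    """
    merged: Dict[str, int] = {}
    for code, n in population_by_area.items():
        key = code[:prefix_len]
        merged[key] = merged.get(key, 0) + n
    return merged


if __name__ == "__main__":
    cells = dob_sex_cells()
    print(f"empirical unique fraction in sample table: "
          f"{empirical_unique_fraction(SAMPLE_RECORDS):.2f}")
    print(f"model estimate, full postal codes:    "
          f"{expected_unique_fraction(SAMPLE_POPULATION, cells):.3f}")
    print(f"model estimate, 2-character prefixes: "
          f"{expected_unique_fraction(coarsen(SAMPLE_POPULATION, 2), cells):.3f}")
```

To reproduce a country-level figure, replace SAMPLE_POPULATION with the real resident count per postal area and adjust dob_sex_cells to the age span of the population being modelled; the uniform-cell assumption tends to understate uniqueness for small areas with skewed age structures, so the empirical count on actual microdata is the authoritative check where it is available.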

Maladaptive Behaviour in Phishing Susceptibility: How Email Context Influences the Impact of Persuasion Techniques

With over 80-90% of cyber incidents occurring in businesses and home settings often due to human errors in decision making (CybSafe, 2020; World Economic Forum, 2022; Verizon, 2022), a human-centric approach to cyber-security is needed to understand mechanisms behind maladaptive behaviours. One key area is susceptibility to phishing emails. Whilst some have investigated the success of different persuasion techniques in phishing susceptibility – most notably use of authority, urgency, and scarcity – less is known about how the wider context of the email (e.g., financial vs a work-related event) could influence the success of such techniques. The current paper presents initial findings from a repeated measures experiment where 271 participants included in the final analysis, recruited via Prolific (2022), judged whether they would or would not respond to presented email content containing a range of contexts and persuasion techniques. Diverging from previous research, participants were not necessarily more likely on average to respond to emails containing a persuasion technique, with large differences in persuasion success greatly depending upon the email context – with the proportion of response likelihood varying from 13.3% to 87.5% of participants choosing to respond. From this, not only do we demonstrate the successful impact of the main persuasion techniques and email context combinations upon phishing, but how overreliance on available information can bias individuals to engage in maladaptive cyber security behaviours.

George Raywood-Burke, Dylan Jones, Phillip Morgan
Open Access
Article
Conference Proceedings

The Effects of Cyber Readiness and Response on Human Trust in Self Driving Cars

Self driving cars (SDC) are potentially set to revolutionise the automotive industry. Despite the promise of a plethora of purported benefits (e.g. fewer road traffic accidents, better traffic flow, lower emissions), one key concern relates to the potential for SDCs and their connected infrastructure to be cyber attacked. Aside from material losses, an adverse cyber experience is likely to undermine human trust – with trust being a key contributing factor to the uptake and use of automated technology such as SDCs. Many studies have projected the different types of cyber attacks an SDC could fall victim to [1]. Concerns about the consequences of cyber attacks for e.g. users, other road users, manufacturers, legislators, legal experts, and governments have also been raised. Procedural and technical solutions have been proposed to tackle the SDC cyber security challenge, which include the proposition of rankings for SDCs' GPS system vulnerabilities [2]. Nonetheless, it is inevitable that threat actors will compromise SDC system(s) through either exploited vulnerabilities and/or user error. It is crucial that such event(s) do not erode trust (e.g. leading to misuse or even disuse) if the long-term benefits of this technology are to be reaped. Therefore, the study explores whether the capability and obligation of an SDC company (who are most likely to be blamed when an attack happens) to manage a cyber attack – with regards to its readiness and response activities – impacts trust in SDC technology. Using a cutting-edge AV Simulation Driving Simulator and simulation-software-generated animations (SCANeR Studio) embedded into an online survey, participants watch a futuristic driving scenario where the SDC executes a variety of successful driving manoeuvres before the system falls victim to an unspecified cyber attack. Self-reported trust is measured after each successful manoeuvre as well as following the cyber attack.
The experiment follows a 3x2 (6 condition) design, manipulated between participants. In each condition, all participants are shown the same driving scenario. The independent variables (IVs) consist of the information given to the participant before and after watching the scenario: IV1 being the SDC's cyber readiness (low/medium/high) and IV2 the SDC company's response to the incident (positive/negative). Before watching the scenario, information about the car's status (including its cyber readiness) is provided. After watching the scenario and experiencing the cyber attack, participants are provided with text detailing how the SDC company responded to the cyber attack. The key prediction is that a company with higher cyber maturity (i.e. has a high level of cyber readiness and responds positively to the incident) will be trusted more than a company/companies with lower cyber security considerations. Currently the experiment is in progress, and findings and details on the implications will be presented in the paper. Future research will involve exploring the boundary conditions of the effects and extending to physiological as well as subjective measures of trust.

References:
[1] Pham, M. & Xiong, K. (2021). A survey on security attacks and defense techniques for connected and autonomous vehicles. Computers & Security, 109(1), 1-29. https://doi.org/10.1016/j.cose.2021.102269
[2] Sheehan, B., Murphy, F., Mullins, M., Ryan, C. (2019). Connected and autonomous vehicles: A cyber-risk classification framework. Transportation Research Part A: Policy and Practice, 124(1), 523-536. https://doi.org/10.1016/j.tra.2018.06.033

The work is part of a PhD funded project by the EPSRC IDTH in Cyber Security Analytics. It is also part of an ESRC-JST (Economic & Social Research Council - Japan Science & Technology Agency) project, grant reference ES/T007079/1, "Rule of Law in the Age of AI: Principles of Distributive Liability for Multi-Agent Societies", for which Prof Morgan is the UK PI.

Victoria Marcinkiewicz, Qiyuan Zhang, Phillip Morgan
Open Access
Article
Conference Proceedings

Using Security Metrics to Determine Security Program Effectiveness

Security objectives serve as the foundation for security metrics, which are used to guide decisions on how to increase the security of all parts engaged in providing services and processing data. Numerous data breaches are revealed each week, some of which may have affected tens or even hundreds of millions of people. Customers and regulators are both becoming more concerned about firms' information security procedures and their plans for preventing security breaches and protecting sensitive data. As a result, several laws and regulations have been enacted to enhance cybersecurity risk management and to protect personal information that may be held or transmitted among businesses. The majority of these industry-specific and general data protection laws are complex, requiring ongoing oversight to maintain compliance throughout your business and the companies of your vendors. To gauge the effectiveness of and involvement in the usage of security controls, it is crucial to define a set of security metrics. A carefully defined set of metrics will help direct future security decisions and strengthen your organization's security posture. In our study, we proposed to review security metrics to determine security program effectiveness for a company which is fictional for the scope of the study. Firstly, we defined security metrics and their key indicators successfully. We discussed different scenarios for Trivest Technologies Limited, a fictional company used only for the scope of this study. We successfully discussed, developed, and used KPIs, KRIs and KGIs, which are security metrics, for the Trivest Technologies Limited company, and we found that these security metrics help us determine the security program effectiveness for a company successfully. By implementation of its successful results, it also aligns with one of the United Nations Sustainable Development Goals, i.e., the 8th: Decent Work and Economic Growth.

Satyam Mishra, Phung Thao Vi, Vu Minh Phuc, Damilola Oni, Nguyen Van Tanh
Open Access
Article
Conference Proceedings

Social Engineering Penetration Testing within the OODCA Cycle – Approaches to Detect and Remediate Human Vulnerabilities and Risks in Information Security

In more than 95% of all successfully conducted cyberattacks, the human factor is exploited as a vulnerability point. The following principle applies: whenever a hacker uses external attack vectors and thus does not directly use the Internet as a medium, employees become the target of the attack. As a result, the current technical and intelligent defense mechanisms can only contribute to a limited extent to increasing the resilience of IT systems, as these technological approaches do not fully account for the behavioral, cognitive, and heterogeneous motivations that lead to human error in the security causal chain of information security using social engineering (SE) methods. In this paper, we present a strategic and iterative analysis tool to detect SE threats through systemic monitoring, to train against them and to successfully defend against them. For this purpose, we use the so-called Course of Actions to practically check the security-compliant behavior of employees and to initialize the feedback processes for reactivating the human firewall based on the knowledge gained. This approach is already being applied to various types of organizations and critical infrastructure and can be seamlessly integrated into existing training and auditing programs.

Asiye Öztürk, Erfan Koza, Michael Willer
Open Access
Article
Conference Proceedings

Bringing humans at the core of cybersecurity: Challenges and future research directions

The prompt response to successfully adopt good cybersecurity practices, from protecting passwords to responding to security incidents to activating a disaster recovery or a business continuity plan, depends upon the level of operators' ability in problem solving, resilience, readiness, maturity, observation, and perception. New technologies, such as Artificial Intelligence (AI), can also be helpful to more effectively forecast or respond to serious incidents, especially to massive attacks. However, the cybersecurity operators need to alter their mindsets, adopt new behavioural patterns, and work attitudes to embrace and interact with AI assistance during cyber defence activities. In addition, when the operators need to assess or mitigate AI socio-technical risks related to bias, transparency and equality, they will base their decisions for estimating or mitigating these risks on their behavioural, social, cultural, and ethical characteristics. In this paper, we are presenting challenges related to human and psychosocial factors of the cybersecurity operators. We also discuss the motives and drivers that impact the cognitive aspects (e.g., focus on operational tasks, attention, objectivity) of the cyber operations. We further identify how the cybersecurity operators' personality traits impact the success of the cybersecurity practices and estimations, and analyse research challenges regarding the impact of operators' profiles on their perceptions and interactions with AI cyber defending tools and management of AI risks. Finally, we consider the impact these human factors may have on successful cybersecurity operations and practices and provide proposals for interdisciplinary research directions requiring the collaboration of cybersecurity experts, psychologists, and behavioural scientists.

Kitty Kioskli, Haralambos Mouratidis, Nineta Polemi
Open Access
Article
Conference Proceedings

Enhancing practical cybersecurity skills: The ECSF and the CyberSecPro European efforts

The accelerated digitalization of all business and industrial sectors (transport, government, health, finance, manufacturing) will increase the number, complexity and scale of cybersecurity incidents and their impact on the economy and society. The digital transformation requires Higher Education Institutions and training providers to enhance their role in preparing the new generation of the workforce that will have the capabilities and skills to address the upcoming digital challenges. Training providers need to become the enablers of the digital transformation, with the capacity to accommodate the different skills needed by the market across a variety of training specializations. Fostering collaboration with the private sector can be effective in attracting the necessary funding, the state-of-the-art technological training tools needed and real-life-based training material. In this paper, we describe two recent efforts coming from the European Union aiming to close the gap between the available cybersecurity training and cybersecurity market demands, and further analyse the human factors involved in these efforts.

Nineta Polemi, Kitty Kioskli
Open Access
Article
Conference Proceedings

C.S. Technopoly: A Megagame for Teaching and Learning Cybersecurity

In this paper we present our ongoing research where we are attempting to integrate sustainable development issues into a megagame designed to teach cybersecurity. There are several serious games that have been developed to teach and inform individuals about sustainability issues, but none that deal specifically with both cybersecurity and sustainability issues. A megagame is a multiplayer game with between 30 and 40 players who play in teams of 3-5 players that take on specific roles in dealing with complex problems that cover subject matters ranging from science fiction and heroic fantasy to political, economic, historical, and even cyber conflicts. We have built and tested a megagame entitled C.S. Technopoly using the socio-technical framework of sustainability proposed by Geels and integrated it further with the Security by Consensus Model proposed by Kowalski. The intended learning objectives of the game, such as teaching adversarial and sustainable systems thinking by exposing the students to cyber threat intelligence reports and cybersecurity investment decision-making, were tested by performing semi-structured interviews of a stratified sample of the participants. Preliminary results from 11 interviews from the first two trials of C.S. Technopoly indicate that the participating security experts found that C.S. Technopoly would be a useful tool for team building and improving collaboration between security departments and upper strategic management.

Stewart Kowalski, Eduard Von Seth, Erjon Zoto
Open Access
Article
Conference Proceedings

Training the Trainers for Cybersecurity Exercises - Developing EXCON-teams

In recent years there has been a large increase in advanced computer attacks targeting Norwegian authorities and businesses (PST, 2021). At the same time there is a great shortage of trained and qualified personnel within cyber- and information security (Cisco, 2018). To fill this demand-supply gap there has been an increased focus on educating new personnel through exercises and training (Nikolova, 2017). To meet this increased demand, the Norwegian government, in cooperation with several private and public organizations and academia, established the Norwegian Cyber Range (NCR) in 2018 (NTNU, 2019). NCR is an arena for testing, training, and exercising in cyber- and information security. Running the training and exercises in a realistic and safe environment is a demanding task, which requires a well-trained Exercise Control (EXCON) team. In a military context, NATO's Bilateral Strategic Command (BI-SC) Directive 75-003 – Collective Training and Evaluation, appendix H, "Roles and responsibilities of the exercise control (EXCON)" (NATO, 2013), provides a clear plan for how to establish an EXCON team that can properly direct and control an exercise (NATO, 2013, pg. 166). In addition, Østby et al. have suggested how to build an EXCON team to train public emergency organizations (Østby et al., 2019). Neither of these specify how the EXCON team itself should be trained. In this paper we present results from in-depth interviews which were conducted with information security and/or exercise experts from different Norwegian organizations with relevant EXCON experience, and suggest a future train-the-trainer concept to meet the challenges found in the study. The results from the research show that the development of exercise control teams is not prioritized by organizations, and not given time or resources for education or team development. Being part of an exercise control team is a side job, where organizations mostly rely on hiring external experts.
Another key finding in this research is the importance of exercise planning competence amongst the exercise control team, for the exercises to be successfully executed. Results also show that a core team of experts is necessary to continuously improve the exercises, and also the need for these experts to participate in the preparation for exercises.

References:
Cisco. (2018). Annual cyber security report.
NATO. (2013). Resilient e-Communications Networks Good Practice Guide on National Exercises Enhancing the Resilience of Public Communications Networks Good Practice Guide on Exercises 2 Good Practice Guide on National Exercises. http://www.enisa.europa.eu/act/res
Nikolova, I. (2017). Best Practice for Cybersecurity Capacity Building in Bulgaria's Public Sector. Information & Security: An International Journal, 38, 79–92. https://doi.org/10.11610/isij.3806
NTNU. (2019). The Norwegian Cyber Range. https://www.ntnu.no/ncr
Østby, G., Lovell, K. N., & Katt, B. (2019). EXCON teams in cyber security training. Proceedings - 6th Annual Conference on Computational Science and Computational Intelligence, CSCI 2019, 14–19. https://doi.org/10.1109/CSCI49370.2019.00010
PST. (2021). Nasjonal trusselvurdering 2021. https://www.pst.no/alle-artikler/trusselvurderinger/nasjonal-trusselvurdering-2021/

Grethe Østby, Bjørn Emil Selebø, Stewart Kowalski
Open Access
Article
Conference Proceedings

Architectural Design for Secure Smart Contract Development

As time progresses, the need for more secure applications grows exponentially. The different types of sensitive information that are being transferred virtually have sparked a rise in systems that leverage blockchain. Different sectors are beginning to use this disruptive technology to evaluate the risks and benefits. Sectors like finance, medicine, higher education, and wireless communication have research regarding blockchain. Furthermore, the need for security standards in this area of research is pivotal. In the recent past, several attacks on blockchain infrastructures have resulted in hundreds of millions of dollars lost and sensitive information compromised. Some of these attacks include DAO attacks, bZx attacks, and Parity Multisignature Wallet Double Attacks, which targeted vulnerabilities within smart contracts on the Ethereum network. These attacks exposed the weaknesses of current smart contract development practices, which has led to the increase in distrust and adoption of systems that leverage blockchain for its functionality. In this paper, I identify common software vulnerabilities and attacks on blockchain infrastructures, thoroughly detail the smart contract development process and propose a model for ensuring a stronger security standard for future systems leveraging smart contracts. The purpose of proposing a model is to promote trust among end users in the system, which is a foundational element for blockchain adoption in the future.

Myles Lewis
Open Access
Article
Conference Proceedings

Modeling the effects of different honeypot proportions in a deception-based security game

Cyber-attacks, an intentional effort to steal information or interrupt the network, are growing dramatically. It is of great importance to understand how an adversary's behavior might impact the detection of threats. Prior research in adversarial cybersecurity has investigated the effect of different honeypot variations on adversarial decisions in a deception-based game experimentally. However, it is unknown how different honeypot variations affect adversarial decisions using cognitive models. The primary objective of this research is to develop a cognitive model using Instance-based learning theory (IBLT) to make predictions for decisions for networks with different honeypot proportions. The experimental study involved the use of a deception game (DG) in three sizes: small, medium, and large. The DG is defined as DG (n, k, γ), where n is the number of servers, k is the number of honeypots, and γ is the number of probes that the opponent makes before attacking the network. The DG had three between-subject conditions, which denoted three different honeypot proportions. Human data in the experimental study was collected by recruiting 60 participants who were randomly assigned one of the three between-subject conditions of the deception game (N = 20 per condition). The results revealed that with an increase in the proportion of honeypots, the honeypot and no-attack actions increased significantly. Next, we built two Instance-based Learning (IBL) models, an IBL model with calibrated parameters (IBL-calibrated) and an IBL model with ACT-R parameters (IBL-ACT-R), to account for human decisions in conditions involving different honeypot proportions in a deception-based security game. It was found that both IBL-calibrated and IBL-ACT-R models were able to account for human behavior across different experimental conditions. In addition, results revealed a greater reliance on the recent and frequent occurrence of events among the human participants. We highlight the key importance of our research for the field of cognitive modelling.

Harsh Katakwar, Palvi Aggarwal, Varun Dutt
Open Access
Article
Conference Proceedings