
2020 | Book

Advances in Human Factors in Cybersecurity

Proceedings of the AHFE 2019 International Conference on Human Factors in Cybersecurity, July 24-28, 2019, Washington D.C., USA


About this book

This book reports on the latest research and developments in the field of cybersecurity, particularly focusing on personal security and new methods for reducing human error and increasing cyber awareness, as well as innovative solutions for increasing the security of advanced Information Technology (IT) infrastructures. It covers a broad range of topics, including methods for human training; novel cyber-physical and process-control systems; social, economic, and behavioral aspects of cyberspace; issues concerning the cybersecurity index; security metrics for enterprises; and risk evaluation. Based on the AHFE 2019 International Conference on Human Factors in Cybersecurity, held on July 24-28, 2019, in Washington D.C., USA, the book not only presents innovative cybersecurity technologies, but also discusses emerging threats, current gaps in the available systems, and future challenges that may be successfully overcome with the help of human factors research.

Table of Contents

Frontmatter

Cybersecurity Applications and Privacy Research

Frontmatter
Attempting to Reduce Susceptibility to Fraudulent Computer Pop-Ups Using Malevolence Cue Identification Training
Abstract
People accept a high number of computer pop-ups containing cues that indicate malevolence when they occur as interrupting tasks during a cognitively demanding memory-based task [1, 2], with younger adults spending only 5.5–6 s before making an accept or decline decision [2]. These findings may be explained by at least three factors: pressure to return to the suspended task to minimize forgetting; adopting non-cognitively demanding inspection strategies; and having low levels of suspicion [3]. The consequences of such behavior could be potentially catastrophic for individuals and organizations (e.g., in the event of a successful cyber breach), and thus it is crucial to develop effective interventions to reduce susceptibility. The current experiment (N = 50) tested the effectiveness of malevolence cue identification training (MCIT) interventions. During phase 1, participants performed a serial recall task with some trials interrupted by pop-up messages with accept or cancel options that either contained cues to malevolence (e.g., missing company name, misspelt word; malevolent condition) or no cues (non-malevolent condition). In phase 2, participants were allocated to one of three groups: no MCIT/Control, non-incentivized MCIT/N-IMCIT, or incentivized MCIT/IMCIT. Control group participants only had to identify category-related words (e.g., colors). Participants in the intervention conditions were explicitly made aware of the malevolence cues in phase 1 pop-ups before trying to identify malevolence cues within adapted passages of text. The N-IMCIT group were told that their detection accuracy was being ranked against other participants, to induce social comparison. Phase 3 was similar to phase 1, although 50% of malevolent pop-ups contained new cues. MCIT did lead to a significant reduction in the number of malevolent pop-ups accepted under some conditions. Incentivized training did not (statistically) improve performance compared to non-incentivized training. Cue novelty had no effect. Ways of further improving the MCIT training protocol used, as well as theoretical implications, are discussed.
Phillip L. Morgan, Robinson Soteriou, Craig Williams, Qiyuan Zhang
Cyber Resilient Behavior: Integrating Human Behavioral Models and Resilience Engineering Capabilities into Cyber Security
Abstract
Cybercrime is on the rise. With the ongoing digitization of our society, it is expected that, sooner or later, all organizations will have to deal with cyberattacks; hence organizations need to be more cyber resilient. This paper presents a novel framework of cyber resilience, integrating models from resilience engineering and human behavior. Based on a pilot study with nearly 60 small and medium-sized enterprises (SMEs) in the Netherlands, this paper shows that the proposed framework holds promise for better development of the human aspects of cyber resilience within organizations. The framework provides organizations with diagnostic capability into how to better prepare for emerging cyber threats, while assuring the viability of the human aspects of cyber security critical to their business continuity. Moreover, knowing the sources of behavior that predict cyber resiliency may help in the development of successful behavioral intervention programs.
Rick van der Kleij, Rutger Leukfeldt
An International Extension of Sweeney’s Data Privacy Research
Abstract
About 20 years ago, the surprising research by Latanya Sweeney demonstrated that publicly available database information exposed the overwhelming majority of United States residents to the capture of their personal information through easily available data, using techniques we now refer to as “dumpster diving.” In particular, her research demonstrated that approximately 87% of the United States population can be identified uniquely using only the five-digit postal code, date of birth (including year), and gender. Although this result has held up over time, given the demographic parameters used in developing this estimate, Sweeney’s technique made no attempt to develop similar estimates for other countries. In this paper, we use Sweeney’s technique to provide estimates of the ability of similar demographics to yield the same type of data in a number of other countries, particularly those that tend to be as susceptible to data privacy attacks as the United States.
Wayne Patterson, Cynthia E. Winston-Proctor
The Human Factor in Managing the Security of Information
Abstract
The article discusses the findings of analyses of information security levels in Polish universities and presents the results of comparative analyses performed currently and those of security level studies conducted in 2008. The re-examination has demonstrated that there has been no significant improvement in the level of security. Despite the increase in public awareness of threats on the Internet and the increase in the general public’s ability to protect their own information resources, the analogous trend in universities has not occurred. Resources are still not adequately protected. The authors present the results of the comparative analysis and try to explain this paradox in the conclusion.
Malgorzata Wisniewska, Zbigniew Wisniewski, Katarzyna Szaniawska, Michal Lehmann
Beyond Passwords: Enforcing Username Security as the First Line of Defense
Abstract
Combinations of an account identifier (e.g., username) and a key phrase (i.e., password) are among the most utilized forms of credentials for several types of authentication purposes, such as user verification, connection to public and private networks, and access to digital resources. Typically, usernames are considered a method of account or user identification, whereas passwords are regarded as the crucial component that protects from attackers and prevents breaches. As a result, the level of security of a set of digital credentials is primarily associated with the strength of the key phrase, and most of the attention has focused on promoting initiatives for increasing password security. Unfortunately, account identifiers have received less consideration. Consequently, users are aware of how to enforce the security of their password, though they might prefer more convenient options. Conversely, several bad practices are caused by overlooking usernames as the first line of defense. In this paper, we highlight the increasing importance of account names and we overview the main username practices that impact account security. Furthermore, we present the results of a study that evaluated how human factors and individuals’ awareness impact username security.
Thaier Fandakly, Nicholas Caporusso
Social Engineering and the Value of Data: The Need of Specific Awareness Programs
Abstract
In the field of cybersecurity, the human factor is considered one of the most critical elements. Security experts know well the importance of people’s security behaviors, such as managing passwords and avoiding phishing attacks. However, organizations still lack a strong cybersecurity culture to manage security risks related in particular to the human factor. In this paper we describe the results of a study involving 212 employees belonging to two companies operating in the service sector. Within a cybersecurity awareness project executed in each company, employees participated in workshop sessions and were asked to evaluate the credibility and the success probability of a list of the most common security risk scenarios based on social engineering techniques. Cyber-attacks based on these techniques are considered among the most successful because they use psychological principles to manipulate people’s perception and obtain valuable information. The comparison of results obtained in the two companies shows that awareness training programs pay off in terms of raising people’s attention to cyber-risks.
Isabella Corradini, Enrico Nardelli

Awareness and Cyber-Physical Security

Frontmatter
Human Centered Cyber Situation Awareness
Abstract
Cyber SA is described as the current and predictive knowledge of cyberspace in relation to the Network, Missions and Threats across friendly, neutral and adversary forces. While this model provides a good high-level understanding of Cyber SA, it does not contain actionable information to help inform the development of capabilities to improve SA. In this paper, we present a systematic, human-centered process that uses a card sort methodology to understand and conceptualize Senior Leader Cyber SA requirements. From the data collected, we were able to build a hierarchy of high- and low-priority Cyber SA information, as well as uncover items that represent high levels of disagreement within and across organizations. The findings of this study serve as a first step in developing a better understanding of what Cyber SA means to Senior Leaders, and can inform the development of future capabilities to improve their SA and Mission Performance.
Vincent Mancuso, Sarah McGuire, Diane Staheli
Over-the-Shoulder Attack Resistant Graphical Authentication Schemes Impact on Working Memory
Abstract
Alphanumeric passwords are the most commonly employed authentication scheme. However, technical security requirements often make alphanumeric authentication difficult to use. Researchers have developed graphical authentication schemes to help strike a balance between security requirements and usability. However, replacing characters with pictures has introduced both negative (security vulnerabilities) and positive (memorability benefits) outcomes. We are aware of the noteworthy long-term memory advantages of graphical passcodes, but little is known about the impact on users’ limited working memory resources. Authentication is always a secondary task, which probably consumes working memory. This pilot study examines the impact graphical authentication schemes (Convex-Hull Click; Use Your Illusion; What You See is Where You Enter) have on working memory (Verbal; Spatial; Central Executive). Our findings suggest that the impact of graphical authentication schemes on working memory varies. This work shows that further investigation is needed to understand the complex relationship between scheme design and working memory.
Jeremiah D. Still, Ashley A. Cain
Comparative Evaluation of Security and Convenience Trade-Offs in Password Generation Aiding Systems
Abstract
A strong password is considered the most important feature for the security of any account credentials. In the last decades, several organizations have focused on improving password strength and produced awareness initiatives and security guidelines on how to create and maintain secure passwords. However, studies found that users perceive security and convenience as a trade-off, and they often compromise password strength in favor of a key phrase that is easier to remember and type. Therefore, websites and applications nowadays implement password generation aiding systems (PGAS) that help, and even force, users to create more secure passwords. Several types of PGAS are available, each implementing a different strategy for stimulating users to create stronger and more secure passwords. In this paper, we present the results of a study in which we compared six different PGAS and evaluated their performance in terms of security and convenience, with the aim of suggesting the system that has the most beneficial trade-off depending on the type of application.
Michael Stainbrook, Nicholas Caporusso
Perceiving Behavior of Cyber Malware with Human-Machine Teaming
Abstract
Cyber malware has evolved from simple hacking programs to highly sophisticated software engineering products. Human experts are in high demand but are busy, expensive, and have difficulty searching through massive amounts of data to detect malware. In this paper, we develop algorithms for machines to learn visual pattern recognition processes from human experts and then to map, measure, attribute, and disrupt malware distribution networks. Our approach is to combine visualization and machine vision for an intuitive discovery system that includes a visual ontology of textures, topological structures, traces, and dynamics. The machine vision and learning algorithms are designed to analyze texture patterns and search for similar topological dynamics. Compared to recent human-machine teaming systems that use input from human experts for supervised machine learning, our approach uses fewer samples, i.e. less training, and aims for novel discoveries through human-machine teaming.
Yang Cai, Jose A. Morales, William Casey, Neta Ezer, Sihan Wang
HackIT: A Human-in-the-Loop Simulation Tool for Realistic Cyber Deception Experiments
Abstract
Deception, the art of making someone believe in something that is not true, may provide a promising real-time solution against cyber-attacks. In this paper, we propose a human-in-the-loop real-world simulation tool called HackIT, which can be configured to create different cyber-security scenarios involving deception. We discuss how researchers can use HackIT to create networks of different sizes; use deception and configure different webservers as honeypots; and create any number of fictitious ports, services, fake operating systems, and fake files on honeypots. Next, we report a case study involving HackIT where adversaries were tasked with stealing information from a simulated network over multiple rounds. In one condition in HackIT, deception occurred early; in the other condition, it occurred late. Results revealed that participants used different attack strategies across the two conditions. We discuss the potential of using HackIT in helping cyber-security teams understand adversarial cognition in the laboratory.
Palvi Aggarwal, Aksh Gautam, Vaibhav Agarwal, Cleotilde Gonzalez, Varun Dutt
Mathematical Model of Intrusion Detection Based on Sequential Execution of Commands Applying Pagerank
Abstract
Cybersecurity in networks and computer systems is a very important research area for companies and institutions around the world. Therefore, safeguarding information is a fundamental objective, because data is the most valuable asset of a person or company. Users interacting with multiple systems generate a unique behavioral pattern for each person (called a digital fingerprint). This behavior is compiled from the interactions between the user and applications, websites, and communication equipment (PCs, mobile phones, tablets, etc.). In this paper, the analysis of eight users of computers with a UNIX operating system, who performed their tasks over a period of 2 years, is detailed. This data is the history of use in shell sessions, sorted by date and token. With this information a mathematical model of intrusion detection based on time series behaviors is generated. To generate this model, data pre-processing is necessary, which produces user sessions \( S_{m}^{u} \), where u identifies the user and m the number of sessions the user u has made. Each session \( S_{m}^{u} \) contains a sequence of command executions \( C_{n} \), that is \( S_{m}^{u} = \{ C_{1} ,C_{2} ,C_{3} , \ldots ,C_{n} \} \), where n is the position in which the command C was executed. Only 17 commands have been selected, which are the most used by each user u. In the creation of the mathematical model we apply the PageRank algorithm [1], which, within a command execution session \( S_{m}^{u} \), determines which command \( C_{n} \) calls another command \( C_{n + 1} \), and determines which command is the most executed. For this study we build a model with sb subsequences of two commands, \( sb = \{ C_{n} ,C_{n + 1} \} \), to which the algorithm is applied, and we obtain a probability of execution per command defined by \( P(C_{n} ) \). Finally, a profile is generated for each of the users as a signal in time series, from which the maximum and minimum of normal behavior are obtained. If any behavior is outside those ranges, it is determined to be intrusive behavior, with a detection probability value. Otherwise, the behavior is determined to be normal and the user can continue executing commands in a normal way. The results obtained with this model have shown that the proposal is quite effective in the testing phase, with an accuracy rate greater than 90% and a false positive rate of less than 4%. This shows that our model is effective and adaptable to the dynamic behavior of the user. On the other hand, the variability in the execution of user commands has been found to be quite high over short periods of time, but the proposed algorithm tends to adapt quite optimally.
Cesar Guevara, Jairo Hidalgo, Marco Yandún, Hugo Arias, Lorena Zapata-Saavedra, Ivan Ramirez-Morales, Fernando Aguilar-Galvez, Lorena Chalco-Torres, Dioselina Pimbosa Ortiz
Investigation and User’s Web Search Skill Evaluation for Eye and Mouse Movement in Phishing of Short Message
Abstract
There are many studies on eye and mouse movement. However, there are not many studies that try to evaluate web search skill while considering the relationship between the line of sight and the movement of the mouse. In this study, we analyze the acquired data from the viewpoint of differences in the information literacy of subjects and investigate a method for quantitatively evaluating web search skill.
Takeshi Matsuda, Ryutaro Ushigome, Michio Sonoda, Hironobu Satoh, Tomohiro Hanada, Nobuhiro Kanahama, Masashi Eto, Hiroki Ishikawa, Katsumi Ikeda, Daiki Katoh
Backmatter
Metadata
Title
Advances in Human Factors in Cybersecurity
Editors
Prof. Tareq Ahram
Prof. Waldemar Karwowski
Copyright Year
2020
Electronic ISBN
978-3-030-20488-4
Print ISBN
978-3-030-20487-7
DOI
https://doi.org/10.1007/978-3-030-20488-4