
2025 | Book

Human Aspects of Information Security and Assurance

18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024, Proceedings, Part II


About this book

The two-volume set IFIP AICT 721 + 722 constitutes the proceedings of the 18th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance, HAISA 2024, held in Skövde, Sweden, on July 9–11, 2024.

The 39 full papers presented were carefully reviewed and selected from 55 submissions. The papers are organized in the following topical sections:

Part I - Management and Risk; Social Engineering; Technical Attacks and Defenses; Usable Security.

Part II - Awareness and Education; Privacy.

Table of Contents

Frontmatter

Awareness and Education

Frontmatter
The Influence of Human Factors on Adaptive Social Media Cybersecurity Training and Education
Abstract
Despite the efforts to mitigate the risks posed by social media, no organisation can be completely protected from hackers. Therefore, specialists are increasingly relying on the training and education of the organisations’ workforce to prevent cyberattacks. To investigate the best training strategies available, we have conducted a survey among a large and diverse sample of employees working in various sectors, and we have interviewed people who possess expertise in policymaking and cybersecurity training—either as trainers or trainees. Our analysis reveals that the efficiency of cybersecurity training varies among individuals due to aspects such as motivation, simplicity, the expertise of the trainer, the experience of the trainee, the training environment, customisation, and the delivery methods employed. Moreover, we have concluded that cybersecurity training is contingent upon the trainees’ specific job roles within the organisation. Our findings have the potential to improve cybersecurity training, as well as the productivity of the trainers involved in its development.
Fai Ben Salamah, Marco A. Palomino, Maria Papadaki, Matthew J. Craven, Steven Furnell
Towards an Active Learning Approach for the Design of a Secure Programming Course Using Constructive Alignment
Abstract
Even though economic development encourages innovation across the world, the education industry has remained relatively consistent in following traditional modes of teaching. Traditional modes of teaching include the instructor transferring content to students through presenting the content either in a classroom setting, or through online means, often with little attention given to active learning and engagement of students. This form of education may not be effective particularly in Science, Technology, Engineering, and Mathematics (STEM) subjects, such as programming, which is popular in STEM related qualifications. The traditional teaching mode often negatively affects students’ success rates resulting in unemployment. Due to the passiveness of the traditional teaching modes, students often lose concentration during lengthy lectures. Therefore, a more active learning approach is recommended due to its engaging and effective mode of teaching. This paper investigates the relevant active learning elements which could assist in effective secure programming education. The identified elements are used to design a secure programming course within a constructive alignment approach thereby ensuring that intended learning outcomes are achieved.
Vuyolwethu Mdunyelwa, Lynn Futcher, Johan van Niekerk
Investigating the Use of Indigenous Languages Within South African Schools to Teach Cyber-Safety Awareness
Abstract
Language is an essential instrument for both learning and teaching, used extensively by educational institutions at all levels across the globe. In South Africa, the integration of languages in school systems has been an ongoing debate. In the digital age, where technology and online safety are crucial, ensuring that educational resources are accessible and understandable to all learners is important. However, the majority of South Africans engage in indigenous languages, raising concerns about the efficiency of cyber-safety awareness offered only in English or other non-indigenous languages. This study investigated the use of indigenous languages within South African schools to enhance cyber-safety awareness among learners and to explore teachers’ perspectives on their use of languages in the curriculum. A quantitative approach was employed for data collected through a survey questionnaire administered to 150 teachers in selected schools in the Ekurhuleni district of Gauteng, South Africa. Based on holistic result analysis using SPSS software, the results show that teachers require training in the integration of indigenous languages for cyber-safety awareness in the classroom. Additionally, the integration of indigenous languages can enhance cyber-safety awareness among learners and boost cultural relevance in education. The findings contribute to the discourse on inclusive education and inform strategies for promoting cyber-safety awareness in multicultural settings.
Amukelani Lisa Nkuna, Elmarie Kritzinger
Useful but for Someone Else - An Explorative Study on Cybersecurity Training Acceptance
Abstract
Insecure user behavior is the most common cause of cybersecurity incidents. Insecure behavior includes failing to detect phishing, insecure password management, and more. The problem has been known for decades, and state-of-the-art mitigation methods include security education, training, and awareness (SETA). A common problem with SETA is, however, that users do not seem to adopt it to a high enough extent. When users are not adopting SETA, its intended benefit is lost. Previous research argues for personalized SETA and suggests that different user groups have different SETA needs and preferences. The characteristics of those groups are, however, unknown. To that end, this research draws on an existing dataset to identify how different populations perceive different SETA methods. A quantitative analysis shows that users in different demographic groups have different SETA preferences, with age being the most impactful demographic. A qualitative analysis reveals further factors that impact user adoption of SETA, with cost and ease of use being important factors for further research.
Joakim Kävrestad, Erik Bergström, Eliana Stavrou, Marcus Nohlberg
Laying the Foundation for Digital Citizenship: The Integration of ‘The CyberSmart Squad’ into a Pre-School Curriculum
Abstract
Ensuring the safety and well-being of young children in online environments has emerged as a critical priority. This paper introduces a cybersafety curriculum for pre-school learners through The CyberSmart Squad, a group of animated characters based on the Big Five in South Africa. The overarching focus of The Cybersmart Squad is that learners should use ‘superpowers’ of Courage, Kindness, Safety, Respect and Honesty whether on the ‘real-life playground’ or in the ‘digital playground’. The competencies of Digital Citizenship Identity, Cyberbullying Management, Critical Thinking and Digital Empathy are encouraged through this cybersafety curriculum. This paper introduces The CyberSmart Squad curriculum, and related content, and uses the spiral curriculum approach to integrate cybersafety topics into the pre-school curriculum in South Africa. By empowering young children with essential cybersafety skills from an early age, this curriculum aims to contribute to building a foundation for lifelong digital citizenship in an increasingly digital world.
Kerry-Lynn Thomson, Noluxolo Gcaza
Gamification in Cybersecurity Training: High-Level Properties of Cybersecurity Games
Abstract
This paper examines high-level gamification properties, including mechanics, principles, engagement, and cybersecurity considerations suitable for educational settings. Utilising a literature review, the study consolidates these facets. Through this synthesis, the paper aims to present a unified understanding of gamification’s theoretical constructs and its pragmatic implications in education, specifically focusing on imparting cybersecurity concepts. A set of five properties that describe gamification in cybersecurity training is identified. The properties are described, and the relationship between the properties is described. The properties and their relationships form a foundation when developing cybersecurity training games.
Victoria Marciano, Jaco du Toit, Rhulani Maluleka
A Framework for Matching Distinct Personality Types with Information Security Awareness Methods
Abstract
The objective of this study is to develop a framework to associate learning styles and social influencing vulnerabilities with different personality types in the context of tailoring Information Security Awareness (ISA) methods for people with different personality types. Directed content analysis is carried out to develop the framework. The analysis is conducted in the following two parts: a). Describe and identify keywords for the DISC (Dominance (D), Inducement (I), Submission (S) and Compliance (C)) personality types, Kolb’s learning styles and Cialdini’s social influencing principles; b). Identify the relationships between Personality types, Learning styles, and Social influencing vulnerabilities and create the PLS (i.e., Personality types, Learning styles, and Social influencing vulnerabilities) framework. As a result, four relationships are identified for each distinct personality type in the PLS framework. This study contributes to building a sound theoretical ground for tailoring ISA methods for people with different personality types. In addition, the derived keywords are helpful to capture a good understanding of the different dimensions of the selected theories. Furthermore, the developed PLS framework can be used as a base for managers to employ ISA methods for people with different personality types in organizations.
Veronika Jashari, Satu Björn, Ella Kolkowska, Shang Gao
“Probably Put Some Sort of Fear in”: Investigating the Role of Heuristics in Cyber Awareness Messaging for Small to Medium Sized Enterprises
Abstract
Cyber-attacks are increasing at an exponential rate, targeting organisations irrespective of size. Small to medium sized enterprises (SMEs) are particularly vulnerable yet often lack cybersecurity awareness. This entails that an individual or organisation becomes aware of the cyber threats they face in addition to the protective actions and behaviours they can take. Despite the positive intentions of current cybersecurity awareness initiatives, there is a lack of adoption by SMEs. To better understand the situation this study explores SME owner or manager perceptions of cybersecurity awareness messages, leveraging psychological heuristics and message framing. Empirical data was collected through interviews with 16 participants representing SMEs in the North-East of England. Findings reflect that the framing of messages towards fear is more accepted by SMEs as opposed to positivity messages. Moreover, heuristics of self-efficacy and cost are seen to instil a desire to comply with cyber security behaviours. However, not all SMEs could agree on an approach thus suggesting that SMEs require bespoke messaging relating to the businesses and the owner.
Dominic Button, Jacques Ophoff, Alastair Irons, Sharon McDonald
Improving the Human Firewall: Exploring the Factors that Influence Cyber-Security Incident Reporting
Abstract
Purpose: Cyber-security incidents present a growing risk to organisations due to their increasing sophistication and prevalence. It is crucial for employees, often considered the ‘human firewall’ against cyber-attacks, to report these incidents promptly. Doing so can minimise damage and enable cyber-security teams to quickly detect and mitigate active attacks. Hence, the aim of this study was to investigate the relationship of a subset of factors on the reporting of cyber-security incidents. Methodology: 549 working Australian adults completed the Cyber Security Incident Reporting Inventory (CSIRI; pronounced, “Siri”) and a series of demographic questions via an online survey. Findings: Participants were significantly more likely to report incidents if their organisation had a cyber-security policy, regardless of whether it was formal or informal, or if they perceived cyber-security as being primary or relevant to their job. In addition, employees identifying with diverse gender identities exhibited significantly more negative attitudes and less perceived behavioural control in reporting cyber-security incidents, compared to the male, female, and non-binary groups. Implications: The results of this study indicate that organisations should consider introducing or modifying their existing cyber-security policies and training programs to meet the needs of their diverse employees. Organisations who leverage such insights can reinforce their ‘human firewall’ and better defend themselves against cyber-attacks.
Kristiina Ahola, Daniel Sturman, Nadia Scott, Malcolm Pattinson, Andrew Reeves, Marcus Butavicius, Agata McCormac
Harnessing the Right Talent for SETA Programs: Cybersecurity Roles and Competencies that Make a Difference
Abstract
Security Education, Training, and Awareness (SETA) is considered among the prominent strategies to develop a cybersecurity culture. Even though many SETA programs have been developed, their effectiveness is questionable as evident by the ongoing struggle of organizations to create a sustainable cybersecurity culture. A key factor that often challenges the design of effective SETA programs is the lack of expertise to create engaging and tailored initiatives to influence employees changing their unsafe behavior and adopting best practices. To address this challenge, organizations can leverage the expertise from multiple cybersecurity career roles, formulating a strong SETA development team that can exhibit a diverse range of perspectives and skills which are essential to design impactful SETA programs. Enabling such a collective design and development approach might be a solution to the pursuit of achieving a sustainable cybersecurity culture. This research work identifies: 1) the core knowledge areas and transferable skills that professionals responsible to design effective SETA programs should demonstrate, 2) which career roles in the ENISA European Cybersecurity Skills Framework cover relevant knowledge areas and transferable skills, 3) the prominent career roles for demonstrating knowledge and skills across multiple essential areas for SETA program development, and 4) the significance of lifelong learning in cybersecurity for developing sustainable SETA programs.
Apostolos Charalambous, Eliana Stavrou

Privacy

Frontmatter
Privacy Policies on Websites: A Case Study in the Financial Industry in South Africa
Abstract
Financial companies handle clients’ personal data and outline the related data processing conditions in online privacy policies. Despite data privacy laws, legislative guidelines for these policies are lacking. This research aimed to address the current state of online privacy policies, firstly by proposing holistic criteria for what must be included in a website privacy policy. Thereafter, a case study methodology was applied to review online privacy policies in the financial industry in South Africa, applying the proposed criteria. The key findings of this research indicate that financial companies do not fully address the criteria relating to the data subject's choice and consent, the integrity and security of the data, enforcement and redress, and any further information transfer that may occur in terms of their online privacy policies. The proposed criteria offer value to financial companies by providing a measure by which to assess their online privacy policy content.
Alisa Dayanand, Adéle da Veiga
Analysing Websites Privacy Policies: A Study of E-commerce Websites in South Africa
Abstract
Website privacy policies are used to inform consumers of the use and processing of their data but are often long and jargonised, complicating the comprehension of the website's privacy policies. While consumers require assurance on the processing of their personal information, organisations must also ensure that their website privacy policies cover the principles of data protection Acts. In South Africa, the Protection of Personal Information Act (POPIA) came into effect in July 2021, which provided principles for processing personal information. This study adopts the PRISMA methodology to systematically examine the existing literature to propose consolidated guidelines to aid website developers and administrators in drafting website privacy policies for the e-commerce sector. The proposed guidelines are a holistic consolidation of literature that applies to various jurisdictions. As the study was conducted in South Africa, the guidelines were also mapped to POPIA, and a sample of website privacy policies in South Africa were reviewed using the proposed guidelines. The e-commerce industry can benefit by implementing recommendations to aid them in addressing data privacy principles in website privacy policies.
Dzunani Makhuvele, Adéle da Veiga
Security and Privacy Perspectives on Using ChatGPT at the Workplace: An Interview Study
Abstract
The emergence of the artificial intelligence (AI) tool ChatGPT has created great excitement and unprecedented potential in various fields. Users are increasingly recognizing its benefits in aiding with work-related tasks and are incorporating it into their work routines. However, unconscious use of ChatGPT poses a risk to an organization if employees inadvertently disclose sensitive information. To date, there is a lack of research examining individuals’ perceptions of the security and privacy implications of ChatGPT use in organizational contexts. To bridge this gap, this study examines employees’ perceptions of security and privacy-related risks of using ChatGPT for work-related tasks and their strategies to mitigate these risks. Employing grounded theory, we conducted semi-structured interviews with 17 participants from 15 organizations across a range of professions and industries. Our findings indicate that employees have a general awareness of security and privacy-related risks, albeit with some uncertainties and misconceptions. While organizational guidelines for managing these risks are largely absent, participants describe that they employ self-determined strategies to avoid sharing sensitive data.
Angelika Kimbel, Magdalena Glas, Günther Pernul
A Holistic Approach to Developing Intervention Strategies Against Digital Piracy
Abstract
Addressing the global challenge of digital piracy, this study concludes a research series that explores the multifaceted drivers behind copyright infringement activities. Integrating findings from a PRISMA-guided systematic literature review and the application of behavioural psychology through the Theoretical Domains Framework (TDF), this work identifies key factors of digital piracy, including accessibility, awareness, education and social and cultural influences, alongside a consideration of previous behaviour. Crucially, the research leverages expert reviews analysed through ATLAS.ti, enhancing the development of the Digital Piracy Conceptual Framework (DPCF). The study’s findings, derived from interviews with one (1) participant from each of the six (6) sectors, provide sector-specific insights that, while informative, should not be interpreted as broadly generalisable across industries. This detailed approach has refined the DPCF, offering a comprehensive blueprint for devising effective digital piracy intervention strategies, marking a significant step towards mitigating this pervasive issue and protecting intellectual property rights globally.
Nompilo Fakude, Elmarie Kritzinger
Data After Death: Australian User Preferences and Future Solutions to Protect Posthumous User Data
Abstract
The digital footprints of today’s internet-active individuals are a testament to their lives, and have the potential to become digital legacies once they pass on. Future descendants of those alive today will greatly appreciate the unprecedented insight into the lives of their long-since deceased ancestors, but this can only occur if today we have a process for data preservation and handover after death. Many prominent online platforms offer nebulous or altogether absent policies regarding posthumous data handling, and despite recent advances it is currently unclear who the average Australian would like their data to be managed after their death (i.e., social media platforms, a trusted individual, or another digital executor). While at present the management of deceased accounts is largely performed by the platform (e.g., Facebook), it is conceivable that many Australians may not trust such platforms to do so with integrity. This study aims to further the academic conversation around posthumous data by delving deeper into the preferences of the Australian Public regarding the management of their data after death, ultimately to inform future development of research programs and industry solutions. A survey of 1020 Australians revealed that most desired a level of control over how their data is managed after death. Australians currently prefer to entrust the management of their data to a trusted close individual or a third-party software that they can administrate themselves. As expected, social media companies ranked low regarding both trust and convenience to manage data after death. Furthermore, we found that the more active internet users have stronger desire for control over their data after death, as did people with children and those with greater levels of formal education. Unexpectedly, marital status, age, and gender did not predict preferences for posthumous data control.
Future research focus should be to conceptualise and develop a third-party solution that enables these preferences to be realised. Such a solution could interface with the major online vendors (social media, cloud hosting etc.) to action the deceased’s will – erasing select data, while sharing other data with selected individuals.
Andrew Reeves, Arash Shaghaghi, Shiri Krebs, Debi Ashenden
Backmatter
Metadata
Title
Human Aspects of Information Security and Assurance
Editors
Nathan Clarke
Steven Furnell
Copyright Year
2025
Electronic ISBN
978-3-031-72563-0
Print ISBN
978-3-031-72562-3
DOI
https://doi.org/10.1007/978-3-031-72563-0