2022 | Book

Human Aspects of Information Security and Assurance

16th IFIP WG 11.12 International Symposium, HAISA 2022, Mytilene, Lesbos, Greece, July 6–8, 2022, Proceedings

About this book

This book constitutes the proceedings of the 16th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance, HAISA 2022, held in Mytilene, Lesbos, Greece, in July 2022.

The 25 papers presented in this volume were carefully reviewed and selected from 30 submissions. They are organized in the following topical sections: cyber security education and training; cyber security culture; privacy; and cyber security management.

Table of contents

Frontmatter

Cyber Security Education and Training

Frontmatter
Visual Programming in Cyber Range Training to Improve Skill Development
Abstract
Cyber range training is a promising approach to address the shortage of skilled cybersecurity experts in organizations worldwide. Seeking to make the training of those experts as efficacious and efficient as possible, we investigate the potential of visual programming languages (VPLs) for training in cyber ranges. For this matter, we integrate the VPL Blockly into an existing cyber range concept. To evaluate its effect on the learning process of the trainees we conducted a user study with an experimental group using the VPL and a control group using textual programming. The evaluation results demonstrated a positive impact of the VPL on the trainees’ learning experience. The trainees in the VPL group achieved equally good learning outcomes as those in the control group but rated the subjective workload as lower and perceived the training as more interesting.
Magdalena Glas, Manfred Vielberth, Tobias Reittinger, Fabian Böhm, Günther Pernul
Survey of Users’ Willingness to Adopt and Pay for Cybersecurity Training
Abstract
The importance of user behaviour in the cybersecurity domain is widely acknowledged. Users face cyberthreats such as phishing and fraud daily, both at work and in their private use of technology. Using training interventions to improve users’ knowledge, awareness, and behaviour is a widely accepted approach to improving the security posture of users. Research into cybersecurity training has traditionally assumed that users are provided such training as members of an organization. However, users in their private capacity are expected to cater for their own security. This research addresses this gap with a survey in which 1437 Swedish adults participated. Willingness to adopt and pay for different cybersecurity training types was measured. The included types were: training delivered to users in a context where the training is of direct relevance, eLearning, and game-based training. The participants were most willing to adopt and pay for contextual training, while eLearning was the second most favoured training type. We also measured whether willingness to pay for and adopt cybersecurity training was impacted by the participant’s worry about various cyber threats. Surprisingly, no meaningful correlation was found, suggesting that something other than worry mediates willingness to adopt and pay for cybersecurity training.
Joakim Kävrestad, Martin Gellerstedt, Marcus Nohlberg, Jana Rambusch
A Thematic Content Analysis of the Cybersecurity Skills Demand in South Africa
Abstract
The cybersecurity skills demand is a growing concern both globally and in South Africa, creating what is known as the cybersecurity skills gap. This means that there is a shortage of Information Technology (IT) and cybersecurity professionals that have the required knowledge, skills and abilities, to effectively fill this gap. This study aims to provide a better understanding of the cybersecurity skills demand in South Africa having analysed job postings in South Africa over a 4-month period from 1st October 2020 to 31st January 2021. This was done by conducting a thematic content analysis of the 280 job postings identified during this period. Results indicate a condensed set of knowledge, skills and abilities (KSAs) categorised according to five main job categories, namely: Cybersecurity, Operations and Support, Data and Artificial Intelligence, Strategy and Governance, and Software and Application Development. These results can assist universities, training institutions and organisations to address the cybersecurity skills gap in South Africa.
Madri Kruger, Lynn Futcher, Kerry-Lynn Thomson
Applying PDCA to Security, Education, Training and Awareness Programs
Abstract
Security standards help to create security policies, but they are often very descriptive, especially when it comes to security awareness. Information systems security awareness is vital to maintain a high level of security. SETA programs (Security Education, Training and Awareness) increase information systems security awareness and play an important role in finding the strategic balance between the prevention and response paradigms. By reviewing the literature, we identify guidelines for designing a SETA program following a PDCA (Plan Do Check Act) cycle.
Olivier de Casanove, Nicolas Leleu, Florence Sèdes
Exploring CyBOK with Topic Modeling Techniques
Abstract
Several frameworks that cover cyber security education and professional development have been introduced as guidance for learners, educators and professionals to the different knowledge areas of the field. One of the most important frameworks is the Cyber Security Body of Knowledge (CyBOK). In this paper, we apply the BERTopic topic modeling technique to CyBOK. We aim, by using this technique, to identify the most relevant topics related to each CyBOK knowledge area in an automated way. Our results indicate that it is possible to find a meaningful topic model describing CyBOK and, thus, suggest the possibility of applying related techniques to texts to identify their main themes.
Ana I. González-Tablas, Mohammed Rashed
COLTRANE – Towards a Methodology and Platform Supported Educational Basis for Cybersecurity Education
Abstract
Based on an analysis of current cybersecurity education in Europe and findings from a series of workshops conducted with selected groups of educators and learners in several European HEIs, this paper describes a methodology that is aimed at integrating the teaching of applied skills with the prevailing teaching, which is more focused on theoretical knowledge. The resulting COLTRANE Methodology aims at achieving this goal through providing a scenario-based and problem-oriented learning environment. A first case study is described and analyzed.
Jerry Andriessen, Steven Furnell, Gregor Langner, Carmela Luciano, Gerald Quirchmayr, Vittorio Scarano, Teemu Johannes Tokola
An Investigation into Educational Process Models for Teaching Secure Programming
Abstract
Despite the many advantages that software applications provide in our daily lives, there are also numerous threats that target vulnerabilities in these applications. There is therefore a demand for new technologies and approaches to secure software development. Educational institutions are responsible for equipping computing graduates with the requisite secure programming knowledge, skills and abilities. However, despite various curricula guidelines being provided by the ACM and other professional bodies, many educational institutions have not successfully implemented such changes within their curricula. One of the problems is that the available curricula guidelines focus more on what secure programming concepts should be taught, rather than how. This paper therefore investigates how educational process models could be used for teaching secure programming. It further identifies various themes and sub-themes from different educational process models and argues how these can be used to teach secure programming.
Vuyolwethu Mdunyelwa, Lynn Futcher, Johan van Niekerk
Cybersecurity Knowledge Requirements for a Water Sector Employee
Abstract
Critical infrastructure in South Africa remains highly vulnerable to cybercrime threats due to a poor cyber-crime fighting capacity and a lack of a strong cybersecurity policy. South Africa appears to have fallen behind in securing and protecting cyberspace, considering the country’s dependence on as well as its interconnectedness with the internet. Globally, the water and wastewater sector was ranked number four in global security incidents. This study presents the findings of a systematic literature review conducted to assess the cybersecurity knowledge necessary for a general employee in the water sector. The study proposes a framework for determining the minimum knowledge that a general employee in the water sector should have. The framework starts by defining the eight different types of cybersecurity challenges, then moves on to mitigation strategies for dealing with such attacks. Several approaches and strategies were provided for mitigating various cybersecurity challenges. To deal with such risks, mitigations such as cybersecurity knowledge and skills, cybersecurity awareness, and cybersecurity training were proposed. The strategies for developing knowledge to deal with various sorts of dangers were provided at both the individual and organizational levels.
R. Thomani, A. Marnewick, S. von Solms, M. Malatji
CAP: Patching the Human Vulnerability
Abstract
Cyber threats to organisations across all industries are increasing in both volume and complexity, leading to significant, and sometimes severe, consequences. The common weakest link in organisations’ security is the human vulnerability. The sudden popularity of remote working due to the Covid-19 pandemic opened organisations and their employees up to more risks, particularly as many workers believe that they are more distracted when at home. Existing cyber training using a ‘one-size-fits-all’ approach has been proven inefficient/ineffective, and more fit-for-purpose training is required. When it comes to cyber training, we know that there is no single-training-fits-all solution – people have different technical skills, different prior knowledge and experience, are in different roles, are exposed to different security risks, and require knowledge that is relevant to what they do. This study makes a case for tailored role-based cybersecurity training suitable for awareness within organisations across multiple industries. The study explores the strengths and weaknesses of existing cyber training and literature to make recommendations on efficient awareness and training programme strategies. The study carries out knowledge and task analysis of job roles to create profiles of the skills and knowledge they require. These are grouped by topic and level to form scenario-based multiple-choice questions which are mapped to create a Cyber Awareness Platform (CAP). A CAP prototype is introduced as a flexible web-based system allowing users to assess their prior knowledge and skills, personalised to their role. Knowledge gaps and training needs are identified, and recommendations are tailored to the individual. Initial analysis of CAP shows promising results, indicating that such a role-sensitive solution would be highly beneficial to users. This offers further development opportunities in producing an all-in-one cyber assessment and training platform.
Thaddeus Eze, Neil Hawker
A Novel Framework for the Development of Age Appropriate Information Security Serious Games
Abstract
Serious games have been shown to be an effective tool when teaching information security concepts to children and adults alike. However, due to the different ways in which people learn during different stages of their life, developing effective games for children can be a non-trivial task. In this paper, a novel framework is introduced that aims to simplify the process of developing serious games for children by making use of well-known developmental psychology principles. The framework is based on Erikson’s Theory of Psychosocial Development, as well as Bandura’s Social Cognitive Theory. Both of these theories are well-known within the field of developmental psychology, and have been shown to be valid in prior studies. To validate the proposed framework, a number of existing serious games from the literature are used in order to determine if the framework could have been used to develop the extant games. The framework, developed from a psychological basis, matches the games found in the literature. This suggests that the framework is a valid approach when developing age-appropriate information security games.
Rudi Serfontein, Riana Serfontein

Cyber Security Culture

Frontmatter
Security Culture in Industrial Control Systems Organisations: A Literature Review
Abstract
Industrial control systems (ICS) are a key element of a country’s critical infrastructure, which includes industries like energy, water, and transport. In recent years, an increased convergence of operational and information technology has been taking place in these systems, increasing their cyber risks, and making security a necessity. People are often described as one of the biggest security risks in ICS, and historic attacks have demonstrated their role in facilitating or deterring them. One approach to enhance the security of organisations using ICS is the development of a security culture aiming to positively influence employees’ security perceptions, knowledge, and ultimately, behaviours. Accordingly, this work aims to review the security culture literature in organisations which use ICS and the factors that affect it, to provide a summary of the field. We conclude that the factors which affect security culture in ICS organisations are in line with the factors discussed in the general literature, such as security policies and management support. Additional factors related to ICS, such as safety culture, are also highlighted. Gaps are identified, with the limited research coverage being the most prominent. As such, proposals for future research are offered, including the need to conduct research with employees whose roles are not security related.
Stefanos Evripidou, Uchenna D. Ani, Jeremy D McK. Watson, Stephen Hailes
Systematic Review of Factors that Influence the Cybersecurity Culture
Abstract
There is a need to shift from a purely technological approach in addressing cybersecurity threats to a more human inclusive method. As a result, cybersecurity culture is gaining momentum in research as an approach in addressing cybersecurity challenges due to human related issues. To develop a better understanding of cybersecurity culture, this paper presents a comprehensive view of cybersecurity culture (CSC) factors. These holistic cybersecurity culture factors have been developed by conducting a detailed review of literature. A total of 539 records were initially identified from seven different databases and via other sources, from which 58 records were finally selected using focused inclusion and exclusion criteria. The review identified a total of 29 cybersecurity culture factors, with security education, training, and awareness (SETA), and top management or leadership support appearing among the 10 dominant factors. The researchers produced a consolidated list of factors for CSC that can guide future researchers in this research area.
Emilia N. Mwim, Jabu Mtsweni
Cyber4Dev Security Culture Model for African Countries
Abstract
Creating a good information security culture among employees within organizations is the cornerstone of a safe and robust cyberspace. Furthermore, a strong information security culture within organizations will assist in reducing the effects of human habits that lead to data breaches. This article seeks to conduct a scoping review of the scholarly literature on Cyber Resilience for Development (Cyber4Dev) security culture within the context of African countries. With limited scholarly articles available for Cyber4Dev, the review will focus on information security culture to adapt it to a Cyber4Dev security culture that organizations in Africa can replicate. Using the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) for the scoping review, this paper analysed 40 scholarly articles on information security culture to propose a Cyber4Dev security culture model for organizations applicable within an African context. Economic, socio-cultural and trust factors were identified as some of the factors to consider in an African context to promote an information security culture. Organisations can consider these factors as part of their information security programs. The model serves as a reference for further research to explore the influence of the identified factors in an African context.
Victor Reppoh, Adéle da Veiga
A Model for Information Security Culture with Innovation and Creativity as Enablers
Abstract
This research aims to elicit a conceptual understanding of creativity and innovation to enable a totally aligned information security culture. Stimulating the creativity and innovation of employees in an organisation can help to solve information security problems and to create a culture where information security issues are addressed and resolved, as opposed to being introduced by end-users. The study applied a theoretical approach with a scoping literature review using the PRISMA method to derive traits and programmes that organisations can implement to stimulate creativity and innovation as part of the organisational culture. A model for engendering employee creativity and innovation as part of the information security culture is proposed, through the lens of the three levels of organisational culture. This study both offers novel insights for managerial practice and serves as a point of reference for further academic research about the influence of creativity and innovation in information security culture.
Adéle da Veiga
Understanding Phishing in Mobile Instant Messaging: A Study into User Behaviour Toward Shared Links
Abstract
In recent years, users of Mobile Instant Messaging (MIM) apps like WhatsApp and Telegram have been targeted by phishing attacks. While user susceptibility to phishing in other media is well studied, the literature currently lacks studies on phishing susceptibility in MIM apps. This paper presents a study that offers the first insights into the susceptibility of users of MIM apps to phishing by investigating their behaviour towards shared links. Using an online survey, we collected data from 111 users of MIM apps and found that participants frequently click and forward links during instant messaging, while factors such as the user’s relationship with the sender and the group context of the communication influence these behaviours. The results show that most users’ behaviours towards shared links try to reduce their risk of phishing by trusting their friends, family and colleagues to protect them. This raises some interesting questions for further research on the effectiveness and reliability of their strategy.
Rufai Ahmad, Sotirios Terzis

Privacy

Frontmatter
How Privacy Concerns Impact Swedish Citizens’ Willingness to Report Crimes
Abstract
In today’s information technology-driven world, most criminal acts leave digital evidence. In such cases, cooperation through the handover of digital devices such as mobile phones from victims is a success factor that enables evidence-seeking through digital forensics. Unfortunately, forensic examinations of devices can become an additional negative consequence due to privacy invasion. Privacy invasion can make crime victims less cooperative and less willing to report crimes. To address this problem, we surveyed 400 Swedish adults to identify their hypothetical willingness to report certain crimes. The survey examined the impact a mobile phone handover made on the willingness to report a crime. Our findings demonstrate that mobile phone handover resulted in a significantly lower willingness to report crimes. However, the data could not show privacy as a common tendency cause. The presented results can be used as a reference for further research on attitudes and behaviours regarding the subject.
Gunnar Lindqvist, Joakim Kävrestad
“Your Cookie Disclaimer is Not in Line with the Ideas of the GDPR. Why?”
Abstract
Cookie disclaimers have been omnipresent since the GDPR went into effect in 2018. Not all disclaimers are designed in a way that is aligned with the ideas of the GDPR; some even clearly violate the regulation. We wanted to understand how websites justify the use of those cookie disclaimers and what needs to happen for them to change the design of their cookie disclaimers. We, therefore, notified 147 websites (out of the top 500 Alexa German webpages) that their cookie disclaimers are (potentially) not GDPR compliant and asked for their motivation to use specific designs. We also monitored changes to the websites’ cookie disclaimers.
Anne Hennig, Heike Dietmann, Franz Lehr, Miriam Mutter, Melanie Volkamer, Peter Mayer
A Survey of Australian Attitudes Towards Privacy: Some Preliminary Results
Abstract
The challenge of meeting security requirements (of a nation-state) and the privacy needs of citizens is perhaps a political goal, but it is enabled by technology. Attacks on citizens tend to move the balance towards security, whilst civil liberties groups often act as a counter to not over-correct security, so as to guarantee privacy. This paper explores Australian attitudes towards privacy and surveillance during the pandemic. We consider a fundamental question: Has the pandemic changed the perception of Australian citizens with regard to their fundamental right to privacy? We surveyed Australian attitudes to privacy in the light of the COVID-19 pandemic and report on some interesting results.
Leah Shanley, Michael N. Johnstone, Patryk Szewczyk, Michael Crowley
Designing and Evaluating a Prototype for Data-Related Privacy Controls in a Smart Home
Abstract
The privacy concerns of home Internet of Things (IoT) device users and experts have been widely studied, but the designs of privacy controls addressing those concerns are sparse. Literature shows a significant body of research uncovering design factors for privacy controls in smart home devices, but fewer studies have translated those design recommendations into design and evaluated the designs. To fill this gap, we designed a prototype user interface implementing the design recommendations of data-related privacy controls based on prior work and evaluated the prototype for user experience, usability, perceived information control, user satisfaction, and intention to use. The results of interviews (n = 10) critique the proposed design and the survey results (n = 105) show that the prototype design provides positive evaluation for perceived information control, user satisfaction and intention to use. Based on findings, we discuss design recommendations for further improvements. Thus, this paper contributes to the design of data-related privacy controls for user interfaces of home IoT devices and applications.
Chola Chhetri, Vivian Motti

Cyber Security Management

Frontmatter
An Exploratory Factor Analysis of Personality Factors: An Insider Threat Perspective
Abstract
This study used an exploratory factor analysis to examine the factors underlying personality traits that influence the constructs of information security compliance. Studies of this nature could be germane to organisations grappling with the insider threat problem. The current study, which is situated within the socio-technical realm and considers the human element within the information security domain, concludes by providing a conceptual model that could be useful to both researchers and practitioners.
Keshnee Padayachee
Policy Components - A Conceptual Model for Tailoring Information Security Policies
Abstract
Today, many business processes are propelled by critical information that needs safeguarding. Procedures on how to achieve this end are found in information security policies (ISPs) that are rarely tailored to different target groups in organizations. The purpose of this paper is therefore to propose a conceptual model of policy components for software that supports modularizing and tailoring of ISPs. We employed design science research to this end. The conceptual model was developed as a Unified Modeling Language class diagram using existing ISPs from public agencies in Sweden. The conceptual model can act as a foundation for developing software to tailor ISPs.
Elham Rostami, Fredrik Karlsson, Shang Gao
Security Fatigue: A Case Study of Data Specialists
Abstract
Due to the number of data breaches occurring worldwide there is increasing vigilance regarding information security. Organisations employ a variety of technical, formal, and informal security controls but also rely on employees to safeguard information assets. This relies heavily on compliance and constantly challenges employees with security-related tasks. Security compliance behaviour is a finite resource and when employees engage in cost-benefit analyses that extend tolerance thresholds, security fatigue may set in. Security fatigue has been described as a despondency and weariness to experience any further security tasks. This study used a case study approach to investigate employee security fatigue, focusing on data specialists. Primary data was collected through semi-structured interviews with 12 data specialists in a large financial services company. A thematic analysis of the data revealed several interlinked themes that evidence security fatigue. Awareness and understanding of these themes can help organisations to monitor for this and tailor security activities, such as security education, training, and awareness for increased effectiveness.
Anusha Bhana, Jacques Ophoff
Factors Influencing Cybercrime Reporting Behaviour in South African State-Owned Entities
Abstract
Cybercrime may destabilise organisations and society due to the social, financial, emotional, psychological, and physical impacts. The purpose of this paper was to investigate cybercrime reporting behaviour and the factors that influence it. South African state-owned entities were the focus of attention given their strategic role, which requires that attention be given to improving their cybersecurity practices, such as cybercrime reporting in an increasingly digital society. The conceptual framework was developed using themes from the cybercrime literature, and the Theory of Planned Behaviour (TPB) as a lens. The study used a quantitative method, and data was collected online using a questionnaire survey. One hundred and three complete responses were received from employees working in South African state-owned entities. Factors that were identified as influencing cybercrime reporting behaviour were self-efficacy and facilitating conditions.
Karabo Pilane, Zainab Ruhwanya, Irwin Brown
Online Security Attack Experience and Worries of Young Adults in the United Kingdom
Abstract
Online security issues continue to grow as a concern, amplified by the coronavirus pandemic. The current cohort of young people (aged 18–30, “Generation Z”) are the first to have grown up with digital technologies, but to what extent are they worried about online security attacks and what experience do they have of them? An online survey of 81 young UK participants investigated their experience with 12 scenarios presenting online security attacks, asked about their level of worry with 9 online security attacks and their knowledge of computer and online security, and their confidence in their ability to identify an attack. Experience with the online attacks ranged widely, from over 50% of participants experiencing spear phishing to attempt identity theft, to only 2.5% experiencing a spoofed website. A principal components analysis showed that worries clearly fell into two components: Theft Worry and Phishing Worry. Levels of worry on these two components could be predicted from the number of different online security attacks participants had experienced. These relationships may be useful for developing education and advice to encourage better online security behaviour.
Najla Aldaraani, Helen Petrie, Siamak F. Shahandashti
PowerQoPE: A Personal Quality of Internet Protection and Experience Configurator
Abstract
Security configuration remains obscure for many Internet users, especially those with limited computing skills. This obscurity exposes such users to various Internet attacks. Recently, there has been an increase in cyberattacks targeted at individuals due to the remote workforce imposed by the COVID-19 pandemic. These attacks have exposed the inefficiencies of the non-human-centric implementation of Internet security mechanisms and protocols. Security research usually positions users as the weakest link in the security ecosystem, making system and protocol developers exclude the users from the development process. This stereotypical approach has negatively affected users’ security uptake. Mostly, security systems are not comprehensible for an average user, negatively affecting performance and Quality of Experience. This causes the users to shun using security mechanisms. Building on human-centric cybersecurity research, we present a tool that aids in configuring Internet Quality of Protection and Experience (referred to as PowerQoPE in this paper). We describe its architecture and design methodology and finally present evaluation results. Preliminary evaluation results show that user-centric and data-driven approaches in the design of Internet security systems improve users’ Quality of Experience. The controlled experiment results show that users are not really stupid; they know what they want, and given proper security configuration platforms with proper framing of components and information, they can make optimal security decisions.
Enock Samuel Mbewe, Taveesh Sharma, Josiah Chavula
Backmatter
Metadata
Title
Human Aspects of Information Security and Assurance
Edited by
Nathan Clarke
Steven Furnell
Copyright year
2022
Electronic ISBN
978-3-031-12172-2
Print ISBN
978-3-031-12171-5
DOI
https://doi.org/10.1007/978-3-031-12172-2