HUMAN FACTORS IN CYBERSECURITY: RISKS AND IMPACTS
Technological solutions in the mobile and digital era are becoming more helpful in informing the population, in educational systems, in monitoring and tracking individuals, and in working and spending time from home. On the other hand, the valuable information within such systems is exposed to the risk of breaches at both the individual and the organizational level. As a result, cyber threats are constantly evolving. A vast number of security incidents and data breaches are associated with the human factor. Accordingly, this work aims to highlight the importance of human factors in cybersecurity. Firstly, this article gives a brief overview of the topic and its significance. Then we present the most common risks in the cybersecurity field and their impacts. The third part emphasizes the role of human factors in security and elaborates on behavioral approaches. Our conclusions are drawn in the last part. To further our research, we plan to investigate behavioral science theories for understanding the influence of human factors in cybersecurity.
© 2020 Security Science Journal. All rights reserved