Human Risk Factors in Cybersecurity

Cuchta, Tom; Blackwood, B. Randall; Devine, Thomas; Niichel, Robert J.; Daniels, Kristina M.; Lutjens, Caleb H.; Maibach, Sydney; Stephenson, Ryan J.

doi:10.1145/3349266.3351407

Cited by 15 publications

(5 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There has also been conducted multiple phishing and social engineering studies of students and faculty in HE, for example, Diaz et al [25] and Cuchta et al [26], both documenting a high level of susceptibility to phishing attacks in academia. Related to phishing-attacks, Dadkhah [27] reviews cyber-attacks in scholarly publishing, such as the fraudulent call for papers, and reviews attackers strategies employed to fool scholars.…”

Section: Previous Work On Information Security In Hementioning

confidence: 99%

See 1 more Smart Citation

A Systematic Review of Cybersecurity Risks in Higher Education

Ulven

Wangen

2021

Future Internet

View full text Add to dashboard Cite

The demands for information security in higher education will continue to increase. Serious data breaches have occurred already and are likely to happen again without proper risk management. This paper applies the Comprehensive Literature Review (CLR) Model to synthesize research within cybersecurity risk by reviewing existing literature of known assets, threat events, threat actors, and vulnerabilities in higher education. The review included published studies from the last twelve years and aims to expand our understanding of cybersecurity’s critical risk areas. The primary finding was that empirical research on cybersecurity risks in higher education is scarce, and there are large gaps in the literature. Despite this issue, our analysis found a high level of agreement regarding cybersecurity issues among the reviewed sources. This paper synthesizes an overview of mission-critical assets, everyday threat events, proposes a generic threat model, and summarizes common cybersecurity vulnerabilities. This report concludes nine strategic cyber risks with descriptions of frequencies from the compiled dataset and consequence descriptions. The results will serve as input for security practitioners in higher education, and the research contains multiple paths for future work. It will serve as a starting point for security researchers in the sector.

show abstract

Section: Previous Work On Information Security In Hementioning

confidence: 99%

“…• Literature not written in either English or Norwegian • Studies that do not focus on risk related topics faced by the academic industry (e.g., papers on cybersecurity education [37,38], legal issues [21,22], or issue specific topics in HE [26,39].…”

mentioning

confidence: 99%

A Systematic Review of Cybersecurity Risks in Higher Education

Ulven

Wangen

2021

Future Internet

View full text Add to dashboard Cite

show abstract

“…Interventions for employees, such as training, must be fun and provide direct benefits. Easily understandable documents with visual cues can make such training more effective (Cuchta et al, 2019). If the training is playful, competition occurs, and feedback can be provided, which will make the intervention more exciting and successful.…”

Section: Implications For Practicementioning

confidence: 99%

Employee behavior: the psychological gateway for cyberattacks

Aschwanden,

Messner,

Höchli

et al. 2024

OCJ

View full text Add to dashboard Cite

PurposeCyberattacks have become a major threat to small and medium-sized enterprises. Their prevention efforts often prioritize technical solutions over human factors, despite humans posing the greatest risk. This article highlights the importance of developing tailored behavioral interventions. Through qualitative interviews, we identified three persona types with different psychological biases that increase the risk of cyberattacks. These psychological biases are a basis for creating behavioral interventions to strengthen the human factor and, thus, prevent cyberattacks.Design/methodology/approachWe conducted structured, in-depth interviews with 44 employees, decision makers and IT service providers from small and medium-sized Swiss enterprises to understand insecure cyber behavior.FindingsA thematic analysis revealed that, while knowledge about cyber risks is available, no one assumes responsibility for employees’ and decision makers’ behavior. The interview results suggest three personas for employees and decision makers: experts, deportees and repressors. We have derived corresponding biases from these three persona types that help explain the interviewees’ insecure cyber behavior.Research limitations/implicationsThis study provides evidence that employees differ in their cognitive biases. This implies that tailored interventions are more effective than one-size-fits7-all interventions. It is inherent in the idea of tailored interventions that they depend on multiple factors, such as cultural, organizational or individual factors. However, even if the segments change somewhat, it is still very likely that there are subgroups of employees that differ in terms of their misleading cognitive biases and risk behavior.Practical implicationsThis article discusses behavior directed recommendations for tailored interventions in small and medium-sized enterprises to minimize cyber risks.Originality/valueThe contribution of this study is that it is the first to use personas and cognitive biases to understand insecure cyber behavior, and to explain why small and medium-sized enterprises do not implement behavior-based cybersecurity best practices. The personas and biases provide starting points for future research and interventions in practice.

show abstract

“…However, each covers its focus from the perspective of risk management, and none of them explicitly identifies which indicators should be taken into account for a data-based approach that translates into indicators that can be used proactively. In this work developed by ENISA [35], [41] and other researchers, we understand the need to create a more focused methodology on management indicators and data that can be used proactively. By analyzing the broad collection of RM frameworks and methodologies presented in the previous table, we identified several factors that limit the potential of RM frameworks and methodologies.…”

Section: Existing Framework Reviewed and Analyzedmentioning

confidence: 99%

“…Despite several existing works on cybersecurity risk management, the literature does not present works considering such contextual information when performing risk management for critical infrastructures [12], [41].…”

Section: Problem Identification and Research Question(s)mentioning

confidence: 99%

Predicting Cybersecurity Risk - A Methodology for Assessments

Ferreira¹,

Mamede²

2022

ARIS2-Journal

View full text Add to dashboard Cite

Defining an appropriate cybersecurity incident response model is a critical challenge that all companies face on a daily basis.However, there is not always an adequate answer. This is due to the lack of predictive models based on data (evidence). There is a significant investment in research to identify the main factors that can cause such incidents, always trying to have the most appropriate response and, consequently, enhancing response capacity and success. At the same time, several different methodologies assess the risk management and maturity level of organizations.There is, however, a gap in determining an organization's degree of proactive responsiveness to successfully adopt cybersecurity and an even more significant gap in assessing it from a risk management perspective. This paper proposes a model to evaluate this capacity, a model that intends to evaluate the methodological aspects of an organization and indicates the apparent gaps that can negatively impact the future of the organization in the management of cybersecurity incidents and presents a model that intends to be proactive.

show abstract

Human Risk Factors in Cybersecurity

Cited by 15 publications

References 11 publications

A Systematic Review of Cybersecurity Risks in Higher Education

A Systematic Review of Cybersecurity Risks in Higher Education

Employee behavior: the psychological gateway for cyberattacks

Predicting Cybersecurity Risk - A Methodology for Assessments

Contact Info

Product

Resources

About