1
Rohan R, Pal D, Hautamäki J, Funilkul S, Chutimaskul W, Thapliyal H. A systematic literature review of cybersecurity scales assessing information security awareness. Heliyon 2023; 9:e14234. [PMID: 36938452 PMCID: PMC10015252 DOI: 10.1016/j.heliyon.2023.e14234] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Received: 09/21/2022] [Revised: 02/23/2023] [Accepted: 02/26/2023] [Indexed: 03/07/2023] Open
Abstract
Information Security Awareness (ISA) is a significant concept that got considerable attention recently and can assist in minimizing the risks associated with information security breaches. Several measurement scales have been developed in this regard, as measuring users' ISA is paramount. Although ISA specific scales are very important, yet what methodological rigor they use in terms of initial conceptualization of ISA, data collection and analysis during the development, and scale validation of such scales are some unknown aspects. Therefore, we provide a comprehensive review of the existing ISA specific scales to address all the above concerns. A popular method, PRISMA, is utilized, and a total of 24 articles that match with criteria of this research are included for the final in-depth analysis. Also, a holistic evaluation framework is developed containing three phases and 19 criteria. Findings revealed that most studies treat ISA as a multi-dimensional construct, and ISA researchers rarely conduct both pilot testing and pre-text evaluation while validating and refining the initial scales. Additionally, several articles did not report some of the essential elements used for checking the rigor of factor analysis, and evidence for validities of the identified scales is inadequate. Consequently, existing ISA specific scales must be improved both in terms of the methodological thoroughness of the scale development procedure and their validities. Moreover, not only justifying why the development of a new scale is necessary, but also improving the quality of the existing scales by doing multiple iterations is significant in the future. Likewise, the inclusion of all the dimensions of ISA, while generating the initial items pool is an important aspect to be considered. A thorough discussion, recommendations for future research, conclusions, and study limitations are provided.
Affiliation(s)
- Rohani Rohan
  - School of Information Technology, King Mongkut's University of Technology Thonburi, Bangkok 10140, Thailand
- Debajyoti Pal
  - Innovative Cognitive Computing Research Center (IC2), King Mongkut's University of Technology Thonburi, Bangkok 10140, Thailand
- Jari Hautamäki
  - School of Technology, JAMK University of Applied Sciences, Jyväskylä, Finland
- Suree Funilkul
  - School of Information Technology, King Mongkut's University of Technology Thonburi, Bangkok 10140, Thailand
- Wichian Chutimaskul
  - School of Information Technology, King Mongkut's University of Technology Thonburi, Bangkok 10140, Thailand
- Himanshu Thapliyal
  - Department of Electrical Engineering and Computer Science, University of Tennessee, Knoxville, USA
2
Chen J, Ge H, Li N, Proctor RW. What I Say Means What I Do: Risk Concerns and Mobile Application-Selection Behaviors. HUMAN FACTORS 2022; 64:1331-1350. [PMID: 33861174 DOI: 10.1177/00187208211004288] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 06/12/2023]
Abstract
OBJECTIVE
The goal of this study was to examine the relation between users' reported risk concerns and their choice behaviors in a mobile application (app) selection task.
BACKGROUND
Human users are typically regarded as the weakest link in cybersecurity and privacy protection; however, it is possible to leverage the users' predilections to increase security. There have been mixed results on the relation between users' self-reported privacy concerns and their behaviors.
METHOD
In three experiments, the timing of self-reported risk concerns was either a few weeks before the app-selection task (pre-screen), immediately before it (pre-task), or immediately after it (post-task). We also varied the availability and placement of clear definitions and quizzes to ensure users' understanding of the risk categories.
RESULTS
The post-task report significantly predicted the app-selection behaviors, consistent with prior findings. The pre-screen report was largely inconsistent with the reports implemented around the time of the task, indicating that participants' risk concerns may not be stable over time and across contexts. Moreover, the pre-task report strongly predicted the app-selection behaviors only when elaborated definitions and quizzes were placed before the pre-task question, indicating the importance of clear understanding of the risk categories.
CONCLUSION
Self-reported risk concerns may be unstable over time and across contexts. When explained with clear definitions, self-reported risk concerns obtained immediately before or after the app-selection task significantly predicted app-selection behaviors.
APPLICATION
We discuss implications for including personalized risk concerns during app selection that enable comparison of alternative mobile apps.
Affiliation(s)
- Jing Chen
  - 6042 Old Dominion University, Norfolk, Virginia, USA
- Huangyi Ge
  - 311308 Purdue University, West Lafayette, Indiana, USA
- Ninghui Li
  - 311308 Purdue University, West Lafayette, Indiana, USA
3
Cybersecurity Behavior among Government Employees: The Role of Protection Motivation Theory and Responsibility in Mitigating Cyberattacks. INFORMATION 2022. [DOI: 10.3390/info13090413] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/16/2022] Open
Abstract
This study examines the factors influencing government employees’ cybersecurity behavior in Malaysia. The country is considered the most vulnerable in Southeast Asia. Applying the protection motivation theory, this study addresses the gap by investigating how government employees behave toward corresponding cyberrisks and threats. Using partial least-squares structural equation modeling (PLS-SEM), 446 respondents participated and were analyzed. The findings suggest that highly motivated employees with high severity, vulnerability, response efficacy, and self-efficacy exercise cybersecurity. Incorporating the users’ perceptions of vulnerability and severity facilitates behavioral change and increases the understanding of cybersecurity behavior’s role in addressing cybersecurity threats—particularly the impact of the threat response in predicting the cybersecurity behavior of government employees. The implications include providing robust information security protection to the government information systems.
4
Pawlicka A, Pawlicki M, Kozik R, Choraś M. Human-driven and human-centred cybersecurity: policy-making implications. TRANSFORMING GOVERNMENT- PEOPLE PROCESS AND POLICY 2022. [DOI: 10.1108/tg-05-2022-0073] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/17/2022]
Abstract
Purpose
The purpose of this paper is to challenge the prevailing, stereotypical approach of the human aspect of cybersecurity, i.e. treating people as weakness or threat. Instead, several reflections are presented, pertaining to the ways of making cybersecurity human-centred.
Design/methodology/approach
This paper bases on the authors’ own experiences, gathered whilst working in cybersecurity projects; the resulting comments and reflections have been enriched and backed up by the results of a targeted literature study.
Findings
The findings show that the way the human aspects of cybersecurity are understood is changing, and deviates from the stereotypical approach.
Practical implications
This paper provides a number of practical recommendations for policymakers, as well as cybersecurity managers on how to make the cybersecurity more human-centred; it also inspires further research directions.
Originality/value
This paper presents a fresh, positive approach to humans in cybersecurity and opens the doors to further discourse about new paradigms in the field.
5
Yan Z, Yang P, Xue Y, Lou Y, Nealon M. Validity and reliability of Cybersecurity Judgment Questionnaire for middle and high school students: A validation study with Rasch analysis. HUMAN BEHAVIOR AND EMERGING TECHNOLOGIES 2021. [DOI: 10.1002/hbe2.312] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/06/2022]
Affiliation(s)
- Zheng Yan
  - Department of Educational and Counselling Psychology University at Albany, State University of New York Albany New York USA
- Panpan Yang
  - Department of Educational and Counselling Psychology University at Albany, State University of New York Albany New York USA
- Yukang Xue
  - Department of Educational and Counselling Psychology University at Albany, State University of New York Albany New York USA
- Yaosheng Lou
  - Department of Educational and Counselling Psychology University at Albany, State University of New York Albany New York USA
- Melissa Nealon
  - Department of Educational and Counselling Psychology Hudson Valley Community College Troy New York USA
6
Yan Z, Xue Y, Lou Y. Risk and protective factors for intuitive and rational judgment of cybersecurity risks in a large sample of K-12 students and teachers. COMPUTERS IN HUMAN BEHAVIOR 2021. [DOI: 10.1016/j.chb.2021.106791] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 10/21/2022]
7
Rodríguez-Priego N, van Bavel R, Vila J, Briggs P. Framing Effects on Online Security Behavior. Front Psychol 2020; 11:527886. [PMID: 33192769 PMCID: PMC7609889 DOI: 10.3389/fpsyg.2020.527886] [Citation(s) in RCA: 5] [Impact Index Per Article: 1.3] [Received: 01/17/2020] [Accepted: 09/28/2020] [Indexed: 11/13/2022] Open
Abstract
We conducted an incentivized lab experiment examining the effect of gain vs. loss-framed warning messages on online security behavior. We measured the probability of suffering a cyberattack during the experiment as the result of five specific security behaviors: choosing a safe connection, providing minimum information during the sign-up process, choosing a strong password, choosing a trusted vendor, and logging-out. A loss-framed message led to more secure behavior during the experiment. The experiment also measured the effect of trusting beliefs and cybersecurity knowledge. Trusting beliefs had a negative effect on security behavior, while cybersecurity knowledge had a positive effect.
Affiliation(s)
- Nuria Rodríguez-Priego
  - Joint Research Centre, European Commission, Seville, Spain
  - Departamento de Análisis Económico: Teoría Económica e Historia Económica, Universidad Autónoma de Madrid, Madrid, Spain
- René van Bavel
  - Joint Research Centre, European Commission, Seville, Spain
- José Vila
  - Center for Research in Social and Economic Behavior (ERI-CES), Intelligent Data Analysis Laboratory (IDAL), University of Valencia, Valencia, Spain
- Pam Briggs
  - Department of Psychology, School of Life Sciences, Northumbria University, Newcastle upon Tyne, United Kingdom
8
Arend I, Shabtai A, Idan T, Keinan R, Bereby-Meyer Y. Passive- and not active-risk tendencies predict cyber security behavior. Comput Secur 2020. [DOI: 10.1016/j.cose.2020.101964] [Citation(s) in RCA: 4] [Impact Index Per Article: 1.0] [Indexed: 11/16/2022]
9
Arend I, Shabtai A, Idan T, Keinan R, Bereby-Meyer Y. Passive- and not active-risk tendencies predict cyber security behavior. Comput Secur 2020. [DOI: 10.1016/j.cose.2020.101929] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.3] [Indexed: 11/29/2022]
10
Susceptibility to phishing on social network sites: A personality information processing model. Comput Secur 2020; 94:101862. [PMID: 32501314 PMCID: PMC7252086 DOI: 10.1016/j.cose.2020.101862] [Citation(s) in RCA: 21] [Impact Index Per Article: 5.3] [Received: 03/05/2019] [Revised: 04/26/2020] [Accepted: 04/28/2020] [Indexed: 11/26/2022]
Abstract
Today, the traditional approach used to conduct phishing attacks through email and spoofed websites has evolved to include social network sites (SNSs). This is because phishers are able to use similar methods to entice social network users to click on malicious links masquerading as fake news, controversial videos and other opportunities thought to be attractive or beneficial to the victim. SNSs are a phisher's “market” as they offer phishers a wide range of targets and take advantage of opportunities that exploit the behavioural vulnerabilities of their users. As such, it is important to further investigate aspects affecting behaviour when users are presented with phishing. Based on the literature studied, this research presents a theoretical model to address phishing susceptibility on SNSs. Using data collected from 215 respondents, the study examined the mediating role that information processing plays with regard to user susceptibility to social network phishing based on their personality traits, thereby identifying user characteristics that may be more susceptible than others to phishing on SNSs. The results from the structural equation modeling (SEM) analysis revealed that conscientious users were found to have a negative influence on heuristic processing, and are thus less susceptible to phishing on SNSs. The study also confirmed that heuristic processing increases susceptibility to phishing, thus supporting prior studies in this area. This research contributes to the information security discipline as it is one of the first to examine the effect of the relationship between the Big Five personality model and the heuristic-systematic model of information processing.
11
Palanisamy R, Norman AA, Mat Kiah ML. BYOD Policy Compliance: Risks and Strategies in Organizations. JOURNAL OF COMPUTER INFORMATION SYSTEMS 2020. [DOI: 10.1080/08874417.2019.1703225] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.3] [Indexed: 10/25/2022]
12
Linkov V, Zámečník P, Havlíčková D, Pai CW. Human Factors in the Cybersecurity of Autonomous Vehicles: Trends in Current Research. Front Psychol 2019; 10:995. [PMID: 31130903 PMCID: PMC6509749 DOI: 10.3389/fpsyg.2019.00995] [Citation(s) in RCA: 23] [Impact Index Per Article: 4.6] [Received: 12/14/2018] [Accepted: 04/15/2019] [Indexed: 11/13/2022] Open
Abstract
The cybersecurity of autonomous vehicles (AVs) is an important emerging area of research in traffic safety. Because human failure is the most common reason for a successful cyberattack, human-factor researchers and psychologists might improve AV cybersecurity by researching how to decrease the probability of a successful attack. We review some areas of research connected to the human factor in cybersecurity and find many potential issues. Psychologists might research the characteristics of people prone to cybersecurity failure, the types of scenarios they fail in and the factors that influence this failure or over-trust of AV. Human behavior during a cyberattack might be researched, as well as how to educate people about cybersecurity. Multitasking has an effect on the ability to defend against a cyberattack and research is needed to set the appropriate policy. Human-resource researchers might investigate the skills required for personnel working in AV cybersecurity and how to detect potential defectors early. The psychological profile of cyber attackers should be investigated to be able to set policies to decrease their motivation. Finally, the decrease of driver's driving skills as a result of using AV and its connection to cybersecurity skills is also worth of research.
Affiliation(s)
- Václav Linkov
  - Department of Traffic Psychology, CDV – Transport Research Centre, Brno, Czechia
- Petr Zámečník
  - Department of Traffic Psychology, CDV – Transport Research Centre, Brno, Czechia
- Darina Havlíčková
  - Department of Traffic Psychology, CDV – Transport Research Centre, Brno, Czechia
- Chih-Wei Pai
  - Graduate Institute of Injury Prevention and Control, College of Public Health, Taipei Medical University, Taipei, Taiwan
13
Jones HS, Towse JN, Race N, Harrison T. Email fraud: The search for psychological predictors of susceptibility. PLoS One 2019; 14:e0209684. [PMID: 30650114 PMCID: PMC6334892 DOI: 10.1371/journal.pone.0209684] [Citation(s) in RCA: 33] [Impact Index Per Article: 6.6] [Received: 07/30/2018] [Accepted: 12/09/2018] [Indexed: 11/26/2022] Open
Abstract
Decisions that we make about email legitimacy can result in a pernicious threat to security of both individuals and organisations. Yet user response to phishing emails is far from uniform; some respond while others do not. What is the source of this diversity in decision-making? From a psychological perspective, we consider cognitive and situational influences that might explain why certain users are more susceptible than others. Alongside an email judgment task employed as a proxy for fraud susceptibility, 224 participants completed a range of cognitive tasks. In addition, we manipulated time pressure for email legitimacy judgments. We identify cognitive reflection and sensation seeking as significant, albeit modest, predictors of susceptibility. Further to this, participants asked to make quicker responses made more judgment errors. We conclude there are cognitive signatures that partially contribute to email fraud susceptibility, with implications for efforts to limit online security breaches and train secure behaviors.
Affiliation(s)
- Helen S. Jones
  - Department of Psychology, Lancaster University, Lancaster, United Kingdom
- John N. Towse
  - Department of Psychology, Lancaster University, Lancaster, United Kingdom
- Nicholas Race
  - School of Computing and Communications, Lancaster University, Lancaster, United Kingdom
- Timothy Harrison
  - Defence Science and Technology Laboratory, Salisbury, United Kingdom