Search results

Boards of Directors and other organisational leaders make decisions about the information security governance systems to implement in their companies. The increasing number of cyber-breaches targeting businesses makes this activity inescapable. Recently, researchers have published comprehensive lists of recommended cyber measures, specifically to inform organisational boards. However, the young cybersecurity industry has still to confirm and refine these guidelines. As a starting point, it would be helpful for organisational leaders to know what other organisations are doing in terms of using these guidelines. In an ideal world, bespoke surveys would be developed to gauge adherence to guidelines, but this is not always feasible. What we often do have is data from existing cybersecurity surveys. The authors argue that such data could be repurposed to quantify adherence to existing information security guidelines, and this paper aims to propose, and test, an original methodology to do so.

The authors propose a quantification mechanism to measure the degree of adherence to a set of published information security governance recommendations and guidelines targeted at organisational leaders. The authors test their quantification mechanism using a data set collected in a survey of 156 Italian companies on information security and privacy.

The evaluation of the proposed mechanism appears to align with findings in the literature, indicating the validity of the present approach. An analysis of how different industries rank in terms of their adherence to the selected set of recommendations and guidelines confirms the usability of our repurposed data set to measure adherence.

To the best of the authors’ knowledge, a quantification mechanism as the one proposed in this study has never been proposed, and tested, in the literature. It suggests a way to repurpose survey data to determine the extent to which companies are implementing measures recommended by published cybersecurity guidelines. This way, the proposed mechanism responds to increasing calls for the adoption of research practices that minimise waste of resources and enhance research sustainability.

The purpose of this study was to identify to identify reasons for the lack of protest against dragnet surveillance in the UK. As part of this investigation, a study was carried out to gauge the understanding of “privacy” and “confidentiality” by the well-informed.

To perform a best-case study, the authors identified a group of well-informed participants in terms of security. To gain insights into their privacy-related mental models, they were asked first to define the three core terms and then to identify the scenarios. Then, the participants were provided with privacy-related scenarios and were asked to demonstrate their understanding by classifying the scenarios and identifying violations.

Although the participants were mostly able to identify privacy and confidentiality scenarios, they experienced difficulties in articulating the actual meaning of the terms privacy, confidentiality and security.

There were a limited number of participants, yet the findings are interesting and justify further investigation. The implications, even of this initial study, are significant in that if citizens’ privacy rights are being violated and they did not seem to know how to protest this and if indeed they had the desire to do so.

Had the citizens understood the meaning of privacy, and their ancient right thereto, which is enshrined in law, their response to the Snowden revelations about ongoing wide-scale surveillance might well have been more strident and insistent.

People in the UK, where this study was carried out, do not seem to protest the privacy invasion effected by dragnet surveillance with any verve. The authors identify a number of possible reasons for this from the literature. One possible explanation is that people do not understand privacy. Thus, this study posits that privacy is unusual in that understanding does not seem to align with the ability to articulate the rights to privacy and their disapproval of such widespread surveillance. This seems to make protests unlikely.

There is widespread concern about the fact that small- and medium-sized enterprises (SMEs) seem to be particularly vulnerable to cyberattacks. This is perhaps because smaller businesses lack sufficient situational awareness to make informed decisions in this space, or because they lack the resources to implement security controls and precautions.

In this paper, Endsley’s theory of situation awareness was extended to propose a model of SMEs’ cyber situational awareness, and the extent to which this awareness triggers the implementation of cyber security measures. Empirical data were collected through an online survey of 361 UK-based SMEs; subsequently, the authors used partial least squares modeling to validate the model.

The results show that heightened situational awareness, as well as resource availability, significantly affects SMEs’ implementation of cyber precautions and controls.

While resource limitations are undoubtedly a problem for SMEs, their lack of cyber situational awareness seems to be the area requiring most attention.

The findings of this study are reported and recommendations were made that can help to improve situational awareness, which will have the effect of encouraging the implementation of cyber security measures.

This is the first study to apply the situational awareness theory to understand why SMEs do not implement cyber security best practice measures.

This study aims to investigate how phishers apply persuasion principles and construct deceptive URLs in mobile instant messaging (MIM) phishing.

In total, 67 examples of real-world MIM phishing attacks were collected from various online sources. Each example was coded using established guidelines from the literature to identify the persuasion principles, and the URL construction techniques employed.

The principles of social proof, liking and authority were the most widely used in MIM phishing, followed by scarcity and reciprocity. Most phishing examples use three persuasion principles, often a combination of authority, liking and social proof. In contrast to email phishing but similar to vishing, the social proof principle was the most commonly used in MIM phishing. Phishers implement the social proof principle in different ways, most commonly by claiming that other users have already acted (e.g. crafting messages that indicate the sender has already benefited from the scam). In contrast to email, retail and fintech companies are the most commonly targeted in MIM phishing. Furthermore, phishers created deceptive URLs using multiple URL obfuscation techniques, often using spoofed domains, to make the URL complex by adding random characters and using homoglyphs.

The insights from this study provide a theoretical foundation for future research on the psychological aspects of phishing in MIM apps. The study provides recommendations that software developers should consider when developing automated anti-phishing solutions for MIM apps and proposes a set of MIM phishing awareness training tips.

Phishing is still a very popular and effective security threat, and it takes, on average, more than a day to detect new phish websites. Protection by purely technical means is hampered by this vulnerability window. During this window, users need to act to protect themselves. To support users in doing so, the paper aims to propose to first make users aware of the need to consult the address bar. Moreover, the authors propose to prune URL displayed in the address bar. The authors report on an evaluation of this proposal.

The paper opted for an online study with 411 participants, judging 16 websites – all with authentic design: half with legitimate and half with phish URLs. The authors applied four popular widely used types of URL manipulation techniques. The authors conducted a within-subject and between-subject study with participants randomly assigned to one of two groups (domain highlighting or pruning). The authors then tested both proposals using a repeated-measures multivariate analysis of variance.

The analysis shows a significant improvement in terms of phish detection after providing the hint to check the address bar. Furthermore, the analysis shows a significant improvement in terms of phish detection after the hint to check the address bar for uninitiated participants in the pruning group, as compared to those in the highlighting group.

Because of the chosen research approach, the research results may lack generalisability. Therefore, researchers are encouraged to test the proposed propositions further.

This paper confirms the efficacy of URL pruning and of prompting users to consult the address bar for phish detection.

This paper introduces a classification for URL manipulation techniques used by phishers. We also provide evidence that drawing people’s attention to the address bar makes them more likely to spot phish websites, but does not impair their ability to identify authentic websites.

The purpose of this paper is to scope the field of child-related online harms and to produce a resource pack to communicate all the different dimensions of this domain to teachers and carers.

With children increasingly operating as independent agents online, their teachers and carers need to understand the risks of their new playground and the range of risk management strategies they can deploy. Carers and teachers play a prominent role in applying the three M’s: mentoring the child, mitigating harms using a variety of technologies (where possible) and monitoring the child’s online activities to ensure their cybersecurity and cybersafety. In this space, the core concepts of “cybersafety” and “cybersecurity” are substantively different and this should be acknowledged for the full range of counter-measures to be appreciated. Evidence of core concept conflation emerged, confirming the need for a resource pack to improve comprehension. A carefully crafted resource pack was developed to convey knowledge of risky behaviors for three age groups and mapped to the appropriate “three M’s” to be used as counter-measures.

The investigation revealed key concept conflation, and then identified a wide range of harms and countermeasures. The resource pack brings clarity to this domain for all stakeholders.

The number of people who were involved in the empirical investigation was limited to those living in Scotland and Nigeria, but it is unlikely that the situation is different elsewhere because the internet is global and children’s risky behaviors are likely to be similar across the globe.

Others have investigated this domain, but no one, to the authors’ knowledge, has come up with the “Three M’s” formulation and a visualization-based resource pack that can inform educators and carers in terms of actions they can take to address the harms.

Cyber-enabled crimes are on the increase, and law enforcement has had to expand many of their detecting activities into the digital domain. As such, the field of digital forensics has become far more sophisticated over the years and is now able to uncover even more evidence that can be used to support prosecution of cyber criminals in a court of law. Governments, too, have embraced the ability to track suspicious individuals in the online world. Forensics investigators are driven to gather data exhaustively, being under pressure to provide law enforcement with sufficient evidence to secure a conviction.

Yet, there are concerns about the ethics and justice of untrammeled investigations on a number of levels. On an organizational level, unconstrained investigations could interfere with, and damage, the organization's right to control the disclosure of their intellectual capital. On an individual level, those being investigated could easily have their legal privacy rights violated by forensics investigations. On a societal level, there might be a sense of injustice at the perceived inequality of current practice in this domain.

This paper argues the need for a practical, ethically grounded approach to digital forensic investigations, one that acknowledges and respects the privacy rights of individuals and the intellectual capital disclosure rights of organizations, as well as acknowledging the needs of law enforcement. The paper derives a set of ethical guidelines, and then maps these onto a forensics investigation framework. The framework to expert review in two stages is subjected, refining the framework after each stage. The paper concludes by proposing the refined ethically grounded digital forensics investigation framework. The treatise is primarily UK based, but the concepts presented here have international relevance and applicability.

In this paper, the lens of justice theory is used to explore the tension that exists between the needs of digital forensic investigations into cybercrimes on the one hand, and, on the other, individuals' rights to privacy and organizations' rights to control intellectual capital disclosure.

The investigation revealed a potential inequality between the practices of digital forensics investigators and the rights of other stakeholders. That being so, the need for a more ethically informed approach to digital forensics investigations, as a remedy, is highlighted and a framework proposed to provide this.

The proposed ethically informed framework for guiding digital forensics investigations suggests a way of re-establishing the equality of the stakeholders in this arena, and ensuring that the potential for a sense of injustice is reduced.

Justice theory is used to highlight the difficulties in squaring the circle between the rights and expectations of all stakeholders in the digital forensics arena. The outcome is the forensics investigation guideline, PRECEpt: Privacy-Respecting EthiCal framEwork, which provides the basis for a re-aligning of the balance between the requirements and expectations of digital forensic investigators on the one hand, and individual and organizational expectations and rights, on the other.

The purpose of this paper is to reveal the lived experiences of dyslexics in engaging with all kinds of alphanumeric authentication mechanisms.

A significant proportion of the world’s population experiences some degree of dyslexia, which can lead to spelling, processing, sequencing and retention difficulties. Passwords, being essentially sequences of alphanumeric characters, make it likely that dyslexics will struggle with these, even more so than the rest of the population. Here, this study explores the difficulties people with dyslexia face, their general experiences with passwords, the coping strategies they use and the advice they can provide to developers and others who struggle with passwords. This paper collects empirical data through semi-structured interviews with 13 participants. Thematic analysis was used to provide an in-depth view of each participant’s experience.

The main contribution of this paper is to provide evidence related to the inaccessibility dimensions of passwords as an authentication mechanism, especially for dyslexics and to recommend a solution direction.

There is a possible volunteer bias, as this study is dealing with self-reported data including historical and reflective elements and this paper is seeking information only from those with self-declared or diagnosed dyslexia. Furthermore, many expressed interest or curiosity in the relationship between dyslexia and password difficulties, for some a motivation for their participation. Finally, given that the participants told us that dyslexics might hide, it is possible that the experiences of those who do hide are different from those who chose to speak to us and thus were not hiding.

A few authors have written about the difficulties dyslexics face when it comes to passwords, but no one has asked dyslexics to tell them about their experiences. This paper fills that gap.

Penetration tests have become a valuable tool in the cyber security defence strategy in terms of detecting vulnerabilities. Although penetration testing has traditionally focussed on technical aspects, the field has started to realise the importance of the human in the organisation, and the need to ensure that humans are resistant to cyberattacks. To achieve this, some organisations “pentest” their employees, testing their resilience and ability to detect and repel human-targeted attacks. In a previous paper, the authors reported on PoinTER (Prepare TEst Remediate), a human pentesting framework, tailored to the needs of SMEs. This paper aims to propose improvements to refine the framework. The improvements are based on a derived set of ethical principles that have been subjected to ethical scrutiny

The authors conducted a systematic literature review of academic research, a review of actual hacker techniques, industry recommendations and official body advice related to social engineering techniques. To meet the requirements to have an ethical human pentesting framework, the authors compiled a list of ethical principles from the research literature which they used to filter out techniques deemed unethical.

Drawing on social engineering techniques from academic research, reported by the hacker community, industry recommendations and official body advice and subjecting each technique to ethical inspection, using a comprehensive list of ethical principles, the authors propose the refined GDPR-compliant and privacy respecting PoinTER framework. The list of ethical principles, as suggested, could also inform ethical technical pentests.

Previous work has considered penetration testing humans, but few have produced a comprehensive framework such as PoinTER. PoinTER has been rigorously derived from multiple sources and ethically scrutinised through inspection, using a comprehensive list of ethical principles derived from the research literature.