Högskolan i Skövde

his.sePublications
Change search
Link to record
Permanent link

Direct link
Publications (10 of 56) Show all publications
Kävrestad, J., Fernow, R., Lööf, D. & Birath, M. (2025). Multi-factor Authentication Adoption: A Comparison Between Digital Natives and Digital Immigrants in Sweden. In: Nathan Clarke; Steven Furnell (Ed.), Human Aspects of Information Security and Assurance: 18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024, Proceedings, Part I. Paper presented at 18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024 (pp. 323-338). Cham: Springer
Open this publication in new window or tab >>Multi-factor Authentication Adoption: A Comparison Between Digital Natives and Digital Immigrants in Sweden
2025 (English)In: Human Aspects of Information Security and Assurance: 18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024, Proceedings, Part I / [ed] Nathan Clarke; Steven Furnell, Cham: Springer, 2025, p. 323-338Conference paper, Published paper (Refereed)
Abstract [en]

Multi-Factor Authentication (MFA) is commonly suggested as a good mechanism to overcome inherent security problems with the use of passwords. However, research suggests that MFA has so far failed to attract enough interest from users. Additionally, older users seem to be even more reluctant to use MFA. In Sweden, users are more or less required to use MFA to use services such as online banking, book doctors appointments online, and complete tax reports online. As such, Sweden is an interesting case for studying MFA adoption. This paper reports on mixed-methods research investigating how Swedish users in different age groups compare with respect to the adoption of MFA. The results suggest that users of different age are willing to adopt MFA when it is required for services they want or need to use. However, younger users appear to be more prone to voluntarily adopt MFA.

Place, publisher, year, edition, pages
Cham: Springer, 2025
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238, E-ISSN 1868-422X ; 721
National Category
Information Systems, Social aspects
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-24788 (URN)10.1007/978-3-031-72559-3_22 (DOI)2-s2.0-85211339529 (Scopus ID)978-3-031-72558-6 (ISBN)978-3-031-72561-6 (ISBN)978-3-031-72559-3 (ISBN)
Conference
18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024
Note

First Online: 28 November 2024

Available from: 2024-12-17 Created: 2024-12-17 Last updated: 2025-01-14Bibliographically approved
Kävrestad, J., Bergström, E., Stavrou, E. & Nohlberg, M. (2025). Useful but for Someone Else - An Explorative Study on Cybersecurity Training Acceptance. In: Nathan Clarke; Steven Furnell (Ed.), Human Aspects of Information Security and Assurance: 18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024, Proceedings, Part II. Paper presented at 18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024 (pp. 47-60). Cham: Springer
Open this publication in new window or tab >>Useful but for Someone Else - An Explorative Study on Cybersecurity Training Acceptance
2025 (English)In: Human Aspects of Information Security and Assurance: 18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024, Proceedings, Part II / [ed] Nathan Clarke; Steven Furnell, Cham: Springer, 2025, p. 47-60Conference paper, Published paper (Refereed)
Abstract [en]

Insecure user behavior is the most common cause of cybersecurity incidents. Insecure behavior includes failing to detect phishing, insecure password management, and more. The problem has been known for decades, and state-of-the-art mitigation methods include security education, training, and awareness (SETA). A common problem with SETA is, however, that users do not seem to adopt it to a high enough extent. When users are not adopting SETA, its intended benefit is lost. Previous research argues for personalized SETA and suggests that different user groups have different SETA needs and preferences. The characteristics of those groups are, however, unknown. To that end, this research draws on an existing dataset to identify how different populations perceive different SETA methods. A quantitative analysis shows that users in different demographic groups have different SETA preferences, with age being the most impactful demographic. A qualitative analysis reveals further factors that impact user adoption of SETA, with cost and ease of use being important factors for further research. 

Place, publisher, year, edition, pages
Cham: Springer, 2025
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238, E-ISSN 1868-422X ; 722
Keywords
Awareness, Cybersecurity, Education, Human Factor, SETA, Training, User, Phishing, Cyber security, Education training, Password management, Security awareness, Security education, Security training, User behaviors
National Category
Information Systems Information Systems, Social aspects Human Computer Interaction
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-24794 (URN)10.1007/978-3-031-72563-0_4 (DOI)2-s2.0-85211347407 (Scopus ID)978-3-031-72562-3 (ISBN)978-3-031-72565-4 (ISBN)978-3-031-72563-0 (ISBN)
Conference
18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024
Projects
VISKAICANP
Funder
Swedish Civil Contingencies Agency, MSB 2021-14650Swedish Civil Contingencies Agency, MSB 2023-10887
Note

© IFIP International Federation for Information Processing 2025

Correspondence Address: J. Kävrestad; School of Engineering, Jönköping University, Jönköping, Sweden; email: joakim.kavrestad@ju.se

We gratefully acknowledge the grants from the Swedish Civil Contingencies Agency (MSB), projects VISKA (MSB 2021-14650) and ICANP (MSB 2023-10887).

Available from: 2024-12-19 Created: 2024-12-19 Last updated: 2025-01-14Bibliographically approved
Kävrestad, J., Burvall, F. & Nohlberg, M. (2024). A taxonomy of factors that contribute to organizational Cybersecurity Awareness (CSA). Information and Computer Security
Open this publication in new window or tab >>A taxonomy of factors that contribute to organizational Cybersecurity Awareness (CSA)
2024 (English)In: Information and Computer Security, E-ISSN 2056-4961Article in journal (Refereed) Epub ahead of print
Abstract [en]

Purpose

Developing cybersecurity awareness (CSA) is becoming a more and more important goal for modern organizations. CSA is a complex sociotechnical system where social, technical and organizational aspects affect each other in an intertwined way. With the goal of providing a holistic representation of CSA, this paper aims to develop a taxonomy of factors that contribute to organizational CSA.

Design/methodology/approach

The research used a design science approach including a literature review and practitioner interviews. A taxonomy was drafted based on 71 previous research publications. It was then updated and refined in two iterations of interviews with domain experts.

Findings

The result of this research is a taxonomy which outline six domains for importance for organization CSA. Each domain includes several activities which can be undertaken to increase CSA within an organization. As such, it provides a holistic overview of the CSA field.

Practical implications

Organizations can adopt the taxonomy to create a roadmap for internal CSA practices. For example, an organization could assess how well it performs in the six main themes and use the subthemes as inspiration when deciding on CSA activities.

Originality/value

The output of this research provides an overview of CSA based on information extracted from existing literature and then reviewed by practitioners. It also outlines how different aspects of CSA are interdependent on each other.

Place, publisher, year, edition, pages
Emerald Group Publishing Limited, 2024
Keywords
Awareness, Cybersecurity, Information security, Culture
National Category
Information Systems, Social aspects
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-24001 (URN)10.1108/ics-11-2023-0209 (DOI)001248981600001 ()2-s2.0-85196288074 (Scopus ID)
Note

CC BY 4.0

Corresponding author Joakim Kävrestad can be contacted at: joakim.kavrestad@ju.se

Available from: 2024-06-20 Created: 2024-06-20 Last updated: 2024-07-12Bibliographically approved
Kävrestad, J., Rambusch, J. & Nohlberg, M. (2024). Design principles for cognitively accessible cybersecurity training. Computers & Security, 137, Article ID 103630.
Open this publication in new window or tab >>Design principles for cognitively accessible cybersecurity training
2024 (English)In: Computers & Security, ISSN 0167-4048, E-ISSN 1872-6208, Vol. 137, article id 103630Article in journal (Refereed) Published
Abstract [en]

Exploiting human behavior to gain unauthorized access to computer systems has become common practice for modern cybercriminals. Users are expected to adopt secure behavior to avoid those attackers. This secure behavior requires cognitive processing and is often seen as a nuisance which could explain why attacks exploiting user behavior continues to be a fruitful approach for attackers. While adopting secure behavior can be difficult for any user, it can be even more difficult for users with cognitive disabilities. This research focuses on users with cognitive disabilities with the intent of developing design principles for the development of cognitively accessible cybersecurity training. The target group is estimated to include almost 10 % of all users but is previously understudied. The results show that the target group experience cybersecurity as cognitively demanding, sometimes to a degree that becomes incapacitating. Participating in cybersecurity training requires cognitive energy which is a finite resource. Cognitively accessible cybersecurity training requires a minimalist design approach and inclusion of accessibility functions. A minimalist design approach, in this case, means that both informative and design elements should be kept to a minimum. The rationale is that all such elements require cognitive processing which should be kept to a minimum. 

Place, publisher, year, edition, pages
Elsevier, 2024
Keywords
Accessible security, Cognitive accessibility, Cybersecurity training, Cybersecurity training design, Usable security, Behavioral research, Network security, Cognitive processing, Cyber security, Design Principles, Training design, Cybersecurity
National Category
Information Systems Human Computer Interaction
Research subject
Information Systems; GAME Research Group
Identifiers
urn:nbn:se:his:diva-23469 (URN)10.1016/j.cose.2023.103630 (DOI)001134538700001 ()2-s2.0-85178635646 (Scopus ID)
Funder
The Swedish Post and Telecom Authority (PTS), 19-10617
Note

CC BY 4.0 DEED

© 2023 The Author(s)

Correspondence Address: J. Kävrestad; Jönköping School of Engineering, Jönköping, Gjuterigatan 5, 551 11, Sweden; email: joakim.kavrestad@ju.se; CODEN: CPSED

This research was funded by the Swedish Post and Telecom Authority under grant number 19-10617.

Available from: 2023-12-14 Created: 2023-12-14 Last updated: 2024-12-18Bibliographically approved
Kävrestad, J. & Nohlberg, M. (2024). Ett fundament i den svenska högre utbildningsmodellen är att kombinera forskning och undervisning. Aktuell säkerhet (2024-01-08)
Open this publication in new window or tab >>Ett fundament i den svenska högre utbildningsmodellen är att kombinera forskning och undervisning
2024 (Swedish)In: Aktuell säkerhet, no 2024-01-08Article in journal (Other (popular science, discussion, etc.)) Published
Abstract [sv]

Joakim Kävrestad, lektor i datavetenskap, Tekniska Högskolan i Jönköping och Marcus Nohlberg, docent i informationsteknologi, Högskolan i Skövde, håller inte med Jan Kallberg om att svensk cybersäkerhetsforskning borde kraftsamlas till några få platser.

National Category
Information Systems, Social aspects Human Aspects of ICT
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-23515 (URN)
Note

Replik

Available from: 2024-01-08 Created: 2024-01-08 Last updated: 2024-05-08Bibliographically approved
Ingemarsson, J., Birath, M. & Kävrestad, J. (2024). Factors influencing Swedish citizens’ willingness to provide their mobile phones to forensic examination. International Journal of Information Security, 24(1), Article ID 42.
Open this publication in new window or tab >>Factors influencing Swedish citizens’ willingness to provide their mobile phones to forensic examination
2024 (English)In: International Journal of Information Security, ISSN 1615-5262, E-ISSN 1615-5270, Vol. 24, no 1, article id 42Article in journal (Refereed) Published
Abstract [en]

The willingness of victims to report crimes is declining, which leads to an increase in the dark figure of crime and undermines effective crime control. One possible reason is that victims are reluctant to report crimes if they are required to submit their digital devices for forensic examination. Today, a mobile phone holds vast amounts of information that may be valuable for police forensics experts, showing that victims’ phones could be critical in crime investigations. This interview study has investigated the factors that influence Swedish citizens’ willingness to report crimes when reporting involves surrendering their own mobile phones for forensic analysis. The study also uncovered factors that increase their willingness to report crimes under the same circumstances. The gathered data was subjected to a qualitative analysis with thematic coding, resulting in four distinct themes with 12 categories distributed among them. The analysis reveals that the primary factors affecting Swedish citizens’ willingness to report crimes are privacy concerns, with participants feeling uneasy about others accessing their private data, and anxiety over being separated from their mobile phones. Furthermore, the study yields that the most significant factors for increasing the willingness to report crimes are enhanced information and transparency from the police. Participants suggested that better understanding of the process, and increased openness would increase their willingness to report.

Place, publisher, year, edition, pages
Springer Nature, 2024
Keywords
Digital forensics, Willingness to report, Evidence, Evidence acquisition, Crime investigations
National Category
Computer Sciences Information Systems Other Computer and Information Science
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-24787 (URN)10.1007/s10207-024-00955-4 (DOI)001377057200001 ()2-s2.0-85212133288 (Scopus ID)
Funder
University of Skövde
Note

CC BY 4.0

jonas.ingemarsson@his.se

Open access funding provided by University of Skövde.

Available from: 2024-12-16 Created: 2024-12-16 Last updated: 2025-01-14Bibliographically approved
Kävrestad, J., Furnell, S. & Nohlberg, M. (2024). User perception of Context-Based Micro-Training – a method for cybersecurity training. Information Security Journal, 33(2), 121-137
Open this publication in new window or tab >>User perception of Context-Based Micro-Training – a method for cybersecurity training
2024 (English)In: Information Security Journal, ISSN 1939-3555, E-ISSN 1939-3547, Vol. 33, no 2, p. 121-137Article in journal (Refereed) Published
Abstract [en]

User behavior is one of the biggest challenges to cybersecurity in modern organizations. Users are continuously targeted by attackers and required to have sufficient knowledge to spot and avoid such attacks. Different training methods are suggested and used in the industry to support users to behave securely. The challenge remains, and improved methods for end-user cybersecurity training are needed. This paper introduces and evaluates user perception of a method called Context-Based Micro-Training (CBMT). This approach suggests that training should be delivered in short sequences when the information is of direct relevance. The intention is to provide training directly related to the user’s current situation while also providing an awareness-increasing effect. This notion is tested in a survey-based evaluation involving 1,452 respondents from Sweden, Italy, and the UK, comparing the perception of CBMT against the experience of traditional approaches. The results emphasize that current methods are not effective enough and show that CBMT is perceived positively by respondents in all sample groups. The study further evaluated how demographic aspects impact the perception of CBMT and found that a diverse group of users can appreciate it.

Place, publisher, year, edition, pages
Taylor & Francis, 2024
Keywords
cybersecurity, end-user, perception, training
National Category
Computer and Information Sciences Human Computer Interaction Information Systems, Social aspects
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-22660 (URN)10.1080/19393555.2023.2222713 (DOI)001004357200001 ()2-s2.0-85161683304 (Scopus ID)
Funder
Vinnova, 2019-05021
Note

CC BY 4.0

Published online: 09 Jun 2023

CONTACT Joakim Kävrestad

The work was supported by VINNOVA under the grant [2019-05021].

Available from: 2023-06-09 Created: 2023-06-09 Last updated: 2024-02-14Bibliographically approved
Kävrestad, J., Nohlberg, M. & Furnell, S. (2023). A taxonomy of SETA methods and linkage to delivery preferences. The Data base for Advances in Information Systems, 54(4), 107-133
Open this publication in new window or tab >>A taxonomy of SETA methods and linkage to delivery preferences
2023 (English)In: The Data base for Advances in Information Systems, ISSN 0095-0033, Vol. 54, no 4, p. 107-133Article in journal (Refereed) Published
Abstract [en]

Cybersecurity threats targeting users are common in today’s information systems. Threat actors exploit human behavior to gain unauthorized access to systems and data. The common suggestion for addressing this problem is to train users to behave better using SETA programs. The notion of training users is old, and several SETA methods are described in scientific literature. Yet, incidents stemming from insecure user behavior continue to happen and are reported as one of the most common types of incidents. Researchers argue that empirically proven SETA programs are needed and point out focus on knowledge rather than behavior, and poor user adoption, as problems with existing programs. The present study aims to research user preferences regarding SETA methods, with the motivation that a user is more likely to adopt a program perceived positively. A qualitative approach is used to identify existing SETA methods, and a quantitative approach is used to measure user preferences regarding SETA delivery. We show that users prefer SETA methods to be effortless and flexible and outline how existing methods meet that preference. The results outline how SETA methods respond to user preferences and how different SETA methods can be implemented to maximize user perception, thereby supporting user adoption.

Place, publisher, year, edition, pages
Association for Computing Machinery (ACM), 2023
Keywords
Cybersecurity, Security Training, Security Behavior, Security Awareness, User Training
National Category
Information Systems, Social aspects
Research subject
INF303 Information Security; Information Systems
Identifiers
urn:nbn:se:his:diva-22261 (URN)10.1145/3631341.3631348 (DOI)001098050000006 ()2-s2.0-85176937421 (Scopus ID)
Note

The ACM Digital Library is published by the Association for Computing Machinery. Copyright © 2023 ACM, Inc.

Available from: 2023-02-14 Created: 2023-02-14 Last updated: 2024-04-15Bibliographically approved
Kävrestad, J., Lindvall, D. & Nohlberg, M. (2023). Combating digital exclusion with cybersecurity training – an interview study with Swedish seniors. In: Steve Furnell; Nathan Clarke (Ed.), Human Aspects of Information Security and Assurance: 17th IFIP WG 11.12 International Symposium, HAISA 2023, Kent, UK, July 4–6, 2023, Proceedings. Paper presented at 17th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance, HAISA 2023, Kent, United Kingdom, July 4–6, 2023 (pp. 3-12). Cham: Springer, 1
Open this publication in new window or tab >>Combating digital exclusion with cybersecurity training – an interview study with Swedish seniors
2023 (English)In: Human Aspects of Information Security and Assurance: 17th IFIP WG 11.12 International Symposium, HAISA 2023, Kent, UK, July 4–6, 2023, Proceedings / [ed] Steve Furnell; Nathan Clarke, Cham: Springer, 2023, Vol. 1, p. 3-12Conference paper, Published paper (Refereed)
Abstract [en]

While rapid digitalization is beneficial for a majority of all people, some people struggle to adopt digital technology. Not only do these persons miss the potential benefits of digitalization, but they are also suffering from the fact that many services are no longer provided in a non-digital way. Previous research suggests that a lack of security literacy and awareness is one driving factor behind the digital exclusion for senior citizens. To that end, this research focuses on cybersecurity training for seniors. Seniors are here defined as those aged above 65. Using interviews with eight seniors, this research evaluates the use of contextual training in this user group. The rationale is that contextual training has been found to have positive results in other user groups. The results suggest that contextual cybersecurity training can increase cybersecurity awareness for senior citizens and be appreciated by the users. The participants also confirm previous research describing that cybersecurity concerns are a driving factor behind digital exclusion and that contextual cybersecurity training can make seniors more comfortable adopting digital services.

Place, publisher, year, edition, pages
Cham: Springer, 2023
Series
IFIP Advances in Information and Communication Technology (IFIPAICT), ISSN 1868-4238, E-ISSN 1868-422X ; 674
Keywords
cybersecurity awareness, senior digital exclusion, contextual training
National Category
Human Computer Interaction Information Systems, Social aspects
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-23031 (URN)10.1007/978-3-031-38530-8_1 (DOI)2-s2.0-85172691419 (Scopus ID)978-3-031-38529-2 (ISBN)978-3-031-38532-2 (ISBN)978-3-031-38530-8 (ISBN)
Conference
17th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance, HAISA 2023, Kent, United Kingdom, July 4–6, 2023
Available from: 2023-07-13 Created: 2023-07-13 Last updated: 2024-07-03Bibliographically approved
Kävrestad, J., Fallatah, W. & Furnell, S. (2023). Cybersecurity training acceptance: A literature review. In: Steve Furnell; Nathan Clarke (Ed.), Human Aspects of Information Security and Assurance: 17th IFIP WG 11.12 International Symposium, HAISA 2023, Kent, UK, July 4–6, 2023, Proceedings. Paper presented at 17th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance, HAISA 2023, Kent, United Kingdom, July 4–6, 2023 (pp. 53-63). Cham: Springer, 1
Open this publication in new window or tab >>Cybersecurity training acceptance: A literature review
2023 (English)In: Human Aspects of Information Security and Assurance: 17th IFIP WG 11.12 International Symposium, HAISA 2023, Kent, UK, July 4–6, 2023, Proceedings / [ed] Steve Furnell; Nathan Clarke, Cham: Springer, 2023, Vol. 1, p. 53-63Conference paper, Published paper (Refereed)
Abstract [en]

User behavior is widely acknowledged as a crucial part of cybersecurity, and training is the most commonly suggested way of ensuring secure behavior. However, an open challenge is to get users to engage with such training to a high enough extent. Consequently, this paper provides research into user acceptance of cybersecurity training. User acceptance can be understood from a socio-technical perspective and depends on the training itself, the organization where it is deployed, and the user expected to engage with it. A structured literature review is conducted to review previous research on cybersecurity training acceptance using a social-technical approach. The paper contributes with an overview of how user acceptance has been researched in the three social-technical dimensions and with what results. The review shows that previous research mostly focused on how the training method itself affects user acceptance, while research focusing on organizational or user-related dimensions is more scarce. Consequently, the paper calls for further research on the organizational aspects of user acceptance of cybersecurity training and how user acceptance can differ between user groups.

Place, publisher, year, edition, pages
Cham: Springer, 2023
Series
IFIP Advances in Information and Communication Technology (IFIPAICT), ISSN 1868-4238, E-ISSN 1868-422X ; 674
Keywords
security training, education, user acceptance, adoption
National Category
Human Computer Interaction Information Systems, Social aspects
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-23030 (URN)10.1007/978-3-031-38530-8_5 (DOI)2-s2.0-85172701495 (Scopus ID)978-3-031-38529-2 (ISBN)978-3-031-38532-2 (ISBN)978-3-031-38530-8 (ISBN)
Conference
17th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance, HAISA 2023, Kent, United Kingdom, July 4–6, 2023
Available from: 2023-07-13 Created: 2023-07-13 Last updated: 2023-10-16Bibliographically approved
Organisations
Identifiers
ORCID iD: ORCID iD iconorcid.org/0000-0003-2084-9119

Search in DiVA

Show all publications