Högskolan i Skövde

his.sePublications
Change search
Link to record
Permanent link

Direct link
Publications (10 of 52) Show all publications
Kävrestad, J., Rambusch, J. & Nohlberg, M. (2024). Design principles for cognitively accessible cybersecurity training. Computers & security (Print), 137, Article ID 103630.
Open this publication in new window or tab >>Design principles for cognitively accessible cybersecurity training
2024 (English)In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 137, article id 103630Article in journal (Refereed) Published
Abstract [en]

Exploiting human behavior to gain unauthorized access to computer systems has become common practice for modern cybercriminals. Users are expected to adopt secure behavior to avoid those attackers. This secure behavior requires cognitive processing and is often seen as a nuisance which could explain why attacks exploiting user behavior continues to be a fruitful approach for attackers. While adopting secure behavior can be difficult for any user, it can be even more difficult for users with cognitive disabilities. This research focuses on users with cognitive disabilities with the intent of developing design principles for the development of cognitively accessible cybersecurity training. The target group is estimated to include almost 10 % of all users but is previously understudied. The results show that the target group experience cybersecurity as cognitively demanding, sometimes to a degree that becomes incapacitating. Participating in cybersecurity training requires cognitive energy which is a finite resource. Cognitively accessible cybersecurity training requires a minimalist design approach and inclusion of accessibility functions. A minimalist design approach, in this case, means that both informative and design elements should be kept to a minimum. The rationale is that all such elements require cognitive processing which should be kept to a minimum. 

Place, publisher, year, edition, pages
Elsevier, 2024
Keywords
Accessible security, Cognitive accessibility, Cybersecurity training, Cybersecurity training design, Usable security, Behavioral research, Network security, Cognitive processing, Cyber security, Design Principles, Training design, Cybersecurity
National Category
Information Systems Human Computer Interaction
Research subject
Interaction Lab (ILAB); Information Systems
Identifiers
urn:nbn:se:his:diva-23469 (URN)10.1016/j.cose.2023.103630 (DOI)001134538700001 ()2-s2.0-85178635646 (Scopus ID)
Funder
The Swedish Post and Telecom Authority (PTS), 19-10617
Note

CC BY 4.0 DEED

© 2023 The Author(s)

Correspondence Address: J. Kävrestad; Jönköping School of Engineering, Jönköping, Gjuterigatan 5, 551 11, Sweden; email: joakim.kavrestad@ju.se; CODEN: CPSED

This research was funded by the Swedish Post and Telecom Authority under grant number 19-10617.

Available from: 2023-12-14 Created: 2023-12-14 Last updated: 2024-01-26Bibliographically approved
Kävrestad, J. & Nohlberg, M. (2024). Ett fundament i den svenska högre utbildningsmodellen är att kombinera forskning och undervisning. Aktuell säkerhet (8 januari)
Open this publication in new window or tab >>Ett fundament i den svenska högre utbildningsmodellen är att kombinera forskning och undervisning
2024 (Swedish)In: Aktuell säkerhet, no 8 januariArticle in journal (Other (popular science, discussion, etc.)) Published
Abstract [sv]

Joakim Kävrestad, lektor i datavetenskap, Tekniska Högskolan i Jönköping och Marcus Nohlberg, docent i informationsteknologi, Högskolan i Skövde, håller inte med Jan Kallberg om att svensk cybersäkerhetsforskning borde kraftsamlas till några få platser.

National Category
Information Systems, Social aspects Human Aspects of ICT
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-23515 (URN)
Note

Replik

Available from: 2024-01-08 Created: 2024-01-08 Last updated: 2024-01-08Bibliographically approved
Kävrestad, J., Furnell, S. & Nohlberg, M. (2024). User perception of Context-Based Micro-Training – a method for cybersecurity training. Information Security Journal, 33(2), 121-137
Open this publication in new window or tab >>User perception of Context-Based Micro-Training – a method for cybersecurity training
2024 (English)In: Information Security Journal, ISSN 1939-3555, E-ISSN 1939-3547, Vol. 33, no 2, p. 121-137Article in journal (Refereed) Published
Abstract [en]

User behavior is one of the biggest challenges to cybersecurity in modern organizations. Users are continuously targeted by attackers and required to have sufficient knowledge to spot and avoid such attacks. Different training methods are suggested and used in the industry to support users to behave securely. The challenge remains, and improved methods for end-user cybersecurity training are needed. This paper introduces and evaluates user perception of a method called Context-Based Micro-Training (CBMT). This approach suggests that training should be delivered in short sequences when the information is of direct relevance. The intention is to provide training directly related to the user’s current situation while also providing an awareness-increasing effect. This notion is tested in a survey-based evaluation involving 1,452 respondents from Sweden, Italy, and the UK, comparing the perception of CBMT against the experience of traditional approaches. The results emphasize that current methods are not effective enough and show that CBMT is perceived positively by respondents in all sample groups. The study further evaluated how demographic aspects impact the perception of CBMT and found that a diverse group of users can appreciate it.

Place, publisher, year, edition, pages
Taylor & Francis, 2024
Keywords
cybersecurity, end-user, perception, training
National Category
Computer and Information Sciences Human Computer Interaction Information Systems, Social aspects
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-22660 (URN)10.1080/19393555.2023.2222713 (DOI)001004357200001 ()2-s2.0-85161683304 (Scopus ID)
Funder
Vinnova, 2019-05021
Note

CC BY 4.0

Published online: 09 Jun 2023

CONTACT Joakim Kävrestad

The work was supported by VINNOVA under the grant [2019-05021].

Available from: 2023-06-09 Created: 2023-06-09 Last updated: 2024-02-14Bibliographically approved
Kävrestad, J., Nohlberg, M. & Furnell, S. (2023). A taxonomy of SETA methods and linkage to delivery preferences. The Data base for Advances in Information Systems, 54(4), 107-133
Open this publication in new window or tab >>A taxonomy of SETA methods and linkage to delivery preferences
2023 (English)In: The Data base for Advances in Information Systems, ISSN 0095-0033, Vol. 54, no 4, p. 107-133Article in journal (Refereed) Published
Abstract [en]

Cybersecurity threats targeting users are common in today’s information systems. Threat actors exploit human behavior to gain unauthorized access to systems and data. The common suggestion for addressing this problem is to train users to behave better using SETA programs. The notion of training users is old, and several SETA methods are described in scientific literature. Yet, incidents stemming from insecure user behavior continue to happen and are reported as one of the most common types of incidents. Researchers argue that empirically proven SETA programs are needed and point out focus on knowledge rather than behavior, and poor user adoption, as problems with existing programs. The present study aims to research user preferences regarding SETA methods, with the motivation that a user is more likely to adopt a program perceived positively. A qualitative approach is used to identify existing SETA methods, and a quantitative approach is used to measure user preferences regarding SETA delivery. We show that users prefer SETA methods to be effortless and flexible and outline how existing methods meet that preference. The results outline how SETA methods respond to user preferences and how different SETA methods can be implemented to maximize user perception, thereby supporting user adoption.

Place, publisher, year, edition, pages
Association for Computing Machinery (ACM), 2023
Keywords
Cybersecurity, Security Training, Security Behavior, Security Awareness, User Training
National Category
Information Systems, Social aspects
Research subject
INF303 Information Security; Information Systems
Identifiers
urn:nbn:se:his:diva-22261 (URN)10.1145/3631341.3631348 (DOI)001098050000006 ()2-s2.0-85176937421 (Scopus ID)
Note

The ACM Digital Library is published by the Association for Computing Machinery. Copyright © 2023 ACM, Inc.

Available from: 2023-02-14 Created: 2023-02-14 Last updated: 2023-12-11Bibliographically approved
Kävrestad, J., Lindvall, D. & Nohlberg, M. (2023). Combating digital exclusion with cybersecurity training – an interview study with Swedish seniors. In: Steve Furnell; Nathan Clarke (Ed.), Human Aspects of Information Security and Assurance: 17th IFIP WG 11.12 International Symposium, HAISA 2023, Kent, UK, July 4–6, 2023, Proceedings. Paper presented at 17th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance, HAISA 2023, Kent, United Kingdom, July 4–6, 2023 (pp. 3-12). Cham: Springer, 1
Open this publication in new window or tab >>Combating digital exclusion with cybersecurity training – an interview study with Swedish seniors
2023 (English)In: Human Aspects of Information Security and Assurance: 17th IFIP WG 11.12 International Symposium, HAISA 2023, Kent, UK, July 4–6, 2023, Proceedings / [ed] Steve Furnell; Nathan Clarke, Cham: Springer, 2023, Vol. 1, p. 3-12Conference paper, Published paper (Refereed)
Abstract [en]

While rapid digitalization is beneficial for a majority of all people, some people struggle to adopt digital technology. Not only do these persons miss the potential benefits of digitalization, but they are also suffering from the fact that many services are no longer provided in a non-digital way. Previous research suggests that a lack of security literacy and awareness is one driving factor behind the digital exclusion for senior citizens. To that end, this research focuses on cybersecurity training for seniors. Seniors are here defined as those aged above 65. Using interviews with eight seniors, this research evaluates the use of contextual training in this user group. The rationale is that contextual training has been found to have positive results in other user groups. The results suggest that contextual cybersecurity training can increase cybersecurity awareness for senior citizens and be appreciated by the users. The participants also confirm previous research describing that cybersecurity concerns are a driving factor behind digital exclusion and that contextual cybersecurity training can make seniors more comfortable adopting digital services.

Place, publisher, year, edition, pages
Cham: Springer, 2023
Series
IFIP Advances in Information and Communication Technology (IFIPAICT), ISSN 1868-4238, E-ISSN 1868-422X ; 674
Keywords
cybersecurity awareness, senior digital exclusion, contextual training
National Category
Human Computer Interaction Information Systems, Social aspects
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-23031 (URN)10.1007/978-3-031-38530-8_1 (DOI)2-s2.0-85172691419 (Scopus ID)978-3-031-38529-2 (ISBN)978-3-031-38532-2 (ISBN)978-3-031-38530-8 (ISBN)
Conference
17th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance, HAISA 2023, Kent, United Kingdom, July 4–6, 2023
Available from: 2023-07-13 Created: 2023-07-13 Last updated: 2023-10-16Bibliographically approved
Kävrestad, J., Fallatah, W. & Furnell, S. (2023). Cybersecurity training acceptance: A literature review. In: Steve Furnell; Nathan Clarke (Ed.), Human Aspects of Information Security and Assurance: 17th IFIP WG 11.12 International Symposium, HAISA 2023, Kent, UK, July 4–6, 2023, Proceedings. Paper presented at 17th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance, HAISA 2023, Kent, United Kingdom, July 4–6, 2023 (pp. 53-63). Cham: Springer, 1
Open this publication in new window or tab >>Cybersecurity training acceptance: A literature review
2023 (English)In: Human Aspects of Information Security and Assurance: 17th IFIP WG 11.12 International Symposium, HAISA 2023, Kent, UK, July 4–6, 2023, Proceedings / [ed] Steve Furnell; Nathan Clarke, Cham: Springer, 2023, Vol. 1, p. 53-63Conference paper, Published paper (Refereed)
Abstract [en]

User behavior is widely acknowledged as a crucial part of cybersecurity, and training is the most commonly suggested way of ensuring secure behavior. However, an open challenge is to get users to engage with such training to a high enough extent. Consequently, this paper provides research into user acceptance of cybersecurity training. User acceptance can be understood from a socio-technical perspective and depends on the training itself, the organization where it is deployed, and the user expected to engage with it. A structured literature review is conducted to review previous research on cybersecurity training acceptance using a social-technical approach. The paper contributes with an overview of how user acceptance has been researched in the three social-technical dimensions and with what results. The review shows that previous research mostly focused on how the training method itself affects user acceptance, while research focusing on organizational or user-related dimensions is more scarce. Consequently, the paper calls for further research on the organizational aspects of user acceptance of cybersecurity training and how user acceptance can differ between user groups.

Place, publisher, year, edition, pages
Cham: Springer, 2023
Series
IFIP Advances in Information and Communication Technology (IFIPAICT), ISSN 1868-4238, E-ISSN 1868-422X ; 674
Keywords
security training, education, user acceptance, adoption
National Category
Human Computer Interaction Information Systems, Social aspects
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-23030 (URN)10.1007/978-3-031-38530-8_5 (DOI)2-s2.0-85172701495 (Scopus ID)978-3-031-38529-2 (ISBN)978-3-031-38532-2 (ISBN)978-3-031-38530-8 (ISBN)
Conference
17th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance, HAISA 2023, Kent, United Kingdom, July 4–6, 2023
Available from: 2023-07-13 Created: 2023-07-13 Last updated: 2023-10-16Bibliographically approved
Ameel, H., Decavele, T., Eeckhout, C., van der Heide, J., Lohner, D., van der Ploeg, B., . . . Luh, R. (2023). Experiences From a Multi-National Course in Cybersecurity Awareness Raising. International Journal of Information Security and Cybercrime (IJISC), 12(1), 18-22, Article ID 2.
Open this publication in new window or tab >>Experiences From a Multi-National Course in Cybersecurity Awareness Raising
Show others...
2023 (English)In: International Journal of Information Security and Cybercrime (IJISC), ISSN 2285-9225, Vol. 12, no 1, p. 18-22, article id 2Article in journal (Refereed) Published
Abstract [en]

The European Union (EU), as well as the entire world, is facing emerging challenges in the cybersecurity domain. Two of the most prominent challenges are citizens’ cybersecurity awareness which is the first line of defense against cybersecurity incidents, and the cybersecurity skill gap expected to lead to a future shortage of cybersecurity professionals. This paper presents an effort to combat those issues through the implementation of an intra-European course on cybersecurity awareness. The course engages university students from four EU member states who learn about increasing cybersecurity awareness while practically developing cybersecurity awareness activities for preadolescents. The paper provides an overview of the course and lessons learned from implementing it in international cooperation. The intention is to provide a guide for the development of such courses and outline success factors others can adopt and pitfalls that should be avoided.

Place, publisher, year, edition, pages
The Romanian Association for Information Security Assurance (RAISA), 2023
Keywords
awareness, course, cybersecurity, development, education, international
National Category
Human Computer Interaction Information Systems, Social aspects
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-23246 (URN)10.19107/IJISC.2023.01.02 (DOI)
Available from: 2023-09-25 Created: 2023-09-25 Last updated: 2023-10-10Bibliographically approved
Lindqvist, G. & Kävrestad, J. (2023). How privacy concerns impact Swedish citizens’ willingness to report crimes: a quantitative mobile phone survey. Information and Computer Security, 31(3), 304-315
Open this publication in new window or tab >>How privacy concerns impact Swedish citizens’ willingness to report crimes: a quantitative mobile phone survey
2023 (English)In: Information and Computer Security, E-ISSN 2056-4961, Vol. 31, no 3, p. 304-315Article in journal (Refereed) Published
Abstract [en]

Purpose

The purpose of this paper is to identify whether there is a lower willingness to report a crime if a victim must hand in their mobile phone as evidence. If that is the case, the research seeks to examine whether privacy concerns and lower willingness correlate with one another and thereby investigate whether privacy concerns could lead to fewer crimes being reported and resolved.

Design/methodology/approach

A mobile phone survey was distributed to 400 Swedish adults to identify their hypothetical willingness to report certain crimes with and without handing in their mobile phones as evidence. The results were then analysed using inferential statistics.

Findings

The result suggests that there is no meaningful correlation between privacy attitudes and willingness to report crime when the handover of a mobile phone is necessary. The results of this study however show a significant lower willingness to report crimes when the mobile phone must be handed in.

Research limitations/implications

Because the chosen target group were Swedish adults, the research results may lack generalisability for other demographics. Therefore, researchers are encouraged to test other demographics.

Originality/value

This paper’s contribution is the novel exploration of attitudes and behaviours regarding the combination of privacy, digital forensics, mobile phones and crime reportage. This research effort examined the problematic situation that can arise for victims of crime, the invasion of privacy when providing evidence by handing in a mobile phone to the police’s forensic unit for examination.

Place, publisher, year, edition, pages
Emerald Group Publishing Limited, 2023
Keywords
crime, digital forensics, privacy, mobile phone
National Category
Computer and Information Sciences
Research subject
INF303 Information Security; Information Systems
Identifiers
urn:nbn:se:his:diva-22245 (URN)10.1108/ICS-10-2022-0167 (DOI)000929129600001 ()2-s2.0-85147513542 (Scopus ID)
Note

CC BY 4.0

Article publication date: 9 February 2023

Corresponding author Joakim Kävrestad can be contacted at: joakim.kavrestad@his.se

Available from: 2023-02-08 Created: 2023-02-08 Last updated: 2023-07-06Bibliographically approved
Kävrestad, J., Abbasi, M. A., Tarczal, M. & Nohlberg, M. (2023). The impact of short-term memory on phishing detection ability and password behaviour. In: Peter Bednar; Fatema Zaghloul; Christine Welch; Alexander Nolte; Mikko Rajanen; Anna Sigridur Islind; Helena Vallo Hult; Aurelio Ravarini; Alessio Maria Braccini (Ed.), Proceedings of the 9th International Conference on Socio-Technical Perspective in Information Systems Development (STPIS 2023): . Paper presented at 9th International Conference on Socio-Technical Perspective in Information Systems Development, STPIS 2023 Hybrid, Portsmouth 27 October 2023 through 28 October 2023 (pp. 160-173). CEUR-WS
Open this publication in new window or tab >>The impact of short-term memory on phishing detection ability and password behaviour
2023 (English)In: Proceedings of the 9th International Conference on Socio-Technical Perspective in Information Systems Development (STPIS 2023) / [ed] Peter Bednar; Fatema Zaghloul; Christine Welch; Alexander Nolte; Mikko Rajanen; Anna Sigridur Islind; Helena Vallo Hult; Aurelio Ravarini; Alessio Maria Braccini, CEUR-WS , 2023, p. 160-173Conference paper, Published paper (Refereed)
Abstract [en]

Cybersecurity is a socio-technical discipline which is dependent on the interplay between users and devices, and the organizations where this interplay takes place. Previous research has shown that the interplay between users and devices is highly affected by the cognitive abilities of users. This is prominent in cybersecurity, which requires users to make security-aware decisions when, for instance, reading emails and decide which emails are legitimate and which emails constitute phishing. Research further suggests that decision-making is dependent on memory ability, which is the focus of this research. In this study, we investigate the impact of short-term memory on phishing detection ability and password behaviour. A web survey was used to collect quantitative data from a large sample of respondents. The survey was distributed on social media platforms and 93 participants completed the survey. The results indicate a positive correlation between short-term memory scores and both password detection ability and password behavior. 

Place, publisher, year, edition, pages
CEUR-WS, 2023
Series
CEUR Workshop Proceedings, ISSN 1613-0073 ; 3598
Keywords
behaviour, cybersecurity, memory, password, phishing, Authentication, Brain, Computer crime, Decision making, Long short-term memory, Behavior, Cognitive ability, Cyber security, Detection ability, Phishing detections, Security-aware, Short term memory, Sociotechnical, Electronic mail
National Category
Computer Sciences Human Computer Interaction Information Systems Information Systems, Social aspects
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-23531 (URN)2-s2.0-85181156268 (Scopus ID)
Conference
9th International Conference on Socio-Technical Perspective in Information Systems Development, STPIS 2023 Hybrid, Portsmouth 27 October 2023 through 28 October 2023
Note

CC BY 4.0 DEED

© 2023 CEUR-WS. All rights reserved

Correspondence Address: J. Kävrestad; School of Informatics, University of Skövde, Sweden; email: joakim.kavrestad@ju.se

Available from: 2024-01-11 Created: 2024-01-11 Last updated: 2024-01-17Bibliographically approved
Birath, M., Ginman, J. & Kävrestad, J. (2022). A Model for the Creation of Biographical Dictionaries. In: Peter Bednar; Anna Sigridur Islind; Helena Vallo Hult; Alexander Nolte; Mikko Rajanen; Fatema Zaghloul; Aurelio Ravarini; Alessio Maria Braccini (Ed.), Proceedings of the 8th International Workshop on Socio-Technical Perspective in Information Systems Development (STPIS 2022): Hybrid conference in Reykjavik, Iceland, August 19-20, 2022. Paper presented at 8th International Workshop on Socio-Technical Perspective in Information Systems Development (STPIS 2022) Hybrid conference in Reykjavik, Iceland, August 19-20, 2022 (pp. 165-172). CEUR-WS
Open this publication in new window or tab >>A Model for the Creation of Biographical Dictionaries
2022 (English)In: Proceedings of the 8th International Workshop on Socio-Technical Perspective in Information Systems Development (STPIS 2022): Hybrid conference in Reykjavik, Iceland, August 19-20, 2022 / [ed] Peter Bednar; Anna Sigridur Islind; Helena Vallo Hult; Alexander Nolte; Mikko Rajanen; Fatema Zaghloul; Aurelio Ravarini; Alessio Maria Braccini, CEUR-WS , 2022, p. 165-172Conference paper, Published paper (Refereed)
Abstract [en]

The use of encryption is increasing, and while that is good for cybersecurity it is a core challenge for digital forensics. Encrypted information cannot be analyzed unless it is first decrypted, which is a complex and time-consuming process. Using a brute force attack to guess the password used for encryption is deemed impractical as even a simple password, being long enough, could take weeks, months, or even years to find. A more feasible approach is to use a dictionary attack where each word in a list is tested. However, a dictionary attack is only successful if the password is in the list, making the process of creating that list a crucial part of decrypting passwords. This research builds on existing literature showing that users commonly use strategies to create passwords, and the aim is to propose a method for creating dictionaries that are grounded in theories of password construction. An initial model was developed using a selective literature review with the purpose of identifying common elements included in biographical passwords, and in what order the elements are used. To improve the model, the study utilized semi-structured interviews with forensic experts from the Swedish police and the Swedish National Forensic Center (NFC). The main contribution of this research is a readily available model for creating dictionaries that can be used by practitioners. The model can also serve as a theoretical contribution that describes how users commonly construct biographical passwords.

Place, publisher, year, edition, pages
CEUR-WS, 2022
Series
CEUR Workshop Proceedings, ISSN 1613-0073 ; 3239
Keywords
passwords, biographical dictionary, password cracking, digital forensics
National Category
Other Computer and Information Science
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-21949 (URN)2-s2.0-85139846312 (Scopus ID)
Conference
8th International Workshop on Socio-Technical Perspective in Information Systems Development (STPIS 2022) Hybrid conference in Reykjavik, Iceland, August 19-20, 2022
Note

CC BY 4.0

Available from: 2022-10-14 Created: 2022-10-14 Last updated: 2023-01-16Bibliographically approved
Organisations
Identifiers
ORCID iD: ORCID iD iconorcid.org/0000-0003-2084-9119

Search in DiVA

Show all publications