Högskolan i Skövde

his.sePublications
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • apa-cv
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Evaluation of Contextual and Game-Based Training for Phishing Detection
University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment. (Informationssystem, Information Systems)ORCID iD: 0000-0003-2084-9119
Xenolith AB, Skövde, Sweden.
University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment. (Informationssystem, Information Systems)ORCID iD: 0000-0001-5962-9995
University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment. (Interaction Lab)
Show others and affiliations
2022 (English)In: Future Internet, E-ISSN 1999-5903, Vol. 14, no 4Article in journal (Refereed) Published
Abstract [en]

Cybersecurity is a pressing matter, and a lot of the responsibility for cybersecurity is put on the individual user. The individual user is expected to engage in secure behavior by selecting good passwords, identifying malicious emails, and more. Typical support for users comes from Information Security Awareness Training (ISAT), which makes the effectiveness of ISAT a key cybersecurity issue. This paper presents an evaluation of how two promising methods for ISAT support users in acheiving secure behavior using a simulated experiment with 41 participants. The methods were game-based training, where users learn by playing a game, and Context-Based Micro-Training (CBMT), where users are presented with short information in a situation where the information is of direct relevance. Participants were asked to identify phishing emails while their behavior was monitored using eye-tracking technique. The research shows that both training methods can support users towards secure behavior and that CBMT does so to a higher degree than game-based training. The research further shows that most participants were susceptible to phishing, even after training, which suggests that training alone is insufficient to make users behave securely. Consequently, future research ideas, where training is combined with other support systems, are proposed

Place, publisher, year, edition, pages
MDPI, 2022. Vol. 14, no 4
Keywords [en]
usable security, cybersecurity training, ISAT, SETA, phishing, user awareness, security behavior
National Category
Computer Sciences
Research subject
Information Systems; Interaction Lab (ILAB); INF303 Information Security
Identifiers
URN: urn:nbn:se:his:diva-21026DOI: 10.3390/fi14040104ISI: 000786358900001Scopus ID: 2-s2.0-85128214429OAI: oai:DiVA.org:his-21026DiVA, id: diva2:1649842
Projects
Utveckling av beslutsstöd för användare i riskfyllda situationer online
Funder
The Swedish Post and Telecom Authority (PTS), 19-10617
Note

CC BY 4.0

Published: 25 March 2022

Correspondence: joakim.kavrestad@his.se

Available from: 2022-04-05 Created: 2022-04-05 Last updated: 2023-08-03Bibliographically approved
In thesis
1. Context-Based Micro-Training: Enhancing cybersecurity training for end-users
Open this publication in new window or tab >>Context-Based Micro-Training: Enhancing cybersecurity training for end-users
2022 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

This research addresses the human aspect of cybersecurity by developing a method for cybersecurity training of end-users. The reason for addressing that area is that human behaviour is widely regarded as one of the most used attack vectors. Exploiting human behaviour through various social engineering techniques, password guessing, and more is a common practice for attackers. Reports even suggest that human behaviour is exploited in 95% of all cybersecurity attacks. 

Human behaviour with regard to cybersecurity has been long discussed in the research. It is commonly suggested that users need support to behave securely. Training is often suggested as the way to improve user behaviour, and there are several different training methods available. The available training methods include instructor-led training, game-based training, eLearning, etc. However, even with the diversity of existing training methods, the effectiveness of such training has been questioned by recent research. Research suggests that existing training does not facilitate knowledge retention and user participation to a high enough degree.    

This research aims to address the problems with current training practices by developing a new method for cybersecurity training of end-users. The research used a design science (DS) approach to develop the new method in three increasingly complex design cycles. Principles for cybersecurity training were developed based on previous research and the Technology Acceptance Model and made the theoretical foundation of the reserach. The result is a theoretically grounded method for cybersecurity training that outlines goals and guidelines for how such training should be implemented. It has been evaluated in several steps with more than 1800 survey participants and 300 participants in various experiments. The evaluations have shown that it can both support users towards secure behaviour and be appreciated by its users.  

The main contribution of this research is the method for cybersecurity training, Context-Based Micro-Training (CBMT). CBMT is a theoretical contribution that describes good practices for cybersecurity training for end-users. Practitioners can adopt it as a guide on how to implement such training or to support procurement decisions. The research also shows the importance of integrating usability into the development of security practices. Users must positively receive both training and the guidelines imposed by training since positive user perception increases user adoption. Finally, the research shows that following security guidelines is difficult. While training is essential, this research suggests that training alone is not enough, and future research should consider the interplay between training and other support mechanisms.

Abstract [sv]

Denna forskning adresserar mänskliga aspekter på cybersäkerhet genom att utveckla en metod för cybersäkerhetsträning av användare. Forskningen motiveras med att användarbeteende anses vara en av de attackvektorer som angripare oftast använder. Att använda social manipulation, gissa lösenord och liknande för att utnyttja mänskligt beteende är vanligt. Vissa rapporter hävdar till och med att mänskligt beteende utnyttjas i 95% av alla cyberattacker.

Användarbeteende relaterat till cybersäkerhet har diskuterats i forskningen under lång tid. Det beskrivs ofta att användare behöver stöd för att agera säkert och träning föreslås ofta som sättet för att förbättra användarbeteenden. Det finns flera olika träningsmetoder att tillgå, bland annat lärarledd träning, spelbaserad träning och eLearning. Trots att det finns en mångfald av träningsmetoder har effektiviteten hos dessa metoder blivit ifrågasatt i samtida forskning. Forskning visar att existerande träningsmetoder inte ger tillräckligt bestående kunskap eller har tillräckligt hög användningsgrad.

Målet med denna forskning är att adressera problemen med existerande metoder för cybersäkerhetsträning genom att utveckla en ny metod för cybersäkerhetsträning av användare. Designbaserad forskning tillämpades för att utveckla den nya metoden i tre allt mer komplexa designcykler. Principer för cybersäkerhetsträning utvecklades baserat på tidigare forskning och teorin Technology Acceptance Model. Dessa principer utgjorde startpunkten för denna forskning. Resultatet är en teoretisk grundad metod för cybersäkerhetsträning vilken beskriver mål och riktlinjer för hur träning kan implementeras. Metoden har utvärderats i flera steg med fler än 1800 enkätdeltagare och 300 deltagare i olika experiment. Utvärderingarna visar att metoden kan stödja användare att agera säkert och att metoden uppskattas av användare.

Det huvudsakliga bidraget från denna forskning är metoden för säkerhetsträning, KontextBaserad MikroTräning (CBMT). CBMT är ett teoretiskt bidrag som beskriver mål och riktlinjer för säkerhetsträning av användare. Yrkesverksamma kan använda metoden som en guide för implementation av säkerhetsträning eller som ett stöd vid upphandling av säkerhetsträning. Forskningen visar också att det är viktigt att integrera användbarhet i utvecklingen av säkerhetsrutiner. När användare är positiva till träning, och de rutiner träningen förmedlar, ökar sannolikheten att användarna tillämpar rutinerna. Avslutningsvis påvisar forskningen att det är svårt för användare att följa säkerhetsråd. Även om träning är avgörande föreslår denna forskning att träning i sig inte är tillräckligt. Framtida forskning behöver studera samspelet mellan träning och andra stödfunktioner för användare.

Place, publisher, year, edition, pages
Skövde: University of Skövde, 2022. p. 139
Series
Dissertation Series ; 45
Keywords
cybersecurity, training, usable, security, user, education, awareness
National Category
Computer Systems Information Systems
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-21819 (URN)978-91-984919-9-9 (ISBN)
Public defence
2022-10-17, Assar Industrial Innovation Arena, Kavelbrovägen 2B, Skövde, 13:15 (English)
Opponent
Supervisors
Available from: 2022-09-20 Created: 2022-09-15 Last updated: 2022-09-20Bibliographically approved

Open Access in DiVA

fulltext(1395 kB)186 downloads
File information
File name FULLTEXT01.pdfFile size 1395 kBChecksum SHA-512
fd643d19bb6bfa20e2c34101b12fba95fb7182d531c8255f8177ff114d533ea8f63c612318af005d65289f3442f968d53ceead182f821084c5b2a4bc5a632867
Type fulltextMimetype application/pdf

Other links

Publisher's full textScopus

Authority records

Kävrestad, JoakimNohlberg, MarcusRambusch, Jana

Search in DiVA

By author/editor
Kävrestad, JoakimNohlberg, MarcusRambusch, JanaFurnell, Steven
By organisation
School of InformaticsInformatics Research Environment
In the same journal
Future Internet
Computer Sciences

Search outside of DiVA

GoogleGoogle Scholar
Total: 186 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 517 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • apa-cv
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf