Högskolan i Skövde

his.sePublications
Change search
Refine search result
12 1 - 50 of 63
CiteExportLink to result list
Permanent link
Cite
Citation style
  • apa
  • apa-cv
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Rows per page
  • 5
  • 10
  • 20
  • 50
  • 100
  • 250
Sort
  • Standard (Relevance)
  • Author A-Ö
  • Author Ö-A
  • Title A-Ö
  • Title Ö-A
  • Publication type A-Ö
  • Publication type Ö-A
  • Issued (Oldest first)
  • Issued (Newest first)
  • Created (Oldest first)
  • Created (Newest first)
  • Last updated (Oldest first)
  • Last updated (Newest first)
  • Disputation date (earliest first)
  • Disputation date (latest first)
  • Standard (Relevance)
  • Author A-Ö
  • Author Ö-A
  • Title A-Ö
  • Title Ö-A
  • Publication type A-Ö
  • Publication type Ö-A
  • Issued (Oldest first)
  • Issued (Newest first)
  • Created (Oldest first)
  • Created (Newest first)
  • Last updated (Oldest first)
  • Last updated (Newest first)
  • Disputation date (earliest first)
  • Disputation date (latest first)
Select
The maximal number of hits you can export is 250. When you want to export more records please use the Create feeds function.
  • 1.
    Abbas, Assad
    et al.
    University of Skövde, School of Humanities and Informatics.
    Nohlberg, Marcus
    University of Skövde, School of Humanities and Informatics.
    Design issues related to the knowledge bases of medical decision support systems2010In: Proceedings, ICIIT 2010 International Conference on Intelligence and Information Technology, 28-30 October, 2010, Lahore, Pakistan: Volume 2, Lahore: IEEE conference proceedings, 2010, p. 54-58Conference paper (Refereed)
  • 2.
    Al Salek, Aous
    et al.
    University of Skövde, School of Informatics.
    Kävrestad, Joakim
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Exploring Experiences of Using SETA in Nordic Municipalities2021In: Human Aspects of Information Security and Assurance: 15th IFIP WG 11.12 International Symposium, HAISA 2021, Virtual Event, July 7–9, 2021, Proceedings / [ed] Steven Furnell; Nathan Clarke, Cham: Springer, 2021, p. 22-31Conference paper (Refereed)
    Abstract [en]

    User behavior is a key aspect of cybersecurity and it is well documented that insecure user behavior is the root cause of the majority of all cybersecurity incidents. Security Education, Training, and Awareness (SETA) is described by practitioners and researchers as the most important tool for improving cybersecurity behavior and has been for several decades. Further, there are several ways to work with SETA found in academic literature and a lot of research into various aspects of SETA effectiveness. However, the problem of insecure user behavior remains revealing a need for further research in the domain. While previous research have looked at the users’ experience of SETA, this study looks at SETA adoption from the perspective of the adopting organization. For this purpose, a survey was sent out to all Nordic municipalities with the intent of measuring if and how SETA is conducted, and how the respondents would ideally like to conduct SETA. The results show that a majority of the participating organizations use SETA and that e-learning is the most common delivery method. However, the results also show that gamification and embedded training is seldom used in practice nor a part of the participants’ picture of ideal SETA.

  • 3.
    Boldt, Martin
    et al.
    Blekinge Institute of Technology, Sweden.
    Nohlberg, Marcus
    University of Skövde, School of Humanities and Informatics. University of Skövde, The Informatics Research Centre.
    Phishing with Gifts as Bait: Measurement and Analysis of Phishing Attacks within a University Environment2010Conference paper (Refereed)
  • 4.
    Cervantes Mori, Milagros D.
    et al.
    University of Skövde, School of Informatics.
    Kävrestad, Joakim
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Success factors and challenges in digital forensics for law enforcement in Sweden2021In: Proceedings of the 7th International Workshop on Socio-Technical Perspective in IS Development (STPIS 2021): Virtual conference in Trento, Italy, October 11-12, 2021 / [ed] Peter Bednar; Alexander Nolte; Mikko Rajanen; Anna Sigridur Islind; Helena Vallo Hult; Fatema Zaghloul; Aurelio Ravarini; Alessio Maria Braccini, CEUR-WS , 2021, p. 100-116Conference paper (Refereed)
    Abstract [en]

    The widespread use of communication and digital technology has affected the number of devices requiring analysis in criminal investigations. Additionally, the increase in storage volume, the diversity of digital devices, and the use of cloud environments introduce more complexities to the digital forensic domain. This work aims to supply a taxonomy of the main challenges and success factors faced in the digital forensic domain in law enforcement. The chosen method for this research is a systematic literature review of studies with topics related to success factors and challenges in digital forensics for law enforcement. The candidate studies were 1,428 peer-reviewed scientific articles published between 2015 and 2021. A total of twenty-eight primary studies were analyzed by applying thematic coding. Furthermore, a survey of digital forensic practitioners from the Swedish Police was held to triangulate the results achieved with the systematic literature review. 

    Download full text (pdf)
    fulltext
  • 5.
    Hedberg, David
    et al.
    University of Skövde, School of Informatics.
    Lundgren, Martin
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Cybersecurity in modern cars: awareness and readiness of auto workshops2024In: Information and Computer Security, E-ISSN 2056-4961, Vol. 32, no 4, p. 407-419Article in journal (Refereed)
    Abstract [en]

    Purpose: This study aims to explore auto mechanics awareness of repairs and maintenance related to the car’s cybersecurity and provide insights into challenges based on current practice. Design/methodology/approach: This study is based on an empirical study consisting of semistructured interviews with representatives from both branded and independent auto workshops. The data was analyzed using thematic analysis. A version of the capability maturity model was introduced to the respondents as a self-evaluation of their cybersecurity awareness. Findings: Cybersecurity was not found to be part of the current auto workshop work culture, and that there is a gap between independent workshops and branded workshops. Specifically, in how they function, approach problems and the tools and support available to them to resolve (particularly regarding previously unknown) issues. Research limitations/implications: Only auto workshop managers in Sweden were interviewed for this study. This role was picked because it is the most likely to have come in contact with cybersecurity-related issues. They may also have discussed the topic with mechanics, manufacturers or other auto workshops – thus providing a broader view of potential issues or challenges. Practical implications: The challenges identified in this study offers actionable advice to car manufacturers, branded workshops and independent workshops. The goal is to further cooperation, improve knowledge sharing and avoid unnecessary safety or security issues. Originality/value: As cars become smarter, they also become potential targets for cyberattacks, which in turn poses potential threats to human safety. However, research on auto workshops, which has previously ensured that cars are road safe, has received little research attention with regards to the role cybersecurity can play in repairs and maintenance. Insights from auto workshops can therefore shed light upon the unique challenges and issues tied to the cybersecurity of cars, and how they are kept up-to-date and road safe in the digital era. 

    Download full text (pdf)
    fulltext
  • 6.
    Hedberg, David
    et al.
    Minneapolis, USA.
    Lundgren, Martin
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Cyberthreats in Modern Cars: Responsibility and Readiness of Auto Workshops2023In: Human Aspects of Information Security and Assurance: 17th IFIP WG 11.12 International Symposium, HAISA 2023, Kent, UK, July 4–6, 2023, Proceedings / [ed] Steve Furnell; Nathan Clarke, Cham: Springer, 2023, Vol. 1, p. 275-284Conference paper (Refereed)
    Abstract [en]

    Modern cars are becoming increasingly smarter and connected. Today, cars often contain features ranging from controlling service functions through a mobile application to remote road assistance. However, as cars become smarter, they also become potential targets for cyberattacks, and a potential threat to human safety. Traditionally, handing in a car to an auto workshop for repairs and maintenance have ensured that the car is road safe. But, to what extent are auto mechanics aware of repairs and maintenance related to the car’s cybersecurity? Based on interviews with eight auto workshop specialists in Sweden, using the capability maturity model as lens to capture the readiness maturity, the following study looks at experiences with cybersecurity related to cars, what current tools are used, and procedures to deal with a cyberattack against cars in their workshop. It was found that auto workshops are potential targets, with limited solutions existing today, and that cyber security is not a part of the current culture. It was also found that there is a gap between independent workshops and branded workshops in how they function and in what manner they approach problems and issues. Specifically, for new issues (i.e., previously unencountered issues), branded workshops relied more on the manufacturer than independent workshops who were left to use whatever solution they could figure out by their own means, which sometimes may be akin to hacking the car’s systems.

  • 7.
    Hedström, Karin
    et al.
    Örebro University.
    Jäger, Kerstin
    University of Skövde, School of Technology and Society.
    Krasnizi, Hanife
    University of Skövde, The Informatics Research Centre. University of Skövde, School of Humanities and Informatics.
    Linderoth, Henrik
    University of Skövde, School of Technology and Society.
    Nohlberg, Marcus
    University of Skövde, The Informatics Research Centre. University of Skövde, School of Humanities and Informatics.
    Persson, Anne
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Åhlfeldt, Rose-Mharie
    University of Skövde, The Informatics Research Centre. University of Skövde, School of Humanities and Informatics.
    Vårdens framtida informationssystem - Vision i form av en demonstrator: Slutrapport.2010Report (Other (popular science, discussion, etc.))
    Download full text (pdf)
    VFI - slutrapport
  • 8.
    Holgersson, Jesper
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Kävrestad, Joakim
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Cybersecurity and Digital Exclusion of Seniors: What Do They Fear?2021In: Human Aspects of Information Security and Assurance: 15th IFIP WG 11.12 International Symposium, HAISA 2021, Virtual Event, July 7–9, 2021, Proceedings / [ed] Steven Furnell; Nathan Clarke, Cham: Springer, 2021, p. 12-21Conference paper (Refereed)
    Abstract [en]

    The rapid development of digitalization has led to a more or less endless variety of ways for individuals to communicate and interact with the outside world. However, in order to take advantage of all the benefits of digitalization, individuals need to have the necessary skills. Seniors represent a group that, compared to other groups, lives in a digital exclusion to an excessive extent, mainly due to the fact that they lack the necessary knowledge to use digital technology and digital services. Based on empirical data collected from seniors partaking in digital training, we have analyzed their perceptions of why they and other seniors are digitally excluded. Our findings point out that a major barrier for seniors to be more digitally included is different variants of fear of using digital technology and digital services. The common denominator can be traced down the possibilities to be exposed to frauds, scams, viruses, and faulty handling, which in turn cause undesired consequences. Consequently, we propose a research agenda where digital training and digital inclusion measurements should be studied side by side with cybersecurity behavior. Thus, making cybersecurity a fundamental part of digital inclusion has the potential to minimize the fears identified in this research as inhibitors to technology adoption.

  • 9. Huber, Markus
    et al.
    Kowalski, Stewart
    Nohlberg, Marcus
    University of Skövde, School of Humanities and Informatics. University of Skövde, The Informatics Research Centre.
    Tjoa, Simon
    Towards Automating Social Engineering Using Social Networking Sites2009In: 2009 International Conference on Computational Science and Engineering, IEEE Computer Society , 2009, p. 117-124Conference paper (Refereed)
    Abstract [en]

    A growing number of people use social networking sites to foster social relationships among each other. While the advantages of the provided services are obvious, drawbacks on a users’ privacy and arising implications are often neglected. In this paper we introduce a novel attack called automated social engineering which illustrates how social networking sites can be used for social engineering. Our approach takes classical social engineering one step further by automating tasks which formerly were very time-intensive. In order to evaluate our proposed attack cycle and our prototypical implementation (ASE bot), we conducted two experiments. Within the first experiment we examine the information gathering capabilities of our bot. The second evaluation of our prototype performs a Turing test. The promising results of the evaluation highlightthe possibility to efficiently and effectively perform social engineering attacks by applying automated social engineering bots.

  • 10.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment. School of Engineering, Jönköping University, Sweden.
    Abbasi, Muhammad Abbas Khan
    University of Skövde, School of Informatics.
    Tarczal, Márton
    University of Skövde, School of Informatics.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    The impact of short-term memory on phishing detection ability and password behaviour2023In: Proceedings of the 9th International Conference on Socio-Technical Perspective in Information Systems Development (STPIS 2023) / [ed] Peter Bednar; Fatema Zaghloul; Christine Welch; Alexander Nolte; Mikko Rajanen; Anna Sigridur Islind; Helena Vallo Hult; Aurelio Ravarini; Alessio Maria Braccini, CEUR-WS , 2023, p. 160-173Conference paper (Refereed)
    Abstract [en]

    Cybersecurity is a socio-technical discipline which is dependent on the interplay between users and devices, and the organizations where this interplay takes place. Previous research has shown that the interplay between users and devices is highly affected by the cognitive abilities of users. This is prominent in cybersecurity, which requires users to make security-aware decisions when, for instance, reading emails and decide which emails are legitimate and which emails constitute phishing. Research further suggests that decision-making is dependent on memory ability, which is the focus of this research. In this study, we investigate the impact of short-term memory on phishing detection ability and password behaviour. A web survey was used to collect quantitative data from a large sample of respondents. The survey was distributed on social media platforms and 93 participants completed the survey. The results indicate a positive correlation between short-term memory scores and both password detection ability and password behavior. 

    Download full text (pdf)
    fulltext
  • 11.
    Kävrestad, Joakim
    et al.
    School of Engineering, Jönköping University, Sweden.
    Burvall, Felicia
    University of Skövde, School of Informatics.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    A taxonomy of factors that contribute to organizational Cybersecurity Awareness (CSA)2024In: Information and Computer Security, E-ISSN 2056-4961Article in journal (Refereed)
    Abstract [en]

    Purpose

    Developing cybersecurity awareness (CSA) is becoming a more and more important goal for modern organizations. CSA is a complex sociotechnical system where social, technical and organizational aspects affect each other in an intertwined way. With the goal of providing a holistic representation of CSA, this paper aims to develop a taxonomy of factors that contribute to organizational CSA.

    Design/methodology/approach

    The research used a design science approach including a literature review and practitioner interviews. A taxonomy was drafted based on 71 previous research publications. It was then updated and refined in two iterations of interviews with domain experts.

    Findings

    The result of this research is a taxonomy which outline six domains for importance for organization CSA. Each domain includes several activities which can be undertaken to increase CSA within an organization. As such, it provides a holistic overview of the CSA field.

    Practical implications

    Organizations can adopt the taxonomy to create a roadmap for internal CSA practices. For example, an organization could assess how well it performs in the six main themes and use the subthemes as inspiration when deciding on CSA activities.

    Originality/value

    The output of this research provides an overview of CSA based on information extracted from existing literature and then reviewed by practitioners. It also outlines how different aspects of CSA are interdependent on each other.

    Download full text (pdf)
    fulltext
  • 12.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Eriksson, Fredrik
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    The Development of a Password Classification Model2018In: Journal of Information System Security, ISSN 1551-0123, E-ISSN 1551-0808, Vol. 14, no 1, p. 31-46Article in journal (Refereed)
    Abstract [en]

    In order to ensure that we are the only ones that can access our data, we use authentication to secure our computers and different online accounts. Passwords remain the most common type of authentication, even if there are several different ways to authenticate, including biometrics and tokens. With this study we aim to reveal and collect the different strategies that users are using when designing their passwords. To achieve this, a model was developed using interactive interviews with computer forensic experts. The model was then applied on 5,000 passwords gathered from 50 different password databases that had leaked to the Internet. The result is a model that can be used to classify passwords based on the strategy used to create them. As such, the results of this study increase the understanding of passwords and they can be used as a tool in education and training, as well as in future research.

  • 13.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Eriksson, Fredrik
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Understanding passwords – a taxonomy of password creation strategies2019In: Information and Computer Security, E-ISSN 2056-4961, Vol. 27, no 3, p. 453-467Article in journal (Refereed)
    Abstract [en]

    Purpose Using authentication to secure data and accounts has grown to be a natural part of computing. Even if several authentication methods are in existence, using passwords remains the most common type of authentication. As long and complex passwords are encouraged by research studies and practitioners alike, computer users design passwords using strategies that enable them to remember their passwords. This paper aims to present a taxonomy of those password creation strategies in the form of a model describing various strategies used to create passwords. Design/methodology/approach The study was conducted in a three-step process beginning with a short survey among forensic experts within the Swedish police. The model was then developed by a series of iterative semi-structured interviews with forensic experts. In the third and final step, the model was validated on 5,000 passwords gathered from 50 different password databases that have leaked to the internet. Findings The result of this study is a taxonomy of password creation strategies presented as a model that describes the strategies as properties that a password can hold. Any given password can be classified as holding one or more of the properties outlined in the model. Originality/value On an abstract level, this study provides insight into password creation strategies. As such, the model can be used as a tool for research and education. It can also be used by practitioners in, for instance, penetration testing to map the most used password creation strategies in a domain or by forensic experts when designing dictionary attacks.

  • 14.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Friman, Evelina
    University of Skövde, Informatics Research Environment.
    Bohlander, Joacim
    University of Skövde, Informatics Research Environment.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Can Johnny actually like security training?2020In: Proceedings of the 6th International Workshop on Socio-Technical Perspective in IS Development (STPIS 2020): Virtual conference in Grenoble, France, June 8-9, 2020 / [ed] Peter Bednar, Alexander Nolte, Mikko Rajanen, Helena Vallo Hult, Anna Sigridur Islind, Federico Pigni, CEUR-WS , 2020, p. 76-83Conference paper (Refereed)
    Abstract [en]

    Information security is a socio-technical property where a lot of traditional efforts has been placed in the technical domain. Security has been seen as a technical challenge and the solutions has been technical. However, it is well known that human behavior plays a key role in information security and the user is often seen as the weakest link in the security chain. As such, information security is a socio-technical property where the social, or human side needs increased attention. Security training is commonly suggested as the way to improve user behavior but the effects of various training efforts is also under-researched. This paper demonstrates how ContextBased MicroTraining (CBMT) can be implemented and performs a usability evaluation of that implementation. CBMT is a method for information security training which has been developed over years of research. The paper demonstrates that the CBMT method can aid in the development of highly usable security training. The paper also emphasizes the need for user centered design in development of security software intended for end-users. 

    Download full text (pdf)
    fulltext
  • 15.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Furnell, Steven
    School of Computer Science, University of Nottingham, UK.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    User perception of Context-Based Micro-Training – a method for cybersecurity training2024In: Information Security Journal, ISSN 1939-3555, E-ISSN 1939-3547, Vol. 33, no 2, p. 121-137Article in journal (Refereed)
    Abstract [en]

    User behavior is one of the biggest challenges to cybersecurity in modern organizations. Users are continuously targeted by attackers and required to have sufficient knowledge to spot and avoid such attacks. Different training methods are suggested and used in the industry to support users to behave securely. The challenge remains, and improved methods for end-user cybersecurity training are needed. This paper introduces and evaluates user perception of a method called Context-Based Micro-Training (CBMT). This approach suggests that training should be delivered in short sequences when the information is of direct relevance. The intention is to provide training directly related to the user’s current situation while also providing an awareness-increasing effect. This notion is tested in a survey-based evaluation involving 1,452 respondents from Sweden, Italy, and the UK, comparing the perception of CBMT against the experience of traditional approaches. The results emphasize that current methods are not effective enough and show that CBMT is perceived positively by respondents in all sample groups. The study further evaluated how demographic aspects impact the perception of CBMT and found that a diverse group of users can appreciate it.

    Download full text (pdf)
    fulltext
  • 16.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Furnell, Steven
    University of Nottingham, UK.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    What Parts of Usable Security Are Most Important to Users?2021In: Information Security Education for Cyber Resilience: 14th IFIP WG 11.8 World Conference, WISE 2021, Virtual Event, June 22–24, 2021, Proceedings / [ed] Lynette Drevin; Natalia Miloslavskaya; Wai Sze Leung; Suné von Solms, Cham: Springer, 2021, p. 126-139Conference paper (Refereed)
    Abstract [en]

    The importance of the human aspects of cybersecurity cannot be overstated in light of the many cybersecurity incidents stemming from insecure user behavior. Users are supposed to engage in secure behavior by use of security features or procedures but those struggle to get widespread use and one hindering factor is usability. While several previous papers studied various usability factors in the cybersecurity domain, a common understanding of usable security is missing. Further, usability covers a large range of aspects and understanding what aspects users prioritize is integral for development of truly usable security features. This paper builds on previous work and investigates what usability factors users prioritize and what demographic factors that affects the perception of usability factors. This is done through a survey answered by 1452 respondents from Sweden, Italy and UK. The results show that users prefer security functions to minimize resource consumption in terms of cost, device performance and time. The study further demonstrate that users want security functions to require as little effort as possible and just work. Further, the study determines that nation of residence and IT-competence greatly impacts the perception of usability for security functions while gender and age does so to a much lesser extent.

  • 17.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Gellerstedt, Martin
    University of Skövde, School of Health Sciences. University of Skövde, Digital Health Research (DHEAR).
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Rambusch, Jana
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Survey of Users’ Willingness to Adopt and Pay for Cybersecurity Training2022In: Human Aspects of Information Security and Assurance: 16th IFIP WG 11.12 International Symposium, HAISA 2022, Mytilene, Lesbos, Greece, July 6–8, 2022, Proceedings / [ed] Nathan Clarke; Steven Furnell, Cham: Springer Nature Switzerland AG , 2022, p. 14-23Conference paper (Refereed)
    Abstract [en]

    The importance of user behaviour in the cybersecurity domain is widely acknowledged. Users face cyberthreats such as phishing and fraud daily, both at work and in their private use of technology. Using training interventions to improve users’ knowledge, awareness, and behaviour is a widely accepted approach to improving the security posture of users. Research into cybersecurity training has traditionally assumed that users are provided such training as members of an organization. However, users in their private capacity are expected to cater for their own security. This research addresses this gap with a survey where 1437 Swedish adults participated. Willingness to adopt and pay for different cybersecurity training types was measured. The included types were; training delivered to users in a context where the training is of direct relevance, eLearning and game-based training. The participants were most willing to adopt and pay for contextual training, while eLearning was the second most favoured training type. We also measured if willingness to pay and adopt cybersecurity training was impacted by the participant’s worry about various cyber threats. Surprisingly, no meaningful correlation was found, suggesting that something else than worry mediates willingness to adopt and pay for cybersecurity training. 

  • 18.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Hagberg, Allex
    Xenolith AB, Skövde, Sweden.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Rambusch, Jana
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Roos, Robert
    Xenolith AB, Skövde, Sweden.
    Furnell, Steven
    School of Computer Science, University of Nottingham, UK.
    Evaluation of Contextual and Game-Based Training for Phishing Detection2022In: Future Internet, E-ISSN 1999-5903, Vol. 14, no 4Article in journal (Refereed)
    Abstract [en]

    Cybersecurity is a pressing matter, and a lot of the responsibility for cybersecurity is put on the individual user. The individual user is expected to engage in secure behavior by selecting good passwords, identifying malicious emails, and more. Typical support for users comes from Information Security Awareness Training (ISAT), which makes the effectiveness of ISAT a key cybersecurity issue. This paper presents an evaluation of how two promising methods for ISAT support users in acheiving secure behavior using a simulated experiment with 41 participants. The methods were game-based training, where users learn by playing a game, and Context-Based Micro-Training (CBMT), where users are presented with short information in a situation where the information is of direct relevance. Participants were asked to identify phishing emails while their behavior was monitored using eye-tracking technique. The research shows that both training methods can support users towards secure behavior and that CBMT does so to a higher degree than game-based training. The research further shows that most participants were susceptible to phishing, even after training, which suggests that training alone is insufficient to make users behave securely. Consequently, future research ideas, where training is combined with other support systems, are proposed

    Download full text (pdf)
    fulltext
  • 19.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Hagberg, Allex
    Xenolith AB, Skövde, Sweden.
    Roos, Robert
    Xenolith AB, Skövde, Sweden.
    Rambusch, Jana
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Usable Privacy and Security from the Perspective of Cognitive Abilities2022In: Privacy and Identity Management. Between Data Protection and Security: 16th IFIP WG 9.2, 9.6/11.7, 11.6/SIG 9.2.2 International Summer School, Privacy and Identity 2021, Virtual Event, August 16–20, 2021, Revised Selected Papers / [ed] Michael Friedewald; Stephan Krenn; Ina Schiering; Stefan Schiffner, Springer, 2022, 1, Vol. 1, p. 105-121Chapter in book (Refereed)
    Abstract [en]

    Privacy, Information, and Cybersecurity (PICS) are related properties that have become a concern for more or less everyone. A large portion of the responsibility for PICS is put on the end-user, who is expected to adopt PICS tools, guidelines, and features to stay secure and maintain organizational security. However, the literature describes that many users do not adopt PICS tools and a key reason seems to be usability. This study acknowledges that the usability of PICS tools is a crucial concern and seeks to problematize further by adding cognitive ability as a key usability aspect. We argue that a user’s cognitive abilities determine how the user perceives the usability of PICS tools and that usability guidelines should account for varying cognitive abilities held by different user groups. This paper presents a case study with focus on how cognitive disabilities can affect the usability of PICS tools. Interviews with users with cognitive disabilities as well as usability experts, and experts on cognitive disabilities were conducted. The results suggest that many of the usability factors are shared by all users, cognitive challenges or not. However, cognitive challenges often cause usability issues to be more severe. Based on the results, several design guidelines for the usability of PICS tools are suggested.

  • 20.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Lennartsson, Markus
    University of Skövde, School of Informatics.
    Birath, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Constructing secure and memorable passwords2020In: Information and Computer Security, E-ISSN 2056-4961, Vol. 28, no 5, p. 701-717Article in journal (Refereed)
    Abstract [en]

    Purpose Using authentication to secure data and accounts has grown to be a natural part of computing. Even if several authentication methods are in existence, using passwords remain the most common type of authentication. As long and complex passwords are encouraged by research studies and practitioners alike, computer users design passwords using strategies that enable them to remember their passwords. This paper aims to find strategies that allow for the generation of passwords that are both memorable and computationally secure. Design/methodology/approach The study began with a literature review that was used to identify cognitive password creation strategies that facilitate the creation of passwords that are easy to remember. Using an action-based approach, attack models were created for the resulting creation strategies. The attack models were then used to calculate the entropy for passwords created with different strategies and related to a theoretical cracking time. Findings The result of this study suggests that using phrases with four or more words as passwords will generate passwords that are easy to remember and hard to attack. Originality/value This paper considers passwords from a socio-technical approach and provides insight into how passwords that are easy to remember and hard to crack can be generated. The results can be directly used to create password guidelines and training material that enables users to create usable and secure passwords.

  • 21.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Lindvall, David
    Skövde Municipality, Sweden.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Combating digital exclusion with cybersecurity training – an interview study with Swedish seniors2023In: Human Aspects of Information Security and Assurance: 17th IFIP WG 11.12 International Symposium, HAISA 2023, Kent, UK, July 4–6, 2023, Proceedings / [ed] Steve Furnell; Nathan Clarke, Cham: Springer, 2023, Vol. 1, p. 3-12Conference paper (Refereed)
    Abstract [en]

    While rapid digitalization is beneficial for a majority of all people, some people struggle to adopt digital technology. Not only do these persons miss the potential benefits of digitalization, but they are also suffering from the fact that many services are no longer provided in a non-digital way. Previous research suggests that a lack of security literacy and awareness is one driving factor behind the digital exclusion for senior citizens. To that end, this research focuses on cybersecurity training for seniors. Seniors are here defined as those aged above 65. Using interviews with eight seniors, this research evaluates the use of contextual training in this user group. The rationale is that contextual training has been found to have positive results in other user groups. The results suggest that contextual cybersecurity training can increase cybersecurity awareness for senior citizens and be appreciated by the users. The participants also confirm previous research describing that cybersecurity concerns are a driving factor behind digital exclusion and that contextual cybersecurity training can make seniors more comfortable adopting digital services.

  • 22.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Marcus, Nohlberg
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Online Fraud Defence by Context Based Micro Training2015In: Proceedings of the Ninth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2015) / [ed] Steven M. Furnell; Nathan L. Clarke, University of Plymouth Press, 2015, p. 256-264Conference paper (Refereed)
    Abstract [en]

    Online frauds are a category of Internet crime that has been increasing globally over the past years. Online fraudsters use a lot of different arenas and methods to commit their crimes and that is making defence against online fraudsters a difficult task. Today we see continuous warnings in the daily press and both researchers and governmental web-pages propose that Internet users gather knowledge about online frauds in order to avoid victimisation. In this paper we suggest a framework for presenting this knowledge to the Internet users when they are about to enter a situation where they need it. We provide an evaluation of the framework that indicates that it can both make users less prone to fraudulent ads and more trusting towards legitimate ads. This is done with a survey containing 117 participants over two groups where the participants were asked to rate the trustworthiness of fraudulent and legitimate ads.. One groups used the framework before the rating and the other group did not. The results showed that, in our study, the participants using the framework put less trust in fraudulent ads and more trust in legitimate ads. 

    Download full text (pdf)
    fulltext
  • 23.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Assisting Users to Create Stronger Passwords Using ContextBased MicroTraining2020In: ICT Systems Security and Privacy Protection: 35th IFIP TC 11 International Conference, SEC 2020, Maribor, Slovenia, September 21–23, 2020, Proceedings / [ed] Marko Hölbl, Kai Rannenberg, Tatjana Welzer, Cham: Springer, 2020, p. 95-108Conference paper (Refereed)
    Abstract [en]

    In this paper, we describe and evaluate how the learning framework ContextBased MicroTraining (CBMT) can be used to assist users to create strong passwords. Rather than a technical enforcing measure, CBMT is a framework that provides information security training to users when they are in a situation where the training is directly relevant. The study is carried out in two steps. First, a survey is used to measure how well users understand password guidelines that are presented in different ways. The second part measures how using CBMT to present password guidelines affect the strength of the passwords created. This experiment was carried out by implementing CBMT at the account registration page of a local internet service provider and observing the results on user-created passwords. The results of the study show that users presented with passwords creation guidelines using a CBMT learning module do understand the password creation guidelines to a higher degree than other users. Further, the experiment shows that users presented with password guidelines in the form of a CBMT learning module do create passwords that are longer and more secure than other users. The assessment of password security was performed using the zxcvbn tool, developed by Dropbox, that measures password entropy.

  • 24.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Context-Based Micro-training2022In: Encyclopedia of Cryptography, Security and Privacy / [ed] Sushil Jajodia; Pierangela Samarati; Moti Yung, Springer, 2022Chapter in book (Refereed)
  • 25.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    ContextBased MicroTraining: A Framework for Information Security Training2020In: Human Aspects of Information Security and Assurance: 14th IFIP WG 11.12 International Symposium, HAISA 2020, Mytilene, Lesbos, Greece, July 8–10, 2020, Proceedings / [ed] Nathan Clarke, Steven Furnell, Cham: Springer, 2020, p. 71-81Conference paper (Refereed)
    Abstract [en]

    This paper address the emergent need for training measures designed to improve user behavior in regards to security. We do this by proposing a framework for information security training that has been developed for several years and over several projects. The result is the framework ContextBased MicroTraining (CBMT) which provides goals and guidelines for how to better implement information security training that supports the user in the situation where the user needs support. CBMT has been developed and tested for use in higher education as well as for the support of users during passwords creation. This paper presents version 1.0 of the framework with the latest renements.

  • 26.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Defining and modelling the online fraud process2018In: Proceedings of the twelfth International Symposium on Human Aspects of Information Security & Assurance: HAISA 2018 / [ed] Nathan L. Clarke; Steven M. Furnell, Plymouth: University of Plymouth Press, 2018, p. 203-213Conference paper (Refereed)
    Abstract [en]

    As we have become more and more active online so has online criminals. Looking at one type of Internet crimes, online frauds, it is apparent that any-one can be targeted by a fraudster online. It has also been shown that online frauds keep increasing from year to year. It has even been estimated that one third of the adult population in America encounters online fraudsters, annually. In this paper we aimed to increase the knowledge about online frauds. We did this by producing a model that describes the process and aspects of an online fraud as well as a proposed definition of the term "online fraud". In this paper, we present the model and definition that we created and demonstrate their usefulness. The usefulness is demonstrated in our validation step, where we applied the definition to known online fraud schemes. We also conducted an interview in which the model was said to be useful in order to explain how an online fraud scheme was carried out, during a criminal prosecution. As such, that demonstrates that our model can be used to increase the understanding of online frauds.

  • 27.
    Kävrestad, Joakim
    et al.
    Tekniska Högskolan i Jönköping, Jönköping University.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Ett fundament i den svenska högre utbildningsmodellen är att kombinera forskning och undervisning2024In: Aktuell säkerhet, no 2024-01-08Article in journal (Other (popular science, discussion, etc.))
    Abstract [sv]

    Joakim Kävrestad, lektor i datavetenskap, Tekniska Högskolan i Jönköping och Marcus Nohlberg, docent i informationsteknologi, Högskolan i Skövde, håller inte med Jan Kallberg om att svensk cybersäkerhetsforskning borde kraftsamlas till några få platser.

  • 28.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Evaluation Strategies for Cybersecurity Training Methods: A Literature Review2021In: Human Aspects of Information Security and Assurance: 15th IFIP WG 11.12 International Symposium, HAISA 2021, Virtual Event, July 7–9, 2021, Proceedings / [ed] Steven Furnell; Nathan Clarke, Cham: Springer, 2021, p. 102-112Conference paper (Refereed)
    Abstract [en]

    The human aspect of cybersecurity continues to present challenges to researchers and practitioners worldwide. While measures are being taken to improve the situation, a vast majority of security incidents can be attributed to user behavior. Security and Awareness Training (SAT) has been available for several decades and is commonly given as a suggestion for improving the cybersecurity behavior of end-users. However, attackers continue to exploit the human factor suggesting that current SAT methods are not enough. Researchers argue that providing knowledge alone is not enough, and some researchers suggest that many currently used SAT methods are, in fact, not empirically evaluated. This paper aims to examine how SAT has been evaluated in recent research using a structured literature review. The result is an overview of evaluation methods which describes what results that can be obtained using them. The study further suggests that SAT methods should be evaluated using a variety of methods since different methods will inevitably provide different results. The presented results can be used as a guide for future research projects seeking to develop or evaluate methods for SAT.

  • 29.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Using Context Based MicroTraining to Develop OER for the Benefit of All2019In: Proceedings of the 15th International Symposium on Open Collaboration, OpenSym 2019, 20-22 August 2019, Skövde, Sweden, New York: ACM Digital Library, 2019, article id A7Conference paper (Refereed)
    Abstract [en]

    This paper demonstrates how Context Based MicroTraining (CBMT) can be used to develop open educational resources in a way that benefits students enrolled in university courses as well as anyone who wants to participate in open-learning activities. CBMT is a framework that provides guidelines for how educational resources should be structured. CBMT stipulates that information should be presented in short sequences and that is relevant for the learner’s current situation. In this paper, CBMT is implemented in a practical ICT course using video lectures that are delivered as open educational resources using YouTube. The experiences of enrolled students as well as YouTube users are evaluated as well as the actual results of the enrolled students. The results of the study suggest that users of the video lectures appreciate the learning approach. The actual results, i.e. learning outcomes, of the enrolled students are maintained. The study also demonstrates how using CBMT as open educational resources can free up time for teachers and increase the quality of teaching by benefitting from community feedback.

  • 30.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Furnell, Steven
    University of Nottingham, United Kingdom.
    A taxonomy of SETA methods and linkage to delivery preferences2023In: The Data base for Advances in Information Systems, ISSN 0095-0033, Vol. 54, no 4, p. 107-133Article in journal (Refereed)
    Abstract [en]

    Cybersecurity threats targeting users are common in today’s information systems. Threat actors exploit human behavior to gain unauthorized access to systems and data. The common suggestion for addressing this problem is to train users to behave better using SETA programs. The notion of training users is old, and several SETA methods are described in scientific literature. Yet, incidents stemming from insecure user behavior continue to happen and are reported as one of the most common types of incidents. Researchers argue that empirically proven SETA programs are needed and point out focus on knowledge rather than behavior, and poor user adoption, as problems with existing programs. The present study aims to research user preferences regarding SETA methods, with the motivation that a user is more likely to adopt a program perceived positively. A qualitative approach is used to identify existing SETA methods, and a quantitative approach is used to measure user preferences regarding SETA delivery. We show that users prefer SETA methods to be effortless and flexible and outline how existing methods meet that preference. The results outline how SETA methods respond to user preferences and how different SETA methods can be implemented to maximize user perception, thereby supporting user adoption.

    Download full text (pdf)
    fulltext
  • 31.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Pettersson, Rickard
    University of Skövde, School of Informatics.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    The language effect in phishing susceptibility2020In: Proceedings of the 6th International Workshop on Socio-Technical Perspective in IS Development (STPIS 2020): Virtual conference in Grenoble, France, June 8-9, 2020 / [ed] Peter Bednar, Alexander Nolte, Mikko Rajanen, Helena Vallo Hult, Anna Sigridur Islind, Federico Pigni, CEUR-WS , 2020, p. 162-167Conference paper (Refereed)
    Abstract [en]

    Phishing has been, and remains to be, one of the most common types of social engineering. It is the act of tricking users to perform actions they normally wouldn’t using e-mail. Since phishing involves using technical measures to trick users, it is a social technical phenomenon that must be understood from the technical as well as the social side. While phishing and phishing susceptibility has been researched for decades, the effect of language ability on phishing susceptibility is underresearched. In this paper, we conducted a survey where we had swedes rate their English ability before classifying e-mails in Swedish and English as fraudulent or legitimate. The results shows that the respondents English ability does affect the ability to correctly identify legitimate emails and brings another piece to the puzzle of phishing susceptibility.

    Download full text (pdf)
    fulltext
  • 32.
    Kävrestad, Joakim
    et al.
    Jönköping School of Engineering, Sweden.
    Rambusch, Jana
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Design principles for cognitively accessible cybersecurity training2024In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 137, article id 103630Article in journal (Refereed)
    Abstract [en]

    Exploiting human behavior to gain unauthorized access to computer systems has become common practice for modern cybercriminals. Users are expected to adopt secure behavior to avoid those attackers. This secure behavior requires cognitive processing and is often seen as a nuisance which could explain why attacks exploiting user behavior continues to be a fruitful approach for attackers. While adopting secure behavior can be difficult for any user, it can be even more difficult for users with cognitive disabilities. This research focuses on users with cognitive disabilities with the intent of developing design principles for the development of cognitively accessible cybersecurity training. The target group is estimated to include almost 10 % of all users but is previously understudied. The results show that the target group experience cybersecurity as cognitively demanding, sometimes to a degree that becomes incapacitating. Participating in cybersecurity training requires cognitive energy which is a finite resource. Cognitively accessible cybersecurity training requires a minimalist design approach and inclusion of accessibility functions. A minimalist design approach, in this case, means that both informative and design elements should be kept to a minimum. The rationale is that all such elements require cognitive processing which should be kept to a minimum. 

    Download full text (pdf)
    fulltext
  • 33.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Skärgård, Marie
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Users perception of using CBMT for informationsecurity training2019In: Proceedings of the Thirteenth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2019) / [ed] Steven M. Furnell; Nathan L. Clarke, University of Plymouth Press, 2019, p. 122-131Conference paper (Refereed)
    Abstract [en]

    It is well established that user behavior is a crucial aspect of information security and archivingsecure behavior through awareness and security training is the go-to solution proposed bypractitioners as well as the research community. Thus, there is a dire need for efficient trainingmethods for use in the security domain. This paper introduces ContextBased MicroTraining(CBMT), a framework for information security training that dictated that information securitytraining should be delivered to end users in short-sequences when the users are in a situationwhere the training is needed. Further, the users' perception of CBMT in evaluated in an onlinesurvey where about 200 respondents are subjected to training material and asked about how theyperceived them. The results show that users like the training material designed according to theCBMT framework and would prefer to use CBMT over other traditional methods of informationsecurity training.

  • 34.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Zaxmy, Johan
    University of Skövde, School of Informatics.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Analysing the Usage of Character Groups and Keyboard Patterns in Password Usage2019In: Proceedings of the Thirteenth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2019) / [ed] Steven M. Furnell, Nathan L. Clarke, University of Plymouth Press, 2019, p. 155-165Conference paper (Refereed)
    Abstract [en]

    Even with the advances in different methods for authentication, passwords remain the mostcommon approach for authentication as well as for encryption of user data. Password guessingattacks have grown to be a vital part of computer forensics as well as penetration testing. In thispaper, we seek to provide a statistical analysis of password composition by analyzing whatcharacter sets that are most commonly used in over 1 billion leaked passwords in over 20different databases. Further, we use a survey to analyze if users that actively encrypt data differfrom the norm. The results of this study suggest that American lowercase letters and numbersare the, by far, most commonly used character sets and that users who actively encrypt data usekeyboard patterns and special characters more frequently than the average user.

  • 35.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Zaxmy, Johan
    University of Skövde, School of Informatics.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Analyzing the usage of character groups and keyboard patterns in password creation2020In: Information and Computer Security, E-ISSN 2056-4961, Vol. 28, no 3, p. 347-358Article in journal (Refereed)
    Abstract [en]

    Purpose

    Using passwords to keep account and data safe is very common in modern computing. The purpose of this paper is to look into methods for cracking passwords as a means of increasing security, a practice commonly used in penetration testing. Further, in the discipline of digital forensics, password cracking is often an essential part of a computer examination as data has to be decrypted to be analyzed. This paper seeks to look into how users that actively encrypt data construct their passwords to benefit the forensics community.

    Design/methodology/approach

    The study began with an automated analysis of over one billion passwords in 22 different password databases that leaked to the internet. The study validated the result with an experiment were passwords created on a local website was analyzed during account creation. Further a survey was used to gather data that was used to identify differences in password behavior between user that actively encrypt their data and other users.

    Findings

    The result of this study suggests that American lowercase letters and numbers are present in almost every password and that users seem to avoid using special characters if they can. Further, the study suggests that users that actively encrypt their data are more prone to use keyboard patterns as passwords than other users.

    Originality/value

    This paper contributes to the existing body of knowledge around password behavior and suggests that password-guessing attacks should focus on American letters and numbers. Further, the paper suggests that forensics experts should consider testing patterns-based passwords when performing password-guessing attacks against encrypted data.

  • 36.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Åhlfeldt, Rose-Mharie
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Karonen, Johani
    University of Skövde.
    Kowalski, Stewart
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Spiraling out in control: A Video Cartesian Dialectic on a Socio-technical Approach to Teaching Privacy, Information- and Cyber Security (PICS)2019In: Socio-Technical Perspective in IS Development 2019: Proceedings of the 5th International Workshop on Socio-Technical Perspective in IS Development (STPIS 2019) co-located with 27th European Conference on Information Systems (ECIS 2019) / [ed] Stewart Kowalski; Peter Bednar; Alexander Nolte; Ilia Bider, CEUR-WS , 2019, Vol. 2398, p. 153-155Conference paper (Refereed)
    Download full text (pdf)
    fulltext
  • 37.
    Lennartsson, Markus
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Kävrestad, Joakim
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Exploring the Meaning of "Usable Security"2020In: Human Aspects of Information Security and Assurance: 14th IFIP WG 11.12 International Symposium, HAISA 2020, Mytilene, Lesbos, Greece, July 8–10, 2020, Proceedings / [ed] Clarke, Nathan, Furnell, Steven, Cham: Springer, 2020, p. 247-258Conference paper (Refereed)
    Abstract [en]

    While there are many examples of incidents that make theneed for more work around the human aspects of security apparent, theliterature makes it obvious that usable security can mean many dierentthings and usable security is a complex matter. This paper reports on astructured literature review that analyzed what the research communityconsiders to be included in the term "usable security". Publications fromthe past ve years were analyzed and dierent perceptions of usablesecurity were gathered. The result is a listing of the dierent aspectsthat are discussed under the term "usable security" and can be used as areference for future research of practitioners who are developing securityfunctions with usability in mind.

  • 38.
    Lennartsson, Markus
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Kävrestad, Joakim
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Exploring the meaning of usable security – a literature review2021In: Information and Computer Security, E-ISSN 2056-4961, Vol. 29, no 4, p. 647-663Article, review/survey (Refereed)
    Abstract [en]

    Purpose

    For decades, literature has reported on the perceived conflict between usability and security. This mutual trade-off needs to be considered and addressed whenever security products are developed. Achieving well-balanced levels of both is a precondition for sufficient security as users tend to reject unusable solutions. To assess it correctly, usability should be evaluated in the context of security. This paper aims to identify and describe universally applicable and solution-independent factors that affect the perceived usability of security mechanisms.

    Design/methodology/approach

    The selected methodology was a systematic literature review during which multiple database resources were queried. Application of predefined selection criteria led to the creation of a bibliography before backward snowballing was applied to minimize the risk of missing material of importance. All 70 included publications were then analyzed through thematic analysis.

    Findings

    The study resulted in the identification of 14 themes and 30 associated subthemes representing aspects with reported influence on perceived usability in the context of security. While some of them were only mentioned sparsely, the most prominent and thus presumably most significant ones were: simplicity, information and support, task completion time, error rates and error management.

    Originality/value

    The identified novel themes can increase knowledge about factors that influence usability. This can be useful for different groups: end users may be empowered to choose appropriate solutions more consciously, developers may be able to avoid common usability pitfalls when designing new products and system administrators may benefit from a better understanding of how to configure solutions and how to educate users efficiently.

    Download full text (pdf)
    fulltext
  • 39.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Bank-ID:s nya krav ökar utanförskapet – men problemen kunde lösts enklare för länge sedan2023In: Dagens industri, ISSN 0346-640X, no 2023-09-11Article in journal (Other (popular science, discussion, etc.))
    Abstract [sv]

    Bank-ID:s oförmåga eller ovilja att leverera säkra tjänster har under snart ett årtionde möjliggjort för en bedrägerikultur att växa fram i samhället, i en skala som gör att brotten ibland inte ens utreds numera, skriver Marcus Nohlberg docent i cybersäkerhet.

  • 40.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Låt inte din partner ta över din digitala värld: Cyberforskare: Kraschar relationen kan det bli stora problem2024In: Aftonbladet, ISSN 1103-9000, no 2024-10-02, p. 6-6Article in journal (Other (popular science, discussion, etc.))
    Abstract [sv]

    DEBATT. Jämställdhet handlar inte bara om lika löner och delat ansvar i hemmet. I dagens digitala samhälle är cybersäkerhet en grundläggande förutsättning för verklig jämställdhet.

    Över 30 000 människor i Sverige lever i dag med skyddad identitet, ofta på grund av våld i nära relationer. För dem blir bristande cyberkompetens en barriär som försvårar möjligheten att lämna destruktiva relationer och återfå sin frihet.

  • 41.
    Nohlberg, Marcus
    University of Skövde, School of Humanities and Informatics. University of Skövde, The Informatics Research Centre.
    Securing Information Assets: Understanding, Measuring and Protecting against Social Engineering Attacks2008Doctoral thesis, comprehensive summary (Other academic)
    Abstract [en]

    Social engineering denotes, within the realm of security, a type of attack against the human element during which the assailant induces the victim to release information or perform actions they should not. Our research on social engineering is divided into three areas: understanding, measuring and protecting. Understanding deals with finding out more about what social engineering is, and how it works. This is achieved through the study of previous work in information security as well as other relevant research areas. The measuring area is about trying to find methods and approaches that put numbers on an organization’s vulnerability to social engineering attacks. Protecting covers the ways an organization can use to try to prevent attacks. A common approach is to educate the users on typical attacks, assailants, and their manipulative techniques. In many cases there are no preventive techniques, dealing with the human element of security, in place.

    The results show that social engineering is a technique with a high probability of success. Furthermore, defense strategies against it are complicated, and susceptibility to it is difficult to measure. Important contributions are a model describing social engineering attacks and defenses, referred to as the Cycle of Deception, together with a thorough discussion on why and how social engineering works. We also propose new ways of conducting social engineering penetration testing and outline a set of recommendations for protection. It is crucial to involve managers more, but also to train the users with practical exercises instead of theoretical education, for example, by combining measuring exercises and penetration testing with training. We also discuss the future threat of Automated Social Engineering, in which software with a simple form of artificial intelligence can be used to act as humans using social engineering techniques online, making it quite hard for Internet users to trust anyone they communicate with online.

  • 42.
    Nohlberg, Marcus
    University of Skövde, School of Humanities and Informatics.
    Social Engineering Audits Using Anonymous Surveys: Conning the Users in Order to Know if They Can Be Conned2005In: CD-ROM Proceedings of the 4th Security Conference, Las Vegas, USA, 30-31 March 2005, 2005Conference paper (Refereed)
    Abstract [en]

    It is important to know the security readiness of any organization in order to strengthen it. One often neglected aspect of security is the human element, which is often attacked by social engineering” techniques. This paper studies to what extent users are aware and susceptible to common social engineering attacks, and if a quantitative approach to enetration testing of social engineering can be used. By employing a quantitative study under the false pretense of studying “micro efficiency”, an organization with above average skilled users was surveyed on three classic social engineering cons. The results indicate that the approach could be useful as a part of, or as a stand alone auditing technique. The human element is not only vulnerable, but vulnerable to the extent that it shadows most other security measures. The author argues for the necessity of education in order to counter the serious threat of social engineering, since it in many cases complies with the principle of adequate protection.

  • 43.
    Nohlberg, Marcus
    University of Skövde, School of Humanities and Informatics. University of Skövde, The Informatics Research Centre.
    Why Humans are the Weakest Link2008In: Social and Human Elements of Information Security: Emerging Trends and Counter-measures / [ed] Manish Gupta, Raj Sharman, Hershey, PA: IGI Global, 2008, p. 15-26Chapter in book (Refereed)
    Abstract [en]

     

    This chapter introduces the concept of social psychology, and what forms of deception humans are prone to fall for. It presents a background of the area and a thorough description of the most common and important influence techniques. It also gives more practical examples of potential attacks, and what kind of influence techniques they use, as well as a set of recommendations on how to defend against deception, and a discussion on future trends. The author hopes that the understanding of why and how the deceptive techniques work will give the reader new insights into information security in general, and deception in particular. This insight can be used to improve training, to discover influence earlier, or even to gain new powers of influence.

     

     

  • 44.
    Nohlberg, Marcus
    et al.
    University of Skövde, School of Humanities and Informatics. University of Skövde, The Informatics Research Centre.
    Bäckström, Johannes
    Department of Computer and Information Science, University of Linköping, Linköping, Sweden.
    Talking security to managers: How to do it2007In: Proceedings of the 6th International Conference on Perspectives in Business Information Research: BIR'2007 / [ed] Jyrki Nummenmaa, Eva Söderström, Tampere: Tampere University , 2007, p. 104-113Conference paper (Refereed)
    Abstract [en]

    Seven security specialists working close to managers were interviewed about what managers wanted to know about security, as well as other security issues and asked to perform a scenario. This information was analyzed, and the major conclusion of the study is that managers are interested in knowing about security mainly regarding financial and strategic matters, formulated in managerial terms rather than technical and grouped in sets of crossinformationrather than individual detailed data. A trend of giving the users themselves more responsibility for security was also noticed which is potentially worrisome due to the increased insider threat.

  • 45.
    Nohlberg, Marcus
    et al.
    University of Skövde, School of Humanities and Informatics. University of Skövde, The Informatics Research Centre.
    Johannes, Bäckström
    Department of Computer and Information Science, University of Linköping, Linköping, Sweden.
    User-centered security applied to the development of a management information system2007In: Information Management & Computer Security, ISSN 0968-5227, E-ISSN 1758-5805, Vol. 15, no 5, p. 372-381Article in journal (Refereed)
    Abstract [en]

    Purpose – This paper aims to use user-centred security development of a prototype graphical interface for a management information system dealing with information security with upper-level management as the intended users.

    Design/methodology/approach – The intended users were studied in order to understand their needs. An iterative design process was used where the designs were first made on paper, then as a prototype interface and later as a final interface design. All was tested by subjects within the target user group.

    Findings – The interface was perceived as being successful by the test subjects and the sponsoring organization, Siguru. The major conclusion of the study is that managers use knowledge of information security mainly for financial and strategic matters which focus more on risk issues than security issues. To facilitate the need of managers the study presents three heuristics for the design of management information security system interfaces.

    Research limitations/implications – This interface was tested on a limited set of users and further tests could be done, especially of users with other cultural/professional backgrounds.

    Practical implications – This paper presents a useful set of heuristics that can be used in development of management information systems as well as other practical tips for similar projects.

    Originality/value – This paper gives an example of a successful user-centred security development process. The lessons learned could be beneficial in software development in general and security products in particular.

  • 46.
    Nohlberg, Marcus
    et al.
    University of Skövde, School of Humanities and Informatics. University of Skövde, The Informatics Research Centre.
    Kowalski, Stewart
    Stockholms universitet, Samhällsvetenskapliga fakulteten, Institutionen för data- och systemvetenskap.
    The cycle of deception: a model of social engineering attacks, defenses and victims2008In: Proceedings of the Second International Symposium on Human Aspects of Information Security and Assurance (HAISA 2008) / [ed] Nathan Clarke, Steven Furnell, University of Plymouth , 2008, p. 1-11Conference paper (Refereed)
    Abstract [en]

    In this paper we propose a model for describing deceptive crimes in general and social engineering in particular. Our research approach was naïve inductivist and the methods used were literature study and interviews with the lead investigator in a grooming case, as we see many similarities between the techniques used in grooming, and those used in social engineering. From this we create cycles describing attacker, defender, and the victim and merge them into a model describing the cycle of deception. The model is then extended into a possible deception sphere. The resulting models can be used to educate about social engineering, to create automated social engineering attacks, to facilitate better incident reporting, and to understand the impact and economical aspects of defenses.

  • 47.
    Nohlberg, Marcus
    et al.
    University of Skövde, School of Humanities and Informatics. University of Skövde, The Informatics Research Centre.
    Kowalski, Stewart
    Stockholms universitet, Samhällsvetenskapliga fakulteten, Institutionen för data- och systemvetenskap (Säkerhetsinformatik).
    Huber, Markus
    Stockholms universitet, Samhällsvetenskapliga fakulteten, Institutionen för data- och systemvetenskap (Säkerhetsinformatik).
    Measuring Readiness for Automated Social Engineering2008In: Proceedings of the 7th Annual Security Conference, Las Vegas, USA, June 2-3, 2008 [CD-ROM], 2008, p. 20.1-20.13Conference paper (Refereed)
    Abstract [en]

    This paper presents the result of a case study of the readiness of four large Swedish multinational corporations to deal with automated social engineering attacks. A preliminary study to review how the security policy of a large corporation deals with social engineering attacks was performed. The results from this study were combined with a conceptual model of social engineering when constructing a new interview protocol and a grading scale. This interview protocol was designed to measure the readiness of an organization to deal with social engineering attacks in general, and in this case with automated social engineering in particular. Four interviews were conducted with senior security managers and senior employees. Results indicate that no organization was over 60% on the readiness scale and thus all are considered at risk of attack.

  • 48.
    Nohlberg, Marcus
    et al.
    University of Skövde, School of Humanities and Informatics.
    Kowalski, Stewart
    Department of Computer and Systems Sciences, Stockholm University/Royal Institute of Technology, Stockholm, Sweden.
    Karlsson, Kerstin
    University of Skövde, School of Humanities and Informatics.
    Ask and you shall know: using interviews and the SBC model for social-engineering penetration testing2008In: Proceedings of the 1st International Multi-Conference on Engineering and Technological Innovation; IMETI 2008: Volume I / [ed] Chu Hsing-Wei, Estrems Manuel, Ferrer José, Franco Patricio, Savoie Michael, Orlando: International Institute of Informatics and Systemics, 2008, p. 121-128Conference paper (Refereed)
    Abstract [en]

    This paper presents the result of a case study where the SBC model was used as a foundation to perform semi-structured interviews to test the security in a medical establishment. The answers were analyzed and presented in an uncomplicated graph. The purpose was to study the feasibility of letting the users participate, instead of exploiting their weaknesses. It was found that the approach of interviewing the subjects rendered interesting, and relevant, results, making it an approach that should be studied further due to its apparent gains: less ethically troublesome penetration testing, increased awareness, improved coverage and novel information as added bonuses.

  • 49.
    Nohlberg, Marcus
    et al.
    University of Skövde, School of Humanities and Informatics. University of Skövde, The Informatics Research Centre.
    Kowalski, Stewart
    Karlsson, Kerstin
    University of Skövde.
    Non-Invasive Social Engineering Penetration Testing in a Medical Environment2008In: Proceedings of the 7th Annual Security Conference [CD-ROM], 2008, p. 22.1-22.13Conference paper (Refereed)
    Abstract [en]

    This paper proposes a soft approach for social engineering penetration testing. By using the SBC model as a foundation, questions related to the social element of security were asked in semi-structured interviews to a group of subjects. The answers were analyzed and presented in an uncomplicated graph. The purpose was to study the feasibility of letting the users participate, instead of exploiting their weaknesses. It was found that the approach of interviewing the subjects rendered interesting, and relevant, results, making it an approach that should be studied further due to its apparent gains: less ethically troublesome penetration testing, increased awareness, improved coverage and novel information as added bonuses.

  • 50.
    Nohlberg, Marcus
    et al.
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Kävrestad, Joakim
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Exploring Information Security and Domestic Equality2020In: Human Aspects of Information Security and Assurance: 14th IFIP WG 11.12 International Symposium, HAISA 2020, Mytilene, Lesbos, Greece, July 8–10, 2020, Proceedings / [ed] Nathan Clarke, Steven Furnell, Cham: Springer, 2020, p. 224-232Conference paper (Refereed)
    Abstract [en]

    It is well known that men and women dier in terms of securitybehavior. For instance, studies report that gender plays a role insecurity non-compliance intentions, malware susceptibility, and securityself-ecacy. While one reason for gender-based dierences can be thatwomen are vastly underrepresented in the community of security professionals,the impact that gender dierences in security behavior haveon equality is an underresearched area. This paper argues that cyberinequalitycan impact domestic inequality and even be an enabler fordomestic abuse. This paper intends to shed light on how digitalizationworks in households in order to problematize around equality in the digitalera. It reports on a survey that measures dierent factors of personalinformation security and shows that men and women do indeed dierin personal information security behavior on a number of points suchas men being more inuential when it comes to ICT decisions in thehousehold.

12 1 - 50 of 63
CiteExportLink to result list
Permanent link
Cite
Citation style
  • apa
  • apa-cv
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf