Högskolan i Skövde

Publications (10 of 58)
Kävrestad, J., Burvall, F. & Nohlberg, M. (2025). A taxonomy of factors that contribute to organizational Cybersecurity Awareness (CSA). Information and Computer Security, 33(2), 141-160
2025 (English) In: Information and Computer Security, E-ISSN 2056-4961, Vol. 33, no 2, p. 141-160. Article in journal (Refereed) Published
Abstract [en]

Purpose

Developing cybersecurity awareness (CSA) is becoming a more and more important goal for modern organizations. CSA is a complex sociotechnical system where social, technical and organizational aspects affect each other in an intertwined way. With the goal of providing a holistic representation of CSA, this paper aims to develop a taxonomy of factors that contribute to organizational CSA.

Design/methodology/approach

The research used a design science approach including a literature review and practitioner interviews. A taxonomy was drafted based on 71 previous research publications. It was then updated and refined in two iterations of interviews with domain experts.

Findings

The result of this research is a taxonomy which outlines six domains of importance for organizational CSA. Each domain includes several activities which can be undertaken to increase CSA within an organization. As such, it provides a holistic overview of the CSA field.

Practical implications

Organizations can adopt the taxonomy to create a roadmap for internal CSA practices. For example, an organization could assess how well it performs in the six main themes and use the subthemes as inspiration when deciding on CSA activities.

Originality/value

The output of this research provides an overview of CSA based on information extracted from existing literature and then reviewed by practitioners. It also outlines how different aspects of CSA are interdependent on each other.

Place, publisher, year, edition, pages
Emerald Group Publishing Limited, 2025
Keywords
Awareness, Cybersecurity, Information security, Culture
National Category
Information Systems, Social aspects
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-24001 (URN); 10.1108/ics-11-2023-0209 (DOI); 001248981600001 (); 2-s2.0-85196288074 (Scopus ID)
Note

CC BY 4.0

Article publication date: 20 June 2024. Issue publication date: 29 April 2025

Corresponding author Joakim Kävrestad can be contacted at: joakim.kavrestad@ju.se

Available from: 2024-06-20 Created: 2024-06-20 Last updated: 2025-09-29 Bibliographically approved
Kävrestad, J. & Nohlberg, M. (2025). Context-Based Micro-training (3ed.). In: Sushil Jajodia; Pierangela Samarati; Moti Yung (Ed.), Encyclopedia of Cryptography, Security and Privacy: (pp. 429-432). Cham: Springer
2025 (English) In: Encyclopedia of Cryptography, Security and Privacy / [ed] Sushil Jajodia; Pierangela Samarati; Moti Yung, Cham: Springer, 2025, 3, p. 429-432. Chapter in book (Other academic)
Abstract [en]

Definition

Context-Based Micro-Training (CBMT) is a method for implementing cybersecurity training for end-users. CBMT includes goals that describe what such training should aim to facilitate and guidelines that outline how.

Background

Users are expected to behave in a certain way in cyberspace to ensure cybersecurity. Policies and technical controls, for instance, provide rules that regulate how passwords should be created, how users should react to email, and what information is allowed to be given away on the phone. Yet, incorrect or insecure user actions continuously lead to cybersecurity incidents (Safa and Von Solms 2016). The use of training to support users towards secure behavior has been suggested by researchers for decades and is often used in practice. Such training can be delivered to users in different ways that can be grouped as follows:

Scheduled training often takes the form of a live lecture delivered physically or online.
On-demand training where the user will access ...

Place, publisher, year, edition, pages
Cham: Springer, 2025 Edition: 3
National Category
Information Systems, Social aspects; Information Systems
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-25075 (URN); 10.1007/978-3-030-71522-9_1781 (DOI); 2-s2.0-105002550703 (Scopus ID); 978-3-030-71522-9 (ISBN); 978-3-030-71520-5 (ISBN)
Available from: 2025-04-24 Created: 2025-04-24 Last updated: 2025-09-29 Bibliographically approved
Birath, M., Ingemarsson, J. & Kävrestad, J. (2025). How Digital Evidence Seizure Times Affect Swedish Citizens’ Willingness to Report Crimes. In: Steven Furnell; Nathan Clarke (Ed.), Human Aspects of Information Security and Assurance: 19th IFIP WG 11.12 International Symposium, HAISA 2025, Mytilene, Greece, July 7–9, 2025, Proceedings. Paper presented at 19th IFIP WG 11.12 International Symposium, HAISA 2025, Mytilene, Greece, July 7–9, 2025 (pp. 155-170). Cham: Springer
2025 (English) In: Human Aspects of Information Security and Assurance: 19th IFIP WG 11.12 International Symposium, HAISA 2025, Mytilene, Greece, July 7–9, 2025, Proceedings / [ed] Steven Furnell; Nathan Clarke, Cham: Springer, 2025, p. 155-170. Conference paper, Published paper (Refereed)
Abstract [en]

While the prevalent use of digital devices has many benefits in a modern society, it has also increased the complexity of evidence acquisition in crime investigations. With a digital device being seized in almost all criminal cases, creating investigation backlogs, a need for investigating how this challenge affects victims’ willingness to report crimes is rising. Previous research shows that victims are less inclined to report crimes when having to hand in a mobile phone for evidence acquisition. However, why that is remains unclear. Taking a quantitative approach, we investigate the assumed relation between the willingness to report crimes and the time a mobile phone is seized for evidence collection. A survey was sent out to 500 Swedish citizens inquiring how likely they are to report various crimes in relation to the time their mobile phone would be seized by the police. The results show a significantly reduced willingness to report crimes as the seizure times increase, consequently resulting in unreported crimes. The findings also indicate a variation in reporting willingness among various crimes, suggesting a reluctance to report crimes of less monetary consequence, ultimately accepting victimization and enabling unlawful behavior.

Place, publisher, year, edition, pages
Cham: Springer, 2025
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238, E-ISSN 1868-422X ; 761
Keywords
Digital Evidence, Willingness to Report, Evidence Acquisition, Digital Forensics
National Category
Information Systems, Social aspects; Computer Sciences; Information Systems; Other Computer and Information Science
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-25978 (URN); 10.1007/978-3-032-02504-3_11 (DOI); 978-3-032-02503-6 (ISBN); 978-3-032-02506-7 (ISBN); 978-3-032-02504-3 (ISBN)
Conference
19th IFIP WG 11.12 International Symposium, HAISA 2025, Mytilene, Greece, July 7–9, 2025
Note

Correspondence to Marcus Birath. marcus.birath@his.se

Available from: 2025-10-30 Created: 2025-10-30 Last updated: 2025-11-04 Bibliographically approved
Kävrestad, J., Fernow, R., Lööf, D. & Birath, M. (2025). Multi-factor Authentication Adoption: A Comparison Between Digital Natives and Digital Immigrants in Sweden. In: Nathan Clarke; Steven Furnell (Ed.), Human Aspects of Information Security and Assurance: 18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024, Proceedings, Part I. Paper presented at 18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024 (pp. 323-338). Cham: Springer
2025 (English) In: Human Aspects of Information Security and Assurance: 18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024, Proceedings, Part I / [ed] Nathan Clarke; Steven Furnell, Cham: Springer, 2025, p. 323-338. Conference paper, Published paper (Refereed)
Abstract [en]

Multi-Factor Authentication (MFA) is commonly suggested as a good mechanism to overcome inherent security problems with the use of passwords. However, research suggests that MFA has so far failed to attract enough interest from users. Additionally, older users seem to be even more reluctant to use MFA. In Sweden, users are more or less required to use MFA to use services such as online banking, book doctor's appointments online, and complete tax reports online. As such, Sweden is an interesting case for studying MFA adoption. This paper reports on mixed-methods research investigating how Swedish users in different age groups compare with respect to the adoption of MFA. The results suggest that users of different ages are willing to adopt MFA when it is required for services they want or need to use. However, younger users appear to be more prone to voluntarily adopt MFA.

Place, publisher, year, edition, pages
Cham: Springer, 2025
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238, E-ISSN 1868-422X ; 721
National Category
Information Systems, Social aspects
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-24788 (URN); 10.1007/978-3-031-72559-3_22 (DOI); 2-s2.0-85211339529 (Scopus ID); 978-3-031-72558-6 (ISBN); 978-3-031-72561-6 (ISBN); 978-3-031-72559-3 (ISBN)
Conference
18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024
Note

First Online: 28 November 2024

Available from: 2024-12-17 Created: 2024-12-17 Last updated: 2025-09-29 Bibliographically approved
Kävrestad, J., Bergström, E., Stavrou, E. & Nohlberg, M. (2025). Useful but for Someone Else - An Explorative Study on Cybersecurity Training Acceptance. In: Nathan Clarke; Steven Furnell (Ed.), Human Aspects of Information Security and Assurance: 18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024, Proceedings, Part II. Paper presented at 18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024 (pp. 47-60). Cham: Springer
2025 (English) In: Human Aspects of Information Security and Assurance: 18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024, Proceedings, Part II / [ed] Nathan Clarke; Steven Furnell, Cham: Springer, 2025, p. 47-60. Conference paper, Published paper (Refereed)
Abstract [en]

Insecure user behavior is the most common cause of cybersecurity incidents. Insecure behavior includes failing to detect phishing, insecure password management, and more. The problem has been known for decades, and state-of-the-art mitigation methods include security education, training, and awareness (SETA). A common problem with SETA is, however, that users do not seem to adopt it to a high enough extent. When users are not adopting SETA, its intended benefit is lost. Previous research argues for personalized SETA and suggests that different user groups have different SETA needs and preferences. The characteristics of those groups are, however, unknown. To that end, this research draws on an existing dataset to identify how different populations perceive different SETA methods. A quantitative analysis shows that users in different demographic groups have different SETA preferences, with age being the most impactful demographic. A qualitative analysis reveals further factors that impact user adoption of SETA, with cost and ease of use being important factors for further research. 

Place, publisher, year, edition, pages
Cham: Springer, 2025
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238, E-ISSN 1868-422X ; 722
Keywords
Awareness, Cybersecurity, Education, Human Factor, SETA, Training, User, Phishing, Cyber security, Education training, Password management, Security awareness, Security education, Security training, User behaviors
National Category
Information Systems; Information Systems, Social aspects; Human Computer Interaction
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-24794 (URN); 10.1007/978-3-031-72563-0_4 (DOI); 001561043300004 (); 2-s2.0-85211347407 (Scopus ID); 978-3-031-72562-3 (ISBN); 978-3-031-72565-4 (ISBN); 978-3-031-72563-0 (ISBN)
Conference
18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024
Projects
VISKA; ICANP
Funder
Swedish Civil Contingencies Agency, MSB 2021-14650; Swedish Civil Contingencies Agency, MSB 2023-10887
Note

© IFIP International Federation for Information Processing 2025

Correspondence Address: J. Kävrestad; School of Engineering, Jönköping University, Jönköping, Sweden; email: joakim.kavrestad@ju.se

We gratefully acknowledge the grants from the Swedish Civil Contingencies Agency (MSB), projects VISKA (MSB 2021-14650) and ICANP (MSB 2023-10887).

Available from: 2024-12-19 Created: 2024-12-19 Last updated: 2025-10-17 Bibliographically approved
Kävrestad, J., Rambusch, J. & Nohlberg, M. (2024). Design principles for cognitively accessible cybersecurity training. Computers & Security, 137, Article ID 103630.
2024 (English) In: Computers & Security, ISSN 0167-4048, E-ISSN 1872-6208, Vol. 137, article id 103630. Article in journal (Refereed) Published
Abstract [en]

Exploiting human behavior to gain unauthorized access to computer systems has become common practice for modern cybercriminals. Users are expected to adopt secure behavior to avoid those attackers. This secure behavior requires cognitive processing and is often seen as a nuisance, which could explain why attacks exploiting user behavior continue to be a fruitful approach for attackers. While adopting secure behavior can be difficult for any user, it can be even more difficult for users with cognitive disabilities. This research focuses on users with cognitive disabilities with the intent of developing design principles for the development of cognitively accessible cybersecurity training. The target group is estimated to include almost 10 % of all users but is previously understudied. The results show that the target group experiences cybersecurity as cognitively demanding, sometimes to a degree that becomes incapacitating. Participating in cybersecurity training requires cognitive energy, which is a finite resource. Cognitively accessible cybersecurity training requires a minimalist design approach and inclusion of accessibility functions. A minimalist design approach, in this case, means that both informative and design elements should be kept to a minimum. The rationale is that all such elements require cognitive processing, which should be kept to a minimum.

Place, publisher, year, edition, pages
Elsevier, 2024
Keywords
Accessible security, Cognitive accessibility, Cybersecurity training, Cybersecurity training design, Usable security, Behavioral research, Network security, Cognitive processing, Cyber security, Design Principles, Training design, Cybersecurity
National Category
Information Systems; Human Computer Interaction
Research subject
Information Systems; GAME Research Group
Identifiers
urn:nbn:se:his:diva-23469 (URN); 10.1016/j.cose.2023.103630 (DOI); 001134538700001 (); 2-s2.0-85178635646 (Scopus ID)
Funder
The Swedish Post and Telecom Authority (PTS), 19-10617
Note

CC BY 4.0 DEED

© 2023 The Author(s)

Correspondence Address: J. Kävrestad; Jönköping School of Engineering, Jönköping, Gjuterigatan 5, 551 11, Sweden; email: joakim.kavrestad@ju.se; CODEN: CPSED

This research was funded by the Swedish Post and Telecom Authority under grant number 19-10617.

Available from: 2023-12-14 Created: 2023-12-14 Last updated: 2025-09-29 Bibliographically approved
Kävrestad, J. & Nohlberg, M. (2024). Ett fundament i den svenska högre utbildningsmodellen är att kombinera forskning och undervisning. Aktuell säkerhet (2024-01-08)
2024 (Swedish) In: Aktuell säkerhet, no 2024-01-08. Article in journal (Other (popular science, discussion, etc.)) Published
Abstract [sv]

Joakim Kävrestad, senior lecturer in computer science at the School of Engineering, Jönköping University, and Marcus Nohlberg, associate professor of information technology at the University of Skövde, disagree with Jan Kallberg that Swedish cybersecurity research should be concentrated in a few locations.

National Category
Information Systems, Social aspects
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-23515 (URN)
Note

Rejoinder

Available from: 2024-01-08 Created: 2024-01-08 Last updated: 2025-09-29 Bibliographically approved
Ingemarsson, J., Birath, M. & Kävrestad, J. (2024). Factors influencing Swedish citizens’ willingness to provide their mobile phones to forensic examination. International Journal of Information Security, 24(1), Article ID 42.
2024 (English) In: International Journal of Information Security, ISSN 1615-5262, E-ISSN 1615-5270, Vol. 24, no 1, article id 42. Article in journal (Refereed) Published
Abstract [en]

The willingness of victims to report crimes is declining, which leads to an increase in the dark figure of crime and undermines effective crime control. One possible reason is that victims are reluctant to report crimes if they are required to submit their digital devices for forensic examination. Today, a mobile phone holds vast amounts of information that may be valuable for police forensics experts, showing that victims’ phones could be critical in crime investigations. This interview study has investigated the factors that influence Swedish citizens’ willingness to report crimes when reporting involves surrendering their own mobile phones for forensic analysis. The study also uncovered factors that increase their willingness to report crimes under the same circumstances. The gathered data was subjected to a qualitative analysis with thematic coding, resulting in four distinct themes with 12 categories distributed among them. The analysis reveals that the primary factors affecting Swedish citizens’ willingness to report crimes are privacy concerns, with participants feeling uneasy about others accessing their private data, and anxiety over being separated from their mobile phones. Furthermore, the study finds that the most significant factors for increasing the willingness to report crimes are enhanced information and transparency from the police. Participants suggested that a better understanding of the process and increased openness would increase their willingness to report.

Place, publisher, year, edition, pages
Springer Nature, 2024
Keywords
Digital forensics, Willingness to report, Evidence, Evidence acquisition, Crime investigations
National Category
Computer Sciences; Information Systems; Other Computer and Information Science
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-24787 (URN); 10.1007/s10207-024-00955-4 (DOI); 001377057200001 (); 2-s2.0-85212133288 (Scopus ID)
Funder
University of Skövde
Note

CC BY 4.0

jonas.ingemarsson@his.se

Open access funding provided by University of Skövde.

Available from: 2024-12-16 Created: 2024-12-16 Last updated: 2025-09-29 Bibliographically approved
Kävrestad, J., Furnell, S. & Nohlberg, M. (2024). User perception of Context-Based Micro-Training – a method for cybersecurity training. Information Security Journal, 33(2), 121-137
2024 (English) In: Information Security Journal, ISSN 1939-3555, E-ISSN 1939-3547, Vol. 33, no 2, p. 121-137. Article in journal (Refereed) Published
Abstract [en]

User behavior is one of the biggest challenges to cybersecurity in modern organizations. Users are continuously targeted by attackers and required to have sufficient knowledge to spot and avoid such attacks. Different training methods are suggested and used in the industry to support users to behave securely. The challenge remains, and improved methods for end-user cybersecurity training are needed. This paper introduces and evaluates user perception of a method called Context-Based Micro-Training (CBMT). This approach suggests that training should be delivered in short sequences when the information is of direct relevance. The intention is to provide training directly related to the user’s current situation while also providing an awareness-increasing effect. This notion is tested in a survey-based evaluation involving 1,452 respondents from Sweden, Italy, and the UK, comparing the perception of CBMT against the experience of traditional approaches. The results emphasize that current methods are not effective enough and show that CBMT is perceived positively by respondents in all sample groups. The study further evaluated how demographic aspects impact the perception of CBMT and found that a diverse group of users can appreciate it.

Place, publisher, year, edition, pages
Taylor & Francis, 2024
Keywords
cybersecurity, end-user, perception, training
National Category
Computer and Information Sciences; Human Computer Interaction; Information Systems, Social aspects
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-22660 (URN); 10.1080/19393555.2023.2222713 (DOI); 001004357200001 (); 2-s2.0-85161683304 (Scopus ID)
Funder
Vinnova, 2019-05021
Note

CC BY 4.0

Published online: 09 Jun 2023

CONTACT Joakim Kävrestad, joakim.kavrestad@his.se

The work was supported by VINNOVA under the grant [2019-05021].

Available from: 2023-06-09 Created: 2023-06-09 Last updated: 2025-10-06 Bibliographically approved
Kävrestad, J., Nohlberg, M. & Furnell, S. (2023). A taxonomy of SETA methods and linkage to delivery preferences. The Data base for Advances in Information Systems, 54(4), 107-133
2023 (English) In: The Data base for Advances in Information Systems, ISSN 0095-0033, Vol. 54, no 4, p. 107-133. Article in journal (Refereed) Published
Abstract [en]

Cybersecurity threats targeting users are common in today’s information systems. Threat actors exploit human behavior to gain unauthorized access to systems and data. The common suggestion for addressing this problem is to train users to behave better using SETA programs. The notion of training users is old, and several SETA methods are described in scientific literature. Yet, incidents stemming from insecure user behavior continue to happen and are reported as one of the most common types of incidents. Researchers argue that empirically proven SETA programs are needed and point out focus on knowledge rather than behavior, and poor user adoption, as problems with existing programs. The present study aims to research user preferences regarding SETA methods, with the motivation that a user is more likely to adopt a program perceived positively. A qualitative approach is used to identify existing SETA methods, and a quantitative approach is used to measure user preferences regarding SETA delivery. We show that users prefer SETA methods to be effortless and flexible and outline how existing methods meet that preference. The results outline how SETA methods respond to user preferences and how different SETA methods can be implemented to maximize user perception, thereby supporting user adoption.

Place, publisher, year, edition, pages
Association for Computing Machinery (ACM), 2023
Keywords
Cybersecurity, Security Training, Security Behavior, Security Awareness, User Training
National Category
Information Systems, Social aspects
Research subject
INF303 Information Security; Information Systems
Identifiers
urn:nbn:se:his:diva-22261 (URN); 10.1145/3631341.3631348 (DOI); 001098050000006 (); 2-s2.0-85176937421 (Scopus ID)
Note

The ACM Digital Library is published by the Association for Computing Machinery. Copyright © 2023 ACM, Inc.

Available from: 2023-02-14 Created: 2023-02-14 Last updated: 2025-09-29 Bibliographically approved
Identifiers
ORCID iD: orcid.org/0000-0003-2084-9119