Editorial: Human aspects of cyber security

Human aspects are now widely recognised as being a key factor in providing a holistic cyber security solution. The nature of what we mean by human aspects can vary quite considerably, from intuitive aspects such as information security awareness and human computer interaction to the less instinctive yet still important aspects such as the development of technical solutions that remove or reduce the security burden placed upon individuals. What all these areas have in common is the impact they have upon the people involved.

With this in mind, the Human Aspects of Information Security and Assurance symposium series seeks to provide a forum for a community of related researchers working in this area. In July 2023, the 17th event in the series was held in Canterbury, UK. A total of 37 reviewed papers were presented over three days. From these, eight authors were invited to submit extended versions of their work for publication in this special issue. The resulting papers draw upon a range of areas including social engineering, cyber security culture, information security policies and the issue of cyber security awareness.

In the first of the studies, Ahmad et al. explores the increasing problem of phishing via mobile instant messaging. Capitalising on the lack of technical safeguards, this attack vector is becoming increasingly popular. The study examines 67 examples of instant message phishing and explores the persuasion techniques attackers utilise.

Three of the studies focused explore user behaviour and workload. Wright et al. focussed upon the preventive measures taken by employees towards cybercrime. Drawing upon over 200 participants during the pandemic, the study explored the Theory of Interpersonal Behaviour to demonstrate a strong correlation between the intent to engage in cybercrime preventative behaviour and actual practice. Whitty et al. developed a framework for focussing upon the social-technical variables that impact insider-based intellectual property theft. Drawing upon Situational Crime Prevention Theory, the model offers up novel opportunities to assist policymakers in preventing these types of attack. Reeves et al. explored the workload impact on the cybersecurity workforce. Utilising the Maslach Burnout Inventory (MBI), a survey of 119 cyber security professionals show that gender and job role are significant predictors of emotional exhaustion, with all roles tending to score higher on the MBI when compared to the Australian national population.

Information security policies are key instruments used by organisations to define what the organisation wishes to achieve. Two of the papers explored the utility of these policies in practice. Rostami and Karlsson analysed the usefulness of information security policies with respect to the degree to which the policy could easily be actioned in practice. An examination of 15 policies from a range of Swedish public agencies found that just a third of the policies provide over 50% of actionable advice, with two-thirds of policies containing ambiguous advice that employees can use. Gerdin et al. investigated compliance and information security policies. Focussing upon employee compliance/non-compliance they study presents the findings of 17 in-depth interviews to explore the discrepancies between what is claimed to be measured versus what is actually measured and what respondents’ interpretations are.

The final two papers focus upon cyber security awareness and preparedness. Stavrou and Piki present the importance of self-efficacy in education to foster professional development in cyber security. Using a skills-first approach, the study presents a novel curriculum design to actively nurture self-efficacy and promote improving attitudes towards upskilling in cyber security. Hedberg et al. undertake a study to explore the readiness of auto workshops in managing and responding to such attacks. Modern cars are increasingly smarter and more connected, thereby becoming a potential target for cybercriminals. Based upon a study of eight auto workshops in Sweden, it was found that there was currently limited capability, awareness and knowledge to deal with such issues.

The papers collectively illustrate a range of relevant activities in the domain of human aspects, and it is certain that the breadth of the area as a whole will continue to offer rich opportunities for further research in the years to come.