Search results

Developing cybersecurity awareness (CSA) is becoming a more and more important goal for modern organizations. CSA is a complex sociotechnical system where social, technical and organizational aspects affect each other in an intertwined way. With the goal of providing a holistic representation of CSA, this paper aims to develop a taxonomy of factors that contribute to organizational CSA.

The research used a design science approach including a literature review and practitioner interviews. A taxonomy was drafted based on 71 previous research publications. It was then updated and refined in two iterations of interviews with domain experts.

The result of this research is a taxonomy which outline six domains for importance for organization CSA. Each domain includes several activities which can be undertaken to increase CSA within an organization. As such, it provides a holistic overview of the CSA field.

Organizations can adopt the taxonomy to create a roadmap for internal CSA practices. For example, an organization could assess how well it performs in the six main themes and use the subthemes as inspiration when deciding on CSA activities.

The output of this research provides an overview of CSA based on information extracted from existing literature and then reviewed by practitioners. It also outlines how different aspects of CSA are interdependent on each other.

As home users are increasingly responsible for securing their computing devices and home networks, there is a growing need to develop interventions to assist them in protecting their home networking devices, which are vulnerable to attack. To this end, this paper aims to examine the motivating factors that drive South African fibre users to protect their home networking devices.

Using the protection motivation theory as the primary framework, a measurement instrument comprising 53 questionnaire items was developed to measure 13 constructs. The study collected empirical data from a sample of 392 South African home fibre users and evaluated the research model using structural equation modelling.

The evaluation showed a good fit, with 12 out of 15 predicted hypotheses being accepted for the final research model, contributing to the understanding of the factors that motivate home users to protect their home networking devices.

To the best of the authors’ knowledge, this study is the first to model the factors that drive South African home fibre users to protect their home networking devices. Knowing these factors could help home internet service providers and security software vendors of home products to develop security interventions that could assist home fibre users to secure their home networking devices.

Cybersecurity has received growing attention from academic researchers and industry practitioners as a strategy to accelerate performance gains and social sustainability. Meanwhile, firms are usually prone to cyber-risks that emanate from their supply chain partners especially third-party logistics providers (3PLs). Thus, it is crucial to implement cyber-risks management in 3PLs to achieve social sustainability in supply chains. However, these 3PLs are faced with critical difficulties which tend to hamper the consistent growth of cybersecurity. This paper aims to analyze these critical difficulties.

Data were sourced from 40 managers in Nigerian 3PLs with the aid of questionnaires. A novel quantitative methodology based on the synergetic combination of interval-valued neutrosophic analytic hierarchy process (IVN-AHP) and multi-objective optimization on the basis of a ratio analysis plus the full multiplicative form (MULTIMOORA) is applied. Sensitivity analysis and comparative analysis with other decision models were conducted.

Barriers were identified from published literature, finalized using experts’ inputs and classified under organizational, institutional and human (cultural values) dimensions. The results highlight the most critical dimension as human followed by organizational and institutional. Also, the results pinpointed indigenous beliefs (e.g. cyber-crime spiritualism), poor humane orientation, unavailable specific tools for managing cyber-risks and skilled workforce shortage as the most critical barriers that show the highest potential to elicit other barriers.

By illustrating the most significant barriers, this study will assist policy makers and industry practitioners in developing strategies in a coordinated and sequential manner to overcome these barriers and thus, achieve socially sustainable supply chains.

This research pioneers the use of IVN-AHP-MULTIMOORA to analyze cyber-risks management barriers in 3PLs for supply chain social sustainability in a developing nation.

This investigation serves a dual purpose: providing preliminary results and serving as a pilot study to confirm the viability of the hypotheses advanced towards a full-scale study. This paper aims to present the preliminary findings of an investigation that explored the constructs of personality traits and situational crime prevention theory (SCPT) as antecedents to social cognitive determinants (attitude, perceived behavioural control and subjective norms using the theory of planned behaviour [TPB] framing) and how these elements subsequently estimate compliant information security behaviour. Moreover, this paper delves into the contrasting influences of light and dark personality traits on insider information security compliance.

A cross-sectional survey was conducted to study SCPT measures and the personality factors dyad using a diverse but limited sample (n = 82).

There were ten significant direct relationships between SCPT factors and personality traits related to the components of the TPB. Seventeen hypotheses were not supported. However, these findings highlight the complexity of the topic under study.

Understanding individual differences within the compliance model could be used for custom training protocols, employee selection, assignment and specific types of information security interventions.

There is a scarcity of studies considering the effects of situational and personality factors, specifically the dark versus light triad of personality traits within the information security domain. Therefore, this preliminary result provides early insight that could guide further studies. This research could have important implications for organisations at risk of insider attacks.

Mental health is not simply the absence of psychological problems any more than physical health is the absence of disease. This chapter explores various aspects of optimal mental health and wellbeing among college students. It examines the question of what is required for college students to both feel their best and function at or near their highest levels. It also discusses the characteristics of peak mental health, including its transient nature. Predictive factors such as exercise, diet, sleep and social connection will be explored. Regarding the features of optimal wellbeing, the following variables are described: integrity, values, mindfulness, self-compassion, flow and resilience. These variables are considered in an integrated fashion as components, as well as byproducts, of wellness. Hettler’s multidimensional model of wellness is presented at the outset of the chapter, followed by Keyes’ theory of flourishing.

The purpose of this paper is to provide an overview of the trends and challenges relating to research into the human aspects of ransomware.

A systematic mapping study was carried out to investigate the trends in studies into the human aspects of ransomware, identify challenges encountered by researchers and propose directions for future research. For each of the identified papers from this study, the authors mapped the year of publication, the type of paper, research strategy and data generation method, types of participants included, theories incorporated and lastly, the authors mapped the challenges encountered by the researchers.

Fifty-nine papers published between 2006 and 2022 are included in the study. The findings indicate that literature on the human aspects of ransomware was scarce prior to 2016. The most-used participant groups in this area are students and cybersecurity professionals, and most studies rely on a survey strategy using the questionnaire to collect data. In addition, many papers did not use theories for their research, but from those that did, game theory was used most often. Furthermore, the most reported challenge is that being hit with ransomware is a sensitive topic, which results in individuals and organisations being reluctant to share their experiences.

This mapping study reveals that the body of literature in the area of human aspects of ransomware has increased over the past couple of years. The findings highlight that being transparent about ransomware attacks, when possible, can help others. Moreover, senior management plays an important role in shaping the information security culture of an organisation, whether to have a culture of transparency or of secrecy.

This study is the first of its kind of systematic mapping studies contributing to the body of knowledge on the human aspects of ransomware.

The accelerated digital transformation and the growing emphasis on privacy, safety and security present ongoing challenges for cybersecurity experts. Alongside these challenges, the multidisciplinary, everchanging and complex nature of the cybersecurity domain has further challenged the acquisition and retention of cybersecurity talent. Empowering reskilling and upskilling in cybersecurity necessitates efficacious educational endeavours which promote self-confidence and foster a growth mindset. The purpose of this paper is to highlight that cultivating self-efficacy in cybersecurity education can help promote competency development and effectively address the prominent skills gaps. This notion applies equally to both aspiring individuals pursuing a career in cybersecurity and professionals in the field who may wish to better articulate the skills they already possess, the skills they lack and newly surfacing skills that need to be developed.

The study discusses the imminent need for adopting a “skills-first” approach in cybersecurity and explores innovative pedagogies and professional frameworks that can inform and frame such an approach. Subsequently, a critical analysis of the importance of self-efficacy towards motivating and supporting upskilling in cybersecurity is performed. A case study is presented, expanding the authors’ previous work on cybersecurity professional development, to demonstrate the mediating role that self-efficacy can play in developing core cybersecurity competencies. The case study presents the design of a new cybersecurity curriculum in the context of postgraduate, synchronous distance cybersecurity education, and it is utilised as a basis to discuss how the proposed curriculum cultivates self-efficacy attitudes.

A skills-first approach is becoming the new norm in contemporary workplaces. This work highlights the importance of actively nurturing self-efficacy attitudes through innovative cybersecurity curricula that can be tailored to the learners’ needs, instigating a drive for learning and, ultimately, helping learners effectively upskilling by portraying a self-directed learning path and a professional growth mindset in cybersecurity.

The authors present the importance of cultivating self-efficacy in higher and lifelong education to foster reskilling and upskilling in cybersecurity. An innovative cybersecurity curriculum was constructed and delivered with a group of learners demonstrating how self-efficacy can be leveraged through interactive, reflective and self-assessment educational activities that enhanced motivation and self-awareness, curiosity, attention to detail and resilience – key skills for a successful career in cybersecurity.

This study aimed to investigate how honest participants perceived an attacker to be during shoulder surfing scenarios that varied in terms of which Principle of Persuasion in Social Engineering (PPSE) was used, whether perceived honesty changed as scenarios progressed, and whether any changes were greater in some scenarios than others.

Participants read one of six shoulder surfing scenarios. Five depicted an attacker using one of the PPSEs. The other depicted an attacker using as few PPSEs as possible, which served as a control condition. Participants then rated perceived attacker honesty.

The results revealed honesty ratings in each condition were equal during the beginning of the conversation, participants in each condition perceived the attacker to be honest during the beginning of the conversation, perceived attacker honesty declined when the attacker requested the target perform an action that would afford shoulder surfing, perceived attacker honesty declined more when the Distraction and Social Proof PPSEs were used, participants perceived the attacker to be dishonest when making such requests using the Distraction and Social Proof PPSEs and perceived attacker honesty did not change when the attacker used the target’s computer.

To the best of the authors’ knowledge, this experiment is the first to investigate how persuasion tactics affect perceptions of attackers during shoulder surfing attacks. These results have important implications for shoulder surfing prevention training programs and penetration tests.

The purpose of this paper is to present the educational computer emergency response team (EduCERT) framework, an integrated response mechanism to bolster national cybersecurity through collaborative efforts in the higher education sector. The EduCERT framework addresses this gap by enhancing cyber security and mitigating cybercrime through collaborative incident management, knowledge sharing and university awareness campaigns.

The authors propose an EduCERT framework following the design science methodology. The framework is developed based on literature and input from focus group experts. Moreover, it is grounded in the principles of the technology-organization-environment framework, organizational learning and diffusion of innovations theory.

The EduCERT has eight components: infrastructure, governance, knowledge development, awareness, incident management, evaluation and continuous improvement. The framework reinforces national cybersecurity through cooperation between universities and the National Computer Emergency Response Team. The framework has been implemented in Jordan to generate a cybersecurity foundation for higher education. Evaluating the EduCERT framework’s influence on national cybersecurity highlights the importance of adopting comprehensive cyber-security policies and controls. The framework application shows its relevance, effectiveness, adaptability and alignment with best practices.

Despite the impact of applying the framework in the Jordanian context, it is essential to acknowledge that the proposed EduCERT framework’s practical implementation may encounter challenges specific to diverse international educational environment sectors. However, framework customization for global applicability could address varied educational institutions in other countries.

Furthermore, the proposed EduCERT framework is designed with universal applicability that extends beyond the specific country’s context. The principles and components presented in the framework can serve as valuable design advice for establishing collaborative and resilient cybersecurity frameworks in educational settings worldwide. Therefore, the research enhances the proposed framework’s practical utility and positions it as an invaluable contribution to the broader discourse on global cybersecurity in academia.

This paper enhances national cybersecurity in the higher education sector, addressing the need for a more integrated response mechanism. The EduCERT framework demonstrates its effectiveness, adaptability and alignment with best practices, offering valuable guidance for global educational institutions.

The increased use of Information Systems (IS) as a working tool for employees increases the number of accounts and passwords required. Despite being more aware of password entropy, users still often participate in deviant password behaviors, known as “password workarounds” or “shadow security.” These deviant password behaviors can put individuals and organizations at risk, resulting in a data breach. This paper aims to engage IS users and Subject Matter Experts (SMEs), focused on designing, developing and empirically validating the Password Workaround Cybersecurity Risk Taxonomy (PaWoCyRiT) – a 2x2 taxonomy constructed by aggregated scores of perceived cybersecurity risks from Password Workarounds (PWWAs) techniques and their usage frequency.

This research study was a developmental design conducted in three phases using qualitative and quantitative methods: (1) A set of 10 PWWAs that were identified from the literature were validated by SMEs along with their perspectives on the PWWAs usage and risk for data breach; (2) A pilot study was conducted to ensure reliability and validity and identify if any measurement issues would have hindered the results and (3) The main study data collection was conducted with a large group of IS users, where also they reported on coworkers' engagement frequencies related to the PWWAs.

The results indicate that statistically significant differences were found between SMEs and IS users in their aggregated perceptions of risks of the PWWAs in causing a data breach, with IS users perceiving higher risks. Engagement patterns varied between the two groups, as well as factors like years of IS experience, gender and job level had statistically significant differences among groups.

The PaWoCyRiT taxonomy that the we have developed and empirically validated is a handy tool for organizational cyber risk officers. The taxonomy provides organizations with a quantifiable means to assess and ultimately mitigate cybersecurity risks.

Passwords have been used for a long time to grant controlled access to classified spaces, electronics, networks and more. However, the dramatic increase in user accounts over the past few decades has exposed the realization that technological measures alone cannot ensure a high level of IS security; this leaves the end-users holding a critical role in protecting their organization and personal information. Thus, the taxonomy that the authors have developed and empirically validated provides broader implications for society, as it assists organizations in all industries with the ability to mitigate the risks of data breaches that can result from PWWAs.

The taxonomy the we have developed and validated, the PaWoCyRiT, provides organizations with insights into password-related risks and behaviors that may lead to data breaches.