Cyber risk

Phishing emails provide a means to infiltrate the technical systems of organisations by encouraging employees to click on malicious links or attachments. Despite the use of awareness campaigns and phishing simulations, employees remain vulnerable to phishing emails. The present research uses a mixed methods approach to explore employee susceptibility to targeted phishing emails, known as spear phishing. In study one, nine spear phishing simulation emails sent to 62,000 employees over a six-week period were rated according to the presence of authority and urgency influence techniques. Results demonstrated that the presence of authority cues increased the likelihood that a user would click a suspicious link contained in an email. In study two, six focus groups were conducted in a second organisation to explore whether additional factors within the work environment impact employee susceptibility to spear phishing. We discuss these factors in relation to current theoretical approaches and provide implications for user communities.

Highlights

• Susceptibility to phishing emails is explored in an ecologically valid setting.
• Authority and urgency techniques are found to impact employee susceptibility.
• Context-specific factors are also likely to impact employee susceptibility.
• A range of targeted initiatives are required to address susceptibility factors.

(From the journal abstract)

Emma Williams, Joanne Hinds, and Adam N. Joinson. 2018. ‘Exploring Susceptibility to Phishing in the Workplace’. International Journal of Human-Computer Studies, 120 (December): 1–13. https://doi.org/10.1016/j.ijhcs.2018.06.004.

The social and psychological characteristics of individuals who hoard physical items are quite well understood, however very little is known about the psychological characteristics of those who hoard digital items and the kinds of material they hoard. In this study, we designed a new questionnaire (Digital Behaviours Questionnaire: DBQ) comprising 2 sections: the Digital Hoarding Questionnaire (DHQ) assessing two key components of physical hoarding (accumulation and difficulty discarding); and the second measuring the extent of digital hoarding in the workplace (Digital Behaviours in the Workplace Questionnaire: DBWQ).

In an initial study comprising 424 adults we established the psychometric properties of the questionnaires. In a second study, we presented revised versions of the questionnaires to a new sample of 203 adults, and confirmed their validity and reliability. Both samples revealed that digital hoarding was common (with emails being the most commonly hoarded items) and that hoarding behaviours at work could be predicted by the 10 item DHQ. Digital hoarding was significantly higher in employees who identified as having ‘data protection responsibilities’, suggesting that the problem may be influenced by working practices. In sum, we have validated a new psychometric measure to assess digital hoarding, documented some of its psychological characteristics, and shown that it can predict digital hoarding in the workplace.

(From the journal abstract)

Nick Neave, Pam Briggs, Kerry McKellar, and Elizabeth Sillence. 2019. ‘Digital Hoarding Behaviours: Measurement and Evaluation’. Computers in Human Behavior, 96 (July): 72–77. https://doi.org/10.1016/j.chb.2019.01.037.

Scams and other malicious attempts to influence people are continuing to proliferate across the globe, aided by the availability of technology that makes it increasingly easy to create communications that appear to come from legitimate sources. The rise in integrated technologies and the connected nature of social communications means that online scams represent a growing issue across society, with scammers successfully persuading people to click on malicious links, make fraudulent payments, or download malicious attachments.

However, current understanding of what makes people particularly susceptible to scams in online contexts, and therefore how we can effectively reduce potential vulnerabilities, is relatively poor. So why are online scams so effective? And what makes people particularly susceptible to them? This paper presents a theoretical review of literature relating to individual differences and contextual factors that may impact susceptibility to such forms of malicious influence in online contexts.

A holistic approach is then proposed that provides a theoretical foundation for research in this area, focusing on the interaction between the individual, their current context, and the influence message itself, when considering likely response behaviour.

(From the journal abstract)

Williams, Emma J., Amy Beardmore, and Adam N. Joinson. 2017. ‘Individual Differences in Susceptibility to Online Influence: A Theoretical Review’. Computers in Human Behavior 72 (July): 412–21. https://doi.org/10.1016/j.chb.2017.03.002.

Increasingly, connected communication technologies have resulted in people being exposed to fraudulent communications by scammers and hackers attempting to gain access to computer systems for malicious purposes. Common influence techniques, such as mimicking authority figures or instilling a sense of urgency, are used to persuade people to respond to malevolent messages by, for example, accepting urgent updates. An ‘accept’ response to a malevolent influence message can result in severe negative consequences for the user and for others, including the organisations they work for.

This paper undertakes exploratory research to examine individual differences in susceptibility to fraudulent computer messages when they masquerade as interruptions during a demanding memory recall primary task compared to when they are presented in a post-task phase. A mixed-methods approach was adopted to examine when and why people choose to accept or decline three types of interrupting computer update message (genuine, mimicked, and low authority) and the relative impact of such interruptions on performance of a serial recall memory primary task.

Results suggest that fraudulent communications are more likely to be accepted by users when they interrupt a demanding memory-based primary task, that this relationship is impacted by the content of the fraudulent message, and that influence techniques used in fraudulent communications can over-ride authenticity cues when individuals decide to accept an update message. Implications for theories, such as the recently proposed Suspicion, Cognition and Automaticity Model and the Integrated Information Processing Model of Phishing Susceptibility, are discussed.

(From the journal abstract)

Williams, Emma J., Phillip L. Morgan, and Adam N. Joinson. 2017. ‘Press Accept to Update Now: Individual Differences in Susceptibility to Malevolent Interruptions’. Decision Support Systems 96 (April): 119–29. https://doi.org/10.1016/j.dss.2017.02.014.

What happens if you lose trust in the systems on which you rely? If the displays and dashboards tell you everything is operating normally but, with your own eyes, you can see that this is not the case? This is what apparently happened with the Stuxnet virus attack on the Iranian nuclear programme in 2010.

Dr Debi Ashenden, CREST lead on protective security and risk assessment, writes that with cyber attacks set to rise, it’s important that we empower employees to defend our front line.

(From the journal abstract)

Ashenden, Debi. 2017. ‘Employees: The Front Line in Cyber Security’. The Chemical Engineer, February 2017, 908 edition. https://crestresearch. ac.uk/comment/employees-front-line-cyber-security/.

The idea that the internet may enable an individual to become radicalized has been of increasing concern over the last two decades. Indeed, the internet provides individuals with an opportunity to access vast amounts of information and to connect to new people and new groups.

Together, these prospects may create a compelling argument that radicalization via the internet is plausible. So, is this really the case? Can viewing ‘radicalizing’ material and interacting with others online actually cause someone to subsequently commit violent and/or extremist acts? In this article, we discuss the potential role of the internet in radicalization and relate to how cybersecurity and certain HCI ‘affordances’ may support it.

We focus on how the design of systems provides opportunities for extremist messages to spread and gain credence, and how an application of HCI and user-centered understanding of online behavior and cybersecurity might be used to counter extremist messages.

By drawing upon existing research that may be used to further understand and address internet radicalization, we discuss some future research directions and associated challenges.

(From the journal abstract)

Hinds, Joanne, and Adam Joinson. 2017. 'Radicalization, the Internet and Cybersecurity: Opportunities and Challenges for HCI'. In Human Aspects of Information Security, Privacy and Trust, 481–93. Lecture Notes in Computer Science. Springer, Cham. https://researchportal.bath.ac.uk/en/publications/radicalization-the-internet-and-cybersecurity-opportunities-and-c