1. A Behavioral Economics Perspective on Cognitive Biases in Cybersecurity. Alecse, Cristian. 01 January 2022.
As the complexity of technology and information systems constantly increases, the human component becomes ever more prone to cybersecurity errors. Nevertheless, the existing information security policies created to prevent cybersecurity incidents take very little account of human behavior. This corresponds with the view of the neoclassical economics model that regards humans as rational agents who have perfect self-control and who make only rational choices when provided with adequate information. Behavioral economics introduced quantifiable irrationalities into the model, allowing for an explanation of why humans often take decisions that are not in their best interest. This dissertation comprises three studies that explore the influence of cognitive biases and heuristics in cybersecurity. Findings from Study 1 confirm that, when presented with a large assortment of choices, individuals are more likely to defer their decision than when presented with a small assortment of choices. Also, time constraints act as a moderator in the relationship between the number of choices and decision deferral caused by choice overload. Study 2 revealed that the level of fear of missing out is positively correlated with the level of social engineering vulnerability, and a negative correlation of information security awareness with social engineering vulnerability was confirmed. Also, an analysis of the influence of information security awareness on the relationship between the level of fear of missing out and the level of social engineering vulnerability indicated a moderation effect. Study 3 emphasized the importance of integrating the habit concept into research on information systems security by revealing a positive correlation between the level of habits in daily life and the level of ISS compliance habits. Also, the study confirmed that ISS training participation is positively correlated with the strength of ISS compliance habits.

2. Interdisciplinary Cybersecurity for Resilient Cyberdefense. Ait Maalem Lahcen, Rachid. 01 January 2020.
Cybersecurity's role is to protect the confidentiality, integrity, and availability of enterprise assets. Confidentiality secures data from theft, integrity mitigates malicious modification of data, and availability assures continued access to systems and services. However, achieving these goals is difficult due to the mushrooming of cyber attackers, from individuals to state actors, with motives ranging from ideology, financial gain, state-sponsored espionage, and revenge to simple curiosity and boredom. The difficulty also lies in the complexity of the cyber layers, which are not well studied: layers that interconnect and require effective communication and collaboration. This effectiveness is still lacking in cyber programs. To understand this complexity, one must seek an interdisciplinary approach to cybersecurity. Interdisciplinary study requires understanding of technology, mathematics, engineering, psychology, economics, human factors, and political science. Hence, this dissertation proposes an Interdisciplinary Cybersecurity for Resilient Cyberdefense (ICRC) model that includes (1) building behavioral aspects of cybersecurity with insider threat insights, (2) mastering encryption standards and requirements through developing a novel encryption method, (3) understanding different cyberdefense strategies' costs and payoffs by using game theory, (4) assessing vulnerabilities in networks and planning ethical hacking in an audit, (5) studying machine learning challenges in cybersecurity to improve tools and set new ontologies for different threats, including the insider threat risk, and (6) addressing trustworthiness by aligning the overall requirements of cybersecurity. ICRC is more than the sum of the above parts; it is a new approach for cybersecurity professionals to consider expanding their expertise to be interdisciplinary. Since cybersecurity is a complex task, it requires a team that can handle its complexity. However, a given team's structure, hierarchy, and members' characteristics could negatively affect that team's performance. By executing ICRC, both the team and the individuals seek interdisciplinary approaches to contribute to the enterprise's resilience.

3. Human-out-of-the-Loop Swarm-based IoT Network Penetration Testing by IoT Devices. Schiller, Thomas. 15 August 2023.
Networks of IoT devices are becoming increasingly important, but these networks are prone to cybersecurity issues. This work provides a novel approach for safer IoT networks: swarm-based IoT cybersecurity penetration testing by other IoT devices in the same network. To test this scenario, a simulation environment including three different penetration testing algorithms was developed. A linear penetration testing algorithm mimics human penetration testing activities and is used with a single agent and with multiple agents. A swarm-based algorithm utilizing queues adds communication between agents. The third algorithm is a swarm algorithm that uses Particle Swarm Optimization (PSO), thus adding a nature-based approach. All three algorithms are used to find vulnerabilities in simulated IoT networks of two different sizes. The networks are a smart home with 30 IoT devices and a smart building with 250 IoT devices. This study's results show the superiority of multi-agent approaches over linear, single-agent approaches to detecting unique vulnerabilities in a network. The swarm algorithms, which used communication between agents, outperformed the multi-agent approach with no communication. Additionally, the swarm algorithm utilizing queues demonstrated faster detection of vulnerabilities than the PSO algorithm. However, over time, the PSO outperformed the queue-based algorithm on the smart home scale. The smart building scale also provided faster detection for the queue-based algorithm than for the PSO. However, the PSO approach again provides better results over time and uses less computation time and memory resources.

4. Establishing an information security awareness and culture. Korovessis, Peter. January 2015.
In today’s business environment all business operations are enabled by technology. Its always-on and connected nature has brought new business possibilities but at the same time has increased the number of potential threats. Information security has become an established discipline as more and more businesses realize its value. Many surveys have indicated the importance of protecting valuable information, and an important aspect that must be addressed in this regard is information security awareness. The human component has been recognized to have an important role in information security, since the only way to reduce security risks is through making employees more information security aware. This also means that employees take responsibility for their actions when dealing with information in their everyday activities. The research concentrates mainly on information security concepts and their relation to the human factor, with evidence that users remain susceptible to information security threats, thus illustrating the need for more effective user training in order to raise the level of security awareness. Two surveys were undertaken in order to investigate the potential of raising security awareness within existing education systems by measuring the level of security awareness amongst the online population. The surveys analyzed not only the awareness levels and needs of students during their study and their preparation towards entering the workforce, but also whether this awareness level changes as they progress in their studies. The results of both surveys established that the awareness level of students concerning information security concepts is not sufficient for students entering university education and does not significantly change as they progress through their academic life towards entering the workforce. In respect to this, the research proposes and develops the information security toolkit as a prototype awareness-raising initiative. The research goes one step further by piloting and evaluating toolkit effectiveness. As an awareness-raising method, the toolkit will be the basis for the general technology user to understand the challenges associated with secure use of information technology and will help them assess their current knowledge, identify gaps and weaknesses, and acquire the knowledge required to be competent and confident users of technology.

5. The antecedents of information security policy compliance. Bulgurcu, Burcu. 11 1900. Sauder School of Business, Graduate.
Information security is one of the major challenges for organizations that critically depend on information systems to conduct their businesses. Ensuring the safety of information and technology resources has become the top priority for many organizations, since the consequences of failure can be devastating. Many organizations recognize that their employees, who are often considered the weakest link in information security, can also be a great resource in the fight against information security-related risks. The key, however, is to ensure that employees comply with the organization's information security-related rules and regulations. Therefore, understanding an employee's compliance behavior is crucial for organizations to effectively leverage their human capital to strengthen their information security.
This research aims at identifying antecedents of an employee’s compliance with the information security policy (ISP) of his/her organization. Specifically, we address how employees without any malicious intent choose to comply with requirements of the ISP with regard to protecting the information and technology resources of their organizations. Drawing on the Theory of Planned Behavior, we show that an employee’s attitude towards compliance results in his/her intention to comply with the ISP. Of those, Benefit of Compliance and Cost of Non-Compliance are shown to be shaped by positive and negative reinforcing factors, such as Intrinsic Benefit, Safety of Resources, and Rewards, and Intrinsic Cost, Vulnerability of Resources, and Sanctions, respectively. We also investigate the role of information security awareness in an employee’s ISP compliance behavior. As expected, we show that information security awareness positively influences attitude towards compliance. We also show that information security awareness positively influences the perception of reinforcing factors and negatively increases perception of the Cost of Compliance. As organizations strive to get their employees to follow their information security rules and regulations, our study sheds light on the role of an employee’s information security awareness and his/her beliefs about the rationality of compliance and non-compliance with the ISP.

8. Personalising information security education. Talib, Shuhaili. January 2014.
Whilst technological solutions go a long way in providing protection for users online, it has long been understood that the individual also plays a pivotal role. Even with the best of protection, an ill-informed person can effectively remove any protection the control might provide. Information security awareness is therefore imperative to ensure a population is well educated with respect to the threats that exist to one’s electronic information, and how to better protect oneself. Current information security awareness strategies are arguably lacking in their ability to provide a robust and personalised approach to educating users, opting for a blanket, one-size-fits-all solution. This research focuses upon achieving a better understanding of the information security awareness domain; appreciating the requirements such a system would need; and, importantly, drawing upon established learning paradigms in seeking to design an effective personalised information security education. A survey was undertaken to better understand how people currently learn about information security. It focussed primarily upon employees of organisations, but also examined the relationship between work and home environments and security practice. The survey also focussed upon understanding how people learn and their preferences for styles of learning. The results established that some good work was being undertaken by organisations in terms of security awareness, and that respondents benefited from such training – both in their workplace and also at home – with a positive relationship between learning at the workplace and practice at home. The survey highlighted one key aspect for both the training provided and the respondents’ preference for learning styles: it varies. It is also clear that it was difficult to establish the effectiveness of such training and its impact upon practice. The research, after establishing experimentally that personalised learning was a viable approach, proceeded to develop a model for information security awareness that utilised the already successful field of pedagogy and individualised learning. The resulting novel framework, “Personalising Information Security Education (PISE)”, is proposed. The framework is a holistic approach to solving the problem of information security awareness that can be applied both in the workplace environment and as a tool for the general public. It does not focus upon what is taught, but rather puts into place the processes to enable an individual to develop their own personalised information security learning plan and to measure their progress through the learning experience.

9. Fast algorithms for public key cryptography. Han, Yong-Fei. January 1996.
No description available.

10. Management of operational risks related to information security in financial organizations. Mehmood, Furhan; Rafique, Rajia. January 2010.
Date: 30th May 2010
Authors: Rajia Rafique, Furhan Mehmood
Tutor: Dr. Michael Le Duc, Dr. Deepak Gupta
Title: Management of Operational Risks related to Information Security in Financial Organizations
Introduction: Information security is very significant for organizations, especially for financial organizations, where customer information and customer satisfaction are considered the most important assets. Therefore customer information must be protected from information security breaches in order to satisfy customers. Financial organizations use their customers’ information several times a day to deal with different operations. These operations contain several types of risks. Operational risks related to information security are becoming sensational for financial organizations. Financial organizations concentrate on reducing the exposure to operational risk related to information security because these risks can affect the business to a great extent. Financial organizations need policies and techniques which can be used to reduce the exposure to operational risk and to enhance information security. Several authors discuss several types of operational risk related to information security, and several authors discuss the techniques to avoid these risks in order to enhance information security.
Problem: Investigate the concept of operational risks related to information security and how it is perceived in financial organizations.
Purpose: The aspiration of writing this report is to describe and analyze operational risks related to information security in financial organizations and then to present some suggestions in the form of policies or techniques which can be used by financial organizations to enhance their information security.
Method: Since our thesis is qualitative, an exploratory research approach is used to carry out the research. The authors tried to use secondary sources of information as well as primary sources of information in order to get maximum knowledge about the topic and to come up with the maximum possible output.
Target Audience: The target audience we have in mind for this paper consists of both academic readers and professionals who have an interest in and some knowledge of information security and operational risks. The target audience for this research work includes professionals, academic readers and both investigated organizations (NCCPL and CDC).
Conclusion: Critically analyzing the literature written by various authors and the worthy information provided by our primary sources gave us the opportunity to develop a solution to keep the operations secure from risks and to fix the current problems related to information security. We found that there are different types of operational risks related to information security which can affect the business of financial organizations, and that there are various techniques which can be used by financial organizations to solve the current issues related to operational risks in order to enhance information security. It was also found that top management in financial organizations is interested in issues about information security operational risk, and they showed their keen interest in adopting new effective techniques.
Keywords: Information Security, Information Security Risks, Operational Risks, Operational Risk Management, Operational Risks in Financial Organizations.