A Systematic Review on Human Factors in Cybersecurity

  • Alghamdi, Ahmed (Department of Cybersecurity, College of Computer Science and Engineering, University of Jeddah)
  • Received : 2022.10.05
  • Published : 2022.10.30

Abstract

Organizations spend huge budgets on technological solutions to protect information systems from cyberattacks. However, investing in technology-based protection alone, while keeping humans out of the cyber loop, is not enough. Humans are considered the weakest link in the cybersecurity chain and are, most of the time, unaware that their actions and behaviors have consequences in cyberspace. Therefore, human aspects cannot be neglected in the cybersecurity field. In this work, we carry out a systematic literature review to identify human factors in cybersecurity. A total of 27 papers focusing on human factors in cybersecurity were selected for inclusion in the review. The results show that, of a total of 14 identified human factors, risk perception, lack of awareness, IT skills and gender are considered critical for organizations as far as cybersecurity is concerned. Our results present a further step in understanding the human factors that may cause issues for organizations in cyberspace, and focus on the need for customized and inclusive training and awareness programs.

Acknowledgement

This project was funded by the Deanship of Scientific Research (DSR), University of Jeddah, Jeddah, Saudi Arabia (Project number: UJ-02-18-DR).
