| 1. |
- Kävrestad, Joakim, 1989-, et al.
(författare)
-
ContextBased MicroTraining : A Framework for Information Security Training
- 2020
-
Ingår i: Human Aspects of Information Security and Assurance. - Cham : Springer. - 9783030574031 - 9783030574048 ; , s. 71-81
-
Konferensbidrag (refereegranskat)abstract
- This paper address the emergent need for training measures designed to improve user behavior in regards to security. We do this by proposing a framework for information security training that has been developed for several years and over several projects. The result is the framework ContextBased MicroTraining (CBMT) which provides goals and guidelines for how to better implement information security training that supports the user in the situation where the user needs support. CBMT has been developed and tested for use in higher education as well as for the support of users during passwords creation. This paper presents version 1.0 of the framework with the latest renements.
|
|
| 2. |
- Nohlberg, Marcus, 1976-, et al.
(författare)
-
Exploring Information Security and Domestic Equality
- 2020
-
Ingår i: Human Aspects of Information Security and Assurance. - Cham : Springer. - 9783030574031 - 9783030574048 ; , s. 224-232
-
Konferensbidrag (refereegranskat)abstract
- It is well known that men and women dier in terms of securitybehavior. For instance, studies report that gender plays a role insecurity non-compliance intentions, malware susceptibility, and securityself-ecacy. While one reason for gender-based dierences can be thatwomen are vastly underrepresented in the community of security professionals,the impact that gender dierences in security behavior haveon equality is an underresearched area. This paper argues that cyberinequalitycan impact domestic inequality and even be an enabler fordomestic abuse. This paper intends to shed light on how digitalizationworks in households in order to problematize around equality in the digitalera. It reports on a survey that measures dierent factors of personalinformation security and shows that men and women do indeed dierin personal information security behavior on a number of points suchas men being more inuential when it comes to ICT decisions in thehousehold.
|
|
| 3. |
- Kävrestad, Joakim, 1989-, et al.
(författare)
-
Users perception of using CBMT for information security training
- 2019
-
Ingår i: Proceedings of the Thirteenth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2019). - : University of Plymouth Press. - 9780244190965 ; , s. 122-131
-
Konferensbidrag (refereegranskat)abstract
- It is well established that user behavior is a crucial aspect of information security and archivingsecure behavior through awareness and security training is the go-to solution proposed bypractitioners as well as the research community. Thus, there is a dire need for efficient trainingmethods for use in the security domain. This paper introduces ContextBased MicroTraining(CBMT), a framework for information security training that dictated that information securitytraining should be delivered to end users in short-sequences when the users are in a situationwhere the training is needed. Further, the users' perception of CBMT in evaluated in an onlinesurvey where about 200 respondents are subjected to training material and asked about how theyperceived them. The results show that users like the training material designed according to theCBMT framework and would prefer to use CBMT over other traditional methods of informationsecurity training.
|
|
| 4. |
- Lennartsson, Markus, et al.
(författare)
-
Exploring the Meaning of "Usable Security"
- 2020
-
Ingår i: Human Aspects of Information Security and Assurance. - Cham : Springer. - 9783030574031 - 9783030574048 ; , s. 247-258
-
Konferensbidrag (refereegranskat)abstract
- While there are many examples of incidents that make theneed for more work around the human aspects of security apparent, theliterature makes it obvious that usable security can mean many dierentthings and usable security is a complex matter. This paper reports on astructured literature review that analyzed what the research communityconsiders to be included in the term "usable security". Publications fromthe past ve years were analyzed and dierent perceptions of usablesecurity were gathered. The result is a listing of the dierent aspectsthat are discussed under the term "usable security" and can be used as areference for future research of practitioners who are developing securityfunctions with usability in mind.
|
|
| 5. |
|
|
| 6. |
- Kävrestad, Joakim, 1989-, et al.
(författare)
-
Can Johnny actually like security training?
- 2020
-
Ingår i: Proceedings of the 6th International Workshop on Socio-Technical Perspective in IS Development (STPIS 2020). - : CEUR-WS. ; , s. 76-83
-
Konferensbidrag (refereegranskat)abstract
- Information security is a socio-technical property where a lot of traditional efforts has been placed in the technical domain. Security has been seen as a technical challenge and the solutions has been technical. However, it is well known that human behavior plays a key role in information security and the user is often seen as the weakest link in the security chain. As such, information security is a socio-technical property where the social, or human side needs increased attention. Security training is commonly suggested as the way to improve user behavior but the effects of various training efforts is also under-researched. This paper demonstrates how ContextBased MicroTraining (CBMT) can be implemented and performs a usability evaluation of that implementation. CBMT is a method for information security training which has been developed over years of research. The paper demonstrates that the CBMT method can aid in the development of highly usable security training. The paper also emphasizes the need for user centered design in development of security software intended for end-users.
|
|
| 7. |
- Kävrestad, Joakim, 1989-, et al.
(författare)
-
Assisting Users to Create Stronger Passwords Using ContextBased MicroTraining
- 2020
-
Ingår i: ICT Systems Security and Privacy Protection. - Cham : Springer. - 9783030582005 - 9783030582012 ; , s. 95-108
-
Konferensbidrag (refereegranskat)abstract
- In this paper, we describe and evaluate how the learning framework ContextBased MicroTraining (CBMT) can be used to assist users to create strong passwords. Rather than a technical enforcing measure, CBMT is a framework that provides information security training to users when they are in a situation where the training is directly relevant. The study is carried out in two steps. First, a survey is used to measure how well users understand password guidelines that are presented in different ways. The second part measures how using CBMT to present password guidelines affect the strength of the passwords created. This experiment was carried out by implementing CBMT at the account registration page of a local internet service provider and observing the results on user-created passwords. The results of the study show that users presented with passwords creation guidelines using a CBMT learning module do understand the password creation guidelines to a higher degree than other users. Further, the experiment shows that users presented with password guidelines in the form of a CBMT learning module do create passwords that are longer and more secure than other users. The assessment of password security was performed using the zxcvbn tool, developed by Dropbox, that measures password entropy.
|
|
| 8. |
- Kävrestad, Joakim, 1989-, et al.
(författare)
-
Evaluation of Contextual and Game-Based Training for Phishing Detection
- 2022
-
Ingår i: Future Internet. - : MDPI. - 1999-5903. ; 14:4
-
Tidskriftsartikel (refereegranskat)abstract
- Cybersecurity is a pressing matter, and a lot of the responsibility for cybersecurity is put on the individual user. The individual user is expected to engage in secure behavior by selecting good passwords, identifying malicious emails, and more. Typical support for users comes from Information Security Awareness Training (ISAT), which makes the effectiveness of ISAT a key cybersecurity issue. This paper presents an evaluation of how two promising methods for ISAT support users in acheiving secure behavior using a simulated experiment with 41 participants. The methods were game-based training, where users learn by playing a game, and Context-Based Micro-Training (CBMT), where users are presented with short information in a situation where the information is of direct relevance. Participants were asked to identify phishing emails while their behavior was monitored using eye-tracking technique. The research shows that both training methods can support users towards secure behavior and that CBMT does so to a higher degree than game-based training. The research further shows that most participants were susceptible to phishing, even after training, which suggests that training alone is insufficient to make users behave securely. Consequently, future research ideas, where training is combined with other support systems, are proposed
|
|
| 9. |
- Kävrestad, Joakim, 1989-, et al.
(författare)
-
A taxonomy of SETA methods and linkage to delivery preferences
- 2023
-
Ingår i: The Data base for Advances in Information Systems. - : Association for Computing Machinery (ACM). - 0095-0033 .- 1532-0936. ; 54:4, s. 107-133
-
Tidskriftsartikel (refereegranskat)abstract
- Cybersecurity threats targeting users are common in today’s information systems. Threat actors exploit human behavior to gain unauthorized access to systems and data. The common suggestion for addressing this problem is to train users to behave better using SETA programs. The notion of training users is old, and several SETA methods are described in scientific literature. Yet, incidents stemming from insecure user behavior continue to happen and are reported as one of the most common types of incidents. Researchers argue that empirically proven SETA programs are needed and point out focus on knowledge rather than behavior, and poor user adoption, as problems with existing programs. The present study aims to research user preferences regarding SETA methods, with the motivation that a user is more likely to adopt a program perceived positively. A qualitative approach is used to identify existing SETA methods, and a quantitative approach is used to measure user preferences regarding SETA delivery. We show that users prefer SETA methods to be effortless and flexible and outline how existing methods meet that preference. The results outline how SETA methods respond to user preferences and how different SETA methods can be implemented to maximize user perception, thereby supporting user adoption.
|
|
| 10. |
- Kävrestad, Joakim, 1989-, et al.
(författare)
-
Analyzing the usage of character groups and keyboard patterns in password creation
- 2020
-
Ingår i: Information and Computer Security. - : Emerald Group Publishing Limited. - 2056-4961. ; 28:3, s. 347-358
-
Tidskriftsartikel (refereegranskat)abstract
- PurposeUsing passwords to keep account and data safe is very common in modern computing. The purpose of this paper is to look into methods for cracking passwords as a means of increasing security, a practice commonly used in penetration testing. Further, in the discipline of digital forensics, password cracking is often an essential part of a computer examination as data has to be decrypted to be analyzed. This paper seeks to look into how users that actively encrypt data construct their passwords to benefit the forensics community.Design/methodology/approachThe study began with an automated analysis of over one billion passwords in 22 different password databases that leaked to the internet. The study validated the result with an experiment were passwords created on a local website was analyzed during account creation. Further a survey was used to gather data that was used to identify differences in password behavior between user that actively encrypt their data and other users.FindingsThe result of this study suggests that American lowercase letters and numbers are present in almost every password and that users seem to avoid using special characters if they can. Further, the study suggests that users that actively encrypt their data are more prone to use keyboard patterns as passwords than other users.Originality/valueThis paper contributes to the existing body of knowledge around password behavior and suggests that password-guessing attacks should focus on American letters and numbers. Further, the paper suggests that forensics experts should consider testing patterns-based passwords when performing password-guessing attacks against encrypted data.
|
|
