Maria Bada

CR
8 papers
760 citations
Novelty 11%
AI Score 17

8 Papers

CR, Jun 28, 2021
Developing a cyber security culture: Current practices and future needs

Betsy Uchendu, Jason R. C. Nurse, Maria Bada et al.

While the creation of a strong security culture has been researched and discussed for decades, it continues to elude many businesses. Part of the challenge faced is distilling pertinent, recent academic findings and research into useful guidance. In this article, we aim to tackle this issue by conducting a state-of-the-art study into organisational cyber security culture research. This work investigates four questions, including how cyber security culture is defined, what factors are essential to building and maintaining such a culture, the frameworks proposed to cultivate a security culture and the metrics suggested to assess it. Through the application of the PRISMA systematic literature review technique, we identify and analyse 58 research articles from the last 10 years (2010-2020). Our findings demonstrate that while there have been notable changes in the use of terms (e.g., information security culture and cyber security culture), many of the most influential factors across papers are similar. Top management support, policy and procedures, and awareness for instance, are critical in engendering cyber security culture. Many of the frameworks reviewed revealed common foundations, with organisational culture playing a substantial role in crafting appropriate cyber security culture models. Questionnaires and surveys are the most used tool to measure cyber security culture, but there are also concerns as to whether more dynamic measures are needed. For practitioners, this article highlights factors and models essential to the creation and management of a robust security culture. For research, we produce an up-to-date characterisation of the field and also define open issues deserving of further attention such as the role of change management processes and national culture in an enterprise's cyber security culture.

CR, May 6, 2021
A Cybersecurity Guide for Using Fitness Devices

Maria Bada, Basie von Solms

The popularity of wearable devices is growing exponentially, with consumers using these for a variety of services. Fitness devices are currently offering new services such as shopping or buying train tickets using contactless payment. In addition, fitness devices are collecting a number of personal information such as body temperature, pulse rate, food habits and body weight, steps-distance travelled, calories burned and sleep stage. Although these devices can offer convenience to consumers, more and more reports are warning of the cybersecurity risks of such devices, and the possibilities for such devices to be hacked and used as springboards to other systems. Due to their wireless transmissions, these devices can potentially be vulnerable to a malicious attack allowing the data collected to be exposed. The vulnerabilities of these devices stem from lack of authentication, disadvantages of Bluetooth connections, location tracking as well as third party vulnerabilities. Guidelines do exist for securing such devices, but most of such guidance is directed towards device manufacturers or IoT providers, while consumers are often unaware of potential risks. The aim of this paper is to provide cybersecurity guidelines for users in order to take measures to avoid risks when using fitness devices.

CY, May 6, 2021
Profiling the Cybercriminal: A Systematic Review of Research

Maria Bada, Jason R. C. Nurse

As cybercrime becomes one of the most significant threats facing society today, it is of utmost importance to better understand the perpetrators behind such attacks. In this article, we seek to advance research and practitioner understanding of the cybercriminal (cyber-offender) profiling domain by conducting a rigorous systematic review. This work investigates the aforementioned domain to answer the question: what is the state-of-the-art in the academic field of understanding, characterising and profiling cybercriminals. Through the application of the PRISMA systematic literature review technique, we identify 39 works from the last 14 years (2006-2020). Our findings demonstrate that overall, there is lack of a common definition of profiling for cyber-offenders. The review found that one of the primary types of cybercriminals that studies have focused on is hackers and the majority of papers used the deductive approach as a preferred one. This article produces an up-to-date characterisation of the field and also defines open issues deserving of further attention such as the role of security professionals and law enforcement in supporting such research, as well as factors including personality traits which must be further researched whilst exploring online criminal behaviour. By understanding online offenders and their pathways towards malevolent behaviours, we can better identify steps that need to be taken to prevent such criminal activities.

CY, Dec 1, 2020
Online Suicide Games: A Form of Digital Self-harm or A Myth?

Maria Bada, Richard Clayton

Online suicide games are claimed to involve a series of challenges, ending in suicide. A whole succession of these such as the Blue Whale Challenge, Momo, the Fire Fairy and Doki Doki have appeared in recent years. The challenge culture is a deeply rooted online phenomenon, whether the challenge is dangerous or not, while social media particularly motivates youngsters to take part because of their desire for attention. Although there is no evidence that the suicide games are real, authorities around the world have reacted by releasing warnings and creating information campaigns to warn youngsters and parents. We interviewed teachers, child protection experts and NGOs, conducted a systematic review of historical news reports from 2015-2019 and searched police and other authority websites to identify relevant warning releases. We then synthesized the existing knowledge on the suicide games phenomenon. A key finding of our work is that media, social media and warning releases by authorities are mainly just serving to spread the challenge culture and exaggerate fears regarding online risk.

CY, Sep 29, 2019
The Social and Psychological Impact of Cyber-Attacks

Maria Bada, Jason R. C. Nurse

Cyber-attacks have become as commonplace as the Internet itself. Each year, industry reports, media outlets and academic articles highlight this increased prevalence, spanning both the amount and variety of attacks and cybercrimes. In this article, we seek to further advance discussions on cyber threats, cognitive vulnerabilities and cyberpsychology through a critical reflection on the social and psychological aspects related to cyber-attacks. In particular, we are interested in understanding how members of the public perceive and engage with risk and how they are impacted during and after a cyber-attack has occurred. This research focuses on key cognitive issues relevant to comprehending public reactions to malicious cyber events including risk perception, protection motivation, culture, and attacker characteristics (e.g., attacker identity, target identity and scale of attack). To consider the applicability of our findings, we investigate two significant cyber-attacks over the last few years, namely the WannaCry attack of 2017 and the Lloyds Banking Group attack in the same year.

CR, Jun 23, 2019
Developing cybersecurity education and awareness programmes for Small and medium-sized enterprises (SMEs)

Maria Bada, Jason R. C. Nurse

Purpose: An essential component of an organisation's cybersecurity strategy is building awareness and education of online threats, and how to protect corporate data and services. This research article focuses on this topic and proposes a high-level programme for cybersecurity education and awareness to be used when targeting Small-to-Medium-sized Enterprises/Businesses (SMEs/SMBs) at a city-level. We ground this programme in existing research as well as unique insight into an ongoing city-based project with similar aims. Findings: We find that whilst literature can be informative at guiding education and awareness programmes, it may not always reach real-world programmes. On the other hand, existing programmes, such as the one we explored, have great potential but there can also be room for improvement. Knowledge from each of these areas can, and should, be combined to the benefit of the academic and practitioner communities. Originality/value: The study contributes to current research through the outline of a high-level programme for cybersecurity education and awareness targeting SMEs/SMBs. Through this research, we engage in a reflection of literature in this space, and present insights into the advances and challenges faced by an on-going programme. These analyses allow us to craft a proposal for a core programme that can assist in improving the security education, awareness and training that targets SMEs/SMBs.

CR, Jan 9, 2019
Cyber Security Awareness Campaigns: Why do they fail to change behaviour?

Maria Bada, Angela M. Sasse, Jason R. C. Nurse

The present paper focuses on Cyber Security Awareness Campaigns, and aims to identify key factors regarding security which may lead them to failing to appropriately change people's behaviour. Past and current efforts to improve information-security practices and promote a sustainable society have not had the desired impact. It is important therefore to critically reflect on the challenges involved in improving information-security behaviours for citizens, consumers and employees. In particular, our work considers these challenges from a Psychology perspective, as we believe that understanding how people perceive risks is critical to creating effective awareness campaigns. Changing behaviour requires more than providing information about risks and reactive behaviours - firstly, people must be able to understand and apply the advice, and secondly, they must be motivated and willing to do so - and the latter requires changes to attitudes and intentions. These antecedents of behaviour change are identified in several psychological models of behaviour. We review the suitability of persuasion techniques, including the widely used 'fear appeals'. From this range of literature, we extract essential components for an awareness campaign as well as factors which can lead to a campaign's success or failure. Finally, we present examples of existing awareness campaigns in different cultures (the UK and Africa) and reflect on these.

CR, Jan 7, 2019
The Group Element of Cybercrime: Types, Dynamics, and Criminal Operations

Jason R. C. Nurse, Maria Bada

While cybercrime can often be an individual activity pursued by lone hackers, it has increasingly grown into a group activity, with networks across the world. This chapter critically examines the group element of cybercrime from several perspectives. It identifies the platforms that online groups, cybercriminal and otherwise, use to interact, and considers groups as both perpetrators and victims of cybercrime. A key novelty is the discovery of new types of online groups whose collective actions border on criminality. The chapter also analyzes how online cybercrime groups form, organize, and operate. It explores issues such as trust, motives, and means, and draws on several poignant examples, from Anonymous to LulzSec, to illustrate the arguments.