=Paper= {{Paper |id=Vol-3356/paper10 |storemode=property |title=Diving Deep into Human Centric Issues within Cyber Security |pdfUrl=https://ceur-ws.org/Vol-3356/paper-10.pdf |volume=Vol-3356 |authors=Kalpit Jadhav,Sherif Haggag,Hussein Haggag |dblpUrl=https://dblp.org/rec/conf/apsec/JadhavHH22 }} ==Diving Deep into Human Centric Issues within Cyber Security== https://ceur-ws.org/Vol-3356/paper-10.pdf
Diving Deep into Human Centric Issues within Cyber Security
Kalpit Jadhav (1,2), Sherif Haggag (3) and Hussein Haggag (4)
(1) The University of Adelaide, Adelaide, Australia
(3) The University of Adelaide, Adelaide, Australia
(4) Umeå University, Sweden


Abstract
Computer security is more than just about the technological systems; it also relates to the people that use the systems and how their different behaviours may be exploited. Organizations are prone to security breaches, which sometimes are caused by human error. As a result, organizations should seek to improve their employees’ knowledge about cyber security and their capability to engage in secure cyber behaviours. It is possible to target groups ranging from basic users who need some basic understanding of the current threat environment and how to utilize the associated preventive mechanisms, to security experts who need practical exposure in responding to security incidents. Risk-taking preferences, decision-making styles, demographics, and personality characteristics, such as gender, age, culture and emotions, have been found to significantly affect the predictive ability of good security behavior. How gender and age mediate the influences on cyber security beliefs and behaviours among employees is quite interesting. Using behavioural cyber security and human factors to provide insight into relevant theories and principles, this paper proposes an interdisciplinary framework that combines these disciplines.

Keywords
cyber security, human factors, social engineering, framework



Asia-Pacific software engineering and diversity, equity, and inclusion (APSEDEI), Japan, Nov. 15-21, 2022
* Corresponding author.
† These authors contributed equally.
kalpit1612kpj@gmail.com (K. Jadhav); sherif.haggag@adelaide.edu.au (S. Haggag); hussein.haggag@umu.se (H. Haggag)
© 2022 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org), http://ceur-ws.org, ISSN 1613-0073

1. Introduction

Humans play an important role in security measures, thus research on security-related decisions and actions based on human "information-processing and decision-making principles" is necessary [1]. Cyber security’s "human factors" are concerned with the role that human behaviour plays in preventing and responding to cyberattacks [2]. In addition to cyberattacks aimed at targeting network infrastructures, there is a variant of cyberattack designed specifically to exploit the vulnerabilities of individuals: social engineering attacks [2]. Social engineering aims to obtain illegal access to sensitive and confidential information by manipulating individuals’ psychological states [3]. Because employees can contribute to protecting the interests of organizations in the face of socially engineered attacks, organizations find the need to implement information security awareness programs to secure their data [3]. Understanding the security behaviour of both men and women, and whether their security behaviours are similar or different, is essential to developing effective cyber security programs for the workplace [4]. In addition to training materials, policies and frameworks, information about preventive measures to be followed before and after an attack must also be undertaken.

A person's age, gender, or cultural background may make them more susceptible to some malicious act [5, 6]. Researchers have found that women are more likely to fall victim to phishing scams than men, and so are people between 18 and 25 years of age [7]. In order to combat such limitations and biases, companies should establish clear security guidelines and educate their employees about them. Organizations can achieve satisfying results in response to social engineering attacks by improving their information security frameworks, including the training and awareness programs.

In this research we aim to address the two key research questions:

RQ1 – What factors that influence human susceptibility to cybercrime and social engineering attacks are reported in the peer reviewed literature?
Individuals are more susceptible to social engineering attacks for a variety of reasons. In general, social engineering attempts appear more effective if the attacker is able to establish trust with the victim, putting them at greater risk [8]. Individual factors or personality traits can also increase the likelihood of someone falling victim to social engineering attacks. It is possible to increase the effectiveness of phishing emails and illegitimate websites by using a number of strategies. In
this research, we highlight the various human factors that can make an individual more susceptible to attack as reported in the academic literature.

RQ2 – Why do we need a personalised cyber security framework for training employees within an organisation?
Personalized cyber security frameworks will enhance the existing security protocols and methodologies followed during training and will incorporate new security layers which will consider even the human factors that impact an individual’s cyber behaviour and awareness.

Section 2 of this research highlights the aims and challenges that this paper intends to overcome. Section 3 presents the literature review studied from different research papers in order to formulate results. The design and plan followed in this research have been presented in section 4. The results identified and formulated have been explained and tabulated in section 5.

2. Aims and challenges

Training and awareness programs present several challenges such as "business environmental, social, constitutional, organizational, economical, and personal". The ’trusting nature of humans’ is another factor that hinders awareness and training programs against social engineering, as is a low level of interest found within the personnel. Moreover, a problem with modern training techniques is that they take a lot of time and even lack training budget [3].

The absence of cybercrime, which is instrumental in exploiting both the vulnerabilities of systems and human weaknesses, is one of the biggest obstacles to implementing digital transformation strategies. Employees must be provided with the proper training in order for them to be able to recognize, flag, evade, and disable malicious attacks [3]. To make the cyber security training programmes more human centric, an awareness or training framework must be implemented for all personnel, which includes the major cyber risk aspects and their awareness factors [5].

There is a need to investigate the similarities and differences between men and women with regard to cyber security beliefs and behaviours like personality, cultural background, emotion reaction, age, and motivation.

3. Literature review

Hatzivasilis et al. in [5] describe a methodology to adapt cyber security training programmes dynamically. They mention how a trainee consumes the primary teaching materials such as lectures, tutorials, videos, etc. and goes on to more advanced learning methods which involve multiple hands-on exercises on emulated/simulated components [5]. The performance is evaluated and a preliminary application is presented, where a training programme for smart shipping personnel is established [5].

Factors that may help overcome the difficulties posed by implementing a training and awareness program against social engineering are studied in research by Aldawood and Skinner [3]. The authors describe that the need for information security training and awareness programs is to harness employees with skills to identify, disable, and report any social engineering attempts to misuse their resources. The study also makes recommendations based on the viewpoint of security decision makers within organizations on how to address challenges [9, 10, 11, 12].

Key issues faced by cyber security training and awareness programs have been identified in research by Korpela [7], and the probable benefits that can be derived by combining existing data sources to enhance these programs using learning analytics, which is an upcoming field in data analytics, have been explained. The author even mentions that in order to potentially improve cyber security metrics, organizations and professionals should harness the use of data analytics to tackle the issues of how users fail to identify risks and a ’lack of understanding on how cyber security is best learned by its users’ [7].

The importance of putting in place formal educational and training standards to enable organisations to manage human factors related to cyber security effectively has been highlighted in the research of Nifakos et al. [2], ultimately reducing cyber risks. The research examined human factors, but a systematic methodology for harmonising the research findings should be developed to allow cyber security experts to objectively evaluate these findings in order to support securing the IT infrastructure of healthcare facilities in future research [2].

How an interdisciplinary approach based on a human factors approach can contribute to the science of security has been conveyed in the research of Proctor and Chen [1]. The authors describe the importance of human factors in security by using two examples that illustrate the contribution of a scientific approach to security detection of phishing attacks and the selection of mobile applications [1]. Finally, they conclude that in order to contribute to cyber security, human factors experts should utilize their existing knowledge of applied information processing and decision making [1].

Methods for measuring, quantifying, and evaluating human organizations’ security posture, especially those within large corporations and government organizations, have been investigated by Brian et al. in their research [13]. The study presents the results of two rounds of experiments conducted at Columbia University using bogus phishing emails to train approximately 4000 staff and students [13]. The authors further suggest that it is possible to train users using decoy technology to anticipate possible threats, and the measurements can be applied to multiple organizations in order to gauge their security posture as compared to each other [13].

Correlation of human characteristics with cyber security behaviour intentions has been researched by Gratian et al. [14]. The study estimated that 5 to 23 percent of the variance in the reported cyber security behaviour intentions was attributable to individual differences based on demographic factors, personality traits, risk-taking preferences, and decision-making styles in 369 students, faculty, and staff at a large public university [14].

The purpose of the study by Anwar et al. [4] was to investigate the effect of gender as a deciding variable in the relationship among the psychosocial factors and self-reported cyber security behaviours among staff of diverse organizations. The results of this study indicate statistically significant differences between men and women in terms of computer skills, prior experience, cues-to-action, and security self-efficacy. Self-efficacy among women is significantly lower than that among men, so they could be possibly targeted for intervention [4]. Thus, they conclude that by addressing the relevant constructs of the cyber security behaviour, we can develop gender-specific cyber security training and interventions to improve employees’ attitudes and behaviour [4].

The human factor is one of the major contributors to the vulnerabilities of an information system, and disparate attack vectors which are being utilized today to exploit human weaknesses have been examined in research by Radu et al. [15]. The authors further state that a social engineering awareness and training program must ensure that employees have a basic understanding of how social engineering attacks are conducted [15]. Furthermore, employees must have the knowledge and training necessary to detect an attack, respond appropriately, and find a way to prevent exposure to social engineering threats [15].

A review of relevant theories and principles which provide insight through an interdisciplinary framework that encompasses human factors, behavioural cyber security, and modelling and simulation has been carried out by Maalem et al. [16]. The authors mention that it is important to customize cyber awareness training to employees considering their different credentials and levels of access. They further state that employees need to be trusted, but they must also be taught technology and cyber awareness, and compliance needs to be verified [16].

An extensive financial institution in Thailand conducted a study in research by Daengsi et al. [17] to assess cyber security awareness among approximately 20,000 employees. An initial phishing attack was conducted where knowledge transfer was achieved and followed by a second phishing attack that had different content [17]. According to the results of the study, gender plays a significant role in cyber security awareness within the Thai cyber ecosystem since Thai female employees have a higher level of cyber security awareness than male employees as well as the differences between the ages of Thai users’ cyber security awareness [17]. Although this research is limited to Thai employees, it can be considered in a general sense too.

By identifying effective ways to encourage cyber security education development and address gender gaps in the cyber security workforce, the overall goal in the study by Amo et al. [18] is to contribute to the literature on cyber security education. Their findings indicate that female students were significantly more engaged and efficacious in cyber security, which is quite promising in regards to gender gaps in cyber security [18].

The study by Gillam and Waite [19] sought to identify the psychological factors that influence workplace IT end users’ motivation to learn about cyber awareness and avoid threats. As a result of this study, gender-related considerations were revealed that can be used to guide cyber security training of IT end-users such as threat avoidance in human resource development contexts, especially when it comes to motivation [19].

A study of ’Gender and locale differences in cybercrime awareness among adolescents’ was conducted by Thakur and Kaur [20]. The findings showed that there were significant gender differences between rural and urban young males and young females in terms of cybercrime awareness.

By bringing together research from unique and diverse disciplinary backgrounds, the study by Jeong et al. [21] enables us to increase our understanding and provide a framework for effective cyber security strategies by providing a comprehensive overview of the socio-cultural dimensions of cyber security. This special issue addresses people, culture, and cyber security research that enriches our understanding of them. Following the expert review process, a framework and assessment tool were developed to highlight strengths, weaknesses, and opportunities [21].

The analysis in research by Creese [22] identifies that on the basis of their development and the extent of their Internet use, some countries have demonstrated greater maturity in capacity building than was expected. Through a cross-national and cross-regional comparison of capacity building, this paper shows regional differences are largely influenced by two key national differences in the extent of Internet use and the level of development [22].

A three-part study of people’s perceptions of cyber security is presented by Renaud et al. [23]. Several aspects of people’s lived cyber security experiences were confirmed by the investigation where one blind spot issue
was identified along with negative attitude of people toward cyber security that are widespread but not universal is studied [23].

Using open-ended responses from a pilot study and congressional debates, research by Cheung-Blunden et al. [24] sought to identify behavioral categories in cyber security solutions. By distinguishing fear, three types of safety behaviors which are avoidance, surveillance and vigilance were identified in this study and were expected to be mutually exclusive because emotion was expected to have unique motivational power [24].

A hacking of one’s smart security camera represents one of the most emblematic examples of a cyber security breach, and the study by Budimir et al. [25] explored which personality characteristics systematically relate to these processes. An important link between a cyber security breach situation and possible long-term mental health effects was discovered in this study [25].

4. Research plan and Methodology

The research implementation is carried out in two phases. The first phase is about carrying out an in-depth analysis and researching into the topic of human centric issues of cyber security. It involves referring to research papers and articles through the use of the university library and other platforms. Investigation on the importance of human centric aspects in cyber security, how to build apps and training materials applicable with personality, gender, cultural background, emotion reaction, age, motivation, and hidden biases is carried out. The second phase involves development of a framework which includes the above-mentioned aspects and to provide guidelines as to how the framework can be useful for organizations for carrying out cyber trainings and awareness programmes.

A secondary research methodology is employed in this research, since this study relies on already existing data. Various sources such as published journals and reports in the University library and websites are used for the collection, organization, and analysis of data.

Figure 1 shows that existing cyber training and awareness programs are modified by adding the different human factors which have been mentioned in the paper. This helps to develop a personalised cyber training framework. The framework developed and evaluated would be used to train an individual exhibiting specific human centric factors to build their cyber awareness.

Figure 1: Research design

5. Results

5.1. Gender:

A study has been conducted for cyber risk assessment where, as a part of the test, a phishing email offering more Gmail storage was sent by the experts [17]. The data from this test was gathered, processed, and analysed and found that female employees’ responses were always lower than those of male employees [17]. It indicates that females have a better level of cyber security awareness of phishing than males [17]. A positive growth pattern in cyber security self-efficacy is observed in females compared to males and females gained more problem-solving proficiency than males over time [18]. While young females have higher mean values than young males in cases where there is a high level of cybercrime awareness, they are ahead in cases of medium levels, and in cases where there is a low level of cybercrime awareness, young females tend to have higher mean values than young males [20].

Males tend to react more aggressively to cyberbullying and have a deeper emotional response in situations of hacking, while females tend to have more intense emotional reactions. Using digital technologies, cyberbullying involves repeated behavior meant to intimidate, anger, or shame the target [26]. Mobile phones, messaging platforms, gaming platforms, and social media platforms can all be used for this [26]. ’Remote sexual abuse’ occurs more often against women and girls than men - coerced to pose naked online or stalked via internet [27]. The term cyberstalking means stalking someone through the use of the internet. Stalkers are using email message applications, posting messages on the web, and sometimes even social media, such as Facebook, Instagram, and many more, to continually try to approach someone online without their consent [27].

Based on the observations and results of the studies that have been referred to for this research, Table 1 shows the things that need to be considered for cyber training specific to an individual’s gender.

Table 1
Cyber-awareness required for specific Gender
  Identifying as Male              Identifying as Female
  Phishing crimes                  Phishing crimes
  Develop cybercrime awareness     Develop cybercrime awareness
  Building self-efficacy           Improving self-efficacy
  Generating strong passwords      Generating strong passwords
  Awareness of cyberbullying       Awareness of cyberbullying
                                   Build online sexual abuse awareness
                                   Awareness against cyber-stalking and cyber-harassment

5.2. Age:

A person’s age can also be considered a crucial factor when determining a person’s identity, since people at different stages of life experience different social, organizational and environmental challenges and contexts [17]. Self-efficacy and precautionary behavior were significantly positively correlated with self-efficacy in youngsters, but in the older group the correlation was negatively significant, but not statistically significant [19].

Adolescents are most at risk for cybercrime due to their attraction to the internet [20]. Therefore, adolescents are very much in need of awareness/knowledge related to cybercrime, since failure to do so can harm them financially or emotionally [20]. The teenager is already seeking the truth only through his own experiences, if the child is ready to obey the authority of an adult, this is the age of active knowledge and personal development [28]. Teenagers often commit acts that can lead to undesirable consequences for the simple reason that they try to protect themselves from adults’ influence, and they are easy targets for criminals because of their curiosity, openness, and lack of experience [28].

People between 18 and 25 years old are more vulnerable to phishing scams [7]. Every day, college students use the internet for work and pleasure - to complete research for essays and assignments, to stay connected on social media, to make online purchases, and to keep up-to-date on entertainment news [29]. In the age of cybercrime, the sheer amount of data we share online puts us all at risk. It is more likely that young people and college students will fall for fraud scams as they use social media at higher rates than other age groups and are statistically more susceptible to fraud scams [29].

A survey of data protection and privacy professionals found that 66 percent believed their employees were the weakest link in protecting their organizations from cyberattacks [30]. In spite of the automation of tedious cyber security tasks, it’s still a good idea to provide employees with online security awareness trainings such as password security, phishing and importance of backing up files to prevent future issues [30].

As internet use among seniors increases, the elderly have become more vulnerable to online scams [31]. A majority of seniors don’t protect their internet-connected devices with passwords, leaving them vulnerable to those who pick them up [31]. This group is also more likely to be at risk because they share their personal information through social media platforms like Facebook and Twitter, as well as have to use online services and apps to access health care, insurance, housing, voting, financial, and voting services [31].

Based on the observations and results of the studies that have been referred to for this research, Table 2 shows the things that need to be considered for cyber training specific to an individual’s age.

Table 2
Cyber-awareness required for specific Age
  0-18                 18-25                               25–50                   50+
  Self-efficacy        Cybercrime awareness                Awareness of phishing   Awareness of phishing
  Internet addiction   Internet addiction                  Financial attacks       Financial attacks
  Fraud attacks        Awareness of phishing               Password security       Knowledge of viruses and software
                       Fraud attacks                       Backing up files        Fraud attacks
                       Knowledge of viruses and software                           Password security
                       Knowledge of Cyberbullying

5.3. Culture:

Social identity plays a definite role in how passwords are generated in different countries, with different users’ attitudes towards passwords [21]. Cyber security attitudes, values, and practices vary even among countries that share the same values, attitudes, and practices due to differences in development and Internet usage across nations [21]. There is a significant difference between the average maturity stage of Europe and Americas compared with those of other regions, and the difference is large enough, that average maturity stages are the same across all regions [22]. There is no statistically significant difference in the average maturity stage between the African and Asian regions, leading us to conclude that they are approximately equal in maturity [22].

America’s national and economic security is at risk from malicious cyber activity [32]. A key objective of the
FBI’s cyber strategy is to put cyber adversaries at risk and impose consequences on them, and to change the behavior of criminals and nation-states, who are confident they can compromise U.S. networks, steal intellectual property and financial assets, and threaten critical infrastructure without taking any risks themselves [32].

Based on publicly available data, the ENISA Threat Landscape presents an overview of threats, threat agents, and threat trends in Europe, providing an independent view of observed threats, agents, and trends [33]. Threats, major trends, threat actors, and attack techniques such as ransomware and malware, cryptojacking and online payment frauds are outlined in the 2021 report, along with mitigation measures [33].

Due to their weak cyber defenses, African countries have become a favourite target of international cybercriminals, and financial institutions are in particular at risk of financial fraud, data theft, and malware attacks [34]. The biggest cyber threats in an African context include: online scams (such as phishing), digital extortion, business email compromise, ransomware and botnets [34]. More than half of Asian companies (64 percent) have been affected by cyberattacks, and privacy breaches are the top concern for nearly 7 out of 10 respondents (68 percent), followed by ransomware (58 percent) [35]. The majority of Asians perceive privacy breaches and data loss as the top cyber threats, but 26 percent haven’t improved their security systems, while 31 percent haven’t improved their data protection [35].

Based on the observations and results of the studies that have been referred to for this research, Table 3 shows the things that need to be considered for cyber training specific to an individual’s culture.

Table 3
Cyber-awareness required for specific Cultural background

 America                                      Europe                                       Asia and Africa
 Awareness of Ransomware                      Awareness of Ransomware and Malware          Awareness of Ransomware
 Knowledge of politically motivated attacks   Awareness of politically motivated attacks   Awareness of politically motivated attacks
 Awareness of Business Email Compromise       Awareness of Crypto-jacking                  Awareness of Business Email Compromise
 Personal motive attacks                      Denial of service attacks                    Awareness of server attacks
                                              Online payment frauds                        Command-and-control server attacks

5.4. Emotions:

Cyber security response is not captured meaningfully on a sad–happy scale, but may vary based on context, individual identity, and action [23]. Cyber security is viewed negatively by most people and these negative emotions are expressed unprompted [23]. To ensure that unfamiliarity does not lead to uncertainty or negativity, cyber security training must be sensitive to the fact that the concepts being introduced could trigger negative emotions, and take particular measures to avoid this [24].

The emotions of women were more intense and affective, and the feelings of men were more likely to be fight/flight reactions [25]. A female typically experiences more intense emotional reactions, more emotion during instances of cyberbullying, and is more prone to anxiety during instances of hacking. A male typically reacts more aggressively during such situations [25]. Similarly, older people experience fewer negative affective events and have better emotion control skills, and were more likely to have proactive and cognitive/motivational responses [25].

Cyber criminals often use people’s fears as primary weapons [36]. The ransomware that affects corporate networks has caused havoc, and, while online media stokes people’s fears, it may be easy to trick them into clicking links or opening emails that exploit these fears [36]. A data breach or other security incident tends to stress everyone out and can lead to a variety of feelings, including denial in the first moments, panic, anger, anxiety, even guilt [37]. In the midst of a crisis, and even before it begins, it is imperative to remain calm and collected [37]. There has always been a reluctance among companies to disclose data breaches, much of it due to simple embarrassment [38]. A malicious actor can misuse curiosity to boost the effectiveness of their campaign by weaponizing it [39]. Our curiosity can lead us to act impulsively, without thinking things through, and sometimes even in an irrational manner [39]. Manipulating the target in this way lets malicious actors get away with mistakes or inconsistencies that the target would otherwise notice [39].

Based on the observations and results of the studies that have been referred to for this research, Table 4 shows the things that need to be considered for cyber training specific to an individual’s emotions.

Thus, the above results, drawn from the previous studies referred to for this research, highlight the need for a personalised cyber security framework, answering the research questions (RQ1 and RQ2).
Table 4
Cyber-awareness required for specific Emotion

 Anger           Curiosity   Embarrassment   Fear
 Data breaches   Phishing    Data breaches   Phishing
                 Smishing    Ransomware      Ransomware

5.5. Framework Implementation

Based on the observations and results, a personalised framework is developed using Typeform forms [40]. The framework acts as a cyber awareness training program for individuals. Guidelines for the framework are provided in its introduction, as shown in Figure 2.

Figure 2: Framework Introduction

Referring to Figure 3, the idea is that questions specific to the human factors (gender, age, culture and emotion evaluation) are asked first. For the emotion factor, two case scenarios are presented and options for the individual’s emotional reactions are provided. According to the options selected, the individual’s emotional behaviour will be identified.

Figure 3: Questions on Human Factors

As shown in Figure 4, based on the responses to the four human factors, questions related to awareness/knowledge of specific topics are asked. If the individual is not aware of a particular topic, he/she will be guided to a link providing the required knowledge. However, if an individual answers "yes", he/she will be provided with a test question to test their knowledge regarding the respective topic. If the answer is correct, they move to the next topic. However, if the test question is answered wrong, they will be provided with a training link that must be viewed to impart awareness about the cyber influence of that particular human behavior.

Figure 4: Awareness question example

The link to the developed personalised framework is https://5ugrgg9qtya.typeform.com/to/mvoXaGVn

6. Conclusion

Research on existing cyber training and awareness programmes has been carried out. Their pros and cons were noted, and the impact of human factors such as gender, age, culture and emotions in the context of cyber security was studied. The research conducted helped develop a framework incorporating a personalised training programme for trainees within an organization. The personalised framework would help achieve the aims of this paper and overcome challenges from previous studies. The program would help an individual with a specific age, gender, culture and emotions to build cyber awareness. The purpose of this framework is to help organisations review their security standards and improve them.
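The per-topic branching described in Section 5.5, sketched as an added Python example; it is not the authors' Typeform implementation. It covers only the culture and emotion factors, whose topic lists appear in Tables 3 and 4; the function names, the `Answer` structure and the rule that an unanswered topic counts as "not aware" are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

# Topic lists transcribed from Table 3 (culture) and Table 4 (emotion),
# with the "Awareness of" / "Knowledge of" prefixes dropped.
CULTURE_TOPICS = {
    "America": ["Ransomware", "Politically motivated attacks",
                "Business Email Compromise", "Personal motive attacks"],
    "Europe": ["Ransomware and Malware", "Politically motivated attacks",
               "Crypto-jacking", "Denial of service attacks",
               "Online payment frauds"],
    "Asia and Africa": ["Ransomware", "Politically motivated attacks",
                        "Business Email Compromise", "Server attacks",
                        "Command-and-control server attacks"],
}
EMOTION_TOPICS = {
    "Anger": ["Data breaches"],
    "Curiosity": ["Phishing", "Smishing"],
    "Embarrassment": ["Data breaches", "Ransomware"],
    "Fear": ["Phishing", "Ransomware"],
}


class Outcome(Enum):
    AWARENESS_LINK = "not aware: guided to awareness link"
    PASSED = "test answered correctly: move to next topic"
    TRAINING_LINK = "test answered wrongly: training link must be viewed"


@dataclass(frozen=True)
class Answer:
    aware: bool                 # reply to the awareness question
    test_correct: bool = False  # only consulted when aware is True


def topics_for(culture, emotion):
    """Merge the culture and emotion topic lists, keeping order, dropping repeats."""
    if culture not in CULTURE_TOPICS or emotion not in EMOTION_TOPICS:
        raise ValueError(f"unknown profile: {culture!r}, {emotion!r}")
    seen, ordered = set(), []
    for topic in CULTURE_TOPICS[culture] + EMOTION_TOPICS[emotion]:
        if topic.casefold() not in seen:
            seen.add(topic.casefold())
            ordered.append(topic)
    return ordered


def assess(answer):
    """Apply the three-way branch described for each topic."""
    if not answer.aware:
        return Outcome.AWARENESS_LINK
    return Outcome.PASSED if answer.test_correct else Outcome.TRAINING_LINK


def run_framework(culture, emotion, answers):
    """Return [(topic, Outcome)]; assumption: no answer counts as 'not aware'."""
    return [(topic, assess(answers.get(topic, Answer(aware=False))))
            for topic in topics_for(culture, emotion)]


def required_training(plan):
    """Topics that still need a link to be viewed (everything not passed)."""
    return [topic for topic, outcome in plan if outcome is not Outcome.PASSED]


if __name__ == "__main__":
    # Constructed responses for one hypothetical trainee.
    responses = {"Ransomware": Answer(aware=True, test_correct=True),
                 "Phishing": Answer(aware=True, test_correct=False)}
    for topic, outcome in run_framework("America", "Fear", responses):
        print(f"{topic:32} {outcome.value}")
```

Because Ransomware appears in both the America and Fear lists, the merged plan asks about it once; an organisation reviewing results would look at `required_training` to see which topics each trainee still has open.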
References

 [1] R. W. Proctor, J. Chen, The role of human factors/ergonomics in the science of security: Decision making and action selection in cyberspace, Human factors 57 (2015) 721–727.
 [2] S. Nifakos, K. Chandramouli, C. K. Nikolaou, P. Papachristou, S. Koch, E. Panaousis, S. Bonacina, Influence of human factors on cyber security within healthcare organisations: A systematic review, Sensors (Basel, Switzerland) 21 (2021) 5119–.
 [3] H. Aldawood, G. Skinner, Reviewing cyber security social engineering training and awareness programs—pitfalls and ongoing issues, Future internet 11 (2019) 73–.
 [4] M. Anwar, W. He, I. Ash, X. Yuan, L. Li, L. Xu, Gender difference and employees’ cybersecurity behaviors, Computers in human behavior 69 (2017) 437–443.
 [5] G. Hatzivasilis, S. Ioannidis, M. Smyrlis, G. Spanoudakis, F. Frati, L. Goeke, T. Hildebrandt, G. Tsakirakis, F. Oikonomou, G. Leftheriotis, H. Koshutanski, Modern aspects of cyber-security training and continuous adaptation of programmes to trainees, Applied sciences 10 (2020) 5702–.
 [6] O. Haggag, J. Grundy, M. Abdelrazek, S. Haggag, A large scale analysis of mhealth app user reviews, in: Empir Software Eng 27, 196 (2022), 2022.
 [7] K. Korpela, Improving cyber security awareness and training programs with data analytics, Information security journal. 24 (2015) 72–77.
 [8] K. Parsons, A. McCormac, M. Butavicius, L. Ferguson, Human Factors and Information Security: Individual, Culture and Security Environment, 2010.
 [9] O. Haggag, Better identifying and addressing diverse issues in mhealth and emerging apps using user reviews, in: The International Conference on Evaluation and Assessment in Software Engineering 2022, 2022, pp. 329–335.
[10] O. Haggag, S. Haggag, J. Grundy, M. Abdelrazek, Covid-19 vs social media apps: Does privacy really matter?, in: 2021 IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering in Society (ICSE-SEIS), IEEE, 2021, pp. 48–57.
[11] O. Haggag, J. Grundy, M. Abdelrazek, S. Haggag, Better addressing diverse accessibility issues in emerging apps: A case study using covid-19 apps, in: 9th IEEE/ACM International Conference on Mobile Software Engineering and Systems 2022 (MobileSoft 2022), 2022.
[12] M. Fazzini, H. Khalajzadeh, O. Haggag, Z. Li, H. Obie, C. Arora, W. Hussain, J. Grundy, Characterizing human aspects in reviews of covid-19 apps, in: 9th IEEE/ACM International Conference on Mobile Software Engineering and Systems 2022 (MobileSoft 2022), 2022.
[13] B. M. Bowen, S. J. Stolfo, R. Devarajan, Measuring the human factor of cyber security, Homeland security affairs 8 (2012).
[14] M. Gratian, S. Bandi, M. Cukier, J. Dykstra, A. Ginther, Correlating human traits and cyber security behavior intentions, Computers & security 73 (2018) 345–358.
[15] M. R., Aspects of human weaknesses in cyber security, Scientific Bulletin ("Mircea cel Bătrân" Naval Academy) XXII (2019) 163–170.
[16] R. A. Maalem Lahcen, B. Caulkins, R. Mohapatra, M. Kumar, Review and insight on the behavioral aspects of cybersecurity, Cybersecurity 3 (2020) 1–18.
[17] T. Daengsi, P. Pornpongtechavanich, P. Wuttidittachotti, Cybersecurity awareness enhancement: A study of the effects of age and gender of thai employees associated with phishing attacks, Education and information technologies 27 (2021) 4729–4752.
[18] L. C. Amo, R. Liao, E. Frank, H. R. Rao, S. Upadhyaya, Cybersecurity interventions for teens: Two time-based approaches, IEEE transactions on education 62 (2019) 134–140.
[19] A. R. Gillam, A. M. Waite, Gender differences in predictors of technology threat avoidance, Information and computer security 29 (2021) 393–412.
[20] A. Thakur, T. K. Kang, Gender and locale differences in cyber crime awareness among adolescents, Indian journal of health and wellbeing 9 (2018) 906–916.
[21] J. J. Jeong, G. Oliver, E. Kang, S. Creese, P. Thomas, The current state of research on people, culture and cybersecurity, Personal and ubiquitous computing 25 (2021) 809–812.
[22] S. Creese, W. H. Dutton, P. Esteve-González, The social and cultural shaping of cybersecurity capacity building: a comparative study of nations and regions, Personal and ubiquitous computing 25 (2021) 941–955.
[23] K. Renaud, V. Zimmermann, T. Schürmann, C. Böhm, Exploring cybersecurity-related emotions and finding that they are challenging to measure, Humanities & social sciences communications 8 (2021) 1–17.
[24] V. Cheung-Blunden, K. Cropper, A. Panis, K. Davis, Functional divergence of two threat-induced emotions: Fear-based versus anxiety-based cybersecurity preferences, Emotion (Washington, D.C.) 19 (2019) 1353–1365.
[25] S. Budimir, J. Fontaine, N. M. Huijts, A. Haans, G. Loukas, E. Roesch, Emotional reactions to cybersecurity breach situations: Scenario-based survey study, Journal of medical Internet research 23 (2021) e24879–e24879.
[26] Cyberbullying: What is it and how to stop it. URL: https://www.unicef.org/end-violence/how-to-stop-cyberbullying.
[27] Cyber stalking and harassment on women. URL: https://www.legalserviceindia.com/legal/article-909-cyber-stalking-and-harassment-on-women.html.
[28] E. Chernova, I. Gavrilova, Training teenagers to ensure their own cybersecurity, 2020. doi:10.2991/aebmr.k.200312.417.
[29] Cybersecurity awareness for students, 2022. URL: https://www.cyberdegrees.org/resources/internet-safety-for-college-students/.
[30] R. Security, Cyber security training for employees, 2022. URL: https://blog.rsisecurity.com/cyber-security-training-for-employees/.
[31] Training – cyber security for seniors, 2021. URL: https://www.illuminancesolutions.com.au/digital-literacy-seniors/.
[32] Cyber crime, 2016. URL: https://www.fbi.gov/investigate/cyber#Overview.
[33] Threat landscape, 2022. URL: https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends.
[34] J. Mitchell, J. Mitchell, Africa faces huge cyber crime threat as the pace of digitalisation increases, 2022. URL: https://www.investmentmonitor.ai/analysis/africa-cyber-crime-threat-digitalisation.
[35] Livemint, 64 percent of firms in asia have been impacted by cyberattacks: Survey, 2022. URL: https://www.livemint.com/technology/tech-news/64-of-firms-in-asia-have-been-impacted-by-cyberattacks-survey-11657000676429.html.
[36] J. Bolden, Cybercriminals and the exploitation of fear, 2022. URL: https://www.questsys.com/security-blog/Cybercriminals-and-the-Exploitation-of-Fear/.
[37] A. Fiscutean, The emotional stages of a data breach: How to deal with panic, anger, and guilt, 2022. URL: https://www.csoonline.com/article/3646616/the-emotional-stages-of-a-data-breach-how-to-deal-with-panic-anger-and-guilt.html.
[38] E. Schuman, Don’t let embarrassment about a data breach cost you even more, 2016. URL: https://www.csoonline.com/article/3052193/don-t-let-embarrassment-about-a-data-breach-cost-you-even-more.html.
[39] How hackers exploit curiosity. URL: https://www.hoxhunt.com/blog/youve-been-mentioned-how-hackers-exploit-curiosity.
[40] Forms that perform: Get feedback and leads with ease. URL: https://try.typeform.com/home/.