M. Junger

8 records found

Journal article (2019) - Susanne Barth, Pieter Hartel, Marianne Junger, Lorena Montoya
We report on an educational experiment where computer science students perform empirical research into the human factor in cyber security. Most courses restrict students to work in a lab environment, but we encouraged our students to conduct a realistic experiment with real-world subjects. The students wrote a research proposal that had to be approved by the IRB. They then executed the proposal, collecting and analysing the data. Finally the students wrote and presented a paper at a student conference. The main method of assessment is by peer review. After teaching the course for six years, we report on the exciting ideas our students came up with, and on the lessons we learned in teaching the course. The main conclusions are (a) offering complete freedom to choose research topics inspires students to design creative projects, (b) working with real subjects creates a stimulating learning experience, and (c) peer-review is a useful assessment tool. ...

Online privacy and security behaviors among users with technical knowledge, privacy awareness, and financial resources

Journal article (2019) - Susanne Barth, Menno D.T. de Jong, Marianne Junger, Pieter H. Hartel, Janina C. Roppelt
Research shows that people's use of computers and mobile phones is often characterized by a privacy paradox: Their self-reported concerns about their online privacy appear to be in contradiction with their often careless online behaviors. Earlier research into the privacy paradox has a number of caveats. Most studies focus on intentions rather than behavior and the influence of technical knowledge, privacy awareness, and financial resources is not systematically ruled out. This study therefore tests the privacy paradox under extreme circumstances, focusing on actual behavior and eliminating the effects of a lack of technical knowledge, privacy awareness, and financial resources. We designed an experiment on the downloading and usage of a mobile phone app among technically savvy students, giving them sufficient money to buy a paid-for app. Results suggest that neither technical knowledge and privacy awareness nor financial considerations affect the paradoxical behavior observed in users in general. Technically-skilled and financially independent users risked potential privacy intrusions despite their awareness of potential risks. In their considerations for selecting and downloading an app, privacy aspects did not play a significant role; functionality, app design, and costs appeared to outweigh privacy concerns. ...
Book chapter (2018) - Pieter Hartel, Marianne Junger
Every new technology brings new opportunity for crime, and information and communication technology (ICT) is no exception. This short article offers students of crime insights into the two main connections between ICT and criminology. On the one hand we show how ICT can be used as a tool, target, or location of crime. On the other hand we show how ICT can be used as a tool to study crime. ...

A literature-based dissection of successful attacks

Journal article (2018) - Jan Willem Hendrik Bullée, Lorena Montoya, Wolter Pieters, Marianne Junger, Pieter Hartel
The aim of this study was to explore the extent to which persuasion principles are used in successful social engineering attacks. Seventy-four scenarios were extracted from 4 books on social engineering (written by social engineers) and analysed. Each scenario was split into attack steps, containing single interactions between offender and target. For each attack step, persuasion principles were identified. The main findings are that (a) persuasion principles are often used in social engineering attacks, (b) authority (1 of the 6 persuasion principles) is used considerably more often than others, and (c) single-principle attack steps occur more often than multiple-principle ones. The social engineers identified in the scenarios more often used persuasion principles compared to other social influences. The scenario analysis illustrates how to exploit the human element in security. The findings support the view that security mechanisms should include not only technical but also social countermeasures. ...

A Building Security Penetration Test

Journal article (2018) - Jan Willem Bullée, Lorena Montoya Morales, Marianne Junger, Pieter Hartel
Purpose – When security managers choose to deploy a smart lock activation system, the number of units needed and their location needs to be established. This study presents the results of a penetration test involving smart locks in the context of building security. We investigated how the amount of effort an employee has to invest in complying with a security policy (i.e. walk from the office to the smart key activator) influences vulnerability. In particular, the attractiveness of a no-effort alternative (i.e. someone else walking from your office to the key activators to perform a task on your behalf) was evaluated. The contribution of this study relates to showing how experimental psychology can be used to determine the cost-benefit analysis (CBA) of physical building security measures.
Design/methodology/approach – Twenty-seven different ‘offenders’ visited the offices of 116 employees. Using a script, each offender introduced a problem, provided a solution and asked the employee to hand over their office key.
Findings – A total of 58.6% of the employees handed over their keys to a stranger; no difference was found between female and male employees. The likelihood of handing over the keys for employees close to a key activator was similar to that of those who were further away.
Research limitations/implications – The results suggest that installing additional key activators is not conducive to reducing the building’s security vulnerability associated with the handing over of keys to strangers.
Originality/value – No research seems to have investigated the distribution of smart key activators in the context of a physical penetration test. This research highlights the need to raise awareness of social engineering and of the vulnerabilities introduced via smart locks (and other smart systems). ...
Journal article (2018) - Jan Willem Bullée, Lorena Montoya, Marianne Junger, Pieter Hartel
Social engineering is an attack technique in which deception and fraud are used to make targets actively cooperate in their own victimisation. In this article, a practical example and the associated theories are used to provide insight into social engineering practices. In addition, three experiments (i.e. face-to-face, telephone and e-mail) in which systematic research into this threat is central are discussed. The results provide insight into how vulnerable an organisation is to social engineering and which employees benefit most from an awareness campaign. ...
Journal article (2017) - Jan Willem Bullee, Lorena Montoya, Marianne Junger, Pieter Hartel
Purpose - The purpose of this study is to explore how the opening phrase of a phishing email influences the action taken by the recipient.
Design/methodology/approach - Two types of phishing emails were sent to 593 employees, who were asked to provide personally identifiable information (PII). A personalised spear phishing email opening was randomly used in half of the emails.
Findings - Nineteen per cent of the employees provided their PII in a general phishing email, compared to 29 per cent in the spear phishing condition. Employees having a high power distance cultural background were more likely to provide their PII, compared to those with a low one. There was no effect of age on providing the PII requested when the recipient's years of service within the organisation is taken into account.
Practical implications - This research shows that success is higher when the opening sentence of a phishing email is personalised. The resulting model explains victimisation by phishing emails well, and it would allow practitioners to focus awareness campaigns to maximise their effect.
Originality/value - The innovative aspect relates to explaining spear phishing using four sociodemographic variables. ...
Conference paper (2017) - Elmer Lastdrager, Inés Carvajal Gallardo, Pieter Hartel, Marianne Junger
User training is a commonly used method for preventing victimization from phishing attacks. In this study, we focus on training children, since they are active online but often overlooked in interventions. We present an experiment in which children at Dutch primary schools received an anti-phishing training. The subjects were subsequently tested for their ability to distinguish phishing from non-phishing. A control group was used to control for external effects. Furthermore, the subjects received a re-test after several weeks to measure how well the children retained the training. The training improved the children's overall score by 14%. The improvement was mostly caused by an increased score on the questions where they had to detect phishing. The score on recognizing legitimate emails was not affected by the training. We found that the improved phishing score returned to pre-training levels after four weeks. Conversely, the score of recognition of legitimate emails increased over time. After four weeks, trained pupils scored significantly better in recognizing legitimate emails than their untrained counterparts. Age had a positive effect on the score (i.e., older children scored higher than younger ones); but sex had no significant influence. In conclusion, educating children to improve their ability to detect phishing works in the short term only. However, children go to school regularly, making it easier to educate them than adults. An increased focus on the cybersecurity of children is essential to improve overall cybersecurity in the future. ...