Traditional SETA No More: Investigating the Intersection Between Cybersecurity and Cognitive Neuroscience

We investigated the role automated behavior plays in contributing to security breaches. Using different forms of phishing, combined with multiple neurophysiological tools, we were able to more fully understand the approaches participants took when they engaged with a phishing campaign. The four participants of this pilot study varied in gender and IT experience, while age was controlled for. The biggest factor for awareness and successfully resisting a phishing campaign may be the proximity of security training to engagement with that campaign. Neurophysiological tools helped illustrate the thought processes behind participants’ statements and actions; combined with consideration of individual characteristics, these tools help shed more light on human behavior. In the future, we plan to further enhance our testing environment by incorporating an emergent model that considers work task complexity and to incorporate more industry participants with a range of IT experience.
