A Survey on Human and Personality Vulnerability Assessment in Cyber-security: Challenges, Approaches, and Open Issues

These days, cyber-criminals target humans rather than machines, since they try to accomplish their malicious intentions by exploiting the weaknesses of end users. Thus, human vulnerabilities pose a serious threat to the security and integrity of computer systems and data. The human tendency to trust and help others, as well as personal, social, and cultural characteristics, are indicative of the level of susceptibility that one may exhibit towards certain attack types and deception strategies. This work aims to investigate the factors that affect human susceptibility by studying the existing literature related to this subject. The objective is also to explore and describe state-of-the-art human vulnerability assessment models, current prevention and mitigation approaches regarding user susceptibility, as well as educational and awareness-raising training strategies. Following the review of the literature, several conclusions are reached. Among them, Human Vulnerability Assessment has been included in various frameworks aiming to assess the cyber security capacity of organizations, but it concerns a one-time assessment rather than a continuous practice. Moreover, human maliciousness is still neglected in current Human Vulnerability Assessment frameworks; thus, insider threat-actors evade identification, which may lead to an increased cyber security risk. Finally, this work proposes a user susceptibility profile according to the factors stemming from our research.
