-
While security technology can be nearly impenetrable, the people behind the computer screens are often easily manipulated, which makes the human factor the biggest threat to cybersecurity. This study examined whether college students disclosed private information about themselves, and what type of information they shared. The study utilized pretexting, in which attackers impersonate individuals in certain roles and which often involves extensive research to ensure credibility. The goal of pretexting is to create situations where individuals feel safe releasing information that they otherwise might not. The pretexts used for this study were based on the natural inclination to help, where people tend to want to help those in need, and reciprocity, where people tend to return favors given to them. Participants (N=51) answered survey questions that they thought were for a good cause or that would result in a reward. This survey asked for increasingly sensitive information that could be used maliciously to gain access to identification, passwords, or security questions. Upon completing the survey, participants were debriefed on the true nature of the study and were interviewed about why they were willing to share information via the survey. Some of the most commonly skipped questions included “Student ID number” and “What is your mother’s maiden name?”. General themes identified from the interviews included the importance of similarities between the researcher and the subject, the researcher’s adherence to the character role, the subject’s awareness of question sensitivity, and the overall differences between online and offline disclosure. Findings suggest that college students are more likely to disclose private information if the attacker shares a similar trait with the target or if the attacker adheres to the character role they are impersonating.
Additionally, this study sheds light on the research limitations, emphasizes the relevance of the human factor in security and privacy, and offers recommendations for future research.
-
Cyberattacks are a major threat in the modern era, yet there is a lack of information on how cybercrime groups think and operate. This paper aims to better understand cyber adversaries by analyzing penetration testing teams during the 2018 and 2019 National Collegiate Penetration Testing Competition, in which groups of students performed actions similar to those of cybercriminals, attempting to identify and exploit system vulnerabilities. Using penetration testing teams as an ethical proxy for cybercrime groups allows the researchers to study group dynamics as well as factors impacting the rationality of cybercriminals. Themes identified in manually coded interview transcripts are compared to the existing literature on cybercrime groups. Similar to what is established in the prior research, themes emerged in the interviews on the group structure and dynamics of each team, featuring elements of leadership, division of labor, the role of each team member, the presence of partners and subgroups, communication within the team, and interpersonal team member relationships. Other apparent factors that specifically impacted the bounded, or limited, rationality of the team members included setbacks and problem solving, the competition environment, stress, and issues with morale. This comparison of penetration testing groups with cybercrime groups allows for the development of a better understanding of the operations and rational thinking of a criminal organization, which may lead to a better understanding of how to prevent or defend against cyberattacks, such as by improving response times of the security team or by increasing the difficulty of penetrating the technical environment.