DOI: 10.1145/3468784.3468789
research-article

Human Factors in Cybersecurity: A Scoping Review

Published: 20 July 2021

Abstract

Humans are often considered to be the weakest link in the cybersecurity chain. However, Computer Science (CS) researchers have traditionally investigated the technical aspects of cybersecurity, focusing on encryption and network security mechanisms. The human aspect, although very important, is often neglected. In this work, we carry out a scoping review to investigate the CS community's take on the human-centric cybersecurity paradigm by considering the top conferences on network and computer security over the past six years. Results show that, broadly, two types of users are considered: expert and non-expert users. Qualitative techniques dominate the research methodology employed; however, there is a lack of focus on the theoretical aspects. Moreover, the samples have a heavy bias towards the Western community, due to which the results cannot be generalized, and the effect of culture on cybersecurity is a lesser-known aspect. Another issue is the unavailability of standardized security-specific scales that can measure users' perception of cybersecurity. New insights are obtained and avenues for future research are presented.

Published In

ACM Other conferences
IAIT '21: Proceedings of the 12th International Conference on Advances in Information Technology
June 2021
281 pages
ISBN: 9781450390125
DOI: 10.1145/3468784

Publisher

Association for Computing Machinery
New York, NY, United States

Author Tags

1. Culture
2. Cybersecurity
3. Human factors
4. Theory

Qualifiers

• Research-article
• Research
• Refereed limited

Conference

IAIT2021

Acceptance Rates

Overall Acceptance Rate 20 of 47 submissions, 43%
