Cyber Attacks, Contributing Factors, and Tackling Strategies:
The Current Status of the Science of Cybersecurity
Samantha Bordoff, Quan Chen, Zheng Yan
University at Albany, SUNY
Abstract
As access to the Internet has increased, cybersecurity has become important, with
businesses and the government spending much time and resources to combat cyber
attacks. The purpose of this study was to review the existing literature related to
cybersecurity. Specifically, the review synthesizes the empirical research in (1) various
types of cyber attacks, (2) contributing factors related to cybersecurity behavior, and (3)
strategies to improve cybersecurity behavior. The most developed line of research in this
area has been focusing on the strategies to improve cybersecurity behavior, showing a
questionable trend of quickly creating solutions before fully conceptualizing the problem.
Keywords: cybersecurity, cyber attack, risk management, computer crime, cyber
threats, cyber security strategy
Introduction
As Internet technologies become more ubiquitous throughout societies, the threat
of cyber attacks and the need for cyber security become even more important. Today,
people access the Internet from their pockets or backpacks using wireless
technologies such as smartphones and tablets that are able to reach wireless networks
almost everywhere. However, for Internet technologies used in cyberspace, as with
almost all new technologies, along with the good comes some bad.
Cyber attacks, attempts to hack into or otherwise disrupt or destroy computer
networks or other Internet devices, are one of the prominent negative outcomes to occur
from this boom in Internet technologies (Bedser, 2007). A cyber attack could range from
something as minor as an individual downloading a computer virus, to something as
major as entire multinational corporations being hacked in order to gain insider
knowledge or steal financial information from customers. Cyber attacks can lead to a
person’s identity or financial information being stolen and to small businesses going out
of business due to the results of these attacks.
Cybersecurity is not a new research topic; it has been a major national
challenge for over 20 years and has led to rapid growth of the research literature in the past
10 years (e.g., Clark, Berson, & Lin, 2014; CSTB, 2002; USEOP, 2010 & 2011;
USOWH, 2009). Since 1991, the Computer Science and Telecommunications Board
(CSTB) of the National Research Council alone has produced seven major research
reports, recognizing cybersecurity as a national challenge and summarizing various types
of technical and nontechnical strategies to meet the challenge. However, in 2002, after 10
years of work on cybersecurity, CSTB stated that “there is a deep frustration that research
and recommendations do not seem to translate easily into deployment and utilization”
(CSTB, 2002). In 2014, after 20 years of work on cybersecurity, CSTB reported that
“relatively little progress has been made in cybersecurity despite the recommendations of
many reports from the Academies and elsewhere, and potential policy responses” (Clark,
Berson, & Lin, 2014).
Given the fast-growing literature and the existing challenges in cybersecurity, the
motivation of the current review article is to synthesize the current literature for
researchers, policy makers, practitioners, and even the general public. The first and most
systematic literature review was published in 2006 by Cannoy, Palvia, and Schilhavy,
three scholars from North Carolina. In this review, Cannoy, Palvia, and Schilhavy
searched the existing literature published between 1996 and 2005 in top journals in the field
of information systems and located 82 articles for their review. Specifically, they
identified nine major areas of focus in the existing literature (e.g., legal issues, monitoring
and morality, vulnerabilities and risks, and detection) and developed a thoughtful
framework to theorize major constructs and their relationships for the information system
security research. This important review has made strong contributions to cybersecurity
research by synthesizing the existing literature and presenting a comprehensive
framework.
Built upon and motivated by this important review, the present review is intended
to make new knowledge-synthesis contributions to cybersecurity research in three
aspects. First, we searched the current literature between 2005 and 2015 to provide an update
after the Cannoy, Palvia, and Schilhavy review, which covered 1996-2005. Second, we
expanded the literature search from information system security specifically to
cybersecurity in general, including personal cybersecurity, business cybersecurity, and
government cybersecurity, in order to develop a big picture of the current cybersecurity
research. Third, we developed a broad framework that synthesizes the current
cybersecurity literature by focusing on three sequentially interconnected major topics,
that is, various cyber attacks, various factors contributing to cyber attacks, and various
strategies to tackle cyber attacks.
Method
To locate the existing research, multiple literature search methods were utilized,
including computer search of electronic databases and major journals, manual search of
references of identified articles, and consultation with experienced librarians. Major
electronic databases, such as PsychInfo, Pubmed, Web of Science, and Science Direct,
and major journals related to Internet behaviors, such as Computers in Human Behavior,
Journal of Information Privacy and Security, Behavior and Information Technology,
Information Systems Journal, and Information Systems Review were searched to find
relevant journal articles. Pubmed was used as a database in order to include cyber threats
to medical technologies. Key words that were used include: “cyber security”,
“cybersecurity”, “internet security”, “information security”, “internet security measures”,
“internet privacy”, “privacy”, and “security”. “Cyber attacks” and its single-word form
“Cyberattack” have been used interchangeably (Gewirtz, 2011). In this study, we used
both forms when searching the literature, and we use the two-word form “Cyber attacks”
in the current article for consistency in writing. The same rule applies to “Cyber security”
and “Cybersecurity” as well.
A total of 536 articles on cyber security were identified through the initial search.
These articles were further examined using the following three criteria to select studies
under review: firstly, the studies included in the review must have explicitly examined the
human factors related to cyber security and the effects of cyber security; secondly, the
studies should be published in peer-reviewed journals; and thirdly, the studies should not
focus on the technology aspect of cyber security. After applying these three criteria,
222 were selected and reviewed in three major areas: cyber attacks, contributing factors,
and tackling strategies.
Cyber Attacks
Identify
The first core function of cyber security is to identify cyber attacks (National
Institute of Standards and Technology, 2014). This includes understanding the risk
associated with cyber attacks and how to manage these risks. There exists a relatively small
amount of research literature on cyber attacks. It mainly focuses on three topics: types of
cyber attacks, technologies used in cyber attacks, and effects of cyber attacks. About
31.5% of the articles found were related to this area (the total amount of studies discussed
will exceed 100% due to some articles being relevant to more than one category).
First, there is accumulated knowledge focusing on specific types of cyber attacks,
such as phishing (e.g. Arachchilage & Love, 2014; Bose & Leung, 2014), malware (e.g.
Jansson & von Solms, 2013; Jang-Jaccard & Nepal, 2014), hacking (e.g. Papadimitriou,
2009; Huang, Rau, & Salvendy, 2010; Kumar, Mohan, & Holowczak, 2008), and fraud
(e.g. Vahdati & Yasini, 2015; Mann, 2004). Bagchi and Udo (2003) made contributions
to an understanding of the rate of different types of cyber attacks. Information theft,
fraud, and viruses were projected to increase the most over time in comparison to other
computer related crimes, such as theft of laptops and unauthorized insider access.
However, there are other types of cyber attacks not explored in the literature, such as
social engineering and computer viruses.
Second, the technologies involved in these attacks could include smartphones,
PDAs, tablets, laptop computers, and personal computers. There is also
an initial understanding of cyber threats to medical technologies (Coronado & Wong,
2014; Rios, 2015; Fu & Bum, 2014).
Third, knowledge is accumulating about the immediate effects from cyber attacks.
This includes having personal information stolen (Gerard et al., 2013), money stolen
(Davinson & Sillence, 2014; Mann, 2004), intellectual property stolen (Andrijcic &
Horowitz, 2006), data loss (Bartlett & Smith, 2008; Khey & Sainato, 2013; Densham,
2015; Perkel, 2010), and web traffic loss for businesses (Davis, Garcia & Zhang, 2009).
Yet, there is little knowledge about how cyber attacks affect the individual in the long
term. For instance, are there any psychological effects from being a victim of a cyber
attack? Do people approach cyber security differently after falling victim to an attack?
Similarly, how long would it take the average Internet user to even notice that they had
fallen victim to a cyber attack? These are all avenues that have not been explored in the
current literature. Another possible effect of cyber attacks discussed throughout the
literature is the possibility of cyber warfare (McGraw, 2013; Weinberger, 2011). This
could be inevitable if better strategies to combat cyber attacks are not created and
utilized.
Contributing Factors
Human factors
Research related to the human factors that affect cyber security behavior is rapidly
emerging. In total 50.4% of the articles found for this review explored the contributing
factors that affect the cyber security behaviors of individuals and businesses. As software
engineers create better and more complex systems to evade cyber attacks, the human
factors that lead to cyber attacks occurring are becoming even more important (Abawajy,
2014). The current literature in the area focuses on four main factors related to an
individual’s cyber security behavior: (1) knowledge and experience in cyber security, (2)
unrealistic trust or optimism in the cyber world, (3) demographic factors and individual
differences affecting cyber security, and (4) beliefs and perceptions towards cyber
security.
First, a person’s knowledge of cyber security (e.g. Arachchilage & Love, 2014;
Shillair et al., 2015; Ben-Asher & Gonzalez, 2015; Slusky & Partow, 2012) and
experience with cyber technologies (e.g. Modic & Anderson, 2014; Vishwanath, Herath,
Chen, Wang & Rao, 2011) have been found to be positively associated with engaging in
cyber secure behaviors. For example, users who have a better understanding of computers
tend to keep malware warnings on (Modic & Anderson, 2014) and users who frequently
send and receive emails are less likely to fall victim to phishing (Vishwanath et al.,
2011). However, although general cyber security knowledge can help an individual detect
malicious events, it is not sufficient to pick up on the series of events that lead to a
cyber attack. Instead, experience with the network along with specific knowledge of
cyber security leads to better decision making regarding the cyber attack (Ben-Asher &
Gonzalez, 2015).
Second, research has found substantial evidence of individuals’ unrealistic
optimism and trust in the cyber world, thinking that they are less at risk than others for
something negative (e.g., fraud or identity theft) to occur to them (e.g. Campbell,
Greenauer, Macaluso, & End, 2005; Corritore, Kracher, & Wiedenbeck, 2003). This trust
in the cyber world leads people to put themselves at risk in the cyber world. The more
time an individual spends on the Internet, the more likely he or she is to have this bias
(Campbell et al., 2005). However, other research indicates that the majority of IT
professionals believe that they will fall victim to a cyber attack at some point within the
next year (Strand, 2014), suggesting that knowledge and experience may moderate this
effect and more research is needed in order to understand this nuanced relationship.
Third, researchers have examined how demographic factors such as age and
gender (e.g. Grimes, Hough, Mazur, & Signorella, 2010; Henson, Reyns, & Fisher, 2013)
and individual differences (Whitty, Doodson, Creese, & Hodges, 2015) are related to
cyber security. Older adults are less knowledgeable than younger adults about cyber
security, with older females being the least knowledgeable, thus the most susceptible to
cyber attacks (Grimes et al., 2010). Individuals with low levels of perseverance and high
levels of self-monitoring are less likely to share passwords (Whitty et al., 2015).
Fourth, research has been done to begin understanding people’s attitudes towards
cyber security (Chen, Chen, Lo, & Yang, 2008; Li, Sarathy, Zhang, & Luo, 2014) and
perceptions of cyber security technologies (Abawajy, 2015; Kim & Park, 2012; Agamba
& Keengwe, 2012; Herath et al., 2014; Kumar, Mohan, & Holowczak, 2008; Huang,
Rau, & Salvendy, 2010). Convenience tends to outweigh other factors when it comes to
adopting cyber secure practices, such as having email authentication services and using
effective passwords (Herath et al., 2014; Kim & Park, 2012). When it comes to online
privacy, anonymity is a feature that is very important to Internet users (Chen et al., 2008).
In the current literature there are also multiple research models created to explain
the relationship between users and cyber security technologies (e.g. Corritore et al., 2003;
Tamjidyamcholo, Li, Sarathy, Zhang & Lou, 2014). The accumulated knowledge in
cyber security has addressed many factors, such as knowledge, experience, trust,
attitudes, age and gender that influence how a person behaves in cyber space. Cyber
attackers tend to look for the weakest link in order to break through a system, and
typically this weakest link is the individual as he or she engages in unsafe behavior.
Because of this, more research in this area is needed in order to create better strategies to
combat cyber attacks. Thus, researchers should continue to evaluate how individuals put
themselves at risk in the cyber world.
Business factors
Another emerging field of research in cyber security is the factors that affect
businesses’ cyber security practices and behaviors. The two main components in the
literature are how businesses should deal with employees in relation to cyber security and
the cost of both implementing and improving cyber security strategies, as well as the risk
associated with cutting corners in cyber security.
Businesses not only need to be concerned with keeping their network secure from
cyber attacks but they need to ensure that their employees are not putting the company at
risk. Research has focused on factors that may cause an employee to engage in risky
cyber behaviors while at work that could affect the business. The factors
explored in the current literature include the employees’ motivation (Herath & Rao,
2009; Vance, Siponen, & Pahnila, 2012), stress (D’Arcy, Herath, & Shoss, 2014), ethics
(Li, Sarathy, Zhang, & Luo, 2014), personality (Vahdati & Yasini, 2015; Wall, 2013),
and knowledge of cyber security policies (San Nicolas-Rocca, Schooley, & Spears,
2014). Herath and Rao (2009) found through surveying employees that both extrinsic
motivators, such as penalties for noncompliance, and intrinsic motivators, such as the
employee’s perceived effectiveness of complying with cyber security policies, were
important factors that influence an employee’s compliance with the business’s cyber
security policies. Lowry, Posey, Bennett and Roberts (2015) found that organizational
trust is another important factor in an employee’s compliance with cyber security
policies.
Research in the field has also begun to document the economic factors related to
cyber security. Various risk management analyses and economic analyses have been
conducted to examine how to implement cyber security strategies for businesses as well
as the economic loss associated with the attacks (e.g. Bojanc & Jerman-Blazic, 2008; Hsu,
Lee, & Straub, 2012; Yan & Tayi, 2015). Additionally, there is an initial understanding
of the economic risks to a business if a cyber attack were to occur. One study of 259
businesses throughout the world found that if a business releases a phishing alert, the
business’ market value could decrease by US$ 411 million (Bose & Leung, 2014).
Alarmingly, another study found that 60% of small businesses that suffer a cyber attack
close within six months following the attack due to the economic loss (Tuttle, 2013).
The literature has also contributed knowledge about the unique factors influencing
the healthcare industry, as more mobile devices, such as laptops and tablets, are being
used (Harries & Yellowlees, 2013; Schneier, 2012). According to one study, 94% of
healthcare businesses have fallen victim to cyber attacks (Peraksilis, 2014). This initial
literature has focused on how to keep networks secure in order to ensure privacy for
patients as medical records are being kept electronically (Gerard, Kapadia, Acharya,
Chang & Lekovitz, 2013). Also, as medical devices become more advanced, requiring
software that is susceptible to malware, there has been initial research on how to keep
these devices secure from threats (Coronado & Wong, 2014; Rios, 2015).
Tackling Strategies
The largest amount of cyber security research is on strategies for improving cyber
security technology, and improving cyber security behavior among individuals, for
businesses, and through the government. In total, 75.2% of the articles found were related
to strategies for improving cyber security behaviors. Reducing opportunities for cyber
attackers to commit cybercrimes could be a promising line of research, as it is an
approach to reducing other crimes (Reyns & Hansen, 2013; Maimon, Alper, Sobesto, &
Cukier, 2014; Hinduja & Kooi, 2013).
Person strategies
The most examined strategy for increasing cyber security among individuals is
through training programs to educate and increase awareness of cyber security. This can
be through lectures or seminars, games, or simulations (e.g. Abawajy, 2014; Jansson &
von Solms, 2014; Martin & Rice, 2012). The most beneficial way to improve awareness
of cyber security is through a combination of various training methods (Abawajy, 2014).
The literature has also explored simpler ways of increasing cyber secure behaviors, such
as through increased warnings on computers (Carpenter, Zhu & Kolimi, 2014) or ways to
help users create better passwords (e.g. Jenkins, Grimes, Proudfoot, & Lowry, 2013; Vu
et al., 2007; Tam, Glassman, & Vandenwauver, 2010), such as using biometrics for
smartphone users (Chae, Moon, Ko, Shin, & Pan, 2014).
Research has also explored how to use the knowledge of the human factors
related to cyber security in order to create better cyber security (e.g. Shillair, 2015; Modic
& Anderson, 2014; Dark, 2015). Dark (2015) suggests it is important to combine what is
known about neuroscience and the science of learning in order to better educate
individuals in cyber security. This is still a small field of research and should be explored
further through interdisciplinary research, bringing together psychologists and cyber
security experts in order to create the best education possible.
Individuals have also taken it upon themselves to police the Internet for cyber
attacks (e.g. Huey, Nhan & Broll, 2012; Kelly, 2012). However, there is little knowledge
about these cyber vigilantes, their methods, and the effectiveness of their work.
In addition, throughout the literature there has been discussion of the need to
change and improve the discourse between cyber security professionals and others (Betz
& Stevens, 2013; Bolton, 2013; Quigley, Burns, & Stallard, 2015). The everyday person
has difficulty understanding the language used by cyber security professionals and this
could affect their willingness and ability to use cyber security technology.
Business strategies
A main strategy for improving cyber security discussed in the literature is through
businesses collaborating and sharing information with each other to increase everyone’s
cyber security (e.g. Gal-Or & Ghose, 2005; Herath & Rao, 2009; Gordon, Loeb,
Lucyshyn, & Zhou, 2015). Initial concern about this strategy, however, is how to
appropriately share information yet protect the privacy of the company at the same time
(Mallinder & Drabwell, 2014).
In the literature there are also multiple models attempting to quantify the cyber
security risk for businesses in order to determine affordable yet effective strategies (e.g.
Bojanc & Jerman-Blazic, 2008; Mukhopadhyay et al., 2013).
Other strategies explored include training employees to be more cyber secure in
the workplace and ensuring compliance with cyber security policies (e.g. Assante & Tobey,
2011; San Nicolas-Rocca, Schooley & Spears, 2014). However, training and education are
expensive. Forte and Power (2007) created a cyber security checklist for businesses to
utilize in order to help them educate their employees in an economical way. This
checklist includes information about password security, email security, security for home
computers, identity theft, child safety, social engineering, and security for mobile
devices. Although this does not cover all aspects of cyber security, it covers many
pertinent topics that employers would want their employees to know about in order to
protect themselves and the business.
One challenge for businesses is that there is a lack of skilled cyber security
professionals for businesses to hire (Caldwell, 2013; Lyne, 2010; Paulsen, McDuffie,
Newhouse, & Toth, 2012). This has become such a problem for businesses that it is being
referred to as a “skills crisis” (Caldwell, 2013), as even many professionals in the field do
not have sufficient skills to protect the business’ systems. Hoffman, Burley, and Toregas
(2012) examined how to create a better cyber security workforce with a more holistic
approach, through integrating the work of educators, cyber security professionals, and the
government. Academics and the government should work together to encourage
individuals from different backgrounds to pursue professional development in cyber
security. Additionally, educators and cyber security professionals should collaborate to
create more degree programs and training programs for individuals to pursue.
Government strategies
There is an emerging consensus in the literature that the national government in
the United States needs to take the lead in cyber security (Grant, 2010; Ghernouti-Helie,
2010; Etzioni, 2011; Chabinsky, 2010; Berkowitz & Hahn, 2003; Assante & Tobey,
2010; Rees, Rakes, & Baker, 2011; Farber, 2003). It is argued that the government needs
to create policies that will enhance cyber security and programs that will train cyber
security professionals, as well as increase funding for research and the development of
new cyber security technologies. On the other hand, some theorists argue that the national
government’s focus on cyber security is just an attempt to increase surveillance and
ultimately leads to less cyber security for citizens (Cavelty, 2014). What we do know is
that individuals, businesses and governments need to work together in order to enhance
cyber security for everyone (Hare, 2009; Matusitz, 2013; Quigley & Roy, 2011;
McDuffie & Piotrowski, 2014).
Knowledge is accumulating in the literature about how countries and governments
throughout the globe have attempted to improve cyber security. This includes studies in
Estonia (Cardash, Cilluffo & Ottis, 2013), Croatia (Blythe, 2008), Holland (Clark,
Stikvoort, Stofbergen, & van den Heuvel, 2014), Canada (Platt, 2011), and the United
Kingdom (Everett, 2010). Luiijf, Besseling, and De Graaf (2013) compared 19 countries’
national cyber security strategies, commenting on the similarities and weaknesses of
each. Since cyber security is a global problem, collaboration amongst countries
throughout the globe could be particularly useful in combating cyber security threats.
Conclusions
In the behavioral sciences, cyber security is still an emerging field of research. In
the field of information security and computer security, studies have highlighted many
critical topics, such as legal issues, monitoring and morality, vulnerabilities and risks,
awareness and motivations (Bulgurcu, Cavusoglu & Benbasat, 2010; Cannoy, Palvia &
Schilhavy, 2006; Ng, Kankanhalli & Xu, 2009; Stanton, Stam, Mastrangelo & Jolton,
2005; West, 2008). Built upon these studies, the present review expands the scope
from information system security specifically to cybersecurity in general and synthesizes
the current literature on cyber attacks and potential effects of these attacks, various
factors that contribute to various cyber security behaviors, and strategies to help
individuals and businesses make better decisions in cyber space. It also reveals
much-needed areas for future research.
First, cyber security research in the social sciences, related to the human aspect,
rather than the technology aspect, of cyber security, is an emerging field of literature. The
most prominent types of cyber attacks discussed in the literature include phishing and
hacking. There is a current understanding of the basic and immediate effect of cyber
attacks. However, little is known about the psychological and long-term effects of these
attacks on the individual. Future research could delve into this unexplored avenue of
cyber security research in order to better assist those who experience these unfortunate
attacks.
Second, much is known now about the factors that influence an individual’s cyber
security behavior. Factors such as knowledge and experience, unrealistic trust and
optimism, demographic factors and individual differences, and perceptions and beliefs
about cyber security, all have effects on how a person behaves in cyber space. While
most research up to this point has focused on just one of these factors, future research
could explore how a combination of these factors interacts in order to impact an
individual’s behavior.
Furthermore, a business’s cyber security behavior is influenced not only by
financial motivations, but also by how its employees behave in cyber space. Businesses
need to constantly assess the cost/benefit ratio of implementing different types of cyber
security and multiple models have been created in order to help businesses achieve this
goal. Additionally, the factors that influence an individual’s cyber security behavior in a
business setting are different from the factors that influence his or her behavior at home or
with personal devices. At work, an employee will make cyber security decisions based on
factors such as motivation and the perceived effectiveness of their decisions.
Third, the most developed line of research in this field is strategies to improve a
person’s cyber security behavior, either at home or at their place of employment. The
fact that strategies for dealing with cyber attacks are the most prominent area of research
at this time exemplifies the hastiness of the field to give the prescription before fully
understanding the diagnosis, an ineffective strategy for solving a problem. Many
strategies have been deemed effective at improving cyber security, such as seminars and
games. One common finding, however, is that many researchers believe that the
government needs to play a larger role in leading the fight against cyber attacks.
Nevertheless, researchers need to play their part and come up with effective ways to keep
users safe from cyber attacks. Research needs to continue to explore the factors that
influence a person’s cyber security behavior in order to better come up with effective
strategies rather than being in a hurry to give solutions. It is important to draw upon both
what is known about how individuals perceive cyber security, and what is known about
effective teaching and training methods, in order to create better strategies, since
hackers will certainly keep reinventing ways to trick the user in order to gain access to his or
her information.
References
Abawajy, J. (2014). User preference of cyber security awareness delivery
methods. Behaviour & Information Technology, 33(3), 237-248.
Agamba, J. J., & Keengwe, J. (2012). Pre-service teachers’ perceptions of information
assurance and cyber security. International Journal of Information and
Communication Technology Education, 8(2), 94-101.
Anderson, R. C., & Romney, G. W. (2014). Student experiential learning of cyber
security through virtualization. Journal of Research in Innovative Teaching, 7(1),
72–84.
Andrijcic, E., & Horowitz, B. (2006). A macro-economic framework for evaluation of
cyber security risks related to protection of intellectual property. Risk
Analysis, 26(4), 907-923.
Arachchilage, N. A. G., & Love, S. (2014). Security awareness of computer users: A
phishing threat avoidance perspective. Computers in Human Behavior, 38, 304-312.
Assante, M. J., & Tobey, D. H. (2011). Enhancing the cybersecurity workforce. IT
Professional, (1), 12-15.
Bagchi, K., & Udo, G. (2003). An analysis of the growth of computer and Internet
security breaches. Communications of the Association for Information
Systems, 12(1), 46.
Bartlett, D., & Smith, L. (2008). Managing the data loss crisis. Risk Management, 55(6),
34.
Bauer, J. M., & van Eeten, M. J. G. (2009). Cybersecurity: Stakeholder incentives,
externalities, and policy options. Telecommunications Policy, 33(10–11), 706–719.
doi:http://dx.doi.org/10.1016/j.telpol.2009.09.001
Bayuk, J. L., & Horowitz, B. M. (2011). An architectural systems engineering
methodology for addressing cyber security. Systems Engineering, 14(3), 294-304.
Bedser, J. R. (2007). The Impact of the Internet on Security. Security Journal, 20(1), 55-56.
Ben-Asher, N., & Gonzalez, C. (2015). Effects of cyber security knowledge on attack
detection. Computers in Human Behavior, 48, 51-61.
Berkowitz, B., & Hahn, R. W. (2003). Cybersecurity: Who’s watching the store? Issues
in Science and Technology, 19(3), 55.
Betz, D. J., & Stevens, T. (2013). Analogical reasoning and cyber security. Security
Dialogue, 44(2), 147–164. doi:10.1177/0967010613478323
Blythe, S. E. (2008). Croatia’s computer laws: Promotion of growth in e-commerce via
greater cyber-security. European Journal of Law and Economics, 26(1), 75-103.
Bojanc, & Jerman-Blažič, B. (2008). An economic modeling approach to information
security risk management. International Journal of Information Management,
28(5), 413-422.
Bolton, F. (2013). Cybersecurity and emergency management: encryption and the
inability to communicate. Journal of Homeland Security and Emergency
Management, 10(1), 379-385.
Boopathi, K., Sreejith, S., & Bithin, A. (2015). Learning cyber security through
gamification. Indian Journal of Science and Technology, 8(7), 642-649.
Bose, I., & Leung, A. C. M. (2014). Do phishing alerts impact global corporations? A
firm value analysis. Decision Support Systems, 64, 67-78.
Broggi, J. J. (2014). Building on Executive Order 13,636 to encourage information
sharing for cybersecurity purposes. Harv. JL & Pub. Pol’y, 37, 653.
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy
compliance: an empirical study of rationality-based beliefs and information
security awareness. MIS Quarterly, 34(3), 523-548.
Caldwell, T. (2013). Plugging the cyber-security skills gap. Computer Fraud & Security,
2013(7), 5–10.
Campbell, J., Greenauer, N., Macaluso, K., & End, C. (2007). Unrealistic optimism in
internet events. Computers in Human Behavior, 23(3), 1273-1284.
Cannoy, S., Palvia, P. C., & Schilhavy, R. (2006). A research framework for information
systems security. Journal of Information Privacy and Security, 2(2), 3-24.
Cardash, S. L., Cilluffo, F. J., & Ottis, R. (2013). Estonia’s cyber defence league: A
model for the United States?. Studies in Conflict & Terrorism, 36(9), 777-787.
Carpenter, S., Zhu, F., & Kolimi, S. (2014). Reducing online identity disclosure using
warnings. Applied Ergonomics, 45(5), 1337-1342.
Cavelty, M. D. (2014). Breaking the cyber-security dilemma: Aligning security needs and
removing vulnerabilities. Science and Engineering Ethics, 20(3), 701-715.
Chabinsky, S. R. (2010). Cybersecurity strategy: A primer for policy makers and those on
the front line. J. Nat’l Sec. L. & Pol’y, 4, 27.
Chae, S. H., Moon, D., Ko, K. R., Shin, J., & Pan, S. B. (2014). Security enhancement
for smartphone using biometrics in cyber-physical systems. International Journal
of Distributed Sensor Networks, 2014.
Chen, H. G., Chen, C. C., Lo, L., & Yang, S. C. (2008). Online privacy control via
anonymity and pseudonym: Cross-cultural implications. Behaviour & Information
Technology, 27(3), 229-242.
Chen, S., & Janeja, V. P. (2014). Human perspective to anomaly detection for
cybersecurity. Journal of Intelligent Information Systems, 42(1), 133-153.
Clark, K., Stikvoort, D., Stofbergen, E., & van den Heuvel, E. (2014). A Dutch approach
to cybersecurity through participation. Security & Privacy, IEEE, 12(5), 27-34.
Collier, Z. A., Linkov, I., & Lambert, J. H. (2013). Four domains of cybersecurity: a risk
based systems approach to cyber decisions. Environment Systems and
Decisions, 33(4), 469-470.
Ng, B.-Y., Kankanhalli, A., & Xu, Y. C. (2009). Studying users' computer
security behavior: A health belief perspective. Decision Support Systems, 46(4),
815-825.
Cone, B. D., Irvine, C. E., Thompson, M. F., & Nguyen, T. D. (2007). A video game for
cyber security training and awareness. Computers & Security, 26(1), 63–72.
doi:http://dx.doi.org/10.1016/j.cose.2006.10.005
Coronado, A. J., & Wong, T. L. (2014). Healthcare cybersecurity risk management: Keys
to an effective plan. Biomedical Instrumentation & Technology, 48(s1), 26-30.
Corritore, C. L., Kracher, B., & Wiedenbeck, S. (2003). On-line trust: concepts, evolving
themes, a model. International Journal of Human-Computer Studies, 58(6), 737-
758.
D’Arcy, J., Herath, T., & Shoss, M. K. (2014). Understanding employee responses to
stressful information security requirements: A coping perspective. Journal of
Management Information Systems, 31(2), 285-318.
Dark, M. (2014). Advancing Cybersecurity Education. Security & Privacy, IEEE, 12(6),
79-83.
Dark, M. (2015). Thinking about Cybersecurity. IEEE Security & Privacy, (1), 61-65.
Davinson, N., & Sillence, E. (2014). Using the health belief model to explore users’
perceptions of ‘being safe and secure’ in the world of technology mediated
financial transactions. International Journal of Human-Computer Studies, 72(2),
154-168.
Davis, G., Garcia, A., & Zhang, W. (2009). Empirical analysis of the effects of cyber
security incidents. Risk Analysis, 29(9), 1304-1316.
Densham, B. (2015). Three cyber-security strategies to mitigate the impact of a data
breach. Network Security, 2015(1), 5-8.
Etzioni, A. (2011). Cybersecurity in the private sector. Issues in Science and Technology,
(Fall 2011), 58-62.
Farber, D. (2003). Fame, but no riches, for cybersecurity. Spectrum, IEEE, 40(1), 51-52.
Forte, D., & Power, R. (2007). The ultimate cybersecurity checklist for your
workforce. Computer Fraud & Security, 2007(9), 14-19.
Fu, K., & Blum, J. (2013). Controlling for cybersecurity risks of medical device
software. Communications of the ACM, 56(10), 35-37.
Furman, S. M., Theofanos, M. F., Choong, Y. Y., & Stanton, B. (2011). Basing
cybersecurity training on user perceptions. IEEE Security & Privacy, (2), 40-49.
Gal-Or, E., & Ghose, A. (2005). The economic incentives for sharing security
information. Information Systems Research, 16(2), 186-208.
Gerard, P., Kapadia, N., Acharya, J., Chang, P. T., & Lefkovitz, Z. (2013). Cybersecurity
in radiology: access of public hot spots and public Wi-Fi and prevention of
cybercrimes and HIPAA violations. American Journal of Roentgenology, 201(6),
1186-1189.
Gewirtz, D. (2011). When it comes to cyber-attack, does the left prefer cyberattack and
the right cyber attack? Retrieved from
http://www.zdnet.com/article/when-it-comes-to-cyber-attack-does-the-left-prefer-cyberattack-and-the-right-cyber-attack/
Gordon, L. A., Loeb, M. P., Lucyshyn, W., & Zhou, L. (2015). The impact of
information sharing on cybersecurity underinvestment: A real options
perspective. Journal of Accounting and Public Policy.
Grant, J. (2010). Will there be cybersecurity legislation. J. Nat’l Sec. L. & Pol’y, 4, 103.
Grimes, G. A., Hough, M. G., Mazur, E., & Signorella, M. L. (2010). Older adults’
knowledge of Internet hazards. Educational Gerontology, 36(3), 173-192.
Hare, F. B. (2009). Private sector contributions to national cyber security: A preliminary
analysis. Journal of Homeland Security and Emergency Management, 6(1).
Harries, D., & Yellowlees, P. M. (2013). Cyberterrorism: Is the US healthcare system
safe? Telemedicine and e-Health, 19(1), 61-66.
Harris, M. A., Furnell, S., & Patten, K. (2014). Comparing the mobile device security
behavior of college students and information technology professionals. Journal of
Information Privacy and Security, 10(4), 186-202.
Henson, B., Reyns, B. W., & Fisher, B. S. (2013). Does gender matter in the virtual
world? Examining the effect of gender on the link between online social network
activity, security and interpersonal victimization. Security Journal, 26(4), 315-
330.
Herath, T., Chen, R., Wang, J., Banjara, K., Wilbur, J., & Rao, H. R. (2014). Security
services as coping mechanisms: an investigation into user intention to adopt an
email authentication service. Information Systems Journal, 24(1), 61-84.
Herath, T., & Raghav Rao, H. (2009). Control mechanisms in information security: a
principal agent perspective. International Journal of Business Governance and
Ethics, 5(1-2), 2-13.
Hinduja, S., & Kooi, B. (2013). Curtailing cyber and information security vulnerabilities
through situational crime prevention. Security Journal, 26(4), 383-402.
Hoffman, L. J., Burley, D. L., & Toregas, C. (2012). Holistically building the
cybersecurity workforce. Security & Privacy, IEEE, 10(2), 33-39.
Holm, H., Sommestad, T., Ekstedt, M., & Honeth, N. (2014). Indicators of expert
judgement and their significance: an empirical investigation in the area of cyber
security. Expert Systems, 31(4), 299-318.
Hsu, C., Lee, J. N., & Straub, D. W. (2012). Institutional influences on information
systems security innovations. Information Systems Research, 23(3-part-2), 918-
939.
Huang, D. L., Rau, P. L. P., & Salvendy, G. (2010). Perception of information
security. Behaviour & Information Technology, 29(3), 221-232.
Huang, D. L., Rau, P. L. P., Salvendy, G., Gao, F., & Zhou, J. (2011). Factors affecting
perception of information security and their impacts on IT adoption and security
practices. International Journal of Human-Computer Studies, 69(12), 870-883.
Huey, L., Nhan, J., & Broll, R. (2012). ‘Uppity civilians’ and ‘cyber-vigilantes’: The role
of the general public in policing cyber-crime. Criminology and Criminal Justice,
13(1), 81-97.
Imgraben, J., Engelbrecht, A., & Choo, K. K. R. (2014). Always connected, but are smart
mobile users getting more security savvy? A survey of smart mobile device
users. Behaviour & Information Technology, 33(12), 1347-1360.
Jang-Jaccard, J., & Nepal, S. (2014). A survey of emerging threats in
cybersecurity. Journal of Computer and System Sciences, 80(5), 973-993.
Jansson, K., & von Solms, R. (2013). Phishing for phishing awareness. Behaviour &
Information Technology, 32(6), 584-593.
Jenkins, J. L., Grimes, M., Proudfoot, J. G., & Lowry, P. B. (2014). Improving password
cybersecurity through inexpensive and minimally invasive means: Detecting and
deterring password reuse through keystroke-dynamics monitoring and just-in-time
fear appeals. Information Technology for Development, 20(2), 196-213.
Kelly, B. B. (2012). Investing in a centralized cybersecurity infrastructure: Why
hacktivism can and should influence cybersecurity reform. BUL Rev., 92, 1663.
Khey, D. N., & Sainato, V. A. (2013). Examining the correlates and spatial distribution of
organizational data breaches in the United States. Security Journal, 26(4), 367-
382.
Kim, B. C., & Park, Y. W. (2012). Security versus convenience? An experimental study
of user misperceptions of wireless internet service quality. Decision Support
Systems, 53(1), 1-11.
Kritzinger, E., & von Solms, S. H. (2010). Cyber security for home users: A new way of
protection through awareness enforcement. Computers & Security, 29(8), 840–
847. doi:http://dx.doi.org/10.1016/j.cose.2010.08.001
Kumar, N., Mohan, K., & Holowczak, R. (2008). Locking the door but leaving the
computer vulnerable: Factors inhibiting home users' adoption of software
firewalls. Decision Support Systems, 46(1), 254-264.
Li, H., Sarathy, R., Zhang, J., & Luo, X. (2014). Exploring the effects of organizational
justice, personal ethics and sanction on internet use policy
compliance. Information Systems Journal, 24(6), 479-502.
Lowry, P. B., Posey, C., Bennett, R. B. J., & Roberts, T. L. (2015). Leveraging fairness
and reactance theories to deter reactive computer abuse following enhanced
organisational information security policies: an empirical study of the influence of
counterfactual reasoning and organisational trust. Information Systems
Journal, 25(3), 193-273.
Luiijf, E., Besseling, K., & De Graaf, P. (2013). Nineteen national cyber security
strategies. International Journal of Critical Infrastructures, 9(1-2), 3-31.
Lyne, J. (2010). Cybersecurity recruitment challenge. Infosecurity, 7(5), 37.
Maimon, D., Alper, M., Sobesto, B., & Cukier, M. (2014). Restrictive deterrent effects of
a warning banner in an attacked computer system. Criminology, 52(1), 33-59.
Maisey, M. (2014). Moving to analysis-led cyber-security. Network Security, 2014(5), 5-
12.
Mallinder, J., & Drabwell, P. (2014). Cyber security: A critical examination of
information sharing versus data sensitivity issues for organisations at risk of cyber
attack. Journal of Business Continuity & Emergency Planning, 7(2), 103-111.
Mann, P. (2004). Cybersecurity–the CTOSE project. Computer Law & Security
Review, 20(2), 125-126.
Martin, N., & Rice, J. (2012). Children's cyber-safety and protection in Australia: An
analysis of community stakeholder views. Crime Prevention & Community
Safety, 14(3), 165-181.
Matusitz, J. (2013). The networks that fight cyberterrorist networks. Journal of Human
Behavior in the Social Environment, 23(5), 616-626.
McDuffie, E. L., & Piotrowski, V. P. (2014). The future of cybersecurity
education. Computer, (8), 67-69.
McGraw, G. (2013). Cyber war is inevitable (unless we build security in). Journal of
Strategic Studies, 36(1), 109-119.
Mirkovic, J., & Benzel, T. (2012). Teaching cybersecurity with DeterLab. Security &
Privacy, IEEE, 10(1), 73-76.
Modic, D., & Anderson, R. (2014). Reading this may harm your computer: The
psychology of malware warnings. Computers in Human Behavior, 41, 71-79.
Mukhopadhyay, A., Chatterjee, S., Saha, D., Mahanti, A., & Sadhukhan, S. K. (2013).
Cyber-risk decision models: To insure IT or not? Decision Support Systems, 56,
11-26.
Ottis, R. (2014). Light weight tabletop exercise for cybersecurity education. Journal of
Homeland Security and Emergency Management, 11(4), 579-592.
Papadimitriou, F. (2009). A nexus of cyber-geography and cyber-psychology:
topos/“notopia” and identity in hacking. Computers in Human Behavior, 25(6),
1331-1334.
Patel, S. C., Bhatt, G. D., & Graham, J. H. (2009). Improving the cyber security of
SCADA communication networks. Communications of the ACM, 52(7), 139-142.
Paulsen, C., McDuffie, E., Newhouse, W., & Toth, P. (2012). NICE: Creating a
cybersecurity workforce and aware public. IEEE Security & Privacy, (3), 76-79.
Perakslis, E. D. (2014). Cybersecurity in health care. N Engl J Med, 371(5), 395-397.
Perkel, J. (2010). Cybersecurity: how safe are your data? Nature, 464(7293), 1260-1261.
Pfleeger, S. L., & Caputo, D. D. (2012). Leveraging behavioral science to mitigate cyber
security risk. Computers & Security, 31(4), 597-611.
Platt, V. (2011). Still the fire-proof house? An analysis of Canada’s cyber security
strategy. International Journal, 67(1), 155.
Proctor, R. W., & Chen, J. (2015). The role of human factors/ergonomics in the science
of security decision making and action selection in cyberspace. Human Factors:
The Journal of the Human Factors and Ergonomics Society, 0018720815585906.
Quigley, K., Burns, C., & Stallard, K. (2015). ‘Cyber Gurus’: A rhetorical analysis of the
language of cybersecurity specialists and the implications for security policy and
critical infrastructure protection. Government Information Quarterly, 32(2), 108-
117.
Rees, L. P., Deane, J. K., Rakes, T. R., & Baker, W. H. (2011). Decision support for
cybersecurity risk planning. Decision Support Systems, 51(3), 493-505.
Reyns, B. W., & Henson, B. (2013). Security in a digital world: Understanding and
preventing cybercrime victimization. Security Journal, 26(4), 311-314.
Rios, B. (2015). Cybersecurity expert: Medical devices have 'a long way to
go'. Biomedical Instrumentation & Technology, 49(3), 197-200.
Rosoff, H., Cui, J., & John, R. S. (2013). Heuristics and biases in cyber security
dilemmas. Environment Systems and Decisions, 33(4), 517-529.
Rue, R., & Pfleeger, S. L. (2009). Making the best use of cybersecurity economic
models. IEEE Security & Privacy, (4), 52-60.
Ryan, J. J., Mazzuchi, T. A., Ryan, D. J., De la Cruz, J. L., & Cooke, R. (2012).
Quantifying information security risks using expert judgment elicitation.
Computers & Operations Research, 39(4), 774-784.
San Nicolas-Rocca, T., Schooley, B., & Spears, J. L. (2014). Exploring the effect of
knowledge transfer practices on user compliance to IS security
practices. International Journal of Knowledge Management, 10(2), 62-78.
Stanton, J. M., Stam, K. R., Mastrangelo, P., & Jolton, J. (2005). Analysis of end user
security behaviors. Computers & Security, 24(2), 124-133.
Schneier, B. (2012). Securing medical research: a cybersecurity point of view.
Science, 336(6088), 1527-1529.
Shiffman, G., & Gupta, R. (2013). Crowdsourcing cyber security: A property rights view
of exclusion and theft on the information commons. International Journal of the
Commons, 7(1), 92-112.
Shillair, R., Cotten, S. R., Tsai, H. Y. S., Alhabash, S., LaRose, R., & Rifon, N. J. (2015).
Online safety begins with you and me: Convincing Internet users to protect
themselves. Computers in Human Behavior, 48, 199-207.
Shin, J., Son, H., & Heo, G. (2015). Development of a cyber security risk model using
Bayesian networks. Reliability Engineering & System Safety, 134, 208-217.
Slusky, L., & Partow-Navid, P. (2012). Students information security practices and
awareness. Journal of Information Privacy and Security, 8(4), 3-26.
Srinidhi, B., Yan, J., & Tayi, G. K. (2015). Allocation of resources to cyber-security: The
effect of misalignment of interest between managers and investors. Decision
Support Systems, 75, 49-62.
Strand, C. (2014). Challenging confidence in cyber-security. Computer Fraud &
Security, 2014(12), 12-15.
Tam, L., Glassman, M., & Vandenwauver, M. (2010). The psychology of password
management: a tradeoff between security and convenience. Behaviour &
Information Technology, 29(3), 233-244.
Tamjidyamcholo, A., Baba, M. S. B., Tamjid, H., & Gholipour, R. (2013). Information
security–Professional perceptions of knowledge-sharing intention under self-
efficacy, trust, reciprocity, and shared-language. Computers & Education, 68,
223-232.
Thomson, R., Yuki, M., & Ito, N. (2015). A socio-ecological approach to national
differences in online privacy concern: The role of relational mobility and trust.
Computers in Human Behavior, 51, 285-292.
Tuttle, H. (2013). Taking Cybersecurity Seriously. Risk Management, 60(8), 18.
Vahdati, S., & Yasini, N. (2015). Factors affecting internet frauds in private sector: A
case study in cyberspace surveillance and scam monitoring agency of
Iran. Computers in Human Behavior, 51, 180-187.
Vance, A., Siponen, M., & Pahnila, S. (2012). Motivating IS security compliance:
Insights from habit and protection motivation theory. Information &
Management, 49(3), 190-198.
Vishwanath, A., Herath, T., Chen, R., Wang, J., & Rao, H. R. (2011). Why do people get
phished? Testing individual differences in phishing vulnerability within an
integrated, information processing model. Decision Support Systems, 51(3), 576-
586.
Vu, K. P. L., Proctor, R. W., Bhargav-Spantzel, A., Tai, B. L. B., Cook, J., & Schultz, E.
E. (2007). Improving password security and memorability to protect personal and
organizational information. International Journal of Human-Computer
Studies, 65(8), 744-757.
Wall, D. S. (2013). Enemies within: Redefining the insider threat in organizational
security policy. Security Journal, 26(2), 107-124.
Wiederhold, B. K. (2014). The role of psychology in enhancing cybersecurity.
Cyberpsychology, Behavior, and Social Networking, 17(3), 131-132.
Weinberger, S. (2011). Computer security: Is this the start of cyberwarfare? Nature
News, 474(7350), 142-145.
West, R. (2008). The psychology of security. Communications of the ACM, 51(4), 34-40.
Whitty, M., Doodson, J., Creese, S., & Hodges, D. (2015). Individual differences in
cyber security behaviors: an examination of who is sharing
passwords. Cyberpsychology, Behavior, and Social Networking, 18(1), 3-7.
Wong, A. K. (2010). Unlocking the door to better cybersecurity. Science, 327(5972),
1451-1451.
Wulf, W. A., & Jones, A. K. (2009). Reflections on cybersecurity. Science, 326(5955),
943-944.
Xu, J., Le, K., Deitermann, A., & Montague, E. (2014). How different types of users
develop trust in technology: A qualitative analysis of the antecedents of active and
passive user trust in a shared technology. Applied Ergonomics, 45(6), 1495-1503.
Younes, W. (2013). Cybersecurity Education Training and Awareness for K-12 Faculty
and Staff in Allegheny County (Doctoral dissertation, Robert Morris University).
Computer Science and Telecommunications Board (CSTB) (2002). Cybersecurity Today
and Tomorrow: Pay Now or Pay Later. Washington, D.C: National Academies
Press.
Clark, D., Berson, T., & Lin, H. S. (Eds.). (2014). At the Nexus of Cybersecurity and
Public Policy: Some Basic Concepts and Issues. Washington, D.C: National
Academies Press.
U.S. Executive Office of the President (USEOP). (2011). Trustworthy cyberspace:
Strategic plan for the federal cyber security research and development program.
Retrieved from
https://www.whitehouse.gov/sites/default/files/microsites/ostp/fed_cybersecurity_rd_strategic_plan_2011.pdf
U.S. Executive Office of the President (USEOP). (2010). The comprehensive national
cybersecurity initiative. Retrieved from
https://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-initiative.
United States Office of the White House (USOWH). (2009). Cyberspace policy review:
Assuring a trusted and resilient information and communications infrastructure.
Retrieved from
https://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf.
Biography:
Samantha Bordoff is a Ph.D. student at University at Albany, SUNY. Her research mainly
focuses on cognitive development in childhood. She recently co-authored a book chapter
published in the book Cognitive Development in Digital Contexts.
Quan Chen is a senior Ph.D. student at University at Albany, SUNY. Her research
focuses on off-task multitasking with mobile phones and its impact on performance (i.e.
driving, learning). She published articles in the journals Computers in Human Behavior
and International Journal of Cyber Behavior, Psychology and Learning. She contributed
chapters to the books Encyclopedia of Mobile Phone. Learning Environments:
Technologies, and Challenges and Impact Assessment.
Zheng Yan is Associate Professor of Developmental and Educational Psychology at
University at Albany since 2007. His research mainly concerns dynamic and complex
relations between contemporary technologies and human development as well as research
methodology of human development, and specifically focuses on computer behavior,
cyber behavior, and mobile phone behavior. He is the editor of Encyclopedia of Cyber
Behavior and Encyclopedia of Mobile Phone Behavior. His new book, Mobile Phone
Behavior, was published by Cambridge University Press in 2017.