
Cyber Attacks, Contributing Factors, and Tackling Strategies:

The Current Status of the Science of Cybersecurity

Samantha Bordoff, Quan Chen, Zheng Yan

University at Albany, SUNY

Abstract

As access to the Internet has increased, cybersecurity has become important, with

businesses and the government spending much time and resources to combat cyber

attacks. The purpose of this study was to review the existing literature related to

cybersecurity. Specifically, the review synthesizes the empirical research in (1) various

types of cyber attacks, (2) contributing factors related to cybersecurity behavior, and (3)

strategies to improve cybersecurity behavior. The most developed line of research in this

area has been focusing on the strategies to improve cybersecurity behavior, showing a

questionable trend of quickly creating solutions before fully conceptualizing the problem.

Keywords: cybersecurity, cyber attack, risk management, computer crime, cyber

threats, cyber security strategy

Cyber Attacks, Contributing Factors, and Tackling Strategies:

The Current Status of the Science of Cybersecurity

Introduction

As Internet technologies become more ubiquitous throughout societies, the threat

of cyber attacks and the need for cyber security become even more important. Today,

people access the Internet from their pockets or backpacks using wireless

technologies such as smartphones and tablets that are able to access wireless networks

almost everywhere. However, for Internet technologies used in cyberspace, as with

almost all new technologies, along with the good comes some bad.

Cyber attacks, attempts to hack into or otherwise disrupt or destroy computer

networks or other Internet devices, are one of the prominent negative outcomes to occur

from this boom in Internet technologies (Bedser, 2007). A cyber attack could range from

something as minor as an individual downloading a computer virus, to something as

major as entire multinational corporations being hacked in order to gain insider

knowledge or steal financial information from customers. Cyber attacks can lead to a

person’s identity or financial information being stolen and to small businesses going out

of business due to the results of these attacks.

Cybersecurity is not a new research topic, but it has been a major national

challenge for over 20 years and has led to rapid growth of the research literature in the past

10 years (e.g., Clark, Berson, & Lin, 2014; CSTB, 2002; USEOP, 2010 & 2011;

USOWH, 2009). Since 1991, the Computer Science and Telecommunications Board

(CSTB) of the National Research Council alone has produced seven major research

reports, recognizing cybersecurity as a national challenge and summarizing various types

of technical and nontechnical strategies to meet the challenge. However, in 2002, after 10

years of work on cybersecurity, CSTB stated that “there is a deep frustration that research

and recommendations do not seem to translate easily into deployment and utilization”

(CSTB, 2002). In 2014, after 20 years of work on cybersecurity, CSTB reported that

“relatively little progress has been made in cybersecurity despite the recommendations of

many reports from the Academies and elsewhere, and potential policy responses” (Clark,

Berson, & Lin, 2014).

Given the fast-growing literature and the existing challenges in cybersecurity, the

motivation of the current review article is to synthesize the current literature for

researchers, policy makers, practitioners, and even the general public. The first and most

systematic literature review was published in 2006 by Cannoy, Palvia, and Schilhavy,

three scholars from North Carolina. In this review, Cannoy, Palvia, and Schilhavy

searched the existing literature published between 1996 and 2005 in top journals in the field

of information systems and located 82 articles for their review. Specifically, they

identified nine major areas of focus in the existing literature (e.g., legal issues, monitoring

and morality, vulnerabilities and risks, and detection) and developed a thoughtful

framework to theorize major constructs and their relationships for the information system

security research. This important review has made strong contributions to cybersecurity

research by synthesizing the existing literature and presenting a comprehensive

framework.

Built upon and motivated by this important review, the present review is intended

to make new knowledge-synthesis contributions to cybersecurity research in three

aspects. First, we searched the literature published between 2005 and 2015 to provide an update

after the Cannoy, Palvia, and Schilhavy review of 1996-2005. Second, we

expanded the literature search from information system security specifically to

cybersecurity in general, including personal cybersecurity, business cybersecurity, and

government cybersecurity, in order to develop a big picture of the current cybersecurity

research. Third, we developed a broad framework that synthesizes the current

cybersecurity literature by focusing on three sequentially interconnected major topics,

that is, various cyber attacks, various factors contributing to cyber attacks, and various

strategies to tackle cyber attacks.

Method

To locate the existing research, multiple literature search methods were utilized,

including computer search of electronic databases and major journals, manual search of

references of identified articles, and consultation with experienced librarians. Major

electronic databases, such as PsycINFO, PubMed, Web of Science, and ScienceDirect,

and major journals related to Internet behaviors, such as Computers in Human Behavior,

Journal of Information Privacy and Security, Behavior and Information Technology,

Information Systems Journal, and Information Systems Review were searched to find

relevant journal articles. PubMed was used as a database in order to include cyber threats

to medical technologies. Key words that were used include: “cyber security”,

“cybersecurity”, “internet security”, “information security”, “internet security measures”,

“internet privacy”, “privacy”, and “security”. “Cyber attacks” and its single-word form

“Cyberattack” have been used interchangeably (Gewirtz, 2011). In this study, we used

both forms when searching the literature and we use the two-word form “Cyber attacks”

in the current article for consistency in writing. The same rule applies to “Cyber security”

and “Cybersecurity” as well.

A total of 536 articles on cyber security were identified through the initial search.

These articles were further examined using the following three criteria to select studies

under review: firstly, the studies included in the review must have explicitly examined the

human factors related to cyber security and the effects of cyber security; secondly, the

studies should be published in peer-reviewed journals; and thirdly, the studies should not

focus on the technology aspect of cyber security. After applying these three criteria,

222 articles were selected and reviewed in three major areas: cyber attacks, contributing factors,

and tackling strategies.

Cyber Attacks

Identify

The first core function of cyber security is to identify cyber attacks (National

Institute of Standards and Technology, 2014). This includes understanding the risk

associated with cyber attacks and how to manage these risks. There exists a relatively small

amount of research literature on cyber attacks. It mainly focuses on three topics: types of

cyber attacks, technologies used in cyber attacks, and effects of cyber attacks. About

31.5% of the articles found were related to this area (the total amount of studies discussed

will exceed 100% due to some articles being relevant to more than one category).

First, there is accumulated knowledge focusing on specific types of cyber attacks,

such as phishing (e.g. Arachchilage & Love, 2014; Bose & Leung, 2014), malware (e.g.

Jansson & von Solms, 2013; Jang-Jaccard & Nepal, 2014), hacking (e.g. Papadimitriou,

2009; Huang, Rau, & Salvendy, 2010; Kumar, Mohan, & Holowczak, 2008), and fraud

(e.g. Vahdati & Yasini, 2015; Mann, 2004). Bagchi and Udo (2003) made contributions

to an understanding of the rate of different types of cyber attacks. Information theft,

fraud, and viruses were projected to increase the most over time in comparison to other

computer related crimes, such as theft of laptops and unauthorized insider access.

However, there are other types of cyber attacks not explored in the literature, such as

social engineering and computer viruses.

Second, the technologies involved in these attacks could include smartphones,

PDAs, tablets, laptop computers, and personal computers. There is also

an initial understanding of cyber threats to medical technologies (Coronado & Wong,

2014; Rios, 2015; Fu & Bum, 2014).

Third, knowledge is accumulating about the immediate effects from cyber attacks.

This includes having personal information stolen (Gerard et al., 2013), money stolen

(Davinson & Sillence, 2014; Mann, 2004), intellectual property stolen (Andrijcic &

Horowitz, 2006), data loss (Bartlett & Smith, 2008; Khey & Sainato, 2013; Densham,

2015; Perkel, 2010), and web traffic loss for businesses (Davis, Garcia & Zhang, 2009).

Yet, there is little knowledge about how cyber attacks affect the individual in the long

term. For instance, are there any psychological effects from being a victim of a cyber

attack? Do people approach cyber security differently after falling victim to an attack?

Similarly, how long would it take the average Internet user to even notice that they had

fallen victim to a cyber attack? These are all avenues that have not been explored in the

current literature. Another possible effect of cyber attacks discussed throughout the

literature is the possibility of cyber warfare (McGraw, 2013; Weinberger, 2011). This

could be inevitable if better strategies to combat cyber attacks are not created and

utilized.

Contributing Factors

Human factors

Research related to the human factors that affect cyber security behavior is rapidly

emerging. In total, 50.4% of the articles found for this review explored the contributing

factors that affect the cyber security behaviors of individuals and businesses. As software

engineers create better and more complex systems to evade cyber attacks, the human

factors that lead to cyber attacks occurring are becoming even more important (Abawajy,

2014). The current literature in the area focuses on four main factors related to an

individual’s cyber security behavior: (1) knowledge and experience in cyber security, (2)

unrealistic trust or optimism in the cyber world, (3) demographic factors and individual

differences affecting cyber security, and (4) beliefs and perceptions towards cyber

security.

First, a person’s knowledge of cyber security (e.g. Arachchilage & Love, 2014;

Shillair et al., 2015; Ben-Asher & Gonzalez, 2015; Slusky & Partow, 2012) and

experience with cyber technologies (e.g. Modic & Anderson, 2014; Vishwanath, Herath,

Chen, Wang & Rao, 2011) have been found to be positively associated with engaging in

cyber secure behaviors. For example, users who have a better understanding of computers

tend to keep malware warnings on (Modic & Anderson, 2014) and users who frequently

send and receive emails are less likely to fall victim to phishing (Vishwanath et al.,

2011). However, general cyber security knowledge can help an individual detect

malicious events, but it is not sufficient to pick up on the series of events that lead to a

cyber attack. Instead, experience with the network along with specific knowledge of

cyber security leads to better decision making regarding the cyber attack (Ben-Asher &

Gonzalez, 2015).

Second, research has found substantial evidence of individuals’ unrealistic

optimism and trust in the cyber world, thinking that they are less at risk than others for

something negative (e.g., fraud or identity theft) to occur to them (e.g. Campbell,

Greenauer, Macaluso, & End, 2005; Corritore, Kracher, & Wiedenbeck, 2003). This trust

in the cyber world leads people to put themselves at risk in the cyber world. The more

time an individual spends on the Internet, the more likely he or she is to have this bias

(Campbell et al., 2005). However, other research indicates that the majority of IT

professionals believe that they will fall victim to a cyber attack at some point within the

next year (Strand, 2014), suggesting that knowledge and experience may moderate this

effect and more research is needed in order to understand this nuanced relationship.

Third, researchers have examined how demographic factors such as age and

gender (e.g. Grimes, Hough, Mazur, & Signorella, 2010; Henson, Reyns, & Fisher, 2013)

and individual differences (Whitty, Doodson, Creese, & Hodges, 2015) are related to

cyber security. Older adults are less knowledgeable than younger adults about cyber

security, with older females being the least knowledgeable, thus the most susceptible to

cyber attacks (Grimes et al., 2010). Individuals with low levels of perseverance and high

levels of self-monitoring are less likely to share passwords (Whitty et al., 2015).

Fourth, research has been done to begin understanding people’s attitudes towards

cyber security (Chen, Chen, Lo, & Yang, 2008; Li, Sarathy, Zhang, & Luo, 2014) and

perceptions of cyber security technologies (Abawajy, 2015; Kim & Park, 2012; Agamba

& Keengwe, 2012; Herath et al., 2014; Kumar, Mohan, & Holowczak, 2008; Huang,

Rau, & Salvendy, 2010). Convenience tends to outweigh other factors when it comes to

adopting cyber secure practices, such as having email authentication services and using

effective passwords (Herath et al., 2014; Kim & Park, 2012). When it comes to online

privacy, anonymity is a feature that is very important to Internet users (Chen et al., 2008).

In the current literature there are also multiple research models created to explain

the relationship between users and cyber security technologies (e.g. Corritore et al., 2003;

Tamjidyamcholo, Li, Sarathy, Zhang & Lou, 2014). The accumulated knowledge in

cyber security has addressed many factors, such as knowledge, experience, trust,

attitudes, age, and gender, that influence how a person behaves in cyber space. Cyber

attackers tend to look for the weakest link in order to break through a system, and

typically this weakest link is the individual as he or she engages in unsafe behavior.

Because of this, more research in this area is needed in order to create better strategies to

combat cyber attacks. Thus, researchers should continue to evaluate how individuals put

themselves at risk in the cyber world.

Business factors

Another emerging field of research in cyber security concerns the factors that affect

businesses’ cyber security practices and behaviors. The two main components in the

literature are how businesses should deal with employees in relation to cyber security and

the cost of both implementing and improving cyber security strategies, as well as the risk

associated with cutting corners in cyber security.

Businesses not only need to be concerned with keeping their network secure from

cyber attacks but they need to ensure that their employees are not putting the company at

risk. Research has focused on factors that may cause an employee to engage in risky

cyber behaviors while at work that could affect the business. These factors being

explored in the current literature include the employees’ motivation (Herath & Rao,

2009; Vance, Siponen, & Pahnila, 2012), stress (D’Arcy, Herath, & Shoss, 2014), ethics

(Li, Sarathy, Zhang, & Luo, 2014), personality (Vahdati & Yasini, 2015; Wall, 2013),

and knowledge of cyber security policies (San Nicolas-Rocca, Schooley, & Spears,

2014). Herath and Rao (2009) found through surveying employees that both extrinsic

motivators, such as penalties for noncompliance, and intrinsic motivators, such as the

employee’s perceived effectiveness of complying with cyber security policies, were

important factors that influence an employee’s compliance with the business’s cyber

security policies. Lowry, Posey, Bennett and Roberts (2015) found that organizational

trust is another important factor in an employee’s compliance with cyber security

policies.

Research in the field has also begun to document the economic factors related to

cyber security. Various risk management analyses and economic analyses have been

conducted to examine how to implement cyber security strategies for businesses as well

as the economic loss associated with the attacks (e.g. Bojanc & Jerman-Blazic, 2008; Hsu,

Lee, & Straub, 2012; Yan & Tayi, 2015). Additionally, there is an initial understanding

of the economic risks to a business if a cyber attack were to occur. One study of 259

businesses throughout the world found that if a business releases a phishing alert, the

business’ market value could decrease by US$ 411 million (Bose & Leung, 2014).

Alarmingly, another study found that 60% of small businesses that suffer a cyber attack

close within six months following the attack due to the economic loss (Tuttle, 2013).

The literature has also contributed knowledge about the unique factors influencing

the healthcare industry, as more mobile devices, such as laptops and tablets, are being

used (Harries & Yellowlees, 2013; Schneier, 2012). According to one study, 94% of

healthcare businesses have fallen victim to cyber attacks (Peraksilis, 2014). This initial

literature has focused on how to keep networks secure in order to ensure privacy for

patients as medical records are being kept electronically (Gerard, Kapadia, Acharya,

Chang & Lekovitz, 2013). Also, as medical devices become more advanced, requiring

software that is susceptible to malware, there has been initial research on how to keep

these devices secure from threats (Coronado & Wong, 2014; Rios, 2015).

Tackling Strategies

The largest amount of cyber security research is on strategies for improving cyber

security technology, and improving cyber security behavior among individuals, for

businesses, and through the government. In total, 75.2% of the articles found were related

to strategies for improving cyber security behaviors. Reducing opportunities for cyber

attackers to commit cybercrimes could be a promising line of research, as it is an

approach to reducing other crimes (Reyns & Hansen, 2013; Maimon, Alper, Sobesto, &

Cukier, 2014; Hinduja & Kooi, 2013).

Person strategies

The most examined strategy for increasing cyber security among individuals is

through training programs to educate and increase awareness of cyber security. This can

be through lectures or seminars, games, or simulations (e.g. Abawajy, 2014; Jansson &

von Solms, 2014; Martin & Rice, 2012). The most beneficial way to improve awareness

of cyber security is through a combination of various training methods (Abawajy, 2014).

The literature has also explored simpler ways of increasing cyber secure behaviors, such

as through increased warnings on computers (Carpenter, Zhu & Kolimi, 2014) or ways to

help users create better passwords (e.g. Jenkins, Grimes, Proudfoot, & Lowry, 2013; Vu

et al., 2007; Tam, Glassman, & Vandenwauver, 2010), such as using biometrics for

smartphone users (Chae, Moon, Ko, Shin, & Pan, 2014).

Research has also explored how to use the knowledge of the human factors

related to cyber security in order to create better cyber security (e.g. Shillair, 2015; Modic

& Anderson, 2014; Dark, 2015). Dark (2015) suggests it is important to combine what is

known about neuroscience and the science of learning in order to better educate

individuals in cyber security. This is still a small field of research and should be explored

further through interdisciplinary research, bringing together psychologists and cyber

security experts in order to create the best education possible.

Individuals have also taken it upon themselves to police the Internet for cyber

attacks (e.g. Huey, Nhan & Broll, 2012; Kelly, 2012). However, there is little knowledge

about these cyber vigilantes, their methods, and the effectiveness of their work.

In addition, throughout the literature there has been discussion of the need to

change and improve the discourse between cyber security professionals and others (Betz

& Stevens, 2013; Bolton, 2013; Quigley, Burns, & Stallard, 2015). The everyday person

has difficulty understanding the language used by cyber security professionals and this

could affect their willingness and ability to use cyber security technology.

Business strategies

A main strategy for improving cyber security discussed in the literature is through

businesses collaborating and sharing information with each other to increase everyone’s

cyber security (e.g. Gal-Or & Ghose, 2005; Herath & Rao, 2009; Gordon, Loeb,

Lucyshyn, & Zhou, 2015). An initial concern about this strategy, however, is how to

appropriately share information yet protect the privacy of the company at the same time

(Mallinder & Drabwell, 2014).

In the literature there are also multiple models attempting to quantify the cyber

security risk for businesses in order to determine affordable yet effective strategies (e.g.

Bojanc & Jerman-Blazic, 2008; Mukhopadhyay et al., 2013).

Other strategies explored include training employees to be more cyber secure in

the workplace and ensure compliance with cyber security policies (e.g. Assante & Tobey,

2011; San Nicolas-Rocca, Schooley & Spears, 2014). However, training and education are

expensive. Forte and Power (2007) created a cyber security checklist for businesses to

utilize in order to help them educate their employees in an economical way. This

checklist includes information about password security, email security, security for home

computers, identity theft, child safety, social engineering, and security for mobile

devices. Although this does not cover all aspects of cyber security, it covers many

pertinent topics that employers would want their employees knowing about in order to

protect themselves and the business.

One challenge for businesses is that there is a lack of skilled cyber security

professionals for businesses to hire (Caldwell, 2013; Lyne, 2010; Paulsen, McDuffie,

Newhouse, & Toth, 2012). This has become such a problem for businesses that it is being

referred to as a “skills crisis” (Caldwell, 2013), as even many professionals in the field do

not have sufficient skills to protect the business’ systems. Hoffman, Burley, and Toregas

(2012) examined how to create a better cyber security workforce with a more holistic

approach, through integrating the work of educators, cyber security professionals, and the

government. Academics and the government should work together to encourage

individuals from different backgrounds to pursue professional development in cyber

security. Additionally, educators and cyber security professionals should collaborate to

create more degree programs and training programs for individuals to pursue.

Government strategies

There is an emerging consensus in the literature that the national government in

the United States needs to take the lead in cyber security (Grant, 2010; Ghernouti-Helie,

2010; Etzioni, 2011; Chabinsky, 2010; Berkowitz & Hahn, 2003; Assante & Tobey,

2010; Rees, Rakes, & Baker, 2011; Farber, 2003). It is argued that the government needs

to create policies that will enhance cyber security and programs that will train cyber

security professionals, as well as increase funding for research and the development of

new cyber security technologies. On the other hand, some theorists argue that the national

government’s focus on cyber security is just an attempt to increase surveillance and

ultimately leads to less cyber security for citizens (Cavelty, 2014). What we do know is

that individuals, businesses and governments need to work together in order to enhance

cyber security for everyone (Hare, 2009; Matusitz, 2013; Quigley & Roy, 2011;

McDuffie & Piotrowski, 2014).

Knowledge is accumulating in the literature about how countries and governments

throughout the globe have attempted to improve cyber security. This includes studies in

Estonia (Cardash, Cilluffo & Ottis, 2013), Croatia (Blythe, 2008), Holland (Clark,

Stikboort, Stofbergen, & van den Heuvel, 2014), Canada (Platt, 2011), and the United

Kingdom (Everett, 2010). Luiijf, Besseling, and De Graaf (2013) compared 19 countries’

national cyber security strategies, commenting on the similarities and weaknesses of

each. Since cyber security is a global problem, collaboration amongst countries

throughout the globe could be particularly useful in combating cyber attacks.

Conclusions

In the behavioral sciences, cyber security is still an emerging field of research. In

the field of information security and computer security, studies have highlighted many

critical topics, such as legal issues, monitoring and morality, vulnerabilities and risks,

awareness and motivations (Bulgurcu, Cavusoglu & Benbasat, 2010; Cannoy, Palvia &

Schilhavy, 2006; Ng, Kankanhalli & Xu, 2009; Stanton, Stam, Mastrangelo & Jolton,

2005; West, 2008). Built upon these studies, the present review expands the scope

from information system security specifically to cybersecurity in general and synthesizes

the current literature on cyber attacks and potential effects of these attacks, various

factors that contribute to various cyber security behavior, and strategies to help

individuals and businesses make better decisions in cyber space. It also reveals

much-needed areas for future research.

First, cyber security research in the social sciences, related to the human aspect,

rather than the technology aspect, of cyber security, is an emerging field of literature. The

most prominent types of cyber attacks discussed in the literature include phishing and

hacking. There is a current understanding of the basic and immediate effect of cyber

attacks. However, little is known about the psychological and long-term effects of these

attacks on the individual. Future research could delve into this unexplored avenue of

cyber security research in order to better assist those who experience these unfortunate

attacks.

Second, much is known now about the factors that influence an individual’s cyber

security behavior. Factors such as knowledge and experience, unrealistic trust and

optimism, demographic factors and individual differences, and perceptions and beliefs

about cyber security, all have effects on how a person behaves in cyber space. While

most research up to this point has focused on just one of these factors, future research

could explore how a combination of these factors interact in order to impact an

individual’s behavior.

Furthermore, a business’s cyber security behavior is influenced not only by

financial motivations, but also by how their employees behave in cyber space. Businesses

need to constantly assess the cost/benefit ratio of implementing different types of cyber

security and multiple models have been created in order to help businesses achieve this

goal. Additionally, the factors that influence an individual’s cyber security behavior in a

business setting are different from the factors that influence his or her behavior at home or

with personal devices. At work, an employee will make cyber security decisions based on

factors such as motivation and the perceived effectiveness of their decisions.

Third, the most developed line of research in this field is strategies to improve a

person’s cyber security behavior, either at home or at their place of employment. The

trend that strategies for dealing with cyber attacks are the most prominent area of research

at this time exemplifies the hastiness of the field to give the prescription before fully

understanding the diagnosis, an ineffective strategy for solving a problem. Many

strategies have been deemed effective at improving cyber security, such as seminars and

games. One common finding, however, is that many researchers believe that the

government needs to play a larger role in leading the fight against cyber attacks.

Nevertheless, researchers need to play their part and come up with effective ways to keep

users safe from cyber attacks. Research needs to continue to explore the factors that

influence a person’s cyber security behavior in order to better come up with effective

strategies rather than being in a hurry to give solutions. It is important to draw upon both

what is known about how individuals perceive cyber security, and what is known about

effective teaching and training methods, in order to create better strategies, since the

hackers will certainly keep reinventing ways to trick the user in order to gain access to his or

her information.

References

Abawajy, J. (2014). User preference of cyber security awareness delivery

methods. Behaviour & Information Technology, 33(3), 237-248.

Agamba, J. J., & Keengwe, J. (2012). Pre-service teachers’ perceptions of information

assurance and cyber security. International Journal of Information and

Communication Technology Education, 8(2), 94-101.

Anderson, R. C., & Romney, G. W. (2014). Student experiential learning of cyber

security through virtualization. Journal of Research in Innovative Teaching, 7(1),

72–84.

Andrijcic, E., & Horowitz, B. (2006). A macro-economic framework for evaluation of

cyber security risks related to protection of intellectual property. Risk

Analysis, 26(4), 907-923.

Arachchilage, N. A. G., & Love, S. (2014). Security awareness of computer users: A

phishing threat avoidance perspective. Computers in Human Behavior, 38,

304-312.

Assante, M. J., & Tobey, D. H. (2011). Enhancing the cybersecurity workforce. IT

Professional, (1), 12-15.

Bagchi, K., & Udo, G. (2003). An analysis of the growth of computer and Internet

security breaches. Communications of the Association for Information

Systems, 12(1), 46.

Bartlett, D., & Smith, L. (2008). Managing the data loss crisis. Risk Management, 55(6),

34.

Bauer, J. M., & van Eeten, M. J. G. (2009). Cybersecurity: Stakeholder incentives,

externalities, and policy options. Telecommunications Policy, 33(10–11), 706–

719. Doi:http://dx.doi.org/10.1016/j.telpol.2009.09.001

Bayuk, J. L., & Horowitz, B. M. (2011). An architectural systems engineering

methodology for addressing cyber security. Systems Engineering, 14(3), 294-304.

Bedser, J. R. (2007). The Impact of the Internet on Security. Security Journal, 20(1), 55-

56.

Ben-Asher, N., & Gonzalez, C. (2015). Effects of cyber security knowledge on attack

detection. Computers in Human Behavior, 48, 51-61.

Berkowitz, B., & Hahn, R. W. (2003). Cybersecurity: Who’s watching the store? Issues

in Science and Technology, 19(3), 55.

Betz, D. J., & Stevens, T. (2013). Analogical reasoning and cyber security. Security

Dialogue, 44(2), 147–164. Doi:10.1177/0967010613478323

Blythe, S. E. (2008). Croatia’s computer laws: Promotion of growth in e-commerce via

greater cyber-security. European Journal of Law and Economics, 26(1), 75-103.

Bojanc, & Jerman-Blažič, B. (2008). An economic modeling approach to information

security risk management. International Journal of Information Management,

28(5), 413-422.

Bolton, F. (2013). Cybersecurity and emergency management: encryption and the

inability to communicate. Journal of Homeland Security and Emergency

Management, 10(1), 379-385.

Boopathi, K., Sreejith, S., & Bithin, A. (2015). Learning cyber security through

gamification. Indian Journal of Science and Technology, 8(7), 642-649.

Page 21: Cyber Attacks, Contributing Factors, and Tackling ...

21

Bose, I., & Leung, A. C. M. (2014). Do phishing alerts impact global corporations? A

firm value analysis. Decision Support Systems, 64, 67-78.

Broggi, J. J. (2014). Building on executive order 13, 636 to encourage information

sharing for cybersecurity purposes. Harv. JL & Pub. Pol’y, 37, 653.

Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy

compliance: an empirical study of rationality-based beliefs and information

security awareness. MIS quarterly, 34(3), 523-548.

Caldwell, T. (2013). Plugging the cyber-security skills gap. Computer Fraud & Security,

2013(7), 5–10.

Campbell, J., Greenauer, N., Macaluso, K., & End, C. (2007). Unrealistic optimism in

internet events. Computers in Human Behavior, 23(3), 1273-1284.

Cannoy, S., Palvia, P. C., & Schilhavy, R. (2006). A research framework for information

systems security. Journal of Information Privacy and Security, 2(2), 3-24.

Cardash, S. L., Cilluffo, F. J., & Ottis, R. (2013). Estonia’s cyber defence league: A

model for the United States?. Studies in Conflict & Terrorism, 36(9), 777-787.

Carpenter, S., Zhu, F., & Kolimi, S. (2014). Reducing online identity disclosure using

warnings. Applied Ergonomics, 45(5), 1337-1342.

Cavelty, M. D. (2014). Breaking the cyber-security dilemma: Aligning security needs and

removing vulnerabilities. Science and Engineering Ethics, 20(3), 701-715.

Chabinsky, S. R. (2010). Cybersecurity strategy: A primer for policy makers and those on

the front line. J. Nat’l Sec. L. & Pol’y, 4, 27.

Chae, S. H., Moon, D., Ko, K. R., Shin, J., & Pan, S. B. (2014). Security enhancement

Page 22: Cyber Attacks, Contributing Factors, and Tackling ...

22

for smartphone using biometrics in cyber-physical systems. International Journal

of Distributed Sensor Networks, 2014.

Chen, H. G., Chen, C. C., Lo, L., & Yang, S. C. (2008). Online privacy control via

anonymity and pseudonym: Cross-cultural implications. Behaviour & Information

Technology, 27(3), 229-242.

Chen, S., & Janeja, V. P. (2014). Human perspective to anomaly detection for

cybersecurity. Journal of Intelligent Information Systems, 42(1), 133-153.

Clark, K., Stikvoort, D., Stofbergen, E., & van den Heuvel, E. (2014). A Dutch approach

to cybersecurity through participation. Security & Privacy, IEEE, 12(5), 27-34.

Collier, Z. A., Linkov, I., & Lambert, J. H. (2013). Four domains of cybersecurity: a risk

based systems approach to cyber decisions. Environment Systems and

Decisions, 33(4), 469-470.

Ng, Boon-Yuen, Atreyi Kankanhalli, and Yunjie Calvin Xu. "Studying users' computer

security behavior: A health belief perspective." Decision Support Systems 46, no.

4 (2009): 815-825.

Cone, B. D., Irvine, C. E., Thompson, M. F., & Nguyen, T. D. (2007). A video game for

cyber security training and awareness. Computers & Security, 26(1), 63–72.

Doi:http://dx.doi.org/10.1016/j.cose.2006.10.005

Coronado, A. J., & Wong, T. L. (2014). Healthcare cybersecurity risk management: Keys

to an effective plan. Biomedical Instrumentation & Technology, 48(s1), 26-30.

Corritore, C. L., Kracher, B., & Wiedenbeck, S. (2003). On-line trust: concepts, evolving

themes, a model. International Journal of Human-Computer Studies,58(6), 737-

758.

Page 23: Cyber Attacks, Contributing Factors, and Tackling ...

23

D’Arcy, J., Herath, T., & Shoss, M. K. (2014). Understanding employee responses to

stressful information security requirements: A coping perspective. Journal of

Management Information Systems, 31(2), 285-318.

Dark, M. (2014). Advancing Cybersecurity Education. Security & Privacy, IEEE,12(6),

79-83.

Dark, M. (2015). Thinking about Cybersecurity. IEEE Security & Privacy, (1), 61-65.

Davinson, N., & Sillence, E. (2014). Using the health belief model to explore users’

perceptions of ‘being safe and secure’ in the world of technology mediated

financial transactions. International Journal of Human-Computer Studies, 72(2),

154-168.

Davis, G., Garcia, A., & Zhang, W. (2009). Empirical analysis of the effects of cyber

security incidents. Risk Analysis, 29(9), 1304-1316.

Densham, B. (2015). Three cyber-security strategies to mitigate the impact of a data

breach. Network Security, 2015(1), 5-8.

Etzioni, A. (2011). Cybersecurity in the private sector. Issues in Science and Technology,

(Fall 2011), 58-62.

Farber, D. (2003). Fame, but no riches, for cybersecurity. Spectrum, IEEE,40(1), 51-52.

Forte, D., & Power, R. (2007). The ultimate cybersecurity checklist for your

workforce. Computer Fraud & Security, 2007(9), 14-19.

Fu, K., & Blum, J. (2013). Controlling for cybersecurity risks of medical device

software. Communications of the ACM, 56(10), 35-37.

Furman, S. M., Theofanos, M. F., Choong, Y. Y., & Stanton, B. (2011). Basing

cybersecurity training on user perceptions. IEEE Security & Privacy, (2), 40-49.

Page 24: Cyber Attacks, Contributing Factors, and Tackling ...

24

Gal-Or, E., & Ghose, A. (2005). The economic incentives for sharing security

information. Information Systems Research, 16(2), 186-208.

Gerard, P., Kapadia, N., Acharya, J., Chang, P. T., & Lefkovitz, Z. (2013). Cybersecurity

in radiology: access of public hot spots and public Wi-Fi and prevention of

cybercrimes and HIPAA violations. American Journal of Roentgenology, 201(6),

1186-1189.

Gewirtz, D. (2011). When it comes to cyber-attack, does the left prefer cyberattack and

the right cyber attack? Retrieved from http://www.zdnet.com/article/when-it-

comes-to-cyber-attack-does-the-left-prefer-cyberattack-and-the-right-cyber-

attack/

Gordon, L. A., Loeb, M. P., Lucyshyn, W., & Zhou, L. (2015). The impact of

information sharing on cybersecurity underinvestment: A real options

perspective. Journal of Accounting and Public Policy.

Grant, J. (2010). Will there be cybersecurity legislation. J. Nat’l Sec. L. & Pol’y, 4, 103.

Grimes, G. A., Hough, M. G., Mazur, E., & Signorella, M. L. (2010). Older adults’

knowledge of Internet hazards. Educational Gerontology, 36(3), 173-192.

Hare, F. B. (2009). Private sector contributions to national cyber security: A preliminary

analysis. Journal of Homeland Security and Emergency Management, 6(1).

Harries, D., & Yellowlees, P. M. (2013). Cyberterrorism: Is the US healthcare system

safe? Telemedicine and e-Health, 19(1), 61-66.

Harris, M. A., Furnell, S., & Patten, K. (2014). Comparing the mobile device security

behavior of college students and information technology professionals. Journal of

Information Privacy and Security, 10(4), 186-202.

Page 25: Cyber Attacks, Contributing Factors, and Tackling ...

25

Henson, B., Reyns, B. W., & Fisher, B. S. (2013). Does gender matter in the virtual

world?; Examining the effect of gender on the link between online social network

activity, security and interpersonal victimization. Security Journal, 26(4), 315-

330.

Herath, T., Chen, R., Wang, J., Banjara, K., Wilbur, J., & Rao, H. R. (2014). Security

services as coping mechanisms: an investigation into user intention to adopt an

email authentication service. Information systems journal, 24(1), 61-84.

Herath, T., & Raghav Rao, H. (2009). Control mechanisms in information security: a

principal agent perspective. International Journal of Business Governance and

Ethics, 5(1-2), 2-13.

Hinduja, S., & Kooi, B. (2013). Curtailing cyber and information security vulnerabilities

through situational crime prevention. Security Journal, 26(4), 383-402.

Hoffman, L. J., Burley, D. L., & Toregas, C. (2012). Holistically building the

cybersecurity workforce. Security & Privacy, IEEE, 10(2), 33-39.

Holm, H., Sommestad, T., Ekstedt, M., & Honeth, N. (2014). Indicators of expert

judgement and their significance: an empirical investigation in the area of cyber s

ecurity. Expert Systems, 31(4), 299-318.

Hsu, C., Lee, J. N., & Straub, D. W. (2012). Institutional influences on information

systems security innovations. Information systems research, 23(3-part-2), 918-

939.

Huang, D. L., Rau, P. L. P., & Salvendy, G. (2010). Perception of information

security. Behaviour & Information Technology, 29(3), 221-232.

Huang, D. L., Rau, P. L. P., Salvendy, G., Gao, F., & Zhou, J. (2011). Factors affecting

Page 26: Cyber Attacks, Contributing Factors, and Tackling ...

26

perception of information security and their impacts on IT adoption and security

practices. International Journal of Human-Computer Studies, 69(12), 870-883.

Huey, L., Nhan, J., & Broll, R. (2012). ‘Uppity civilians’ and ‘cyber-vigilantes’: The role

of the general public in policing cyber-crime. Criminology and Criminal Justice,

13(1), 81-97.

Imgraben, J., Engelbrecht, A., & Choo, K. K. R. (2014). Always connected, but are smart

mobile users getting more security savvy? A survey of smart mobile device

users. Behaviour & Information Technology, 33(12), 1347-1360.

Jang-Jaccard, J., & Nepal, S. (2014). A survey of emerging threats in

cybersecurity. Journal of Computer and System Sciences, 80(5), 973-993.

Jansson, K., & von Solms, R. (2013). Phishing for phishing awareness. Behaviour &

Information Technology, 32(6), 584-593.

Jenkins, J. L., Grimes, M., Proudfoot, J. G., & Lowry, P. B. (2014). Improving password

cybersecurity through inexpensive and minimally invasive means: Detecting and

deterring password reuse through keystroke-dynamics monitoring and just-in-time

fear appeals. Information Technology for Development, 20(2), 196-213.

Kelly, B. B. (2012). Investing in a centralized cybersecurity infrastructure: Why

hacktivism can and should influence cybersecurity reform. BUL Rev., 92, 1663.

Khey, D. N., & Sainato, V. A. (2013). Examining the correlates and spatial distribution of

organizational data breaches in the United States. Security Journal, 26(4), 367-

382.

Kim, B. C., & Park, Y. W. (2012). Security versus convenience? An experimental study

Page 27: Cyber Attacks, Contributing Factors, and Tackling ...

27

of user misperceptions of wireless internet service quality. Decision Support

Systems, 53(1), 1-11.

Kritzinger, E., & von Solms, S. H. (2010). Cyber security for home users: A new way of

protection through awareness enforcement. Computers & Security, 29(8), 840–

847. doi:http://dx.doi.org/10.1016/j.cose.2010.08.001

Kumar, N., Mohan, K., & Holowczak, R. (2008). Locking the door but leaving the

computer vulnerable: Factors inhibiting home users' adoption of software

firewalls. Decision Support Systems, 46(1), 254-264.

Li, H., Sarathy, R., Zhang, J., & Luo, X. (2014). Exploring the effects of organizational

justice, personal ethics and sanction on internet use policy

compliance. Information Systems Journal, 24(6), 479-502.

Lowry, P. B., Posey, C., Bennett, R. B. J., & Roberts, T. L. (2015). Leveraging fairness

and reactance theories to deter reactive computer abuse following enhanced

organisational information security policies: an empirical study of the influence of

counterfactual reasoning and organisational trust. Information Systems

Journal, 25(3), 193-273.

Luiijf, E., Besseling, K., & De Graaf, P. (2013). Nineteen national cyber security

strategies. International Journal of Critical Infrastructures 6, 9(1-2), 3-31.

Lyne, J. (2010). Cybersecurity recruitment challenge. Infosecurity, 7(5), 37.

Maimon, D., Alper, M., Sobesto, B., & Cukier, M. (2014). Restrictive deterrent effects of

a warning banner in an attacked computer system. Criminology, 52(1), 33-59.

Maisey, M. (2014). Moving to analysis-led cyber-security. Network Security,2014(5), 5-

12.

Page 28: Cyber Attacks, Contributing Factors, and Tackling ...

28

Mallinder, J., & Drabwell, P. (2014). Cyber security: A critical examination of

information sharing versus data sensitivity issues for organisations at risk of cyber

attack. Journal of business continuity & emergency planning, 7(2), 103-111.

Mann, P. (2004). Cybersecurity–the CTOSE project. Computer Law & Security

Review, 20(2), 125-126.

Martin, N., & Rice, J. (2012). Children's cyber-safety and protection in Australia: An

analysis of community stakeholder views. Crime Prevention & Community

Safety, 14(3), 165-181.

Matusitz, J. (2013). The networks that fight cyberterrorist networks. Journal of Human

Behavior in the Social Environment, 23(5), 616-626.

McDuffie, E. L., & Piotrowski, V. P. (2014). The future of cybersecurity

education. Computer, (8), 67-69.

McGraw, G. (2013). Cyber war is inevitable (unless we build security in). Journal of

Strategic Studies, 36(1), 109-119.

Mirkovic, J., & Benzel, T. (2012). Teaching cybersecurity with DeterLab. Security &

Privacy, IEEE, 10(1), 73-76.

Modic, D., & Anderson, R. (2014). Reading this may harm your computer: The

psychology of malware warnings. Computers in Human Behavior, 41, 71-79.

Mukhopadhyay, A., Chatterjee, S., Saha, D., Mahanti, A., & Sadhukhan, S. K. (2013).

Cyber-risk decision models: To insure IT or not? Decision Support Systems, 56,

11-26.

Ottis, R. (2014). Light weight tabletop exercise for cybersecurity education. Journal of

Homeland Security and Emergency Management, 11(4), 579-592.

Page 29: Cyber Attacks, Contributing Factors, and Tackling ...

29

Papadimitriou, F. (2009). A nexus of cyber-geography and cyber-psychology:

topos/“notopia” and identity in hacking. Computers in Human Behavior, 25(6),

1331-1334.

Patel, S. C., Bhatt, G. D., & Graham, J. H. (2009). Improving the cyber security of

SCADA communication networks. Communications of the ACM, 52(7), 139-142.

Paulsen, C., McDuffie, E., Newhouse, W., & Toth, P. (2012). NICE: Creating a

cybersecurity workforce and aware public. IEEE Security & Privacy, (3), 76-79.

Perakslis, E. D. (2014). Cybersecurity in health care. N Engl J Med, 371(5), 395-397.

Perkel, J. (2010). Cybersecurity: how safe are your data? Nature, 464(7293), 1260-1261.

Pfleeger, S. L., & Caputo, D. D. (2012). Leveraging behavioral science to mitigate cyber

security risk. Computers & security, 31(4), 597-611.

Platt, V. (2011). Still the fire-proof house? An analysis of Canada’s cyber security

strategy. International Journal VO - 67, (1), 155.

Proctor, R. W., & Chen, J. (2015). The role of human factors/ergonomics in the science

of security decision making and action selection in cyberspace. Human Factors:

The Journal of the Human Factors and Ergonomics Society, 0018720815585906.

Quigley, K., Burns, C., & Stallard, K. (2015). ‘Cyber Gurus’: A rhetorical analysis of the

language of cybersecurity specialists and the implications for security policy and

critical infrastructure protection. Government Information Quarterly, 32(2), 108-

117.

Rees, L. P., Deane, J. K., Rakes, T. R., & Baker, W. H. (2011). Decision support for

cybersecurity risk planning. Decision Support Systems, 51(3), 493-505.

Reyns, B. W., & Henson, B. (2013). Security in a digital world: Understanding and

Page 30: Cyber Attacks, Contributing Factors, and Tackling ...

30

preventing cybercrime victimization. Security Journal, 26(4), 311-314.

Rios, B. (2015). Cybersecurity expert: Medical devices have 'a long way to

go'. Biomedical Instrumentation & Technology, 49(3), 197-200.

Rosoff, H., Cui, J., & John, R. S. (2013). Heuristics and biases in cyber security

dilemmas. Environment Systems and Decisions, 33(4), 517-529.

Rue, R., & Pfleeger, S. L. (2009). Making the best use of cybersecurity economic

models. IEEE Security & Privacy, (4), 52-60.

Ryan, J. J., Mazzuchi, T. A., Ryan, D. J., De la Cruz, J. L., & Cooke, R. (2012).

Quantifying information security risks using expert judgment elicitation.

Computers & Operations Research, 39(4), 774-784.

San Nicolas-Rocca, T., Schooley, B., & Spears, J. L. (2014). Exploring the effect of

knowledge transfer practices on user compliance to is security

practices. International Journal of Knowledge Management, 10(2), 62-78.

Stanton, J. M., Stam, K. R., Mastrangelo, P., & Jolton, J. (2005). Analysis of end user

security behaviors. Computers & security, 24(2), 124-133.

Schneier, B. (2012). Securing medical research: a cybersecurity point of view.

Science, 336(6088), 1527-1529.

Shiffman, G., & Gupta, R. (2013). Crowdsourcing cyber security: A property rights view

of exclusion and theft on the information commons. International Journal of the

Commons, 7(1), 92-112.

Shillair, R., Cotten, S. R., Tsai, H. Y. S., Alhabash, S., LaRose, R., & Rifon, N. J. (2015).

Online safety begins with you and me: Convincing Internet users to protect

themselves. Computers in Human Behavior, 48, 199-207.

Page 31: Cyber Attacks, Contributing Factors, and Tackling ...

31

Shin, J., Son, H., & Heo, G. (2015). Development of a cyber security risk model using

Bayesian networks. Reliability Engineering & System Safety, 134, 208-217.

Slusky, L., & Partow-Navid, P. (2012). Students information security practices and

awareness. Journal of Information Privacy and Security, 8(4), 3-26.

Srinidhi, B., Yan, J., & Tayi, G. K. (2015). Allocation of resources to cyber-security: The

effect of misalignment of interest between managers and investors. Decision

Support Systems, 75, 49-62.

Strand, C. (2014). Challenging confidence in cyber-security. Computer Fraud &

Security, 2014(12), 12-15.

Tam, L., Glassman, M., & Vandenwauver, M. (2010). The psychology of password

management: a tradeoff between security and convenience. Behaviour &

Information Technology, 29(3), 233-244.

Tamjidyamcholo, A., Baba, M. S. B., Tamjid, H., & Gholipour, R. (2013). Information

security–Professional perceptions of knowledge-sharing intention under self-

efficacy, trust, reciprocity, and shared-language. Computers & Education, 68,

223-232.

Thomson, R., Yuki, M., & Ito, N. (2015). A socio-ecological approach to national

differences in online privacy concern: The role of relational mobility and trust.

Computers in Human Behavior, 51, 285-292.

Tuttle, H. (2013). Taking Cybersecurity Seriously. Risk Management, 60(8), 18.

Vahdati, S., & Yasini, N. (2015). Factors affecting internet frauds in private sector: A

case study in cyberspace surveillance and scam monitoring agency of

Iran. Computers in Human Behavior, 51, 180-187.

Page 32: Cyber Attacks, Contributing Factors, and Tackling ...

32

Vance, A., Siponen, M., & Pahnila, S. (2012). Motivating IS security compliance:

Insights from habit and protection motivation theory. Information &

Management, 49(3), 190-198.

Vishwanath, A., Herath, T., Chen, R., Wang, J., & Rao, H. R. (2011). Why do people get

phished? Testing individual differences in phishing vulnerability within an

integrated, information processing model. Decision Support Systems, 51(3), 576-

586.

Vu, K. P. L., Proctor, R. W., Bhargav-Spantzel, A., Tai, B. L. B., Cook, J., & Schultz, E.

E. (2007). Improving password security and memorability to protect personal and

organizational information. International Journal of Human-Computer

Studies, 65(8), 744-757.

Wall, D. S. (2013). Enemies within: Redefining the insider threat in organizational

security policy. Security Journal, 26(2), 107-124.

Wiederhold, B. K. (2014). The role of psychology in enhancing cybersecurity.

Cyberpsychology, Behavior, and Social Networking, 17(3), 131-132.

Weinberger, S. (2011). Computer security: Is this the start of cyberwarfare? Nature

News, 474(7350), 142-145.

West, R. (2008). The psychology of security. Communications of the ACM, 51(4), 34-40.

Whitty, M., Doodson, J., Creese, S., & Hodges, D. (2015). Individual differences in

cyber security behaviors: an examination of who is sharing

passwords. Cyberpsychology, Behavior, and Social Networking, 18(1), 3-7.

Wong, A. K. (2010). Unlocking the door to better cybersecurity. Science, 327(5972),

1451-1451.

Page 33: Cyber Attacks, Contributing Factors, and Tackling ...

33

Wulf, W. A., & Jones, A. K. (2009). Reflections on cybersecurity. Science, 326(5955),

943-944.

Xu, J., Le, K., Deitermann, A., & Montague, E. (2014). How different types of users

develop trust in technology: A qualitative analysis of the antecedents of active and

passive user trust in a shared technology. Applied ergonomics,45(6), 1495-1503.

Younes, W. (2013). Cybersecurity Education Training and Awareness for K-12 Faculty

and Staff in Allegheny County (Doctoral dissertation, Robert Morris University).

Computer Science and Telecommunications Board (CSTB) (2002). Cybersecurity Today

and Tomorrow: Pay Now or Pay Later. Washington, D.C: National Academies

Press.

Clark, D., Berson, T., & Lin, H. S. (Eds.). (2014). At the Nexus of Cybersecurity and

Public Policy: Some Basic Concepts and Issues. Washington, D.C: National

Academies Press.

U.S. Executive Office of the President (USEOP). (2011) Trustworthy cyberspace:

Strategic plan for the federal cyber security research and development program.

Retrieved from

https://www.whitehouse.gov/sites/default/files/microsites/ostp/fed_cybersecurity_

rd_strategic_plan_2011.pdf

U.S. Executive Office of the President (USEOP). (2010). The comprehensive national

cybersecurity initiative. Retrieved from

https://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-

initiative.

Page 34: Cyber Attacks, Contributing Factors, and Tackling ...

34

United States Office of the White House (USOWH). (2009). Cyberspace policy review:

Assuring a trusted and resilient information and communications infrastructure.

Retrieved from

https://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.

pdf.

Biography:

Samantha Bordoff is a Ph.D. student at University at Albany, SUNY. Her research mainly

focuses on cognitive development in childhood. She recently co-authored a book chapter

published in the book Cognitive Development in Digital Contexts.

Quan Chen is a senior Ph.D. student at University at Albany, SUNY. Her research

focuses on off-task multitasking with mobile phones and its impact on performance (i.e.

driving, learning). She has published articles in the journals Computers in Human Behavior

and International Journal of Cyber Behavior, Psychology and Learning. She contributed

chapters to the books Encyclopedia of Mobile Phone. Learning Environments:

Technologies, and Challenges and Impact Assessment.

Zheng Yan has been Associate Professor of Developmental and Educational Psychology at

University at Albany since 2007. His research mainly concerns dynamic and complex

relations between contemporary technologies and human development as well as research

methodology of human development, and specifically focuses on computer behavior,

cyber behavior, and mobile phone behavior. He is the editor of Encyclopedia of Cyber

Behavior and Encyclopedia of Mobile Phone Behavior. His new book, Mobile Phone

Behavior, was published by Cambridge University Press in 2017.