We report on an educational experiment where computer science students perform empirical research into the human factor in cyber security. Most courses restrict students to work in a lab environment,but we encouraged our students to conduct a realistic experiment with real -world subjects. The students wrote a research proposal that had to be approved by the IRB. They then executed the proposal, collecting and analysing the data. Finally the students wrote and presented a paper a student conference. The main method of assessment is by peer review. After teaching the course for six years, we report on the exciting ideas our students came up wi th, and on the lessons we learned in teaching the course. The main conclusions are (a) offering complete freedom to choose research topics inspires students to design creative projects, (b) working with real subjects creates a stimulating learning experience, and (c) peer-review is a useful assessment tool .@en

Purpose – When security managers choose to deploy a smart lock activation system, the number of units needed and their location needs to be established. This study presents the results of a penetration test involving smart locks in the context of building security. We investigated how the amount of effort an employee has to invest in complying with a security policy (i.e. walk from the office to the smart key activator) influences vulnerability. In particular, the attractiveness of a no-effort alternative (i.e. someone else walking from your office to the key activators to perform a task on your behalf) was evaluated. The contribution of this study relates to showing how experimental psychology can be used to determine the cost-benefit analysis (CBA) of physical building security measures. Design/methodology/approach – Twenty-seven different ‘offenders’ visited the offices of 116 employees. Using a script, each offender introduced a problem, provided a solution and asked the employee to hand over their office key. Findings – A total of 58.6% of the employees handed over their keys to a stranger; no difference was found between female and male employees. The likelihood of handing over the keys for employees close to a key activator was similar to that of those who were further away.Research limitations/implications – The results suggest that installing additional key activators is not conducive to reducing the building’s security vulnerability associated with the handing over of keys to strangers. Originality/value – No research seems to have investigated the distribution of smart key activators in the context of a physical penetration test. This research highlights the need to raise awareness of social engineering and of the vulnerabilities introduced via smart locks (and other smart systems).@en

Purpose - The purpose of this study is to explore how the opening phrase of a phishing email influences the action taken by the recipient. Design/methodology/approach - Two types of phishing emails were sent to 593 employees, who were asked to provide personally identifiable information (PII). A personalised spear phishing email opening was randomly used in half of the emails. Findings - Nineteen per cent of the employees provided their PII in a general phishing email, compared to 29 per cent in the spear phishing condition. Employees having a high power distance cultural background were more likely to provide their PII, compared to those with a low one. There was no effect of age on providing the PII requested when the recipient's years of service within the organisation is taken into account. Practical implications - This research shows that success is higher when the opening sentence of a phishing email is personalised. The resulting model explains victimisation by phishing emails well, and it would allow practitioners to focus awareness campaigns to maximise their effect. Originality/value - The innovative aspect relates to explaining spear phishing using four sociodemographic variables.

@en

This study investigates the relationships between users' routine activities and socio-economic characteristics and three forms of cybercrime victimization of 1) online shopping fraud, 2) online banking fraud and 3) cyber-attacks (i.e. DDoS attacks). Data from the Eurobarometer, containing a sample of 17,811 online European citizens was analyzed. The results generally support the Routine Activities Theory. There were few differences by sex. Younger respondents were more at risk of online purchase fraud, but older respondents more of online banking fraud. Few economic characteristics were related to victimization. The three forms of victimization were interrelated relatively strongly. The characteristic of victims of online crime differ from those of traditional crime. We propose that digitalization leads to a `normalization of victims' of cybercrime.@en