The Human Factor of Information Security: Phishing in Cybercrime

Authors

Nina Poyda-Nosyk, Botond Géza Kálmán, Szilárd Malatyinszki

DOI:

https://doi.org/10.58423/2786-6742/2024-6-223-234

Keywords:

cybersecurity, user, phishing, information, data

Abstract

This study investigates public awareness of phishing practices in Hungary, emphasizing the evolving landscape of cybercrime and the strategic importance of information in contemporary society. The research examines the methods and factors that contribute to successful phishing schemes, employing statistical data to improve understanding of, and defense mechanisms against, such attacks. By examining the techniques and psychological triggers used to deceive victims, the study aims to provide a comprehensive view of phishing threats. The research explores whether demographic differences, education, and internet use influence susceptibility to phishing attacks. Two primary assumptions are tested: that demographic factors affect knowledge of and attitudes towards phishing, and that individuals frequently fail to recognize phishing attempts. Highlighting the importance of process-based protection over purely technical tools, the study stresses that user decisions and knowledge are crucial in defending against phishing. Process-based security, including blocking malicious sites and notifying users, is essential, with significant responsibility resting on service providers, the state, and national security agencies. However, the user's role remains critical, as the user is the weakest link in the security chain. Technological advances in defense methods are discussed, noting that as these methods become more effective, attackers shift their focus from systems to the personnel operating them. This shift underscores the growing significance of the human factor in internet security. Phishing incidents often go unreported because companies prefer to absorb losses rather than reveal vulnerabilities, fearing significant customer loss. The study emphasizes the value of information, both as a target for criminals and as crucial knowledge for prevention. Protecting data and disseminating knowledge are essential tasks in combating IT crime, underscoring the need for ongoing research and awareness.

Author Biographies

Nina Poyda-Nosyk, Ferenc Rakoczi II Transcarpathian Hungarian College of Higher Education (FR II THCHE)

Doctor of Science in Economics, Professor

Botond Géza Kálmán, Kodolányi János University

PhD, Associate Professor

Szilárd Malatyinszki, Kodolányi János University

PhD, Associate Professor

References

Anti-Phishing Working Group (2009-2018). Phishing Activity Trends. Available from: https://www.antiphishing.org/resources/apwg-reports/ (last accessed: February 2, 2024)

Arachchilage, N. A. G. and Love, S. (2013). A game design framework to avoid phishing attacks. Computers in Human Behavior, 29(3), 706-714. DOI: https://doi.org/10.1016/j.chb.2012.12.018

Borbíró, A. (2016). Kriminológiaelmélet: bűnözésmagyarázatok (Criminological theory: explanations of crime – in Hungarian). In: Borbíró, A., Gönczöl, K., Kerezsi, K., Lévay, M. (eds.). Kriminológia. Budapest: Wolters Kluwer, pp. 29-313.

CERT Insider Threat Team (2013). Unintentional Insider Threats: A Foundational Study. Available from: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=58744 (last accessed: March 3, 2024)

Cohen, L. E. and Felson, M. (1979). Social Change and Crime Rate Trends: The Routine Activity Approach. American Sociological Review, 44(4), 588-608. DOI: https://doi.org/10.2307/2094589

Cranor, L. F. (2008). Framework for Reasoning About the Human in the Loop. Proceedings of Usability, Psychology & Security (UPSEC). Available from: https://www.usenix.org/legacy/event/upsec08/tech/full_papers/cranor/cranor.pdf (last accessed: April 4, 2024)

Europol (2018). Internet Organised Crime Threat Assessment (IOCTA). Available from: https://www.europol.europa.eu/activities-services/main-reports/internet-organised-crime-threat-assessment-iocta-2018 (last accessed: May 5, 2024). DOI: https://doi.org/10.1016/S1353-4858(18)30096-5

Gupta, S. and Kumaraguru, P. (2014). Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page. APWG Symposium on Electronic Crime Research (eCrime), 36-47. DOI: https://doi.org/10.1109/ECRIME.2014.6963163

Gupta, B. B., Nalin, A., & Kostas, P. (2017). Defending against Phishing Attacks: Taxonomy of Methods, Current Issues and Future Directions. Telecommunication Systems. DOI: https://doi.org/10.1007/s11235-017-0334-z

Hadnagy, C. & Fincher, M. (2015). Phishing Dark Waters – The Offensive and Defensive Sides of Malicious Emails. Indianapolis: Wiley. Available from: https://the-eye.eu/public/Books/HumbleBundle/phishingdarkwaters.pdf (last accessed: June 6, 2024). DOI: https://doi.org/10.1002/9781119183624

Haig, Zs. & Várhegyi, I. (2005). Hadviselés az információs hadszíntéren (Warfare on the information battlefield – in Hungarian). Budapest: Zrínyi Kiadó.

Haig, Zs., Hajnal, B., Kovács, L., Muha, L. & Sik, Z. N. (2009). A kritikus információs infrastruktúrák meghatározásának módszertana (Methodology for defining critical information infrastructures – in Hungarian). ENO Advisory Kft.

Jakobsson, M. & Myers, S. (2007). Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft. John Wiley & Sons, Inc. DOI: https://doi.org/10.1002/0470086106

Jakobsson, M. (2005). Modeling and Preventing Phishing Attacks. In: Patrick, A. S. & Yung, M. (eds.), Financial Cryptography and Data Security. Berlin: Springer, pp. 89-108. DOI: https://doi.org/10.1007/11507840_9

Jansen, J. and Leukfeldt, R. (2016). Phishing and Malware Attacks on Online Banking Customers in the Netherlands: A Qualitative Analysis of Factors Leading to Victimization. International Journal of Cyber Criminology, 10(1), 79-91.

Kiss, T., Parti, K. & Prazsák, G. (2019). Cyberdeviancia (Cyberdeviance – in Hungarian). Budapest: Dialóg Campus Kiadó.

Kovács-Angel, M. (2019). 8 év börtönt kaphat az etikus hacker, aki szólt a Magyar Telekomnak egy biztonsági résről (The ethical hacker who told Magyar Telekom about a security hole could be jailed for 8 years – in Hungarian). 24.hu, January 27. Available from: https://24.hu/belfold/2019/01/27/etikus-hacker-telekom/

Liang, H., & Xue, Y. (2009). Avoidance of Information Technology Threats: A Theoretical Perspective. MIS Quarterly, 33(1), 71-90. DOI: https://doi.org/10.2307/20650279

Long, R. M. (2013). Using Phishing to Test Social Engineering Awareness of Financial Employees. MSc thesis, Eastern Washington University. DOI: https://doi.org/10.13140/RG.2.1.3846.0565

Maimon, D., Kamerdze, A., Cukier, M., & Sobesto, B. (2013). Daily Trends and Origin of Computer-Focused Crimes Against a Large University Computer Network: An Application of the Routine-Activities and Lifestyle Perspective. British Journal of Criminology, 53(2), 319-343. DOI: https://doi.org/10.1093/bjc/azs067

Mendi-Kozma, L. (2016). A kiberbűnözés egyes aspektusai – az online zaklatás (Some Aspects of Cybercrime – Online Bullying – in Hungarian). Károli Gáspár Református Egyetem Állam- és Jogtudományi Kar.

Nagy, Z. A. (2009). Bűncselekmények számítógépes környezetben (Crimes in a computer environment – in Hungarian). Budapest: Ad Librum Kft.

Nouh, M., Nurse, J. R. C., Webb, H., & Goldsmith, M. (2019). Cybercrime Investigators are Users too! Workshop on Usable Security (USEC 2019), San Diego, California, February 24. Internet Society. DOI: https://doi.org/10.14722/usec.2019.23032

PhishLabs (2019). 2018 Phishing Trends & Intelligence Report. Available from: https://info.phishlabs.com/hubfs/2018%20PTI%20Report/PhishLabs%20Trend%20Report_2018-digital.pdf (last accessed: January 5, 2024)

Poonia, A. S. (2014). Cyber Crime: Challenges and its Classification. International Journal of Emerging Trends & Technology in Computer Science, 3(6), 119-121. Available from: https://www.ijettcs.org/Volume3Issue6/IJETTCS-2014-12-08-96.pdf (last accessed: April 4, 2024)

Pratt, T. C., Holtfreter, K., & Reisig, M. D. (2017). Routine Online Activity and Internet Fraud Targeting: Extending the Generality of Routine Activity Theory. Journal of Research in Crime and Delinquency, 47(3), 267-296. DOI: https://doi.org/10.1177/0022427810365903

Rogers, R. W. (1975). A protection motivation theory of fear appeals and attitude change. Journal of Psychology, 91(1), 93-114. DOI: https://doi.org/10.1080/00223980.1975.9915803

Scamwatch (2019). Scam statistics. Available from: https://www.scamwatch.gov.au/about-scamwatch/scam-statistics (last accessed: January 1, 2024)

Symantec (2019). Internet Security Threat Report. Available from: https://www.symantec.com/security-center/threat-report (last accessed: February 2, 2024)

Verizon (2019). 2018 Data Breach Investigations Report: Executive Summary. Available from: https://enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf (last accessed: January 1, 2024)

World Economic Forum (WEF) (2019). The Global Risks Report 2019. Geneva: WEF. Available from: http://www3.weforum.org/docs/WEF_Global_Risks_Report_2019.pdf (last accessed: June 6, 2024)

Whittaker, C., Ryner, B., & Nazif, M. (2010). Large-scale automatic classification of phishing pages. Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, February 28 - March 3. Internet Society.

Wueest, C. (2014). Targeted Attacks Against the Energy Sector. Symantec. Available from: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/targeted_attacks_against_the_energy_sector.pdf (last accessed: May 5, 2024)

Published

2024-07-09