Society is becoming increasingly digital and we use the internet for more and more daily tasks. The downside of digitisation is that crime has also spread onto the internet, resulting in an ever-increasing number of IT incidents. Joakim Kävrestad, PhD Student in Informatics at the University of Skövde, has researched methods for training users in cyber security, to help them act securely when they find themselves in risky situations online.
More and more services are becoming digital. Today, many people do their banking, grocery shopping and ticket bookings online. A lot of people are completely dependent on digital services for personal day and professional life. As a result of the digitisation of society, crime has also moved to the digital world and the number of cyberattacks against authorities, companies, organisations and private individuals, is increasing.
Historically, cyber security research has focused on technical elements, such as crypto, firewalls and anti-virus software. However, reports from both research and practice show that the majority of all cyber security incidents result from, or begin with, an attack on users.
“You simply exploit the basic human functions to recieve information, or get a user to carry out actions that lead to an incident. This includes, for example, phishing or using weak passwords,” says Joakim Kävrestad.
New method supports the user
In his research, Joakim Kävrestad has focused on developing a method that support users when they find themselves in risky situations on the Internet. The methods commonly used today to provide users with security information have several problems, says Joakim.
“It is common to give lectures, send out information via e-mail or ask users to visit a web portal. The big challenge is to get the users to participate in the training and actually take in the information.”
Another challenge, according to Joakim, is that increased knowledge does not necessarily lead to better behaviour. For example, many users know not to click on links from unknown senders, but phishing is still an effective attack method. Clearly, today's training methods are not sufficient.
“In the training method I have developed, the user has an application that notices when they need support, and then offers the support. The effect is that the user receives information and at the same time is reminded to be on their guard. I have been able to show how this method is more effective than other security training methods when it comes to improving behaviour, and that the method is appreciated by users. Together with colleagues, I have also built two working softwares that provide training in this way.”
Services need to be adapted to humans
Joakim Kävrestad's research also shows that it is difficult for people to act securely in many situations. The demands placed on users are simply too high to meet. Even users who do "everything right" have difficulties determining whether phishing emails are legitimate or not.
“Therefore, it is reasonable to question how services work from a security perspective, and then think about how we can rebuild them so that they are better adapted to human abilities.”
The training method can now be used by companies developing cyber security training. It can also be used by those who are going to buy or use security training as a decision support when choosing between different methods. The software developed within the project is free for everyone to use as it is, or to modify it according to their own needs.
Joakim Kävrestad defends his thesis "Context-Based Micro-Training - Enhancing cybersecurity training for end-users" on Monday 17 October at ASSAR Industrial Innovation Arena.