CYBER HUMAN FACTORS

CONTENTS
Introduction 3
Study 1 - Phishing Tool - Measuring the Human Factor 4
  Related Studies 4
  Analysis and Results 4-7
  Challenges Faced 8
  Study 1 - Conclusion 8
Study 2 - Thumb Drive Exploitation 8-10
  Analysis and Results 10
  Study 2 - Conclusion 10
Social Engineering 11
  Related Studies 11
  Social Engineering - Conclusion 12
Report Conclusion 12
References 13-14

I. INTRODUCTION
Computer security is not just about technology and systems. It is also about the people who use
those systems and how their behaviour can be exploited. The Verizon Data Breach Investigations Report
details that 28% of breaches were from social attacks, with a quarter of those occurring through
phishing. In a phishing attack, victims are sent a spoofed email that appears to be a benign notification
from a bank, service provider or social networking website. Figure 1 shows an example of a phishing
email from the company “1&1 IONOS”. There have been many technological advances towards
preventing these types of attacks; however, none has been able to prevent them completely, and the
attack on RSA in 2011 is evidence of this.
Despite the increased awareness of threats to information security, there are still violations that
elude our ability to defend against attacks, leading to millions of pounds of losses each year (Bresz, 2004).
Although many countermeasures can be automated through the continuous development of technology,
this alone cannot solve the problem (Ruighaver, Maynard and Chang, 2007).
Organizational and system security covers only part of ensuring the confidentiality, integrity and
accessibility of data; ensuring the workforce is cyber-aware and educating users to be cautious of
potential security breaches is, arguably, of greater importance. It is important to consider how the
workforce will respond to a potential breach. If a user receives a phishing email, how would they handle
it? Are the appropriate processes in place to protect other users if they report the phishing email, or do
they simply delete it? Having effective processes available and communicating them clearly are essential
parts of minimizing the potential risk caused by people.
This paper will discuss various methods used to exploit the human factor in an organization,
including phishing tools, USB exploitation and social engineering, critically analysing methods to
measure a workforce's knowledge of these attacks and how users can be educated not to fall victim.
II. STUDY 1 - PHISHING TOOL - MEASURING THE HUMAN FACTOR
To conduct this study, IONOS will test user vulnerability by sending out decoy emails; users that
interact with the emails are informed so they can change their behaviour in future. Traditionally, users
attend a training session and are told of the threat that can be posed by phishing emails; user
awareness has been improved by changing this approach and instead demonstrating users' own
vulnerability (“Gone Phishing”, 2005). Tools have become available for sending test phishing emails, but
they require an administrator to create and send each email, and none of them provide statistics for
measuring security within an organization, such as the average number of users who interact with a
phishing email (Core Security, 2010).
III. RELATED STUDIES
Computer security demands that various techniques be developed to evaluate and compare the
design of security infrastructure, organizations and processes (S. Stolfo, S. Bellovin and D. Evans, 2011).
Typically, these focus on system security rather than people. The study conducted by IONOS is intended
to educate a portion of its customer base using decoy emails. Whilst there are more traditional methods of
training, such as seminars or articles, the resources needed to conduct these are not always available (P.
Kumaraguru et al., 2007).
A similar study was conducted at Indiana University Bloomington that focused on social phishing
and spoofing (T. N. Jagatic, N. A. Johnson, M. Jakobsson and F. Menczer, 2007). The study sent
harmless phishing attacks to students aged 18-24, intending to show that effective phishing can exploit
social desires. However, there was no research on how the results of the testing could be used to
improve organizational security and raise awareness.
IV. ANALYSIS AND RESULTS
The phishing tool recycles an existing product provided by IONOS to provide the means to create
and send phishing emails; the data can be evaluated within the system and used to measure the
organization's security and educate users. The system's components and process are shown in Figure
2.
a) Email Generator: The email generator repurposes IONOS' “email marketing” tool to create
a custom email that looks like an official, benign message. Within the tool, a list of targets (an
address book) can be entered to send the phishing email to. The tool allows multiple phishing
emails to be created and sent out to a percentage of the users, and evaluates who interacts
with them, as shown in Figure 3.
b) Website: As all the interaction data will be compiled in the Email Generator, the website (see
Figure 4) will be a page designed to educate users on phishing emails and provide a survey
for them to leave feedback. The form does not require users to identify themselves, only the
time they clicked the link in the email, the department the user belongs to and the role of the
user within the organization. Figure 4 provides a demonstration of the website.
In order to compile sufficient data, 200 emails were sent using 4 different types of decoy email.
This sample size was significant enough to measure different parameters, such as whether a user opens
the email. Another reason for using 200 users was to have a large enough sample to reach a significant
result without burdening users or arousing suspicion. With permission from IONOS, all of the
subjects were unaware of the experiment. This experiment has the potential to cause frustration and cost
users' time; starting with 200 users is a small percentage of the total number of employees and won't
affect business operations.

Figure 1: System process and components

Figure 2: Phishing Email Generator

Figure 3: Website Survey

The decoy emails are sent using an external mail account from a common webmail provider.
Users that fail to identify the email as a phishing email are presented with the website shown in Figure 4
with the following notification:
“IONOS is conducting an experiment designed to test the security measures of organizations and to
educate users on safe practices to avoid falling victim to malicious emails. The emails are sent to IONOS
employees and used to test whether users violate security policies. Whilst these emails are not sent with
any malicious intent, there are many that are intended to trick unsuspecting users into giving up personal
information.
In 2020, it is common for users to be fooled into installing malicious software after clicking on one
of these malicious emails that exploit a user's device, such as cryptomining software.”
As seen in Figure 3, all of the emails have a URL that is written to look external but points to an internal
address where the results are recorded by our phishing tool.
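The link trick the tool relies on, visible text that reads as an external address over an href that goes somewhere else, is also what a mail gateway or awareness trainer can look for. The following is an added example (not the IONOS tool or any code from this report) that parses an HTML email body and reports anchors whose displayed host differs from the host the href actually resolves to; the sample message and hosts are constructed.

```python
"""Flag e-mail links whose visible text advertises one host but whose href lands
on another, the pattern the decoy e-mails described above rely on. Added
example, not the IONOS tool; the sample message below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the anchor currently open
        self._text = []      # text fragments inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Lower-cased host of a URL or bare domain; '' if none is present."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def find_mismatched_links(html_body):
    """Return (visible text, actual host) for each anchor whose text reads as a
    URL or domain but whose href lands on a different host (leads, not verdicts)."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        if " " in text or "." not in text:
            continue             # plain words such as "Help centre" claim no host
        shown, actual = _host(text), _host(href)
        if actual and shown != actual:
            findings.append((text, actual))
    return findings

# Constructed sample in the style of the report's decoys: the first link reads as
# the provider's site but lands on an internal results recorder.
SAMPLE = (
    "<p>Your mailbox is almost full.</p>"
    '<a href="http://10.0.0.12/track?id=42">https://mail.example-provider.com/quota</a> '
    '<a href="https://support.example-provider.com/faq">Help centre</a>'
)
```

Subdomain differences (www.example.com shown, example.com linked) are flagged as well, so the output is a review queue rather than a verdict.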
Results of experiments
The table below provides the compiled results obtained from 5 sets of the experiment. Each set took place
over 5 days, and not all users were emailed at the same time, to prevent arousing suspicion. Victims
were repeatedly targeted until they stopped interacting with the email. The results show it took several
attempts to train users to be cautious of suspicious-looking emails, but most users learned within 3 sets
not to interact with them. Figures 5 and 6 show the results and additional metrics as seen in our phishing
tool.

THE NUMBER OF RESPONSES FOR EACH SET, MEASURING THE USER RESPONSE TO THE
PHISHING EMAIL

1st Set    2nd Set    3rd Set    4th Set    5th Set
161/200    142/200    3/200      1/200      0/200

Figure 6: Results as seen in Phishing tool for the first set

Figure 5: Additional Metrics from first set

V. CHALLENGES FACED
Various challenges occurred during these studies, such as the frustration felt by the participants.
Even though a message was provided describing why the study had taken place, many employees still
took issue with it. Alongside this, the users who were not fooled by the phishing emails, being unaware of
the study, reported it to human resources.
VI. STUDY 1 - CONCLUSION
The results presented in the previous sections suggest that users can be trained using decoy
technology to be wary of potential threats. Applying this measurement across multiple organizations can
be effective in recording an organization's current level of security and educating its users.
VII. STUDY 2 - THUMB DRIVE EXPLOITATION
In a Universal Serial Bus (USB), or thumb drive, drop attack, a potential attacker will leave a device
for people to find and then plug into their computers. There are three primary types of attack (Zenko, 2015):

● Malicious Code – Once the device is inserted, the user clicks on one of the files, which
automatically launches malicious code and can potentially begin downloading further
malware from the internet.

● Social Engineering – The file can take a user to a phishing site, which tricks them into
handing over their login credentials, see figure 7.

● Human Interface Device Spoofing – A more sophisticated attack that tricks a computer into
thinking the device is a keyboard, which then injects keystrokes to give the attacker remote
access to the victim's computer, see figure 8.

Figure 4: Social Engineering

Figure 5: HID

VIII. RELATED STUDIES
In 2016, a study conducted by Elie Bursztein at the University of Illinois tested how susceptible
users were to picking up and plugging in a USB drive they found. The USB drives had various labels on
them, such as ‘exams’ and ‘confidential’. Figure 9 displays the results in a visual graph.

Table 1: Results of Bursztein’s study (Cluley, 2016).

IX. ANALYSIS AND RESULTS
Bursztein claims that he dropped 298 USB sticks on the university campus at 30 unique locations,
finding that 98% of the drives were picked up and 45% were plugged in. Each USB drive contained
HTML files that were disguised as an image or document. Once opened, users were asked if they wished
to participate in a survey, but only 20% agreed. From a security perspective, a security breach would most
likely already have occurred by this point (Bursztein, E., et al., 2016).
The simplest attack that could have occurred would have been malicious code placed in the
HTML file that activated upon the file being opened, possibly downloading further malware
from the internet.

X. STUDY 2 - CONCLUSION
Similarly to the phishing email study, this serves to educate users not to access an unknown USB
drive. This study is evidence that less technical attacks remain a threat, and performing similar studies in
controlled environments will aid in educating users not to plug in unknown devices. However, there were
no follow-up results showing whether or not users fell victim to this same attack again.

XI. SOCIAL ENGINEERING
Social engineering, the manipulation of people into providing confidential information, is one of the
most common causes of data breach. Social engineers will attempt to persuade individuals by appealing
to their emotions or by establishing interpersonal relationships or a sense of trust (Gao and Kim, 2017).
By promising a financial incentive or a potential prize, as seen in the phishing email test, the emotional
aspect distracts victims.
Employees can have the biggest impact on an organization's security, with severe consequences. A
GDPR violation can have significant financial impact, as a fine is calculated as a percentage of the
company's turnover rather than a flat fee. In 2019, IONOS were fined €9.55m for GDPR violations
(Spadafora, A., 2019).

XII. RELATED STUDIES
In 2014, Andersson and Reimers found that employees do not consider themselves a part of an
organization, and often ignore the best interests of an organization's security. This study showed that
security culture in the workplace needed to be constantly evaluated and improved. There are some
who will willingly provide sensitive data or information despite knowledge of the threats (Calluzzo and
Cante, 2004). In many cases they are willing to trade an organization's privacy, often the release of
critical data, in exchange for a small reward (Leyden, 2004).
This study proposed, through regional focus groups (“MOC Focus Groups”, 2010), that users
needed to be further educated on productivity tools, such as Microsoft Office, as well as increasing
overall awareness of technology and its appropriate uses.
Unfortunately, simply increasing awareness is not always the correct solution for users, as most of
this knowledge may not be applied outside of the training sessions. Each industry and/or organization
will need to apply a different strategy in order to effectively train their staff not to make mistakes when it
comes to ensuring the security of the organization they work for or their customers.
In 2016, Castedo, L., et al. conducted a study into RFID (Radio Frequency Identification) to
evaluate its security and potential security risks. In recent years, various methods have been invented
that allow the cloning of RFID cards from up to 3 metres away. A potential attacker can walk around
a building with a hidden device, such as the Proxmark3 shown in figure 6, that clones a card's unique
code; once cloned, they will be able to access the building and breach systems physically.

Figure 6: Hidden Proxmark3 - Kevin Mitnick opening Keynote

XIII. SOCIAL ENGINEERING - CONCLUSION
Social engineering takes many different forms and is a major route for security breaches, yet there
is currently little to assist in solving the problem. Whilst it is possible to develop methods to raise
awareness of phishing attacks and USB drops, speaking to a user directly and appealing to their emotions
is the most straightforward way to exploit them. As such, other than risk assessments, there are very few
methods available to ensure users are not exploited.
Based on this, an organization will need to be able to assist its employees in recognizing when it
is appropriate to provide sensitive information, such as through security verification. Users will need to
be educated to have a sense of ethical conduct and responsibility, increasing commitment and reducing
the potential of information being leaked. Alongside this, compartmentalizing roles and allocating
information on a “need to know” basis ensures confidential information is not leaked; however, there is
no way to guarantee that employees will not “gossip”, and sensitive information may spread regardless.

XIV. REPORT CONCLUSION
Protecting against the human factor in an organization can be done through various methods;
however, studies show that the most effective way is to perform a lab version of an attack. Whilst this can
have potential negative effects on the workforce, such as lowering morale or causing frustration, they
will have greater awareness of potential threats and how to prevent breaches.

XV. REFERENCES

Tischer, M., Durumeric, Z., Foster, S., Duan, S., Mori, A., Bursztein, E. and Bailey, M. (2016). Users Really
Do Plug in USB Drives They Find. Google / University of Michigan.
Barreto, C., Andersson, D. and Reimers, K. (2014). Post-Secondary Education Network Security: Results of
Addressing the End-User Challenge. INTED 2014 Conference, Spain.
Techradar (2019). 1&1 hit with million-euro GDPR fine [online]. Techradar. [Viewed 4 February 2020].
Available from: https://www.techradar.com/news/1and1-hit-with-million-euro-gdpr-fine
Fernández-Caramés, T. M., Fraga-Lamas, P., Suárez-Albela, M. and Castedo, L. (2016). A Methodology
for Evaluating Security in Commercial RFID Systems. Radio Frequency Identifier [online]. [Viewed 17
February 2020]. Available from: DOI: 10.5772/64844
Bresz, F. (2006). People - often the weakest link in security, but one of the best places to start.
Journal of Health Care Compliance, July-August: 57-60.
Ruighaver, A. B., Maynard, S. B. and Chang, S. (2007). Organizational security culture:
Extending the end-user perspective. Computers and Security, 26(1): 56-62.
Walters, N. (2005). Gone Phishing: The Internet and Identity Theft [online]. AARP. [Viewed
18 February 2020]. Available from: https://www.aarp.org/money/scams-fraud/info-2005/fs118_phish.html
Core Security (2010). Core Impact Pro [online]. Core Security. [Viewed 18 February 2020].
Available from: https://coresecurity.com
Stolfo, S., Bellovin, S. and Evans, D. (2011). Measuring Security. IEEE Security & Privacy
Magazine, pp. 72-77.
Kumaraguru, P., Rhee, Y., Acquisti, A., Cranor, L. F., Hong, J. and Nunge, E. (2007). Protecting
people from phishing: The design and evaluation of an embedded training email system.
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI ’07), San
Jose, California.
Jagatic, T. N., Johnson, N. A., Jakobsson, M. and Menczer, F. (2007). Social phishing.
Communications of the ACM [online]. [Viewed 19 February 2020]. Available from:
http://doi.acm.org/10.1145/1290958.1290968
Zenko, M. (2015). Red Team. Basic Books.
Gao, W. and Kim, J. (2007). Robbing the cradle is like taking candy from a baby. Proceedings
of the Annual Conference of the Security Policy Institute (GCSPI), 1, 23-37. Amsterdam,
Netherlands.
Calluzzo, U. J. and Cante, C. J. (2004). Ethics in Information Technology and Software Use.
Journal of Business Ethics, 51(3), 301-312.
Leyden, J. (2004). Clueless office workers help spread computer viruses. The Register, pp. 17-21.
Andersson, D. and Reimers, K. (2010). Utilizing software application tools to enhance online
student engagement and achievement [online]. Mount Olive College Focus Groups. [Viewed
22 February 2020]. Available from: https://files.eric.ed.gov/fulltext/EJ1098370.pdf
Richmond, R. (2011). The RSA Attack: How They Did It [online]. Bits. [Viewed 5 February
2020]. Available from: https://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/

Word Count without references: 2522
