RANSOMWARE PROTECTION (HUMAN ERROR: A BID TO MITIGATE RANSOMWARE ATTACK)

BY

OMITIRAN ADEFIOLA CHRISTIANA
2005022057

SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE, SCHOOL OF TECHNOLOGY, LAGOS STATE POLYTECHNIC, IKORODU CAMPUS, IN FULFILMENT OF THE REQUIREMENTS FOR THE AWARD OF HIGHER NATIONAL DIPLOMA IN COMPUTER SCIENCE

LAGOS STATE POLYTECHNIC, IKORODU
JANUARY, 2023

CERTIFICATION

This is to certify that this research project was carried out by OMITIRAN ADEFIOLA CHRISTIANA with Matriculation Number 2005022057 in fulfillment of the requirements for the award of Higher National Diploma (HND) in the Department of Computer Science, Lagos State Polytechnic, Ikorodu.

________________________          ______________________
DR. AKANJI WASIU                  DATE
PROJECT SUPERVISOR

_________________________         _______________________
DR. ADERIBIGBE S.O                DATE
HEAD OF DEPARTMENT

DEDICATION

We dedicate this project to the Almighty God for his protection and grace on my life throughout our period of study.

ACKNOWLEDGEMENT

My gratitude goes to God for his guidance and grace on me; if not for him, we might not have got to this level. May his blessing on me continue to blossom. I also acknowledge our entire family for their support, both morally and financially; may God continue to bless them and guide them. My appreciation goes to our ever-supporting supervisor, Mr. Idris Aremu Abiodun, who created time out of his tight schedule to correct and adjust the project work until it came to a perfect stage. May God continue to bless you and your family abundantly.
I would also like to say a big thank you to all the other lecturers for their educational support; may God continue to grant them wisdom and knowledge (Amen).

TABLE OF CONTENTS

Title page i
Certification ii
Dedication iii
Acknowledgment iv
Table of contents v
Abstract vii

CHAPTER ONE: INTRODUCTION
1.1 Background of Study 1
1.2 Problem Statement 8
1.3 Aim and Objectives 9
1.4 Definition of Terms 10
1.5 List of Acronyms 13

CHAPTER TWO: LITERATURE REVIEW
2.1 Introduction 14
2.2 Human Error 15
2.2.1 Human Performance 16
2.2.2 Human Error in Cyber Security 17
2.3 Ransomware 19
2.3.1 Ransomware Sources 23
2.3.2 Types of Ransomware 24
2.3.2.1 Crypto Ransomware 24
2.3.2.2 The Role of Cryptocurrencies in Ransomware Attack 25
2.3.3 Locker Ransomware 26
2.4 Statistics on Human Error in Ransomware Attack 27
2.4.1 Human Errors and Violations 27
2.4.2 Phishing 28

CHAPTER THREE
3.0 Existing Solutions to Ransomware Protection 36
3.1 Existing Solutions to Reduce Human Error in Ransomware Attack and in IT Security in General 36
3.1.2 Tackling Phishing with Signal-Sharing and Machine Learning by Microsoft 37
3.1.2 Avast Protection 43

CHAPTER FOUR
4.0 Gap in Existing Solution 46
4.1 Gaps in Existing Solution to Reduce Human Error as a Form of Ransomware Attack 46

CHAPTER FIVE
5.0 Summary, Conclusion and Recommendation 52
5.1 Summary 52
5.2 Conclusion 53
5.3 Recommendation 56
References

ABSTRACT

In Norman’s (1983) research on cognitive engineering, “System design principles can be derived from classes of human error” (p. 254). Norman (1983) bases his research on high-level specifications of desired actions, known as intentions. The intentions are broken down into mistakes and slips, which were researched by Liginlal et al. (2009) and Reason (1990). In trying to find the causal factors in an organization that cause human error to occur, the probability of human error can be directly measured through the use of experimental psychology and human factors engineering (Wood & Banks, 1993).
System design and human interaction both play a role in how often human error occurs, particularly when there is a slight mismatch between the system design and the person operating it (Wood & Banks, 1993). One major problem with systems design is that systems are designed for simplicity, which can lead a normally privacy-conscious person to make bad security decisions (Bratus et al., 2008).

CHAPTER ONE
INTRODUCTION

1.1 Background of Study

The digital era ushered in the use of computers as a tool of the people. The internet expanse where computers connect has become known as cyberspace. Many economic outlets, cultural resources, social platforms, as well as government services operate on the internet. The move of services from in-person delivery to cyberspace is known as digitization. Digitization has had positive effects on efficacy. Several types of security issues have revealed exploitation and vulnerabilities in cyberspace. Sophisticated and diverse types of cyberspace-based attacks have materialized. Any type of disruption of the integrity, authenticity and availability of data or information is termed a cyberattack. Private companies and government organizations are facing security exploitation issues globally in cyberspace. The purpose of such attacks differs based on what information is threatened. Attackers are most often driven by financial gain, government intelligence, or political influence. The scope for individuals to be targeted is widening. Cyberattacks also give the public the opportunity to gain awareness of potential dangers. Ransomware attacks have become more prevalent, brutal and recurrent. Factors such as anonymous payment processing and new sophisticated encryption methods have contributed to the rapid growth of ransomware nowadays (Balogun, 2018). In 2017, the FBI’s Internet Crime Complaint Center (IC3) received 1,783 ransomware complaints that cost victims over $2.3 million (De Groot, 2019).
According to Luo & Liao (2017), ransomware targets files with the following file name extensions: .txt, .doc, .rft, .ppt, .cbm, .cpp, .asm, .db, .db1, .dbx, .cgi, .dsw, .gzip, .zip, .jpeg, .key, .mdb, .pgp and .pdf. Knowing that these files are of possible crucial importance to the victims, the attacker encrypts them, making them impossible for the victim or owner to access (Luo & Liao, 2017). Anyone with important data stored on their computer or network is at risk, including government or law enforcement agencies and healthcare systems or other critical infrastructure entities (US-CERT, n.d.).

Cybersecurity is the means of defending computers, servers, IoT devices, networks, and data from malicious attacks. Another name for cybersecurity is information technology security. Since the introduction of the computer, cyberattacks have been a major problem faced by organizations and individuals over the years, and the rate of cyberattacks has increased exponentially. Human factors are regularly underestimated and overlooked (Hadlington, 2017) and are vital factors that affect a business's information security hygiene (Anwar et al., 2016). The challenge stems from the diverse range of human errors which ultimately grant unauthorized access to sensitive information and other business assets, resulting in significant data and security breaches. Employee mistakes pose a risk in companies. In fact, the rise and severity of security problems reported in recent years suggest that organizations are more vulnerable than ever (Sasse, Brostoff & Weirich, 2001). As illustrated in Figure 2, human errors are influenced by certain attitudes, behaviors, and actions that promote unsecured connections. These ignorant actions expose valuable, sensitive business information and resources to opportunistic criminals. Criminals then hijack secure sessions to violate privacy (Wallace et al., 2021).
When cybercriminals take over, they compromise information security principles like data confidentiality, availability, and integrity. Confidentiality, a fundamental principle that promotes protection against unauthorized disclosure of data or information, focuses on keeping information private. Data is only available to, or can only be accessed by, the correct recipient to carry out expected duties (Njoroge, 2020). The confidentiality principle includes people protecting others by restricting personal or sensitive information sharing unless explicit permission is granted (Alexei & Alexei, 2021).

Common human mistakes

Cybersecurity risks relating to human mistakes affect various businesses because of the connection to standalone or networked computers. Moreover, Kobis (2021) believes that the human factor is the leading factor in the infiltration of sensitive information. For standalone computers, employees may use memory sticks which a virus may infect. Or, for example, employees may follow a website's links or accidentally respond to unknown links that gather sensitive information. Increasingly, data breaches occur through the unauthorized disclosure of personal information (Richardson et al., 2020). Another example is when users curiously, recklessly, and ignorantly open fake emails containing malware attachments which install automatically when opened. Moreover, a user could install malware attached to standard applications. Often the infected installation package is available on a website to trap unknowledgeable users. In this case, the unaware user downloads and installs software from unverified sources (Kobis, 2021). Other users serve as a channel for criminals by the way they handle their passwords. Such behavior may result from a poor ability to remember the accepted characters for password criteria, understaffing, and employee overload with work demands. At times, unacceptable user behavior is exacerbated by a lack of support or the absence of relevant training.
This mistake is a gap that influences poor decision-making (Sasse, Brostoff & Weirich, 2001). Some user attitudes affect common mistakes; for example, when a user insists, "It won't happen to me" (Richardson et al., 2020). According to IBM’s Security Services 2014 Cybersecurity Intelligence Index, human error played a role in more than 95% of all security breaches (IBM Security Services, 2014), as opposed to those caused strictly by unanticipated vulnerabilities in system security. IBM’s report is based upon nearly 1,000 clients in 133 countries and billions of events per year. IBM reports that human errors include those made by IT professionals, such as improper system security configurations and poor patch management, and those made by end-users, such as weak or shared passwords, loss of devices containing sensitive information, and the single most prevalent: opening an unsafe attachment or accessing an unsafe URL. The report describes a typical human error involving the use of social media to initiate an attack. In the scenario described, the attacker contacts a user inside an organization via social media and directs the user to a malicious website or gets the user to open a malware attachment in email. Since the user is using organizational resources, the entire organization is potentially exposed to the exploit.

In the United States (US), data breaches that compromise 500 or more individuals’ health records must be reported to the US Department of Health and Human Services (HHS) (US Department of Health and Human Services Office for Civil Rights, 2022). All 50 US states have laws that require breached companies to notify residents that their data was compromised (Steptoe & Johnson LLP, 2019). Causes of data breaches are attributed to system glitches, external actors, and internal actors (insiders) (Garrison & Ncube, 2019; Kennedy, 2020; Pigni et al., 2018; Ramim & Levy, 2019; Zimmerman & Renaud, 2019).
Insiders are organizational members with privileged access to persons, systems, processes, and facilities (Clarke & Levy, 2022; Hua & Bapna, 2021; Nurse et al., 2019; Zimmermann & Renaud, 2021). Organizational insider threats can be malicious or non-malicious (Hua & Bapna, 2019; Nurse et al., 2019; Vroom & von Solms, 2020; Zimmerman & Renaud, 2019). Human error has increasingly been attributed as a significant cause of data breaches (Chernyshev et al., 2019; Evans et al., 2019; Metalidou et al., 2021). The Identity Theft Resource Center (ITRC) (2022) estimated that for 2017, their Data Breach Employee Error / Negligence / Improper Disposal / Loss attack category accounted for only 15.4% of data breach cases, but accounted for 102.5% of records breached. Furthermore, ITRC’s other categories may also involve human error as a contributor to the breach.

Although human error is known to be a contributor to data breaches, the understanding of what causes human error in cybersecurity contexts is extremely limited. On the other hand, human error in safety, in the context of manufacturing, healthcare, nuclear, laboratory, plants, transportation, aerospace, etc., is relatively well researched and funded (Senders & Moray, 1991; Xing et al., 2017). In fact, formal Human Reliability Analysis (HRA) methods have been developed in safety applications with the aim of reducing the likelihood and consequences of human errors in complex systems (Evans et al., 2019; Groth, 2009). A key component of HRA methods is Performance Influencing Factors (PIFs), the various circumstantial and contextual factors that influence human performance to cause, or contribute to, human error (Franciosi et al., 2019; Groth, 2009). Internal (individual) and external (organizational and contextual) PIFs were assessed, following Curado et al. (2018), who argued that assessing the antecedent at only one level does not fully explain the relationship between conditions and outcomes.
In this study, PIFs in cybersecurity contexts are titled Cybersecurity PIFs (CS-PIFs), and human error in cybersecurity contexts is titled Cybersecurity Human Error (CS-HE). This research examined CS-PIFs as contributors to CS-HE resulting in data breaches, using existing known and documented incidents. Fuzzy-set theory was used to calibrate the degree of membership (i.e. presence or absence) of CS-PIFs and CS-HE in each case, which is appropriate as CS-PIFs and CS-HE can vary by level or degree (Pena & Curado, 2007; Ragin, 2009). Groth (2009) found that PIFs have varying levels of interdependencies and interactions that result in a human error. Thus, Fuzzy-Set Qualitative Comparative Analysis (fsQCA) was used to examine the conjunctural causal relationship of CS-PIFs resulting in CS-HE leading to the data breaches (Rihoux, 2006). Schneider & Rohlfing (2016) defined conjunctural causation as when "multiple conditions occur together for producing the outcome" (p. 530).

This research is presented alongside the alarming increase in cyber incidents caused by human behaviors within the small business space. This paper responds to the study of Ncubukezi, Mwansa, and Rocaries (2021), explaining that human-generated mistakes should be acknowledged when planning and implementing best practices to promote good cyber hygiene. The current work examines human errors fuelled by actions, attitudes, and behaviors that have emerged recently as a serious concern and as a door to increased ransomware attacks on organizations. This paper further presents the common types of human errors, their impact, and vulnerability mitigation strategies to improve the overall security of information processing, as well as the different types of ransomware attack over the years, and lastly provides a possible solution for reducing human error by educating users and small businesses about phishing links.
Cybersecurity has many dimensions – cyberspace, information security, human factors, and computer security – which necessitates that organizations identify loopholes and protect themselves from various cybercriminals (Ncubukezi & Mwansa, 2021).

1.2 PROBLEM STATEMENT

The two main themes of this research are ransomware and human error: the relationship between both, and reducing human error in a bid to mitigate ransomware attacks. The research problem that this study addressed is that human error is one of the major causes of ransomware attacks, and phishing links and social engineering are the most common ways attackers use to gain access to organizational data. The problem set of human error is not new, and Reason (1990) defined human error as “a generic term to encompass all those occasions in which a planned sequence of mental or physical activities fails to achieve its intended outcome, and when these failures cannot be attributed to the intervention of some chance agency” (p. 9). Human error has been examined broadly in the literature, mostly on the topics of cybersecurity, aviation (Miller, 1976; Miranda, 2018; Shappell et al., 2007), space exploration (Boring et al., 2019; Maluf et al., 2005), nuclear reactors, and others (Reason, 1990). Human errors are inevitable. Humans are not perfect in their activities, and errors are often necessary for human evolution when negative consequences are minimized, for benefits that include “learning, adaptation, creativity, and survival” (Senders & Moray, 1991, p. 37). In addition, some errors are acceptable depending on the risk to the organization and the user (Abdolrahmani et al., 2017; Zimmerman & Renaud, 2019). The Local Rationality Principle states that people do reasonable things given their goals, knowledge, and focus of attention (Dekker, 2006).
However, high levels of knowledge, skills, and abilities are the critical cornerstone for ensuring a high level of competency, or a lower level of human error, during one’s operations (Carlton & Levy, 2017).

1.3 AIM AND OBJECTIVES

The main aim of this research study is to employ an awareness platform to educate organizations and end-users about ransomware attacks delivered via phishing links, to use the platform to communicate recent attacks and possible ways to mitigate them to users, and to keep users updated on newly detected scams and how to mitigate them.

Objectives

This research study had four specific objectives:
1. To use a cyber security awareness platform (CAP) to educate users on unintended disclosure, system misconfiguration, social engineering, and poor cyber security hygiene as identified in the largest data breaches.
2. To simulate a phishing attacker.
3. To update organizations and end-users on the latest cyber news, which will enable them to update their security systems and avoid becoming a victim of any upcoming attack.
4. To create a community where users can interact about their experiences of recent attacks.

1.4 DEFINITION OF TERMS

Awareness: the state of knowing something, such as the awareness that the sun comes up every morning.
Cyber security: the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks.
Cyber-attack: a malicious and deliberate attempt by an individual or organization to breach the information system of another individual or organization.
Cyber terrorism: any premeditated, politically motivated attack against information systems, programs and data that threatens violence or results in violence.
Cyber-security Performance Influencing Factors (CS-PIF): a term coined in this research to reference performance influencing factors that contribute to human error in cyber security contexts (Groth, 2009).
Generic Error-Modelling System (GEMS): a conceptual framework “within which to locate the origins of the basic human error types” (p. 53), which are skill-based slips (and lapses), rule-based mistakes, and knowledge-based mistakes (Reason, 1990). The structure was “derived in large part from Rasmussen’s skill-rule-knowledge classification of human performance” (Reason, 1990, p. 53).
Human error: “a generic term to encompass all those occasions in which a planned sequence of mental or physical activities fails to achieve its intended outcome, and when these failures cannot be attributed to the intervention of some chance agency” (Reason, 1990, p. 9).
Human Reliability Analysis (HRA): “Formal qualitative analysis and quantification methods available for use as part of Probabilistic Risk Assessments (PRAs) in modeling risk in Nuclear Power Plants (NPPs)” (p. 1); more generally, modelling human error (Whaley et al., 2016).
Knowledge-Based Mistake (KBM): a lack-of-knowledge failure that occurs during knowledge-based performance “in novel situations where the solution to a problem has to be worked out on the spot without the help of preprogrammed solutions” (Reason, 1995, p. 81).
Knowledge-Based Performance (KBP): “During unfamiliar situations, faced with an environment for which no know-how or rules for control are available from previous encounters, the control of performance must move to a higher conceptual level, in which performance is goal-controlled” (Rasmussen, 1983, p. 259).
Malware: short for “malicious software,” refers to any intrusive software developed by cybercriminals (often called “hackers”) to steal data and damage or destroy computers and computer systems.
Phishing: a type of social engineering attack often used to steal user data, including login credentials and credit card numbers.
Ransomware: a type of malicious software, or malware, that prevents you from accessing your computer files, systems, or networks and demands that you pay a ransom for their return.
Rule-Based Performance (RBP): a problem-solving activity “typically controlled by a stored rule or procedure which may have been derived empirically during previous occasions, communicated from other persons’ know-how as instruction or a cookbook recipe, or it may be prepared on occasion by conscious problem solving and planning” (Rasmussen, 1983, p. 259).
Skill-Based Error (SBE): failures during skill-based performance, termed slips (failure of action) and lapses (failure of memory) (Reason, 1995).
Skill-Based Performance (SBP): “Sensory-motor performance during acts or activities which, following a statement of an intention, take place without conscious control as smooth, automated, and highly integrated patterns of behavior” (Rasmussen, 1983, p. 258). SBP occurs during routine and familiar activities where there are no problems identified (Reason, 1990).
Skill-rule-knowledge framework: Jens Rasmussen’s (1983) categorization, in which the “three levels of performance correspond to decreasing levels of familiarity with the environment or task” (Reason, 1990, p. 43).
1.5 LIST OF ACRONYMS

Cybersecurity Awareness Platform (CAP)
Cybersecurity Performance Influencing Factors (CS-PIF)
Fuzzy-set Qualitative Comparative Analysis (fsQCA)
Generic Error-Modelling System (GEMS)
Human Event Repository and Analysis (HERA)
Human Reliability Analysis (HRA)
Knowledge-Based Mistake (KBM)
Knowledge-Based Performance (KBP)
Performance Influencing Factor (PIF)
Qualitative Comparative Analysis (QCA)
Rule-Based Mistake (RBM)
Rule-Based Performance (RBP)
Skill-Based Error (SBE)
Skill-Based Performance (SBP)
Technique for Human Error-Rate Prediction (THERP)

CHAPTER TWO
LITERATURE REVIEW

2.1 INTRODUCTION

This chapter reviews the literature on ransomware protection, which spans the discipline of cybersecurity. First, ransomware is defined, explained, and dissected. Second, human error is defined, dissected, and explained from a psychological perspective. Finally, the role of human error in a ransomware attack is explained. Due to the nature of this research, the literature review criteria had to be expanded in time and academic discipline. Some of the constructs and their influence on human error were recognized from the safety literature, but are not always recognized in the cybersecurity literature as tied to human error in cybersecurity contexts. The two main themes of this research are ransomware and human error: the relationship between both, and reducing human error in a bid to mitigate ransomware attacks.

Cybersecurity is the means of defending computers, servers, IoT devices, networks, and data from malicious attacks. Another name for cybersecurity is information technology security. Since the introduction of the computer, cyberattacks have been a major problem faced by organizations and individuals over the years, and the rate of cyberattacks has increased exponentially. The first recorded cybercrime took place in the year 1820 and involved a man named Joseph Marie Jacquard.
In 1820, Joseph Marie Jacquard, a textile manufacturer in France, produced the loom. This device allowed the repetition of a series of steps in weaving special fabrics. This brought about fear amongst Jacquard's employees that their traditional employment and livelihood were being threatened. They committed sabotage to discourage Jacquard from further using the new technology. This was the first cybercrime ever recorded. Accordingly, cybersecurity concerns are pervasive in contemporary discussions of and research about technology. Much emphasis is focused on technological solutions to cyber security concerns, often at the expense of considering important human issues in both creating and ameliorating cyber security vulnerabilities.

As companies around the world continue to expand their businesses and IT infrastructure by adding more devices and increasing connectivity across their organizations, their volumes of data requiring 24x7 monitoring also continue to grow. That can increase an organization’s vulnerability by making it even more difficult to develop and deploy effective measures to fend off cyberattacks, but at the same time, such growth creates enormous quantities of data on security events. It also presents us with the challenge of understanding what all that data means and deciding what to do about it (IBM Security Services, 2014).

2.2 HUMAN ERROR

As noted, most data breaches are caused by human error, and human error is the result of failure in human performance. Human error can never be exclusive to cybersecurity, though, as a great deal of research has been done on human factors (Rasmussen, 1983), psychology (Reason, 1990), and human reliability analysis (Evans et al., 2019; French et al., 2011).
Interest in these fields is warranted because human error had caused, as of the time of their publication, over 90% of failures in the nuclear industry (Reason, 1990); over 80% of failures in the chemical and petrochemical industries, over 75% of marine casualties, and over 70% of aviation accidents (French et al., 2011).

2.2.1 Human Performance

Rasmussen (1983) distinguished three levels of human performance: skill-based, rule-based, and knowledge-based performance. Skill-Based Performance (SBP) is performed during routine activities and does not involve conscious attention or control. Rule-Based Performance (RBP) is performed consciously, is goal-oriented, and is accomplished using stored rules or procedures (acquired previously or provided). Knowledge-Based Performance (KBP) is performed consciously during unfamiliar situations, is goal-oriented, and is accomplished using higher-level decision-making. French et al. (2011) recognized that human behavior is complex and influenced by internal and external factors; this underpins their position that terminology such as “error” in HRA is invalid, as errors are socially defined. In other words, the employee or user more often than not committed a reasonable action given the internal and external condition influences (PIFs) and context that led to the unreasonable outcome. French et al. (2011) provided the example of the Three Mile Island accident in 1979, “where the formation of a hydrogen bubble which forced down cooling water exposing the core” (p. 758) was unanticipated and unprecedented in reactor designs; the operators behaved and executed as best as they could, given the circumstances. Compare this to potential cybersecurity lapses where an effective zero-day social engineering tactic is used against a well-intentioned and security-aware user.

2.2.2 Human Error in Cybersecurity

Human errors in cybersecurity are actions or events that result in a data breach.
These errors largely result from a lack of awareness, negligence, or inappropriate access control. Regardless of the reason, the cost of human errors adds up. According to IBM, the average cost of data breaches from human error stands at $3.33 million. That’s a big expense that most SMEs can’t afford. Human error, however, is not so easy to resolve. You can’t simply replace a ‘faulty’ workforce the way you could a faulty software product. There’s always a reason why humans make errors. The key is to understand why the errors were made and to find ways to avoid similar situations in the future.

Human error has been studied in several areas, such as environmental design, health care, and also cybersecurity (Human Factors and Ergonomics Society, 2021). Great attention to human factors has been devoted to the domain of aviation. The Dirty Dozen proposed by Dupont refers to twelve of the most common errors in maintenance activities due to specific human factors (Gordon Dupont, 1997); these errors are reported in the aviation domain as possible causes of accidents or incidents. However, there is neither a concise list of human factors within cybersecurity, nor a definitive description of relevant human factors. Thus, we have chosen to utilize the list outlined by Dupont, as we consider it a valid basis for our investigation:

Lack of Communication: people not communicating with each other within a working and/or online environment.
Complacency: a feeling of self-confidence that can lead to a lack of awareness of potential dangers.
Lack of Knowledge: not having specific knowledge and enough experience, which can lead to poor decisions.
Distraction: when a user’s attention has been taken away from the task that they are required to do.
Lack of Teamwork: not providing enough support towards a group of people, co-workers, etc., who rely on your support.
Fatigue: a physiological reaction resulting from prolonged periods of work and stress.
Lack of Resources: not having enough resources (e.g., time, tools, people, etc.) to complete a task.
Pressure: pressure to meet a deadline interferes with our ability to complete tasks correctly.
Lack of Assertiveness: not being able or allowed to express concerns or ideas.
Stress: acute and chronic stress from working for long periods or other demanding issues such as family or financial problems.
Lack of Awareness: not being aware of what happens in the surrounding (working or online) environment, often leading to an unconscious disconnection from what others are doing.
Norms: workplace practices that develop over time, which can then influence other behaviors.

Even though publications on human factors within cybersecurity have been gaining momentum in recent times, a wider picture to understand the current state of human factors within cybersecurity is still missing. This research is a contribution in this direction, since it analyzes human error in relation to a specific type of cybersecurity attack, namely ransomware.

2.3 RANSOMWARE

Ransomware is a type of malware designed to facilitate different nefarious activities, such as preventing access to personal data unless a ransom is paid (Khammas, 2020; Komatwar & Kokare, 2020). The ransom is typically paid in a cryptocurrency like Bitcoin, which makes it difficult to track the recipient of the transaction and is ideal for attackers seeking to evade law enforcement agencies (Kara & Aydos, 2020; Karapapas, Pittaras, Fotiou & Polyzos, 2020). There has been a surge in ransomware attacks in the past few years. For example, during the ongoing COVID-19 pandemic, an Android app called CovidLock was developed, ostensibly to monitor heat map visuals and statistics on COVID-19 (Saeed, 2020). The application tricked users by locking user contacts, pictures, videos, and access to social media accounts as soon as they installed it. To regain access, users were asked to pay some ransom in Bitcoin; otherwise, their data would be made public (Hakak et al., 2020c).
Another notorious example of ransomware is the WannaCry worm, which spread rapidly across many computer networks in May 2017 (Akbanov, Vassilakis & Logothetis, 2019; Mackenzie, 2019). Within days, it had infected over 200,000 computers spanning 150 countries (Mattei, 2017). Hospitals across the U.K. were knocked offline (Chen & Bridges, 2017); government systems, railway networks, and private companies were affected as well (Cosic et al., 2019).

Ransomware is considered one of the most dangerous variants of malware. This is primarily because it doesn’t even require much user interaction for privilege escalation. Even the usage of industry-standard tools and technologies has not been able to contain the wrath of ransomware. Once ransomware infects the device, it becomes impossible for the victim to access the files. Because the ransom is paid using cryptocurrency, there is no way to track the perpetrators of the ransomware attacks. Ransomware can be categorized into three main forms: locker, crypto, and scareware (Gomez-Hernandez, Alvarez-Gonzalez & Garcia-Teodoro, 2018; Kok, Abdullah, Jhanjhi & Supramaniam, 2019). Scareware may use pop-up ads to manipulate users into assuming that they are required to download certain software, thereby using coercion techniques to get malware downloaded. In scareware, the cyber crooks exploit fear rather than locking the device or encrypting any data (Andronio et al., 2015). This form of ransomware does not do any harm to the victim’s computer. The aim of locker ransomware is to block primary computer functions. Locker ransomware may encrypt certain files, which can lock the computer screen and/or keyboard, but it is generally easy to overcome and can often be resolved by rebooting the computer in safe mode or running an on-demand virus scanner (Adamu & Awan, 2019). Locker ransomware may allow limited user access. Crypto ransomware encrypts the user’s sensitive files but does not interfere with basic computer functions.
Unlike locker ransomware, crypto ransomware is often irreversible, because modern ciphers such as AES and RSA cannot be broken when implemented properly (Gomez-Hernandez, Alvarez-Gonzalez and Garcia-Teodoro, 2018; Nadir and Bakhshi, 2018). The table below lists a few popular ransomware families. Crypto ransomware can use one of three encryption schemes: symmetric, asymmetric or hybrid (Cicala and Bertino, 2020). A purely symmetric approach is problematic because the encryption key must be embedded in the ransomware itself (Dargahi et al., 2019), so anyone who reverse engineers a sample can recover the key and decrypt without paying. The second approach is to use asymmetric encryption alone. Its drawback is that asymmetric encryption is slow compared to symmetric encryption and therefore struggles with large files (Bajpai et al., 2018). The hybrid scheme, which encrypts the files with a symmetric key and then encrypts that key with the attacker's public key, avoids both problems and is described in section 2.3.2.1.

According to Sophos (2020), almost 51% of organisations worldwide were hit by ransomware attacks in 2020. These attacks used advanced command and control servers, making them challenging to reverse engineer. Among the countries studied in the report, India was affected the most, with almost 82% of organisations hit. Netwalker is one of the newest and most dangerous ransomware strains (AH et al., 2021). Its reach comes from its propagation method: phishing emails themed on COVID-19 lure the victim into downloading attachments, which execute portable binaries and infect the system. In February 2021, Zeoticus 2.0, successor to the infamous Zeoticus strain, was released. Zeoticus 2.0 has raised the stakes, since it is proving extremely hard to control and mitigate: it can execute completely offline, without any command and control server. To receive ransom payments, Zeoticus uses encrypted ProtonMail accounts to evade tracing.
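The three key-management choices just described, and the hybrid combination that section 2.3.2.1 details, are easiest to see side by side in code. The Go program below is an added example written for this review; it is not code from any ransomware family or from the cited papers. It implements the hybrid envelope with AES-256-GCM and RSA-OAEP from the Go standard library, and beside it the purely symmetric design with a hard-coded key. The attacker key pair, the sample document and the constant EmbeddedKey are constructed assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what the hybrid scheme leaves on disk: the file under a fresh
// AES-256-GCM key, the nonce, and that key wrapped with the attacker's RSA
// public key. The AES key itself is never stored in clear.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func sealGCM(key, plaintext []byte) (nonce, ct []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

func openGCM(key, nonce, ct []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

// SealHybrid encrypts any amount of data under a random 32-byte key and then
// wraps only that key with RSA-OAEP, so the slow operation happens once.
func SealHybrid(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	nonce, ct, err := sealGCM(key, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenHybrid is the step a victim cannot perform: unwrapping needs the RSA
// private key, which stays with the attacker and is in neither the envelope nor the program.
func OpenHybrid(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return openGCM(key, env.Nonce, env.Ciphertext)
}

// EmbeddedKey models the purely symmetric design criticised in the text: the
// key ships inside the program, so whoever can read the binary has it. Constructed constant.
var EmbeddedKey = []byte("0123456789abcdef0123456789abcdef")

// OpenEmbedded is what a reverse engineer writes after lifting the constant.
func SealEmbedded(plaintext []byte) ([]byte, []byte, error) { return sealGCM(EmbeddedKey, plaintext) }
func OpenEmbedded(nonce, ct []byte) ([]byte, error) { return openGCM(EmbeddedKey, nonce, ct) }

// NewKeyPair stands in for the attacker's one-off key generation; only the public half would ship.
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func main() {
	priv, _ := NewKeyPair()
	doc := []byte("constructed sample: contents of quarterly-report.xlsx")
	env, _ := SealHybrid(&priv.PublicKey, doc)
	back, _ := OpenHybrid(priv, env)
	nonce, ct, _ := SealEmbedded(doc)
	back2, _ := OpenEmbedded(nonce, ct)
	fmt.Println("hybrid round trip:", string(back) == string(doc), "| embedded key, no secret needed:", string(back2) == string(doc))
}
```

Running it shows that the envelope opens only with the matching private key (any other key fails at the OAEP unwrap), while the embedded-key variant opens with nothing but the constant that a reverse engineer lifts from the binary. That asymmetry, with the private key kept off the victim's machine, is what leaves paying or restoring from backup as the only recovery paths in practice.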
The history of ransomware dates back to the late 1980s. The first ransomware, the AIDS (Acquired Immunodeficiency Syndrome) Trojan, was released via floppy disk. The AIDS Trojan counted the number of times the computer was started, and once this count reached 90 all of the files were encrypted. The only way to use them again was to pay a ransom of $189 (Kalaimannan et al., 2016). In the early days, ransomware authors attacked victims to showcase their technical prowess. It was not until the early 2000s, as data gained primacy, that cybercriminals began to exploit users for financial gain. In 2004, a ransomware strain named GPCode was released. GPCode infected Windows machines via e-mail attachments and used a 660-bit RSA key to encrypt files and folders (Bodkhe et al., 2021; Emm, 2008). Since then, ransomware families like WannaCry, Cerber and Petya have evolved and caused monetary damage worth billions of dollars.
Ransomware evolution and trends

Year  Family        Characteristics
1989  AIDS Trojan   Spread via floppy disk; used symmetric cryptography; monitored the boot-time count
2004  GPCode        Spread via phishing emails; used asymmetric cryptography; encrypted the 'My Documents' directory
2012  Reveton       Spread via an outdated plugin; used symmetric cryptography; used an unstoppable DLL
2013  Cryptolocker  Spread via phishing emails; used asymmetric cryptography; encrypted the 'My Documents' directory
2014  Syeng         Spread via email attachments; used asymmetric cryptography; payload added itself to registry entries via a bypass
2015  Encoder       Spread via a backdoor in the Magento CMS; used symmetric cryptography; payload replicated itself into every directory with SUID permission
2016  KeRanger      Spread via a flaw in BitTorrent software; used asymmetric cryptography; bypassed Gatekeeper to infect the system with a .RTF file
2017  WannaCry      Spread via a flaw in the SMB server; used asymmetric cryptography; used the DoublePulsar backdoor to lock the registry
2020  Netwalker     Spread via COVID-19 advisory emails; used asymmetric cryptography; used a VB script for UAC bypass

Despite adopting sophisticated cyber security technology, one simple human error is all it takes for the door to your organisation to be flung wide open to cyber criminals. Yet organisations repeatedly neglect investing in human-factor cybersecurity. It is an oversight that can leave an organisation exposed to a range of serious cyber breaches.

2.3.1 Ransomware Sources

Ransomware propagates primarily because of a lack of cyber hygiene at the individual level. Cyber hygiene refers to all aspects of online safety (Maennel et al., 2018), including browsing behaviour, availability and consistent updating of antivirus software, installing third-party software, and user awareness. Cyber hygiene must be practised to keep ransomware and other strains of malware away.
Despite improving security standards and protocols, ransomware families have managed to penetrate the defences of organisations, governments and individual users. Some of the main sources of ransomware include:

Email Attachments: Email attachments usually contain Portable Document Format (PDF) documents, voicemails, images, e-invites and the like. Attackers embed malicious content in these attachments, sometimes hiding it with steganographic techniques. Ransomware perpetrators use techniques that make an email look as though it was sent from a trusted and known sender, and various tools are available through which attackers with no technical knowledge can craft malicious emails.

Removable Media: Removable media is not considered an entry point for ransomware by many. However, Tischer et al. (2016) conducted a study revealing that people are genuinely intrigued by what might be on a random Universal Serial Bus (USB) drive found in a public place. Many organisations that did not disable USB ports have been hit by ransomware through this route (Lee, 2017).

Malvertising: Malvertising (Sood and Enbody, 2011) is the organised practice of infecting the advertising infrastructure that websites use to display online advertisements. It has proved to be another popular technique for infecting systems with ransomware, and has compromised systems even through browsing trusted sites such as British Broadcasting Corporation (BBC) News, America Online (AOL) and Microsoft Network (MSN) (Hernandez et al., 2017). A malicious advertisement redirects the browser to an exploit kit such as Angler, Magnitude or Nuclear, which exploits a browser or plugin vulnerability to install the payload without any click from the user (Mansfield, 2016; Hathaliya et al., 2019).

Social Media & SMS: This type of ransomware propagation falls under the category of social engineering, where the victim is lured into clicking links that they should not.
Attackers use Uniform Resource Locator (URL) shortening to obscure the original link. Users with poor cyber hygiene are lured into clicking these links. Sometimes users also receive SMS messages that convey urgency and pressure them into clicking (Salvi and Kerkar, 2016).

Ransomware as a Service: Like other hosting services on the dark web that offer anonymity, Ransomware-as-a-Service (RaaS) has emerged as a marketplace through which attackers with insufficient programming skills can easily deploy ransomware. RaaS providers either take a cut of the ransom or charge service usage fees.

2.3.2 Types of Ransomware

There are two prevalent types of ransomware, known as crypto ransomware and locker ransomware.

2.3.2.1 Crypto Ransomware

Crypto ransomware encrypts the victim's data using one of two approaches. With a symmetric algorithm, there is just one key, used for both encryption and decryption. The second and more prevalent approach is an asymmetric algorithm: the data is encrypted with a public key, and the victim can only get it back with the corresponding private key, which the attacker sells as the "decryption key" (Yaqoob et al., 2017). Over the years, attackers have made it harder for reverse engineers to decrypt the data without paying the ransom. Attackers now combine symmetric and asymmetric algorithms to make decryption more challenging: the victim's data is encrypted with a symmetric algorithm because of its speed (Simmons, 1979; Yassein, 2017), and the symmetric key is then encrypted with a public key whose private half only the attacker holds (Bajpai et al., 2018).

2.3.2.2 The Role of Cryptocurrencies in Ransomware Attacks

In the early days of ransomware, attackers would demand money by direct bank deposit or via money transfer agencies. These methods of payment could be traced back to the attacker.
Since the emergence of cryptocurrencies, ransomware attacks have exploded. This is largely because cryptocurrencies offer pseudonymity: payments go to an address rather than to a named account holder. Cryptocurrencies thus enable ransomware which, instead of a direct one-to-one payment, uses a third-party payment channel so that the risk of being traced is minimised. The first ransomware that proved really strong both in maintaining anonymity and in its use of a well-built encryption algorithm was CTB-Locker. CTB stood for Curve, The Onion Router (Tor) and Bitcoin: it used elliptic curve cryptography to encrypt the data, the Tor protocol for anonymous communication between victim and attacker, and Bitcoin as the payment method so that the transfer would not be traced [23]. Usually, when a cryptocurrency is set up as the payment method, the attacker passively watches the blockchain, the public ledger underlying the cryptocurrency, to check whether the ransom has been paid. Once the payment is seen, delivery of the decryption key to the victim can be automated. This puts the theory of anonymity and untraceability into practice. Cryptocurrencies also play an important role in the distribution of ransomware via the dark web: script kiddies use RaaS platforms to buy customised strains from exploit developers. Evidence suggests that most ransomware families, WannaCry among them, have been successful because of the untraceability that cryptocurrencies give cybercriminals.

Researchers, cyber-security firms and government agencies have studied all aspects of ransomware propagation and operation and devised combat techniques. Although a few of these were adopted by organisations and governments, most of the frameworks have not proved successful in practice.
This is because security is multi-dimensional, encompassing network security, data security, application security and, finally, individual cyber hygiene practices.

2.3.3 Locker Ransomware

As the name indicates, locker ransomware locks the device instead of encrypting the files and folders. Upon infection, the victim is prevented from accessing the device, but the data inside is untouched. This type of ransomware is less effective than crypto ransomware, because the data can still be accessed by moving the storage device to another computer (Savage et al., 2015).

Result: after the final stage of the attack, it is up to the user whether or not to pay the ransom, and there are three possible outcomes. If the victim pays, they are (in principle) provided with a decryption key to regain access to their devices. Alternatively, a victim with strong technical skills, or with the help of reverse engineers, may reverse the ransomware's operation and get the files back. The third outcome arises when the victim is unable to pay and has no usable backup: this results in permanent damage and complete loss of data.

2.4 STATISTICS ON HUMAN ERROR IN RANSOMWARE ATTACKS

2.4.1 Human Errors and Violations

Following Rasmussen's (1983) Skill, Rule and Knowledge (SRK) based performance framework, Reason (1990) developed the Generic Error Modelling System (GEMS), which ties the three levels of human performance to human error. Skill-Based Errors (SBE) occur during periods of skill-based performance (SBP). SBE can be separated into slips and lapses: a slip is a failure of action (Norman, 1981) and a lapse is a failure of memory (Reason, 1990). Rule-Based Mistakes (RBM) occur during rule-based performance (RBP), when the actor misapplies a good rule or applies a bad rule. Knowledge-Based Mistakes (KBM) occur during knowledge-based performance (KBP) and result from a lack of expertise. The fourth departure from desired human performance is violations.
While SBE, RBM and KBM are committed because of faulty information and cognitive processing, violations are deliberate acts, in a social context, that go against governing policies and procedures (Reason et al., 1990). Violations can be deliberate but non-malicious (Kraemer & Carayon, 2007). Cybersecurity human error can occur at all levels of the organisation, from the end user and the system administrators to the policy makers and management that set corporate strategy and guidance. An end user may engage in unsafe web browsing at work that leads to inadvertent actions resulting in malware or a data breach (Goode et al., 2018). This consequence may have been the result of an (ill-advised) violation of policy. Some users make a rationalised decision to violate organisational IT policies in ways that put the system at risk (Barlow et al., 2013; Gcaza et al., 2017; Siponen & Vance, 2010). The user's intention may not be malicious but rather to circumvent the policies to achieve a positive business outcome (Vance & Siponen, 2012). The policy by itself may not be sufficient to secure compliance; it works in conjunction with training or education that explains why the policy is in place.

Other examples of human error are not so clear-cut, or not so easily identifiable as to which error type they are. For instance, an experienced network engineer setting up a new network may inadvertently open a security hole in the network configuration by committing an SBE, RBM or KBM, depending on the circumstance or context: the engineer may have been distracted and misconfigured the switch (SBE) or inexplicably forgotten to save the configuration (SBE); followed a bad procedure (RBM); or lacked the experience to configure the switch properly (KBM) (Pollini et al., 2021; Stanton et al., 2005). Configuration mistakes can leave security applications, systems or network boundaries vulnerable (Ahmed et al., 2012; Pollini et al., 2021).
In the safety industry, human reliability analysis helps in understanding the problem of human error.

2.4.2 Phishing

Cybersecurity attacks can succeed because users are not aware of their vulnerabilities and because of their lack of knowledge about consequences and risks. With social media users tending to share much of their lives online, it is significantly easier for attackers to gather information about users and use it to "convince" them that their identity and intentions are legitimate. Phishing is one of the most effective cyber-attacks. Various authors define phishing in slightly different ways; this work adopts the definition proposed by Lastdrager in his literature survey on phishing attacks (Lastdrager, 2014), where phishing is defined as "a scalable act of deception whereby impersonation is used to obtain information from a target". A phishing attack usually consists of sending a message (e.g., an email) which appears to come from a reputable organisation (e.g., a bank), sounds urgent, claims to enclose important information, and invites the victim to open a website that is a clone of the original one (e.g., a clone of their own bank's website). In the message, the victim is invited to provide personal information on the website, for example by logging in to update their profile. In most cases, victims are unlikely to check or question the website's validity; they open it and provide the requested information, which is stolen by the attackers, who can then use it, for example, to access the victim's bank account and steal their money. Phishing is often successful because of the vulnerabilities of users, namely human factors related issues.
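The message anatomy just described (a borrowed brand, urgency, and a link whose visible text does not match its real target) can be checked mechanically. The Go program below is an added example written for this review rather than code from the cited surveys: it parses a raw email with the standard library and reports which of those indicators are present. The trusted-domain list, the urgency phrases and both sample messages are constructed for the example; a deployment would take the first from the organisation's own mail configuration and tune the second against real traffic.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

// trustedDomains maps domains users legitimately deal with to the brand name used by those senders (constructed).
var trustedDomains = map[string]string{"examplebank.com": "Example Bank"}

// urgencyPhrases are the pressure cues described in the text above.
var urgencyPhrases = []string{"urgent", "immediately", "suspend", "within 24 hours", "verify your"}

// anchorRe captures each HTML link's real target (group 1) and its visible text (group 2).
var anchorRe = regexp.MustCompile(`(?is)<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)

// hostOf returns the lower-cased host of a URL without a leading "www.", or "" for non-URL text.
func hostOf(s string) string {
	u, err := url.Parse(strings.TrimSpace(s))
	if err != nil {
		return ""
	}
	return strings.TrimPrefix(strings.ToLower(u.Hostname()), "www.")
}

// lookalike reports whether host imitates a trusted domain without being one
// (digits swapped for letters, extra hyphenated words, brand buried in a longer name).
func lookalike(host string) bool {
	for d := range trustedDomains {
		if host == d || strings.HasSuffix(host, "."+d) {
			return false
		}
	}
	norm := strings.NewReplacer("1", "l", "0", "o", "-", "", ".", "").Replace(host)
	for _, brand := range trustedDomains {
		if strings.Contains(norm, strings.ReplaceAll(strings.ToLower(brand), " ", "")) {
			return true
		}
	}
	return false
}

// AnalyzeMessage parses one raw email and returns the indicator codes it
// finds, always in the same order.
func AnalyzeMessage(raw string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	bodyBytes, _ := io.ReadAll(msg.Body) // reading from an in-memory string cannot fail
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, err
	}
	body := string(bodyBytes)
	fromDomain := strings.ToLower(from.Address[strings.LastIndex(from.Address, "@")+1:])
	var flags []string
	if lookalike(fromDomain) {
		flags = append(flags, "lookalike-domain")
	}
	text := strings.ToLower(msg.Header.Get("Subject") + " " + body)
	for _, p := range urgencyPhrases {
		if strings.Contains(text, p) {
			flags = append(flags, "urgency")
			break
		}
	}
	for _, m := range anchorRe.FindAllStringSubmatch(body, -1) {
		// Link text that shows one host while the href goes to another.
		if h, t := hostOf(m[1]), hostOf(m[2]); h != "" && t != "" && h != t {
			flags = append(flags, "link-text-mismatch")
			break
		}
	}
	return flags, nil
}

const PhishSample = `From: "Example Bank Security" <alerts@examp1ebank-secure.com>
Subject: URGENT: your account will be suspended within 24 hours

<p>We detected unusual activity. Verify your identity immediately.</p>
<p><a href="https://examp1ebank-secure.com/login">https://www.examplebank.com/login</a></p>
` // constructed sample, not a real message

const BenignSample = `From: "Example Bank" <alerts@examplebank.com>
Subject: Your monthly statement is available

<p>Your statement for May is ready.</p>
<p><a href="https://www.examplebank.com/statements">View statement</a></p>
` // constructed sample, not a real message

func main() {
	fmt.Println(AnalyzeMessage(PhishSample))
	fmt.Println(AnalyzeMessage(BenignSample))
}
```

The first sample trips all three checks; the second, a legitimate statement notice, trips none. The indicator codes are coarse on purpose: mail gateways layer many such signals with learned weights, as section 3.1.2 describes for Microsoft's classifiers, and none of that removes the need for users to recognise the same cues themselves.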
A phishing attack requires preparation to be successful, which involves studying users, their behaviour and their online posts, and even watching them online to gain knowledge to use in a targeted approach. Attackers also study target websites to improve the effectiveness of their attacks, for example by looking at the schedule on which servers go down for (regular) maintenance, their content, and so on. On one side, knowledge about victims allows attackers to send customised messages; for example, fans of a soccer team may receive an email offering their club's jerseys (in this case, the phishing website aims to steal their credit card information). On the other side, knowledge about target websites can improve the credibility of phishing messages; for instance, if a website has scheduled maintenance, its users may receive an email asking them to unlock their account after the maintenance by clicking on a link and signing in (in this case, the phishing website aims to steal users' credentials). Phishing does not only occur via email. In many cases, users receive fraudulent phone calls or text messages that appear to come legitimately from a company with which the user has an account or service. Some users are unlikely to check or question their validity and unknowingly hand over personal data to scammers, hackers and others with malicious intentions. In addition, in response to continuous updates of defensive solutions against phishing, increasingly sophisticated and diversified attacks appear. A comprehensive overview of the variants of phishing attacks is given by Chiew et al. (2018), who derive a classification of the main components of the attack. This classification first identifies the medium used to start the attack, namely Internet, SMS and voice.
Each medium may use a vector, i.e., the vehicle for launching the attack. Examples of vectors for the Internet are e-mail, eFax, instant messaging (e.g., social network messages) and websites. The last layer of this classification, called technical approaches, lists the technological means available to deploy a phishing attack, for example JavaScript obfuscation, man-in-the-middle and SQL injection. Each vector can exploit one or more of these technical approaches. From this classification it emerges that a phishing attack is complex and can be performed in several ways. This has led to the spread of new terms indicating variations of phishing attacks. Some of the most popular variants are:

Spear-Phishing: the fraudulent practice of sending emails that appear to be from a known or trusted sender, targeted at specific individuals to get them to reveal confidential information.

Vishing: the fraudulent practice of making phone calls or leaving voice messages that appear to be from reputable companies in order to obtain personal information.

SMiShing: also known as SMS phishing; it consists of sending SMS or instant messages to the victim's smartphone. Such messages appear to come from a trusted source (e.g., the victim's bank) and invite the victim to click a link, as in traditional phishing, or even to download an attachment. In the latter case the attachment installs malware such as a rootkit or a backdoor, guaranteeing the scammers access to everything on the device (contacts, email messages, application data, etc.).

Pharming: a scamming practice in which malicious code is installed on a personal computer or server, which in turn misdirects users to fraudulent sites without their knowledge or consent.

A phishing attack succeeds for several reasons. For example, the attacker can gain an advantage by performing reconnaissance about users and/or the company they work for.
This information allows the attacker to communicate with a user using familiar terms or colloquial phrases. As a result, the attacker gains "legitimacy" as someone the user can trust, so users are likely to feel more comfortable with whom they are interacting and subsequently lower their guard. The COVID-19 pandemic has provided the opportunity for more attacks based on users' fear and their working situation (i.e., working from home) (Ellis and Montalbano, 2020).

Figure: A framework reporting the main components of a phishing attack and the relationships among them.

According to data gathered and analysed by Atlas VPN, the number of phishing websites spiked by 250% amid COVID-19 quarantine (John C., 2020), with 18 million scam emails being blocked by Google daily (Tidy, 2020) and thousands of malicious coronavirus-related websites being created daily (John C., 2020). The increase in attacks is echoed by several security experts and companies (Takahashi, 2020). However, while users' knowledge and awareness of phishing and security-related issues should be improved, other human factors issues should be addressed too. For example, high-pressure workplaces (resulting in high levels of Stress) or situations with a strong cultural influence (e.g., Norms) should be considered in the analysis, and approaches to mitigate the risks have to be devised.

Literature reviews and surveys on phishing

The complexity and importance of phishing attacks are demonstrated by steadily growing research activity, framed in different surveys and literature reviews. Although phishing attacks exploit social and psychological aspects of victims, most of the research focuses on technical aspects. In the survey reported in Almomani et al. (2013), the authors evaluated and compared different techniques, focusing on machine learning solutions, to detect phishing emails. In (M.
Khonji et al., 2013), a survey of phishing mitigation techniques is proposed, covering detection, offensive defence, correction and prevention. To the best of our knowledge, that survey is the only one that marginally covers human factors in phishing, as part of the defensive mechanisms. However, as in the other surveys, the emphasis is on technical and procedural aspects. A few literature reviews deal with the topic of human factors in cybersecurity, marginally covering phishing attacks. For example, Zhang and Ghorbani (2020) review papers on human factors and their related issues in cybersecurity and privacy, focusing on big data. In particular, human factors are analysed by considering desktop behaviours, mobile behaviours and online behaviours, and security and privacy issues in daily human practices are identified and used to propose both users' behavioural patterns and solutions to detect abnormal, vulnerable and malicious actions. A literature review on information security culture is presented by Glaspie and Karwowski (2017), together with a framework summarising the human factors that contribute to the security culture of an organisation. Human factors play a central role in phishing attacks, which in recent years have rapidly and dramatically increased in number as well as in effectiveness. However, to date there is no publication that surveys the literature on human factors in phishing attacks; the systematic literature review (SLR) drawn on here aims to remedy this lack. Although phishing attacks are widely recognised as among the most widespread and effective attacks, and human factors play a central role in them, the SLR revealed a lack of systematised knowledge on these topics. Existing surveys and SLRs dealt with phishing attacks from more technical and technological perspectives.
Instead, the SLR, through the analysis of the reviewed papers, provides answers to different research questions and highlights the human errors most exploited by attackers during phishing scams (Lack of Knowledge, Lack of Resources, Lack of Awareness, Norms and Complacency). According to Lena Y. et al. (2020), various efforts have been made to understand the factors that make individuals more prone to becoming victims. Drawing upon Lifestyle Theory and Routine Activity Theory, Agustina (2015) proposes several behavioural and environmental factors that should, in theory at least, elevate the risk of being victimised. In practice, however, as found by Ngo and Paternoster (2011), these theories do not hold up to empirical scrutiny. Our work differs from these previous studies in two ways: first, we look not at cybercrime in general but specifically at ransomware attacks; secondly, this research is not focused only on individual victims but also includes organisations.

Don't become an easy target: be careful what you reveal about your organisation

Targeted attacks were more likely than opportunistic ones to lead to severe consequences in the observed sample. This result is expected, as targeted attacks require a lot of preparation, but the "prize" is much higher:

There is a recent trend of a particular variant of ransomware called BitPaymer, which is seen as a big problem. It seems to me to be much targeted because cybercriminals are making extremely large demands on the businesses, which I have never seen before – £30,000 – so they are clearly much targeted. Cybercriminals know the targets they are going after. (Detective Sergeant, CyberTL)

Such attacks suggest that there is some kind of network reconnaissance behind them, so cybercriminals know what company they are targeting and how much to ask for.

Cybercriminals will say, 'Wait there, your turnover is £400m so you can pay maybe £2m'.
There are victims out there that have paid up to £1,000,000 or even more to get the decryption key. (Detective Constable, CyberBR)

Clearly, such extravagant amounts would have a more severe effect on an organisation than, e.g., the typical £300–500 ransom. In our own sample, one small IT company (VirtOrgD) was asked to pay 75 bitcoins (approximately £352,000 at the time of the attack), a ransom the victim could not afford. After intense negotiations the hackers agreed to reduce the ransom to 65 bitcoins, but it was still too high for VirtOrgD. The victim had no choice but to recover from partial backups. In the first stages of recovery, management was not sure the business would survive the attack, as VirtOrgD was rapidly losing its customer base. Through tremendous efforts of staff and with the help of external specialists, VirtOrgD managed to restore its business, although, inevitably, substantial losses occurred. Similarly, another company (ITOrgJL) was asked to pay 100 bitcoins (approximately £470,000 at the time of the attack). ITOrgJL was able to negotiate the ransom down to 15 bitcoins and recovered using a decryption key provided by the hackers. Since 2013, ransomware has evolved considerably and become much more technically advanced and dangerous. Generation III is substantially more of a menace than Generation II because of its greater contagiousness and ability to self-propagate across infected networks. However, we found that the propagation class of crypto-ransomware by itself had no effect on the severity of crypto-ransomware attacks in the observed sample. Regarding the attack target (i.e., machine vs. human), crypto-ransomware impacts victims equally regardless of the network access method (Lena Y.
et al., 2020)

CHAPTER THREE
EXISTING SOLUTIONS TO RANSOMWARE PROTECTION

3.1 EXISTING SOLUTIONS TO REDUCE HUMAN ERROR IN RANSOMWARE ATTACKS AND IN IT SECURITY IN GENERAL

In Norman's (1983) research on cognitive engineering, "system design principles can be derived from classes of human error" (p. 254). Norman (1983) bases his research on high-level specifications of desired actions, known as intentions. Intentions are broken down into mistakes and slips, which were researched by Liginlal et al. (2009) and Reason (1990). In trying to find the causal factors in an organisation that cause human error to occur, the probability of human error can be measured directly using experimental psychology and human factors engineering (Wood & Banks, 1993). System design and human interaction both play a role in how often human error occurs, particularly when there is a slight mismatch between the system design and the person operating it (Wood & Banks, 1993). One major problem with systems design is that systems are designed for simplicity, which can lead a normally privacy-conscious person to make bad security decisions (Bratus et al., 2008). The system design issue can be addressed through the creation of artefacts through design science (Johannesson & Perjons, 2014). A flexible methodology created by Peffers et al. (2007) consists of a six-step design science research methodology (DSRM). Peffers et al. (2007) found that there was a serious lack of a DSRM in IS research even after 15 years of application of design science in the IS research discipline. According to Johannesson and Perjons (2014), design science is a study of artefacts, like many other scientific disciplines. These artefacts are developed to solve practical problems that people face. From the information systems (IS) perspective, these problems involve systems and the people that operate them.
Design science utilises both qualitative and quantitative research methodologies (Johannesson and Perjons, 2014). According to Maher (2011), even though design is a complicated and complex process that includes formulation, synthesis and analysis, the results can bring value to the processes and the design. Some of the values in design science, according to Niiniluoto (2014), are anecdotal conditions for actions. Niiniluoto (2014) traces design science to the 19th-century applied arts (industrial design) and to design research based on Simon (1996). Some of the world's greatest minds, da Vinci and Aristotle among them, employed some sort of design science in their time (Niiniluoto, 2014). This research points out some existing attacks and ways to prevent them.

3.1.2 Tackling phishing with signal-sharing and machine learning by Microsoft

The following is drawn from a post by the Microsoft Defender Security Research Team dated December 19, 2018. Across services in Microsoft Threat Protection, the correlation of security signals enhances comprehensive and integrated security for identities, endpoints, user data, cloud apps and infrastructure. Microsoft's visibility into the entire attack chain translates to enriched protection that is evident in many different attack scenarios, including flashy cyberattacks, massive malware campaigns, and even small-scale, localised attacks. Phishing is another area where this protection has proven effective. While phishing attacks have been part of the daily hum of cybercriminal activity for years, they remain some of the most prevalent threats to this day. Specialised machine learning-based detection algorithms in Windows Defender ATP zero in on non-executable file types like scripts and document files, which are typically used for phishing and other social engineering attacks. These file-type-specific classifiers are part of the metadata-based ML models that can reach a verdict on suspicious files within a fraction of a second.
Recently, anomaly detection algorithms in Windows Defender ATP next-generation protection pointed to multiple PDF files that only Microsoft detected. These malicious PDF files were blocked by machine learning models that assimilate signals from other components of the protection stack, exemplifying how comprehensive telemetry, signal-sharing and machine learning allow Microsoft to deliver best-in-class security.

Figure: One of several PDF files that only Microsoft was detecting (as Trojan:PDF/Sonbokli.A!cl) at the time it was first observed (Source: https://www.virustotal.com/)

Machine learning-based detection of malicious PDF files used for phishing

Windows Defender ATP uses multiple layers of machine learning models to correctly identify malicious content. Most attacks are caught by the first few layers, which swiftly reach a verdict and protect customers at first sight during the early stages of attacks. More sophisticated attacks may need the more complex classifiers in further layers, which take more time but make sure additional protections catch attacks that evade the first, faster classifiers.

Figure: Multiple layers of machine learning in Windows Defender ATP

To catch malicious PDF files used for phishing and other cyberattacks, Microsoft built and continuously trains machine learning classifiers designed to catch malware in this specific file type. These classifiers inspect file metadata and content for malicious characteristics, and regularly catch PDF files used for phishing. Typical malicious PDF files used for phishing (1) spoof a popular brand, app or service, (2) contain a link to a phishing page, and (3) use the familiar social engineering techniques to convince recipients to click the link.
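A minimal static version of the metadata checks described above, with the URL-reputation enrichment of the next subsection folded in, looks like the Go program below. It is an added example written for this review and has nothing to do with Microsoft's actual classifiers or feature set: it scans raw PDF bytes for automatic actions, embedded JavaScript and link targets, looks each link's host up in a reputation table, and returns a verdict. Both PDF samples and the reputation table are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// reputation stands in for the URL/domain reputation feed described in the
// text (SmartScreen, in Microsoft's case); constructed for this example.
var reputation = map[string]string{
	"login-examplebank.example": "malicious",
	"www.examplebank.com":       "trusted",
}

var (
	// PDF name objects that make a document act on open or run code.
	actionRe = regexp.MustCompile(`/(OpenAction|AA|JavaScript|JS|Launch)\b`)
	// Link targets, whether in /URI actions or inside JavaScript strings.
	urlRe = regexp.MustCompile(`https?://[^\s"'()<>]+`)
)

// Finding is one static feature observed in the file: Feature is "action",
// "link-malicious", "link-trusted" or "link-unknown"; Detail is the token or URL.
type Finding struct {
	Feature string
	Detail  string
}

func lookup(host string) string {
	if r, ok := reputation[strings.ToLower(host)]; ok {
		return r
	}
	return "unknown"
}

// ScanPDF applies metadata-level checks to raw PDF bytes and returns a verdict
// ("block", "suspicious", "clean" or "not-pdf") with the findings behind it.
func ScanPDF(data []byte) (string, []Finding) {
	s := string(data)
	if !strings.HasPrefix(s, "%PDF-") {
		return "not-pdf", nil
	}
	var findings []Finding
	auto, runsCode, malicious, unknown := false, false, false, false
	for _, m := range actionRe.FindAllStringSubmatch(s, -1) {
		findings = append(findings, Finding{"action", "/" + m[1]})
		auto = true
		if m[1] != "OpenAction" && m[1] != "AA" {
			runsCode = true // JavaScript, JS or Launch: executable content
		}
	}
	seen := map[string]bool{}
	for _, raw := range urlRe.FindAllString(s, -1) {
		u, err := url.Parse(raw)
		if err != nil || seen[raw] {
			continue
		}
		seen[raw] = true
		rep := lookup(u.Hostname())
		findings = append(findings, Finding{"link-" + rep, raw})
		malicious = malicious || rep == "malicious"
		unknown = unknown || rep == "unknown"
	}
	switch {
	case malicious || runsCode: // reputation hit or executable content
		return "block", findings
	case unknown || auto: // links nobody vouches for, or automatic actions
		return "suspicious", findings
	}
	return "clean", findings
}

// Constructed, uncompressed PDFs (not real samples); only the parts the
// scanner reads are present.
const PhishPDF = `%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://login-examplebank.example/verify) >> >> endobj
5 0 obj << /S /JavaScript /JS (app.launchURL("https://login-examplebank.example/verify")) >> endobj
%%EOF`

const BenignPDF = `%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.examplebank.com/statements) >> >> endobj
%%EOF`

func main() {
	fmt.Println(ScanPDF([]byte(PhishPDF)))
	fmt.Println(ScanPDF([]byte(BenignPDF)))
}
```

Two caveats matter in practice. Real PDFs usually keep their objects in FlateDecode streams, so a scanner must inflate those (compress/zlib in Go) before string searches like the ones above see anything, and attackers hex-escape name objects (/J#61vaScript), so token matching has to run on the decoded form. The verdict here is a single hand-written policy rule; the layered classifiers in the text replace it with learned weights over many such features plus the reputation signal.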
Enrichment with URL and domain reputation

Through the Microsoft Intelligent Security Graph, we enrich this detection algorithm with URL and domain reputation intelligence from Windows Defender SmartScreen, the technology that powers the anti-phishing technology in Microsoft Edge, as well as the Network protection capability in Windows Defender ATP. Windows Defender ATP queries URL and domain reputation in real time, so any PDF file that contains a known malicious domain or URL is detected by Windows Defender ATP.

Figure: Enriching detection with URL and domain reputation

That is how Windows Defender ATP blocked several PDF files that no other antivirus solution knew were malicious at first sight.

Figure: Sample malicious PDF files blocked by detection algorithms aided by URL and domain reputation

Enrichment with Office 365 ATP intelligence

Windows Defender ATP also integrates with Office 365 ATP. This integration provides rich optics into threats like PDF files that are commonly distributed via email. When Office 365 ATP detects a suspicious file or URL in emails, it uses a detonation platform, heuristics, and machine learning to make a verdict. This verdict is shared with other services in Microsoft Threat Protection. In the case of PDF files, signals from Office 365 ATP enhance Windows Defender ATP's capability to detect and block malicious PDF files on endpoints at first sight, even if they arrive through some other means or if they are observed in environments that don't use Office 365 ATP.

Figure: Enriching detection with URL and domain reputation and with Office 365 ATP intelligence

What happened to Kaspersky?

Kaspersky is an Editors' Choice in the antivirus realm, as is Kaspersky Internet Security in the security suite arena. Kaspersky's malware-fighting technology routinely earns perfect or near-perfect scores from independent antivirus testing labs around the world. This roundup used to include both products.
For years, Kaspersky has faced accusations and censure based on its Russian origins, though none of the accusations have come backed by hard evidence of malicious behavior. The current war in Ukraine has raised the stakes. Governments and third parties are cutting ties with Kaspersky. The FCC labeled Kaspersky a national security risk.

CHAPTER FOUR
GAP IN EXISTING SOLUTION

4.1 GAPS IN EXISTING SOLUTION TO REDUCE HUMAN ERROR AS A FORM OF RANSOMWARE ATTACK

The gaps in the existing solutions to reduce human error as a form of ransomware attack are Lack of Knowledge, Lack of Resources, Lack of Awareness, Norms, and Complacency. There are existing solutions for reducing human error as a form of ransomware attack; below are some platforms that help protect end-users and organizations from ransomware attacks.

Table showing the existing platforms, their pros and cons

Existing platform: Broadcom
About the platform: Broadcom is a security software suite that consists of anti-malware, intrusion prevention and firewall features for server and desktop computers.
Pros: CA PPM is for all types of employees with busy schedules or who cannot work in the office at a certain time. Supports Scrum, Kanban, and other Agile frameworks. It's very important for a PPM tool because Agile Transformation is the top trend. Every PPM tool has to work with both frameworks. CA Clarity's analysis functions are impressive, and give the best clean graphic representations depending on your data. The software, overall, is very feature-rich. Allows users to provide the right amount of detail within the stories and acceptance criteria, from tasks to stories, stories to features.
Cons: It requires too much effort to link stories to features; it's too hard to see the details and requires too much effort to do that. Because it is a feature-rich tool, learning the tool took a while, so training must do so as well. The features are all a little bit hidden. It would be better to improve the UI with UX. License cost is quite high compared with other tools.

Existing platform: KnowBe4
About the platform: KnowBe4 is known as the world's first and largest security awareness training and simulated phishing platform that helps manage the ongoing social engineering problem.
Pros: KnowBe4 gets to tell the percentages of users who click on links and who don't click on links. KnowBe4 gets an overall score or risk score from them. It's already deployed in the cloud, and you don't have to install anything. You just upload your users to the cloud and tweak something if needed.
Cons: Instead of making users go through a video and then asking questions, it could have a video where they click on the scenarios and have to make decisions. It could maybe have something like a live simulation; it would be nice for users. Despite the different languages, there are no Ukrainian and Russian languages.

Existing platform: Cofense
About the platform: Cofense delivers the technology and advanced insight needed to rapidly detect, analyze and auto-quarantine phishing attacks.
Pros: Cofense is email security that eliminates BEC and ransomware.
Cons: Is email security only.

Existing platform: Sophos
About the platform: Sophos is primarily focused on providing security software to 10- to 5,000-seat organizations.
Pros: Sophos develops products for communication endpoint, encryption, network security, email security, mobile security, and unified threat management.
Cons: Sophos does not simulate attacks and also does not provide awareness training.

Existing platform: Hook Security
About the platform: Hook Security is a company that uses psychological security training to help companies create a security-aware culture.
Pros: Hook Security provides the toolkit for any company to create a healthy security-aware culture.
Cons: Hook Security only performs training on how to spot a phishing attack.

Existing platform: Barracuda PhishLine
About the platform: Barracuda PhishLine is an email security awareness and phishing simulation solution designed to protect organizations against targeted phishing attacks.
Pros: The software helps create emails that look exactly or almost exactly the same as the phishing emails we found in our email gateway. The ESS gateway is from Barracuda Networks, and in the TEP bundle this software is included, so it's not that much work to also configure this.
Cons: The software is rather difficult to work with. Lots of options are a little bit "hidden" and are difficult to find. Lots of URLs are blacklisted sometimes. Users are kept in the loop, but changing to other URLs that are not blacklisted is very resource-intensive.

Existing platform: Ironscales
About the platform: Ironscales is a platform that enables business security teams and employees through multi-layered self-learning threat simulation and training.
Pros: The report function through Gmail is probably the most valuable feature. The next most valuable features are
Cons: The integration with Google Suite needs to be better. IRONSCALES has no reminder mechanism.

Existing platform: Proofpoint
About the platform: Proofpoint is a cloud-based training platform that simulates threat scenarios (e.g. phishing) and also provides assessment testing developed by Wombat Technologies, which was acquired by Proofpoint in March 2018.
Pros: Short, quick, easy training videos. PhishAlarm reporting capabilities are excellent. Reporting makes it easy to report metrics on education.
Cons: Integrating reporting from other modules would be helpful. Auto-enrollment is not supported for clicks on data entry and attachment campaigns. Does not translate any custom templates or emails.

Existing platform: Rapid7
About the platform: The Insight Platform gives protectors the tools and clarity they need to assess their attack surface, detect suspicious behavior, and respond.
Pros: Allows users to customize their dashboard with different widgets and different heat maps.
Cons: The main functionality of identifying endpoints that weren't properly patched or had vulnerabilities is the solution's most valuable feature.

Existing platform: PhishLabs
About the platform: IT services and IT consulting. Digital risk protection through curated threat intelligence and complete mitigation.
Pros: PhishLabs provides external threat intelligence, incident response, and security awareness training solutions that mitigate digital risks.
Cons: The technical direction was somewhat reactionary when I worked there, and visionary.

This research has pointed out that there are existing platforms that help in detecting ransomware attacks using phishing links. Some of these platforms provide external threat intelligence, incident response, and security awareness training solutions that mitigate digital risks, but at a high cost for their premium versions. Some platforms do not translate any custom templates or emails, while others have a user interface that is difficult for end-users to navigate. This research tends to provide an automated platform that will report to the security team when a staff member clicks on a malicious link, identify the particular staff member who clicked it, and identify the type of attack the malicious link is about to perform. It will provide a friendly user interface, tell the percentages of users who click on links and who don't click on links, and keep the cost of using its premium version low. The aim of this research is to make the world a secure place by providing powerful tools that send random phishing templates at random times during business hours over a 24-hour period, including weekends, because staff can be asked to work from home; this sending of simulated phishing is to test their knowledge of how to identify malicious links. The other tool is Community Templates, where customers can share successful phishing templates with their peers. This research tends to provide security awareness training that goes from lunchroom to boardroom, and updates users on newly detected malicious attacks.

CHAPTER FIVE
SUMMARY, CONCLUSION AND RECOMMENDATION

5.1 SUMMARY

According to Reason (2019), in trying to find the causal factors in an organization that cause human error to occur, the use of experimental psychology and human factors engineering means the probability of human error can be directly measured (Wood & Banks, 2021).
System design and human interaction both play a role in how often human error occurs, particularly when there is a slight mismatch between the system design and the person operating it (Wood & Banks, 2020). One major problem with systems design is that systems are designed for simplicity, which can lead a normally privacy-conscious person to make bad security decisions (Bratus et al., 2018). This chapter has pointed out that there are existing solutions, and also that there are gaps in the existing solutions to reduce human error as a form of ransomware attack. Lack of Knowledge, Lack of Resources, Lack of Awareness, Norms, and Complacency are some of the gaps the research tends to amend. The main goal of this research study is to employ an awareness platform to educate organizations and end-users about ransomware attacks via phishing links, and also to use the platform to communicate with users about recent attacks and possible ways to mitigate them; lastly, this study will keep users updated on newly detected scams and how to mitigate them.

5.2 CONCLUSION

The very first step in defence against ransomware attacks is to try and prevent them. Understanding how the infection takes place will allow us to develop strategies to prevent the ransomware from entering the system. People are always the weakest link in the security chain and remain the biggest threat. Human error is the first cause of infection. Users should be informed and trained about the risks of opening attachments, visiting unknown websites, and downloading suspicious software. However, even well-trained users do make mistakes, which lead to infection. As spam emails are the most widely used infection vector, email-filtering services need to be put in place to stop malicious emails even before they reach the users. Emails should also be scanned at endpoints so that malicious content or JavaScript present within the email is blocked.
Finally, one useful way to recover from a ransomware attack, or for that matter any other kind of malware infection, is to have a good backup stored on an external device. Maintaining regular backups will enable the user to restore from the point just before the infection happened. It is very important to remove the external device once the backup is finished so as to prevent the ransomware from infecting this backup. If backups are taken at regular intervals, the systems can be restored with little data loss.

5.3 RECOMMENDATION

Cybersecurity and data protection require human buy-in. Otherwise, human error will negate defense-in-depth technology. Addressing the human element of data security requires the following steps.

Cybersecurity awareness training: Training and awareness programs introduce the tenable prospect of threats into your employees' working lives. These programs often provide real-time simulations that demonstrate what a threat can look like, and how employees can react. These, however, are not a 'one and done' deal. Organizations must commit to the continuous education of the workforce, because the threat landscape doesn't just stop evolving when your employees' cybersecurity training is done. Admittedly this type of program takes time and resources, but it can be as simple as a 10-minute commitment a few times a month.

Access rights and privileges: Employees might want continuous access to all of the organization's files; this is a dangerous proposition. By implementing and maintaining policies that restrict file access, you can prevent data theft from the inside. Proactively offer employees access to the files they need to do their jobs well. When employees require access to new files, set a limit on the time they may access these files. File management systems provide these privacy settings, so this level of regulation is accessible to businesses of all sizes.
Require regular data backups: Encouraging employees to regularly back up their data can prevent data loss when disaster strikes. While this may be a hard policy to enforce while employees are working remotely, it remains a best practice. In many instances, devices can be set to back up to the cloud automatically. When relying on cloud storage, remember that ransomware can take control of cloud services. Any data stored in the cloud should also be backed up to an external hard drive from time to time. Data backups ensure that a business can continue to operate, even if resources are taken offline by a ransomware attack.

Encourage good cyber hygiene: Out-of-date or unpatched software can offer attackers a gateway into the organization. Encourage employees to update the software on their devices and to enable all available security features, such as firewalls and anti-malware. It's an easy form of prevention and an important defensive layer.

REFERENCE

Almomani, A., Gupta, B. B., Atawneh, S., & Meulenberg, A. (2013). A survey of phishing email filtering techniques. IEEE Communications Surveys & Tutorials, 15(4), 2070–2090. https://doi.org/10.1109/SURV.2013.030713.00020
AH, A. K., CC, Y. Y., Ping, M., & Zahra, F. (2021). Cybersecurity issues and challenges during COVID-19 pandemic. https://cyber-trust.eu/2021/01/07/cybersecurity-challenges-during-the-covid-19-pandemic/ (accessed 7 July 2022).
Ahmed, M., Sharif, L., Kabir, M., & Al-Maimani, M. (2012). Human errors in information security. International Journal of Advanced Trends in Computer Science and Engineering, 1(3), 82–87.
Agustina, J. R. (2015). Understanding cyber victimization: Digital architectures and the disinhibition effect. International Journal of Cyber Criminology, 9, 35–54.
Aurangzeb, S., Aleem, M., Iqbal, M. A., & Islam, M. A. (2017). Ransomware: A survey and trends. Journal of Information Assurance & Security, 6, 48–58.
Bajpai, P., Sood, A. K., & Enbody, R. (2018). A key-management-based taxonomy for ransomware. In Proceedings of the 2018 APWG Symposium on Electronic Crime Research (eCrime), San Diego, CA, USA, 15–17 May 2018 (pp. 1–12).
Barlow, J. B., Warkentin, M., Ormond, D., & Dennis, A. R. (2013). Don't make excuses! Discouraging neutralization to reduce IT policy violation. Computers & Security, 39, 145–159. https://doi.org/10.1016/j.cose.2013.05.006
Bodkhe, U., & Tanwar, S. (2021). Secure data dissemination techniques for IoT applications: Research challenges and opportunities. Software: Practice and Experience, 51, 2469–2491.
Chiew, K. L., Yong, K. S. C., & Tan, C. L. (2018). A survey of phishing attacks: Their types, vectors and technical approaches. Expert Systems with Applications, 106, 1–20. https://doi.org/10.1016/j.eswa.2018.03.050
Takahashi, D. (2020). Unit 42: Phishing attacks are thriving during the pandemic. VentureBeat. https://venturebeat.com/2020/04/14/unit-42-phishing-attacks-are-thriving-during-the-pandemic/
Montalbano, E. (2020). Top email protections fail in latest COVID-19 phishing campaign. Threatpost. https://threatpost.com/top-email-protections-fail-covid-19-phishing/154329/
Lastdrager, E. E. H. (2014). Achieving a consensual definition of phishing based on a systematic review of the literature. Crime Science, 3(1). https://doi.org/10.1186/s40163-014-0009-y
Emm, D. (2008). Cracking the code: The history of Gpcode. Computer Fraud & Security, 2008(9), 15–17.
Evans, M. G., He, Y., Yevseyeva, I., & Janicke, H. (2019). Published incidents and their proportions of human error. Information & Computer Security, 27(3). https://doi.org/10.1108/ICS-12-2018-0147
French, S., Bedford, T., Pollard, S. J., & Soane, E. (2011). Human reliability analysis: A critique and review for managers. Safety Science, 49(6), 753–763. https://doi.org/10.1016/j.ssci.2011.02.008
Gcaza, N., & von Solms, R. (2017). Cybersecurity culture: An ill-defined problem. In Proceedings of the IFIP World Conference on Information Security Education (pp. 98–109). https://doi.org/10.1007/978-3-319-58553-6_9
Genç, Z. A., Lenzini, G., & Ryan, P. (2017). The cipher, the random and the ransom: A survey on current and future ransomware. In Advances in Cybersecurity. Maribor, Slovenia: University of Maribor Press.
Goode, J., Levy, Y., Hovav, A., & Smith, J. (2018). Expert assessment of organizational cybersecurity programs and development of vignettes to measure cybersecurity countermeasures awareness. Online Journal of Applied Knowledge Management, 6(1), 67–80. https://doi.org/10.36965/OJAKM.2018.6(1)67-80
Dupont, G. (1997). The Dirty Dozen errors in maintenance. In 11th Meeting on Human Factors in Aviation Maintenance and Inspection.
Hathaliya, J. J., Tanwar, S., Tyagi, S., & Kumar, N. (2019). Securing electronics healthcare records in Healthcare 4.0: A biometric-based approach. Computers & Electrical Engineering, 76, 398–410.
Glaspie, H. W., & Karwowski, W. (2017). Human factors in information security culture: A literature review. In International Conference on Applied Human Factors and Ergonomics (pp. 269–280). Springer. https://doi.org/10.1007/978-3-319-60585-2_25
Hernandez-Castro, J., Cartwright, E., & Stepanova, A. (2017). Economic analysis of ransomware. SSRN Electronic Journal, 1–14.
Human Factors and Ergonomics Society (2021). Technical Groups. https://www.hfes.org/Connect/TechnicalGroups (accessed 10 June 2021).
IBM Security Services (2014). 2014 Cyber Security Intelligence Index. https://media.scmagazine.com/documents/82/ibm_cyber_security_intelligenc_20450.pdf
Tidy, J. (2020). Google blocking 18m coronavirus scam emails every day. BBC News. https://www.bbc.com/news/technology-52319093
John, C. (2020). Google registers a 350% increase in phishing websites amid quarantine. Atlas VPN. https://atlasvpn.com/blog/google-registers-a-350-increase-in-phishing-websites-amid-quarantine (accessed 7 July 2021).
Kalaimannan, E., John, S., DuBose, T., & Pinto, A. (2016). Influences on ransomware's evolution and predictions for the future challenges. Journal of Cyber Security Technology, 1, 1–9.
Kok, S., Abdullah, A., Jhanjhi, N., & Supramaniam, M. (2019). Ransomware, threat and detection techniques: A review. International Journal of Computer Science and Network Security, 19, 136.
Khonji, M., Iraqi, M., & Jones, A. (2013). Phishing detection: A literature survey. IEEE Communications Surveys & Tutorials, 15(4), 2091–2121. https://doi.org/10.1109/SURV.2013.032213.00009
Koyon, A., & Janabi, E. (2017, June 6). Social engineering attacks. JMEST. Retrieved October 26, 2021, from https://www.jmest.org/wp-content/uploads/JMESTN42352270.pdf
Kraemer, S., & Carayon, P. (2007). Human errors and violations in computer and information security: The viewpoint of network administrators and security specialists. Applied Ergonomics, 38(2), 143–154. https://doi.org/10.1016/j.apergo.2006.03.010
Lena, Y. C., David, S. Wall, Michael, L., & Bruce, O. (2020). An empirical study of ransomware attacks on organizations: An assessment of severity and salient factors affecting vulnerability. Journal of Cybersecurity, 2020, 1–18. https://doi.org/10.1093/cybsec/tyaa023 (accessed 9 July 2022).
Lee, J. K., Moon, S. Y., & Park, J. H. (2017). CloudRPS: A cloud analysis based enhanced ransomware prevention system. Journal of Supercomputing, 73, 3065–3084.
Maennel, K., Mäses, S., & Maennel, O. (2018). Cyber hygiene: The big picture. In Proceedings of the 23rd Nordic Conference, NordSec 2018, Oslo, Norway, 28–30 November 2018 (pp. 291–305).
Mansfield-Devine, S. (2016). Ransomware: Taking businesses hostage. Network Security, 2016(10), 8–17.
Ngo, F. T., & Paternoster, R. (2011). Cybercrime victimization: An examination of individual and situational level factors. International Journal of Cyber Criminology, 5, 773–793.
Oz, H., Aris, A., Levi, A., & Uluagac, A. S. (2021). A survey on ransomware: Evolution, taxonomy, and defense solutions. arXiv:2102.06249.
Pollini, A., Callari, T. C., Tedeschi, A., Ruscio, D., Save, L., Chiarugi, F., & Guerri, D. (2021). Leveraging human factors in cybersecurity: An integrated methodological approach. Cognition, Technology & Work, 1–20. https://doi.org/10.1007/s10111-021-00683-y
Rasmussen, J. (1983). Skills, rules, and knowledge; signals, signs, and symbols, and other distinctions in human performance models. IEEE Transactions on Systems, Man, and Cybernetics, SMC-13(3), 257–266. https://doi.org/10.1109/TSMC.1983.6313160
Reason, J. (1990). Human error. Cambridge, UK: Cambridge University Press.
Salahdine, F., & Kaabouch, N. (2019). Social engineering attacks: A survey. Future Internet, 11(4), 89. https://www.mdpi.com/1999-5903/11/4/89/html
Salvi, M. H. U., & Kerkar, M. R. V. (2016). Ransomware: A cyber extortion. Asian Journal of Convergence in Technology (AJCT), 2, 1–6.
Savage, K., Coogan, P., & Lau, H. (2015). The evolution of ransomware. Mountain View, CA, USA: Symantec.
Shetty, D. (2017). Social engineering: The human factor. Retrieved October 26, 2021, from https://www.exploit-db.com/docs/english/18135-social-engineering---the-human-factor.pdf
Simmons, G. J. (1979). Symmetric and asymmetric encryption. ACM Computing Surveys (CSUR), 11(4), 305–330.
Siponen, M., & Vance, A. (2010). Neutralization: New insights into the problem of employee information systems security policy violations. MIS Quarterly, 34(3), 487–502. https://doi.org/10.2307/25750688
Sood, A. K., & Enbody, R. J. (2011). Malvertising: Exploiting web advertising. Computer Fraud & Security, 2011(4), 11–16.
Sophos (2020). The State of Ransomware 2020. https://www.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/sophos-the-state-of-ransomware-2020-wp.pdf (accessed 6 July 2022).
Stanton, J. M., Stam, K. R., Mastrangelo, P., & Jolton, J. (2005). Analysis of end user security behaviors. Computers & Security, 24(2), 124–133. https://doi.org/10.1016/j.cose.2004.07.001
Tailor, J. P., & Patel, A. D. (2017). A comprehensive survey: Ransomware attacks prevention, monitoring and damage control. International Journal of Research and Scientific Innovation, 4, 116–121.
Tandon, A., & Nayyar, A. (2019). A comprehensive survey on ransomware attack: A growing havoc cyberthreat. In Data Management, Analytics and Innovation (pp. 403–420). Singapore: Springer.
The Hacker News (2022). Technique to uncover anonymized ransomware sites on Dark Web. https://thehackernews.com/2022/07/researchers-share-techniques-to-uncover.html (accessed 8 July 2022).
Tischer, M., Durumeric, Z., Foster, S., Duan, S., Mori, A., Bursztein, E., & Bailey, M. (2016). Users really do plug in USB drives they find. In Proceedings of the 2016 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, 23–26 May 2016 (pp. 306–319).
Ung, S. T., & Shen, W. M. (2011). A novel human error probability assessment using fuzzy modeling. Risk Analysis: An International Journal, 31(5), 745–757. https://doi.org/10.1111/j.1539-6924.2010.01536.x
Vance, A., & Siponen, M. T. (2012). IS security policy violations: A rational choice perspective. Journal of Organizational and End User Computing, 24(1), 21–41. https://doi.org/10.4018/joeuc.2012010102
Zhang, X., & Ghorbani, A. A. (2020). Human factors in cybersecurity: Issues and challenges in big data. In Security, Privacy, and Forensics Issues in Big Data (pp. 66–96). IGI Global. https://doi.org/10.4018/978-1-5225-9742-1.ch003
Yassein, M. B., Aljawarneh, S., Qawasmeh, E., Mardini, W., & Khamayseh, Y. (2017). Comprehensive study of symmetric key and asymmetric key encryption algorithms. In Proceedings of the 2017 International Conference on Engineering and Technology (ICET), Antalya, Turkey, 21–24 August 2017 (pp. 1–7).