RANSOMWARE PROTECTION (HUMAN ERROR A BID TO MITIGATE
RANSOMWARE ATTACK)
BY
OMITIRAN ADEFIOLA CHRISTIANA
2005022057
SUBMITTED TO
THE DEPARTMENT OF COMPUTER SCIENCE, SCHOOL OF
TECHNOLOGY, LAGOS STATE POLYTECHNIC IKORODU CAMPUS
IN FULFILMENT TO THE AWARD OF HIGHER NATIONAL DIPLOMA
IN COMPUTER SCIENCE LAGOS STATE POLYTECHNIC IKORODU
JANUARY, 2023
CERTIFICATION
This is to certify that this research project was carried out by OMITIRAN ADEFIOLA
CHRISTIANA with Matriculation Number 2005022057 in fulfillment of the
requirements for the award of Higher National Diploma (HND) in the Department of Computer
Science, Lagos State Polytechnic, Ikorodu.
________________________          ______________________
DR. AKANJI WASIU                  DATE
PROJECT SUPERVISOR
_________________________         _______________________
DR. ADERIBIGBE S.O                DATE
HEAD OF DEPARTMENT
DEDICATION
We dedicate this project to Almighty God for His protection and grace on my life throughout
our period of study.
ACKNOWLEDGEMENT
My gratitude goes to God for His guidance and grace on me; if not for Him we might not have got
to this level. May His blessings on me continue to blossom. I also acknowledge our entire family
for their support, both moral and financial; may God continue to bless them and guide them.
My appreciation goes to our ever-supporting supervisor, Mr. Idris Aremu Abiodun, who created time
out of his tight schedule to correct and adjust the project work until it came to a perfect stage. May
God continue to bless you and your family abundantly. I would also like to say a big thank you to all
the other lecturers for their educational support; may God continue to grant them wisdom and
knowledge (Amen).
TABLE OF CONTENTS
Title page .......... i
Certification .......... ii
Dedication .......... iii
Acknowledgment .......... iv
Table of contents .......... v
Abstract .......... vii
CHAPTER ONE
INTRODUCTION
1.1 Background of Study .......... 1
1.2 Problem Statement .......... 8
1.3 Aim and Objectives .......... 9
1.4 Definition of Terms .......... 10
1.5 List of Acronyms .......... 13
CHAPTER TWO
LITERATURE REVIEW
2.1 Introduction .......... 14
2.2 Human Error .......... 15
2.2.1 Human Performance .......... 16
2.2.2 Human Error in Cybersecurity .......... 17
2.3 Ransomware .......... 19
2.3.1 Ransomware Sources .......... 23
2.3.2 Types of Ransomware .......... 24
2.3.2.1 Crypto Ransomware .......... 24
2.3.2.2 The Role of Cryptocurrencies in Ransomware Attacks .......... 25
2.3.3 Locker Ransomware .......... 26
2.4 Statistics on Human Error in Ransomware Attacks .......... 27
2.4.1 Human Errors and Violations .......... 27
2.4.2 Phishing .......... 28
CHAPTER THREE
3.0 Existing Solutions to Ransomware Protection .......... 36
3.1 Existing Solutions to Reduce Human Error in Ransomware Attacks and in IT Security in General .......... 36
3.1.2 Tackling Phishing with Signal-Sharing and Machine Learning by Microsoft .......... 37
3.1.2 Avast Protection .......... 43
CHAPTER FOUR
4.0 Gaps in Existing Solutions .......... 46
4.1 Gaps in Existing Solutions to Reduce Human Error as a Form of Ransomware Attack .......... 46
CHAPTER FIVE
5.0 Summary, Conclusion and Recommendation .......... 52
5.1 Summary .......... 52
5.2 Conclusion .......... 53
5.3 Recommendation .......... 56
Reference
ABSTRACT
In Norman’s (1983) research on cognitive engineering, “System design principles can be derived
from classes of human error” (p. 254). Norman (1983) bases his research on high-level
specifications of desired actions, known as intentions. Intentions are broken down into mistakes
and slips, which were researched by Liginlal et al. (2009) and Reason (1990). In trying to find the
causal factors in an organization that cause human error to occur, the use of experimental
psychology and human factors engineering allows the probability of human error to be directly
measured (Wood & Banks, 1993). System design and human interaction both play a role in how
often human error occurs, particularly when there is a slight mismatch between the system design
and the person operating it (Wood & Banks, 1993). One major problem with systems design is
that systems are designed for simplicity, which can lead a normally privacy-conscious person to make
bad security decisions (Bratus et al., 2008).
CHAPTER ONE
INTRODUCTION
1.1
Background of Study
The digital era ushered in the use of computers as a tool of the people. The expanse of the internet, where
computers connect, has become known as cyberspace. Many economic outlets, cultural resources,
social platforms, and government services operate on the internet. Moving services that were offered
in person into cyberspace is known as digitization. Digitization has had positive effects on efficacy.
Several types of security issues have revealed exploitation and vulnerabilities in cyberspace.
Sophisticated and diverse types of cyberspace-based attacks have materialized. Any type of
disruption of the integrity, authenticity or availability of data or information is termed a
cyberattack. Private companies and government organizations are facing security exploitation
issues globally in cyberspace. The purpose of such attacks differs based on what information is
threatened. Attackers are most often driven by financial gain, government intelligence, or political
influence. Vulnerabilities for individuals to be targeted are widening. Cyberattacks also give the
public the opportunity to become aware of potential dangers.
Ransomware attacks have become more prevalent, brutal and recurrent. Factors such as
anonymous payment processing and new sophisticated encryption methods have contributed to the
rapid growth of ransomware nowadays (Balogun, 2018). In 2017, the FBI’s Internet Crime
Complaint Center (IC3) received 1,783 ransomware complaints that cost victims over $2.3 million
(De Groot, 2019). According to Luo & Liao (2017), ransomware targets files with the following
file name extensions: .txt, .doc, .rft, .ppt, .cbm, .cpp, .asm, .db, .db1, .dbx, .cgi, .dsw, .gzip,
.zip, .jpeg, .key, .mdb, .pgp and .pdf. Knowing that these files are possibly of crucial importance to the
victims, the attacker encrypts them, making them impossible for the victim or owner to access
(Luo & Liao, 2017). Anyone with important data stored on their computer or network is at risk,
including government or law enforcement agencies and healthcare systems or other critical
infrastructure entities (US-CERT, n.d.).
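The paragraph above lists the document extensions ransomware tends to target and notes that, once encrypted, the files become inaccessible to their owner. The following is an added example, not code from the project, of a simple defensive check a practitioner could run over a file share or backup folder: it looks only at files with those extensions and flags any whose byte content has near-maximal Shannon entropy, which is what freshly encrypted output looks like, while treating formats that are already compressed or encrypted (zip, jpeg, pdf, pgp) as inconclusive rather than alarming. The extension list is the one quoted on the page; the entropy threshold, the NATURALLY_DENSE set and the sample files are assumptions constructed for this example.

```python
"""Added example (not part of the original project): flag files that look as if
crypto ransomware has encrypted them, using the target extension list quoted
from Luo & Liao (2017) plus the Shannon entropy of each file's bytes.
Plain documents sit well below 8 bits/byte; encrypted output sits close to it."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the page names as typical ransomware targets
TARGET_EXTENSIONS = {
    ".txt", ".doc", ".rft", ".ppt", ".cbm", ".cpp", ".asm", ".db", ".db1",
    ".dbx", ".cgi", ".dsw", ".gzip", ".zip", ".jpeg", ".key", ".mdb", ".pgp", ".pdf",
}
# Assumption for this example: formats that are compressed or encrypted by
# design, so a high entropy reading on them proves nothing by itself
NATURALLY_DENSE = {".gzip", ".zip", ".jpeg", ".pgp", ".pdf"}
# Assumption for this example: bits per byte above which content is treated as
# likely ciphertext (random data on a few KB scores roughly 7.9)
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path, min_size: int = 256) -> str:
    """Return 'ignored', 'clean', 'inconclusive' or 'suspect' for one file.

    Only extensions from the page's list are examined; very small files are
    reported clean because their entropy estimate is not meaningful."""
    ext = path.suffix.lower()
    if ext not in TARGET_EXTENSIONS:
        return "ignored"
    data = path.read_bytes()
    if len(data) < min_size or shannon_entropy(data) < ENTROPY_THRESHOLD:
        return "clean"
    return "inconclusive" if ext in NATURALLY_DENSE else "suspect"


def scan_directory(root: Path) -> dict:
    """Map each file name under root to its classification."""
    return {p.name: classify_file(p) for p in root.rglob("*") if p.is_file()}


def build_sample_dir() -> Path:
    """Constructed sample data: a readable text file, a .doc whose content has
    been replaced by random bytes (standing in for ciphertext), a zip archive
    (legitimately dense) and an executable outside the target list."""
    root = Path(tempfile.mkdtemp(prefix="rw_scan_"))
    (root / "notes.txt").write_bytes(b"Quarterly backup checklist. " * 40)
    (root / "ledger.doc").write_bytes(os.urandom(4096))
    (root / "archive.zip").write_bytes(os.urandom(4096))
    (root / "tool.exe").write_bytes(os.urandom(1024))
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    for name, verdict in sorted(scan_directory(sample).items()):
        print(f"{verdict:12s} {name}")
```

Entropy is a heuristic, not proof: a high reading on a .doc or .txt is a strong signal, while a high reading on a .zip is expected, so the check reports the two cases separately instead of raising a false alarm on every archive. Run on a schedule (for instance after each backup job), a scan like this notices an encrypted batch before the last clean copies age out of retention.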
Cybersecurity is the means of defending computers, servers, IoT devices, networks, and data from
malicious attacks. Another name for cybersecurity is information technology security. Since the
introduction of the computer, cyberattacks have been a major problem faced by organizations and
individuals over the years, and the rate of cyberattacks has increased exponentially.
Human factors are regularly underestimated and overlooked (Hadlington, 2017) and are vital
factors that affect a business's information security hygiene (Anwar et al., 2016). The challenge
stems from the diverse range of human errors which ultimately grant unauthorized access to
sensitive information and other business assets, resulting in significant data and security breaches.
Employee mistakes pose a risk in companies. In fact, the rise and severity of security problems
reported in recent years suggest that organizations are more vulnerable than ever (Sasse, Brostoff
& Weirich, 2001). As illustrated in Figure 2, human errors are influenced by certain attitudes,
behaviors, and actions that promote unsecured connections. These ignorant actions expose
valuable, sensitive business information and resources to opportunistic criminals. Criminals then
hijack secure sessions to violate privacy (Wallace et al., 2021). When cybercriminals take over,
they compromise information security principles like data confidentiality, availability, and
integrity. Confidentiality, a fundamental principle to promote protection against unauthorized
disclosure of data or information, focuses on keeping information private. Data is only available
to or can only be accessed by the correct recipient to carry out expected duties (Njoroge, 2020).
The confidentiality principle includes people protecting others by restricting personal or sensitive
information sharing unless explicit permission is granted (Alexei & Alexei, 2021).
Common human mistakes
Cybersecurity risks relating to human mistakes affect various businesses
because of the connection to standalone or networked computers. Moreover, Kobis (2021) believes
that the human factor is the leading factor in infiltrating sensitive information. For standalone
computers, employees may use memory sticks which a virus may infect. Or, for example,
employees may follow a website's links or accidentally respond to unknown links that gather
sensitive information. Increasingly, data breaches occur through the unauthorized disclosure of
personal information (Richardson et al., 2020). Another example is when users curiously,
recklessly, and ignorantly open fake emails containing malware attachments which automatically
install when opened. Moreover, a user could install malware attached to standard applications.
Often the infected installation package is available on a website to trap unknowledgeable users. In
this case, the unaware user downloads and installs software from unverified sources (Kobis, 2021).
Other users serve as a channel for criminals by the way they handle their passwords. Such behavior
may result from a poor ability to remember the characters accepted by password criteria,
understaffing, and employee overload with work demands. At times, unacceptable user behavior
is exacerbated by a lack of support or the absence of relevant training. This mistake is a gap that
influences poor decision-making (Sasse, Brostoff & Weirich, 2001). Some user attitudes affect
common mistakes; for example, when a user insists, "It won't happen to me" (Richardson et al.,
2020).
According to IBM’s Security Services 2014 Cybersecurity Intelligence Index, human error
played a role in more than 95% of all security breaches (IBM Security Services 2014), as opposed
to those caused strictly by unanticipated vulnerabilities in system security. IBM’s report is based
upon nearly 1000 clients in 133 countries and literally billions of events per year. IBM reports that
human errors include those made by IT professionals such as improper system security
configurations and poor patch management, and those made by end-users such as weak or shared
passwords, loss of devices containing sensitive information, and the single most prevalent: opening
an unsafe attachment or accessing an unsafe URL. The report describes a typical human error
involving the use of social media to initiate an attack. A scenario described is that the attacker
contacts a user inside an organization via social media and directs the user to a malicious website
or gets the user to open a malware attachment in email. Since the user is using organizational
resources, the entire organization is potentially exposed to the exploit.
In the United States (US), data breaches that compromise 500 or more individuals’ health records
must be reported to the US Department of Health and Human Services (HHS) (US Department of
Health and Human Services Office for Civil Rights, 2022). All 50 US states have laws that require
breached companies to notify residents that their data was compromised (Steptoe & Johnson LLP,
2019). Causes for data breaches are attributed to system glitches, external actors, and internal
actors (insiders) (Garrison & Ncube, 2019; Kennedy, 2020; Pigni et al., 2018; Ramim & Levy,
2019; Zimmerman & Renaud, 2019). Insiders are organizational members with privileged access
to persons, systems, processes, and facilities (Clarke & Levy, 2022; Hua & Bapna, 2021; Nurse et
al., 2019; Zimmermann & Renaud, 2021). Organizational insider threats can be malicious or non-malicious (Hua & Bapna, 2019; Nurse et al., 2019; Vroom & von Solms, 2020; Zimmerman &
Renaud, 2019). Human error has increasingly been attributed as a significant cause for data
breaches (Chernyshev et al., 2019; Evans et al., 2019; Metalidou et al., 2021). The Identity Theft
Resource Center (ITRC) (2022) estimated that for 2017, their Data Breach Employee Error /
Negligence / Improper Disposal / Loss attack category accounted for only 15.4% of data breach
cases, but accounted for 102.5% of records breached. Furthermore, ITRC’s other categories may
also involve human error as a contributor to the breach. Although human error is known to be a
contributor to data breaches, the understanding of what causes human error in cybersecurity
contexts is extremely limited. On the other hand, human error in safety in the context of
manufacturing, healthcare, nuclear, laboratory, plants, transportation, aerospace, etc. is relatively
well researched and funded (Senders & Moray, 1991; Xing et al., 2017). In fact, formal Human
Reliability Analysis (HRA) methods have been developed in safety applications with an aim to
reduce the likelihood and consequence of human errors in complex systems (Evans, et al., 2019;
Groth, 2009). A key component of HRA methods is Performance Influencing Factors (PIFs), the
various circumstantial and contextual factors that influence human performance to cause, or
contribute to, human error (Franciosi et al., 2019; Groth, 2009). Internal (individual) or external
(organizational and contextual) PIFs were assessed, following Curado et al. (2018), who noted that assessing
the antecedent at only one level does not fully explain the relationship between conditions and
outcomes. In this study, PIFs in cybersecurity contexts are titled Cybersecurity PIF (CS-PIF), and
human error in cybersecurity contexts are titled Cybersecurity Human Error (CS-HE). This
research examined CS-PIFs as contributors to CS-HE resulting in data breaches using existing
known and documented incidents. Fuzzy-set theory was used to calibrate the degree of
membership (i.e. presence or absence) of CS-PIFs and CS-HE in each case, which is appropriate
as CS-PIFs and CS-HE can vary by level or degree (Pena & Curado, 2007; Ragin, 2009). Groth
(2009) found that PIFs have varying levels of interdependencies and interactions to result in a
human error. Thus, Fuzzy-Set Qualitative Comparative Analysis (fsQCA) was used to examine
the conjunctural causal relationship of CS-PIFs resulting in CS-HE leading to the data breaches
(Rihoux, 2006). Schneider & Rohlfing (2016) defined conjunctural causation as when "multiple
conditions occur together for producing the outcome" (p. 530).
This research is presented alongside the alarming increase in cyber incidents caused by human
behaviors within the small business space. This paper responds to the study of Ncubukezi,
Mwansa, and Rocaries (2021), explaining that human-generated mistakes should be acknowledged
when planning and implementing best practices to promote good cyber hygiene. The current work
examines human errors fuelled by actions, attitudes, and behaviors that have emerged recently as
a serious concern and a door to increased ransomware attacks on organizations. This paper further
presents the common types of human errors, their impact, and vulnerability mitigation strategies
to improve the overall security of information processing, as well as the different types of ransomware
attack seen over the years, and lastly provides a possible solution to reducing human error, by educating
users and small businesses about phishing links.
Cybersecurity has many dimensions – cyberspace, information security, human factors, and
computer security – which necessitates that organizations identify loopholes and protect themselves from
various cybercriminals (Ncubukezi & Mwansa, 2021).
1.2
PROBLEM STATEMENT
The two main themes of this research are ransomware and human error: the relationship between
both, and reducing human error in a bid to mitigate ransomware attacks. The research problem that
this study addressed is that human error is one of the major causes of ransomware attacks, and
phishing links and social engineering are the most common ways attackers gain access to
organizational data. The problem set of human error is not new, and
Reason (1990) defined human error as “a generic term to encompass all those occasions in which
a planned sequence of mental or physical activities fails to achieve its intended outcome, and when
these failures cannot be attributed to the intervention of some chance agency” (p. 9). Human error
has been examined broadly in the literature mostly on the topic of cybersecurity, aviation (Miller,
1976; Miranda, 2018; Shappell et al., 2007), space exploration (Boring et al., 2019; Maluf et al.,
2005), nuclear reactors, and others (Reason, 1990). Human errors are inevitable. Humans are not
perfect in their activities and errors are often necessary for human evolution when negative
consequences are minimized for benefits to include “learning, adaptation, creativity, and survival”
(Senders & Moray, 1991, p. 37). In addition, some errors are acceptable dependent on the risk to
the organization and the user (Abdolrahmani et al., 2017; Zimmerman & Renaud, 2019). The Local
Rationality Principle states that people do reasonable things given their goals, knowledge, and
focus of attention (Dekker, 2006). However, high levels of knowledge, skills, and abilities are the
critical cornerstone to ensure a high level of competency, or a lower level of human error during one’s
operations (Carlton & Levy, 2017).
1.3
AIM AND OBJECTIVES
The main aim of this research study is to employ an awareness platform to educate organizations
and end-users about ransomware attacks delivered via phishing links, to use the platform to communicate
recent attacks and possible ways to mitigate them to users, and lastly to keep users updated on newly
detected scams and how to mitigate them.
Objectives
This research study had four specific objectives:
- To use a cybersecurity awareness platform (CAP) to educate users on unintended disclosure,
system misconfiguration, social engineering and poor cybersecurity hygiene, as identified in the
largest data breaches.
- To simulate a phishing attacker.
- To update organizations and end-users on the latest cyber news, which will enable them to update
their security systems to avoid becoming victims of any upcoming attack.
- To create a community where users can interact about their experiences of recent attacks.
1.4
DEFINITION OF TERMS
Awareness: the state of knowing something, such as the awareness that the sun comes up every
morning.
Cyber security: the practice of defending computers, servers, mobile devices, electronic systems,
networks, and data from malicious attacks
Cyber-attack: a malicious and deliberate attempt by an individual or organization to breach the
information system of another individual or organization.
Cyber terrorism: any premeditated, politically motivated attack against information systems,
programs and data that threatens violence or results in violence.
Cyber-security Performance Influencing Factors (CS-PIF): a term coined in this research to
reference performance influencing factors that contribute to human error in cybersecurity
contexts (Groth, 2009).
Generic Error-Modelling System (GEMS): a conceptual framework “within which to locate the
origins of the basic human error types” (p. 53), which are skill-based slips (and lapses), rule-based
mistakes, and knowledge-based mistakes (Reason, 1990). The structure was “derived in large part
from Rasmussen’s skill-rule-knowledge classification of human performance” (Reason, 1990, p.
53).
Human error: “a generic term to encompass all those occasions in which a planned sequence of
mental or physical activities fails to achieve its intended outcome, and when these failures cannot
be attributed to the intervention of some chance agency” (Reason, 1990, p. 9).
Human Reliability Analysis (HRA): “Formal qualitative analysis and quantification methods
available for use as part of Probabilistic Risk Assessments (PRAs) in modeling risk in Nuclear
Power Plants (NPPs)” (p. 1); more generally, modelling human error (Whaley et al., 2016).
Knowledge-Based Mistake (KBM): a failure caused by lack of knowledge that occurs during knowledge-based
performance “in novel situations where the solution to a problem has to be worked out on the spot
without the help of preprogrammed solutions” (Reason, 1995, p. 81).
Knowledge-Based Performance (KBP): “During unfamiliar situations, faced with an environment
for which no know-how or rules for control are available from previous encounters, the control of
performance must move to a higher conceptual level, in which performance is goal-controlled”
(Rasmussen, 1983, p. 259).
Malware: short for “malicious software,” refers to any intrusive software developed by
cybercriminals (often called “hackers”) to steal data and damage or destroy computers and
computer systems.
Phishing: a type of social engineering attack often used to steal user data, including login
credentials and credit card numbers.
Ransomware: Ransomware is a type of malicious software, or malware, that prevents you from
accessing your computer files, systems, or networks and demands you pay a ransom for their
return.
Rule-Based Performance (RBP): a problem-solving activity “typically controlled by a stored rule
or procedure which may have been derived empirically during previous occasions, communicated
from other persons’ know-how as instruction or a cookbook recipe, or it may be prepared on
occasion by conscious problem solving and planning” (Rasmussen, 1983, p. 259).
Skill-Based Error (SBE): failures during skill-based performance, termed slips (failure of
action) and lapses (failure of memory) (Reason, 1995).
Skill-Based Performance (SBP): “Sensory-motor performance during acts or activities which,
following a statement of an intention, take place without conscious control as smooth, automated,
and highly integrated patterns of behavior” (Rasmussen, 1983, p. 258). SBP occurs during routine
and familiar activities where there are no problems identified (Reason, 1990).
Skill-rule-knowledge framework: Jens Rasmussen’s (1983) categorization of the “three levels of
performance correspond to decreasing levels of familiarity with the environment or task” (Reason,
1990, p. 43).
1.5
LIST OF ACRONYMS
Cybersecurity Awareness Platform (CAP)
Cybersecurity Performance Influencing Factors (CS-PIF)
Fuzzy-set Qualitative Comparative Analysis (fsQCA)
Generic Error-Modelling System (GEMS)
Human Event Repository and Analysis (HERA)
Human Reliability Analysis (HRA)
Knowledge-Based Mistake (KBM)
Knowledge-Based Performance (KBP)
Performance Influencing Factor (PIF)
Qualitative Comparative Analysis (QCA)
Rule-Based Mistake (RBM)
Rule-Based Performance (RBP)
Skill-Based Error (SBE)
Skill-Based Performance (SBP)
Technique for Human Error-Rate Prediction (THERP)
CHAPTER TWO
LITERATURE REVIEW
2.1
INTRODUCTION
This chapter reviews the literature on ransomware protection, which spans the discipline of
cybersecurity. First, ransomware is defined, explained, and dissected. Second, human error is
defined, dissected, and explained from a psychological perspective. Finally, human error in a
ransomware attack is explained.
Due to the nature of this research, the literature review criteria had to be expanded in time and
academic discipline. Some of the constructs and their influence on human error were recognized
from the safety literature, but are not always recognized in the cybersecurity literature as tying these
constructs to human error in cybersecurity contexts. The two main themes of this research are
ransomware and human error: the relationship between both, and reducing human error in a bid to
mitigate ransomware attacks.
The first recorded cybercrime took place in the year 1820 and involved a man named Joseph Marie Jacquard.
In 1820, Joseph Marie Jacquard, a textile manufacturer in France, produced the loom. This device
allowed the repetition of a series of steps in weaving special fabrics. This brought about fear amongst
Jacquard's employees that their traditional employment and livelihood were being threatened.
They committed sabotage to discourage Jacquard from further using the new technology. This was
the first cybercrime ever recorded.
Accordingly, cybersecurity concerns are pervasive in contemporary discussions of and research
about technology. Much emphasis is focused on technological solutions to cyber security concerns,
often at the expense of considering important human issues in both creating and ameliorating cyber
security vulnerabilities.
As companies around the world continue to expand their businesses and IT infrastructure by
adding more devices and increasing connectivity across their organizations their volumes of data
requiring 24x7 monitoring also continue to grow. That can increase an organization’s vulnerability
by making it even more difficult to develop and deploy effective measures to fend off cyberattacks,
but at the same time, such growth creates enormous quantities of data on security events. It also
presents us with the challenge of understanding what all that data means and deciding what to do
about it. (IBM Security Services 2014)
2.2
HUMAN ERROR
As noted, most data breaches are caused by human error, and human error is the result of failure
in human performance. Human error is by no means exclusive to cybersecurity, though, as a great
deal of research has been done on it in human factors (Rasmussen, 1983), psychology (Reason, 1990),
and human reliability analysis (Evans et al., 2019; French et al., 2011). Interest in these fields is
warranted because human error had caused, as of the time of their publication, over 90% of failures
in the nuclear industry (Reason, 1990); over 80% of failures in the chemical and petrochemical
industries, over 75% of marine casualties, and over 70% of aviation accidents (French et al., 2011).
2.2.1 Human Performance
Rasmussen (1983) distinguished three levels of human performance: skill-based, rule-based, and
knowledge-based performance. Skill-Based Performance (SBP) is performed during routine
activities and does not involve conscious attention or control. Rule-Based Performance (RBP) is
performed consciously, is goal-oriented, and accomplished using stored rules or procedures
(acquired previously or provided). Knowledge-Based Performance (KBP) is performed
consciously during unfamiliar situations, is goal-oriented, and is accomplished using higher-level
decision-making. French et al. (2011) recognized that human behavior is complex and influenced
by internal and external factors; this underpins their position that terminology such as “error” in
HRA is invalid, as such terms are socially defined. In other words, the employee or user more often than
not committed a reasonable action given the internal and external influencing conditions (PIFs)
and the context that led to the unreasonable outcome. French et al. (2011) provided the example of the
Three Mile Island accident in 1979, “where the formation of a hydrogen bubble which forced
down cooling water exposing the core” (p. 758), which was unanticipated and unprecedented in reactor
designs; the operators behaved and executed as best as they could, given the circumstances.
Compare this to potential cybersecurity lapses where an effective zero-day social engineering
tactic is used against a well-intentioned and security-aware user.
2.2.2 Human error in Cybersecurity
Human error in cybersecurity refers to actions or events that result in a data breach. These largely
result from a lack of awareness, negligence, or inappropriate access control.
Regardless of the reason, the cost of human errors adds up. According to IBM, the average cost of
a data breach caused by human error stands at $3.33 million. That’s a big expense that most SMEs can’t
afford.
Human error, however, is not so easy to resolve. You can’t replace a ‘faulty’ workforce the way you
could replace a faulty software product. There’s always a reason why humans make errors. The key is to
understand why the errors were made and to find ways to avoid similar situations in the future.
Human error has been studied in several areas, such as environmental design, health care, and
also in cybersecurity (Human Factors Ergonomics Society, 2021). Great attention to human factors
has been devoted to the domain of aviation. The Dirty Dozen proposed by Dupont refers to twelve
of the most common errors in maintenance activities due to specific human factors (Dupont,
1997); these errors are reported in the aviation domain as possible causes of accidents or incidents.
However, there is neither a concise list of human factors within cybersecurity, nor a definitive
description of relevant human factors. Thus, we have chosen to utilize the list outlined by Dupont
as we consider it a valid basis for our investigation:
- Lack of Communication: people not communicating with each other within a working
and/or online environment.
- Complacency: a feeling of self-confidence that can lead to a lack of awareness of potential
dangers.
- Lack of Knowledge: not having specific knowledge and enough experience, which can lead
to poor decisions.
- Distraction: when a user’s attention has been taken away from the task that they are
required to do.
- Lack of Teamwork: not providing enough support towards a group of people, co-workers,
etc., who rely on your support.
- Fatigue: a physiological reaction resulting from prolonged periods of work and stress.
- Lack of Resources: not having enough resources (e.g., time, tools, people, etc.) to
complete a task.
- Pressure: pressure to meet a deadline interferes with our ability to complete tasks
correctly.
- Lack of Assertiveness: not being able or allowed to express concerns or ideas.
- Stress: acute and chronic stress from working for long periods or other demanding issues
such as family or financial problems.
- Lack of Awareness: not being aware of what happens in the surrounding (working or
online) environment, often leading to an unconscious disconnection from what others are
doing.
- Norms: workplace practices that develop over time, which can then influence other
behaviors.
Even if in recent times publications on human factors within cybersecurity are gaining momentum,
a wider picture to understand the current state of human factors within cybersecurity is still
missing. This research is a contribution in this direction, since it analyzes human error in relation
to a specific type of cybersecurity attack, namely ransomware.
2.3
RANSOMWARE
Ransomware is a type of malware designed to facilitate different nefarious activities, such as
preventing access to personal data unless a ransom is paid (Khammas, 2020, Komatwar, Kokare,
2020). This ransom typically uses cryptocurrency like Bitcoin, which makes it difficult to track
the recipient of the transaction and is ideal for attackers to evade law enforcement agencies (Kara,
Aydos, 2020, Karapapas, Pittaras, Fotiou, Polyzos, 2020). There has been a surge in ransomware
attacks in the past few years. For example, during the ongoing COVID-19 pandemic, an Android
app called CovidLock was developed to monitor heat map visuals and statistics on COVID-19
(Saeed, 2020). The application tricked users by locking user contacts, pictures, videos, and access
to social media accounts as soon as they installed it. To regain access, users were asked to pay
some ransom in Bitcoin; otherwise, their data was made public (Hakak et al., 2020c). Another
notorious example of ransomware is the WannaCry worm, which spread rapidly across many
computer networks in May 2017 (Akbanov, Vassilakis, Logothetis, 2019, Mackenzie, 2019).
Within days, it had infected over 200,000 computers spanning across 150 countries (Mattei, 2017).
Hospitals across the U.K. were knocked offline (Chen and Bridges, 2017); government systems,
railway networks, and private companies were affected as well (Cosic et al., 2019).
Ransomware is considered one of the most dangerous variants of malware, primarily because it
requires little user interaction for privilege escalation. Even the use of industry-standard tools and
technologies has not been able to contain the wrath of Ransomware. Once Ransomware infects a
device, it becomes impossible for the victim to access their files, and because the ransom is paid
using cryptocurrency, there is no way to track the perpetrators of the Ransomware attacks.
Ransomware can be categorized into three main forms: locker, crypto, and scareware (Gomez-Hernandez, Alvarez-Gonzalez, Garcia-Teodoro, 2018, Kok, Abdullah, Jhanjhi, Supramaniam,
2019). Scareware may use pop-up ads to manipulate users into assuming that they are required to
download certain software, thereby coercing them into downloading malware. In scareware, the
cyber crooks exploit fear rather than locking the device or encrypting any data (Andronio et al.,
2015). This form of ransomware does no harm to the victim’s computer. The aim of locker
ransomware is to block primary computer functions. Locker ransomware may encrypt certain files
and lock the computer screen and/or keyboard, but it is generally easy to overcome and can often
be resolved by rebooting the computer in safe mode or running an on-demand virus scanner (Adamu
and Awan, 2019). Locker ransomware may allow limited user access. Crypto ransomware encrypts
the user’s sensitive files but does not interfere with basic computer functions. Unlike locker
ransomware, crypto ransomware is often irreversible, as current encryption techniques (e.g., AES
and RSA) are nearly impossible to revert if implemented properly (Gomez-Hernandez,
Alvarez-Gonzalez, Garcia-Teodoro, 2018, Nadir, Bakhshi, 2018). The table below shows a few
popular ransomware families. Crypto ransomware can use one of three encryption schemes:
symmetric, asymmetric, or hybrid (Cicala and Bertino, 2020). A purely symmetric approach is
problematic because the encryption key must be embedded in the ransomware (Dargahi et al.,
2019), which makes it vulnerable to reverse engineering. The second approach is to use asymmetric
encryption. The issue with this approach is that asymmetric encryption is slow compared to
symmetric encryption and hence struggles to encrypt larger files (Bajpai et al., 2018).
According to Sophos (2020), almost 51% of organizations worldwide were hit by highly sophisticated
Ransomware attacks in 2020. These attacks used advanced command and control servers, making
them challenging to reverse engineer. Among all the countries studied in the report, India was
affected the most by the deadly Ransomware attacks, with almost eighty-two percent of
organizations being hit by Ransomware. Netwalker is one of the newest and most dangerous
Ransomware strains (AH. et al., 2021). Its popularity stems from its method of propagation: phishing
emails related to COVID-19 lure the victim into downloading the attachments, resulting in the
execution of portable binaries and infection of the system. In February 2021, the latest Ransomware
strain, Zeoticus 2.0, successor to the infamous strain Zeoticus, was released. Zeoticus 2.0 has
raised the stakes since it is proving extremely hard to control and mitigate. It can execute
completely offline without requiring any command and control server. To receive the ransom
payment, Zeoticus uses highly secure and encrypted ProtonMail accounts to evade tracing.
The history of Ransomware dates back to the late 1980s. The first Ransomware, named the Acquired
Immunodeficiency Syndrome (AIDS) Trojan, was released via floppy disk. The AIDS Trojan
contained a program that counted the number of times the computer system was started, and
once this count reached 90, all of the files were encrypted. The only way to be able to use them
again was to pay a ransom of $189 (Kalaimannan et al., 2016). In the early days, Ransomware
authors attacked victims to showcase their technical prowess. It was not until the early 2000s, as
data gained primacy, that cybercriminals began to exploit users for financial gain. In 2004, a
Ransomware strain named GPCode was released. GPCode infected Windows machines via e-mail
attachments. It used a 660-bit RSA key to encrypt files and folders (Bodkhe et al., 2021; Emm,
2008). Since then, Ransomware families like WannaCry, Cerber, Petya, etc., have evolved and
caused monetary damage worth billions of dollars.
Ransomware evolution and trends

1989 - AIDS Trojan
  * Spread via floppy disk
  * Used Symmetric Cryptography
  * Monitored boot time count

2004 - GP Code
  * Spread via Phishing Emails
  * Used Asymmetric Cryptography
  * Encrypted ‘My Documents’ Directory

2012 - Reveton
  * Spread via Outdated Plugin
  * Used Symmetric Cryptography
  * Used an unstoppable DLL

2013 - Cryptolocker
  * Spread via Phishing Emails
  * Used Asymmetric Cryptography
  * Encrypted ‘My Documents’ Directory

2014 - Syeng
  * Spread via Email attachments
  * Used Asymmetric Cryptography
  * Payload added itself to the registry entries via bypassing

2015 - Encoder
  * Spread via a Backdoor in Magento CMS
  * Used Symmetric Cryptography
  * Payload replicated itself in every directory with SUID permission

2016 - KeRanger
  * Spread via flaw in BitTorrent
  * Used Asymmetric Cryptography
  * Bypassed Gatekeeper to infect the system with .RTF

2017 - WannaCry
  * Spread via flaw in SMB server
  * Used Asymmetric Cryptography
  * Used a Backdoor called Doublepulsar to lock registry

2020 - Netwalker
  * Spread via COVID-19 advisory Emails
  * Used Asymmetric Cryptography
  * Used a VB script for UAC bypassing
Despite adopting sophisticated cyber security technology, one simple human error is all it takes
for the door to your organisation to be flung wide open to cyber criminals. Yet organisations
repeatedly neglect investing in human factor cybersecurity. It’s an oversight that can leave your
organisation exposed to a range of serious cyber breaches.
2.3.1 Ransomware Sources
Ransomware propagates primarily due to a lack of Cyber-hygiene at the individual level. Cyber-hygiene refers to all aspects of online safety (Maennel et al., 2018), including browsing behavior,
availability and consistent updating of antivirus software, installing third-party software, and user
awareness. Cyber-hygiene must be practiced to keep Ransomware and other strains of malware
away. Despite improving security standards and protocols, Ransomware families have managed
to penetrate the defense systems of organizations, governments, and individual users. Some of the
main sources of Ransomware include:
Email Attachments: Email attachments usually contain Portable Document Format (PDF)
documents, voicemails, images, e-invites, etc. Using various steganographic techniques, these
attachments carry embedded malicious files. Ransomware perpetrators use techniques that make
an email look as if it was sent from a trusted and known sender. There are various tools available
through which attackers with no technical knowledge can craft malicious emails.
Removable Media: Removable media is not considered an entry portal for Ransomware by
many. However, Tischer et al. (2016) conducted a survey revealing that people are intrigued by
what might be on a random Universal Serial Bus (USB) drive lying in a public place. Many
organizations that did not disable USB ports have been hit by Ransomware via this mode
(Lee, 2017).
Malvertising: Malvertising (Sood & Enbody, 2011) is the organized practice of infecting the
advertising infrastructure that websites use for displaying online advertisements. Malvertising has
proved to be another popular technique for infecting systems with Ransomware. It has infected
systems even via browsing trusted sites like British Broadcasting Corporation (BBC) News,
America Online (AOL) and Microsoft Network (MSN) (Hernandez et al., 2017). It tricks the
browser into downloading malicious files automatically. Exploit kits like Angler, Magnitude and
Nuclear are then able to help the attacker gain access to the victim’s device (Mansfield, 2016;
Hathaliya et al., 2019).
Social Media & SMS: This type of Ransomware propagation falls under the category of social
engineering, where the victim is lured into clicking links that they should not. Attackers use
Uniform Resource Locator (URL) shortening to obscure the original link. Users with poor
Cyber-hygiene are lured into clicking these links. Sometimes, users also receive SMS messages
that convey urgency and pressure them into clicking those links (Salvi & Kerkar, 2016).
Ransomware as a Service: Like other hosting services on the Dark Web that offer anonymity,
Ransomware-as-a-Service (RaaS) has emerged as a marketplace that lets attackers with
insufficient programming skills easily propagate Ransomware. The RaaS providers either take a
cut from the buyer or charge service usage fees.
2.3.2 Types of Ransomware
There are mainly two prevalent types of Ransomware, known as Crypto Ransomware and Locker
Ransomware.
2.3.2.1 Crypto Ransomware
Crypto Ransomware uses encryption algorithms to encrypt the victims’ data, following one of two
approaches. With a symmetric algorithm, there is just one key that is used for both encryption and
decryption. The second and more prevalent approach is an asymmetric algorithm, through which
the data is encrypted using a public key, and the victim can only get their data back when they pay
for the decryption key (Yaqoob et al., 2017). Over the years, attackers have made it difficult for
reverse engineers trying to decrypt the data without paying the ransom. Attackers now use a
combination of both symmetric and asymmetric algorithms to make decryption more challenging:
the victim’s data is encrypted using a symmetric algorithm because of its speed (Simmons, 1979;
Yassein, 2017), and the key used is then encrypted using the public key held by the malicious actor
(Bajpai et al., 2018).
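As an added example serving both the scheme overview in 2.3 and this section (it is not code from the thesis or from any cited work), here is a defender-side heuristic that flags files that look like crypto Ransomware output: properly implemented AES/RSA ciphertext is close to random, so it has high entropy and no recognisable file header. The header table, extension list, entropy threshold and the sample files are constructed assumptions for the example.

```python
"""Heuristic detector for files that look like crypto-ransomware output.

Added example, not code from the thesis. Crypto ransomware leaves behind
high-entropy ciphertext that has lost its original file header, often
with a new extension appended. Compressed or media files are also
high-entropy, so the magic-byte check is the caveat that keeps them
from being flagged. All sample inputs are constructed inline.
"""
import gzip
import math
import random
from collections import Counter

# Magic bytes of common, legitimately high-entropy formats.
# Assumption: this small table is illustrative, not exhaustive.
KNOWN_HEADERS = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF": "pdf",
}

# Extensions of the kind appended by crypto ransomware; placeholder list.
SUSPICIOUS_EXTENSIONS = (".locked", ".encrypted", ".crypt", ".wncry")

ENTROPY_THRESHOLD = 7.5  # bits per byte; random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def known_format(data: bytes):
    """Return the format name if the file starts with a known header."""
    for magic, name in KNOWN_HEADERS.items():
        if data.startswith(magic):
            return name
    return None


def classify(filename: str, data: bytes) -> dict:
    """Return the evidence and a verdict for one file.

    Verdict is 'suspicious' only when the content is high-entropy AND
    carries no recognisable header. The extension is reported as
    corroborating evidence but does not drive the verdict, because
    ransomware families vary the extensions they use.
    """
    entropy = shannon_entropy(data)
    fmt = known_format(data)
    suspicious = entropy >= ENTROPY_THRESHOLD and fmt is None
    return {
        "file": filename,
        "entropy": round(entropy, 2),
        "format": fmt,
        "suspicious_extension": filename.lower().endswith(SUSPICIOUS_EXTENSIONS),
        "verdict": "suspicious" if suspicious else "benign",
    }


def build_samples() -> dict:
    """Constructed sample files (not real malware artefacts)."""
    rng = random.Random(7)  # deterministic so results are repeatable
    report = b"Quarterly report: revenue grew 4% in Q3. " * 100
    return {
        # Plain office-style text: low entropy.
        "report.txt": report,
        # Stand-in for ciphertext: random bytes, header gone, new extension.
        "report.txt.locked": rng.randbytes(4096),
        # Legitimate high-entropy file: incompressible data inside a gzip
        # container keeps its 1f 8b header, so it must not be flagged.
        "backup.gz": gzip.compress(rng.randbytes(4096)),
    }


def scan(samples: dict) -> dict:
    """Classify every sample and return {filename: verdict}."""
    return {name: classify(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(classify(name, data))
```

In a real monitor the same check would run on files as they are written, with a burst of suspicious verdicts across many files being the trigger to isolate the host and fall back to backups.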
2.3.2.2 The Role of Cryptocurrencies in Ransomware Attacks
In the early days of Ransomware, attackers would demand money in the form of direct bank
deposits or via money transfer agencies. These methods of payment could be traced back to the
attacker. Since the emergence of cryptocurrencies, Ransomware attacks have exploded, largely
because cryptocurrencies introduce anonymity. Cryptocurrencies facilitate the creation of strong
Ransomware which, instead of deploying a direct one-to-one payment method, uses a third-party
payment gateway so that the risk of being traced is minimized.
The first Ransomware that proved really strong in terms of maintaining anonymity and using a
well-built encryption algorithm was CTB Locker. CTB Locker stood for Curve, The Onion
Routing (TOR) and Bitcoin locker. It used elliptic curve cryptography to encrypt the data, the TOR
protocol for anonymous communication between the victim and the attacker, and Bitcoin as a
payment method so that the ransom transfer would not be traced [23].
Usually, when a cryptocurrency is set up as a payment method, the attacker passively watches the
blockchain, the enabler for cryptocurrencies, to check whether the ransom amount has been paid.
Once the payment is made, sending the decryption key to the victim can be initiated via
automation. This puts the theory of anonymity and untraceability into practice.
Cryptocurrencies also play a very important role in the distribution of Ransomware via the dark web.
Script kiddies make use of platforms like RaaS to buy customized strains from exploit developers.
Evidence suggests that most Ransomware families, such as WannaCry, have been successful
because of the untraceability that cryptocurrencies provide to cyber-criminals.
Researchers, cyber-security firms and government agencies have researched all aspects of
Ransomware propagation and operation and have devised combat techniques. Although a few of
them were adopted by organizations and governments, most of the frameworks have not proved
successful in practice. This is because security is multi-dimensional, encompassing network
security, data security, application security and, finally, individual Cyber-hygiene practices.
2.3.3 Locker Ransomware
As the name indicates, Locker Ransomware locks the device instead of encrypting the files and
folders. Upon infection, the victim’s device is prevented from being accessed; the data inside is
untouched. This type of Ransomware is less effective than Crypto Ransomware, because the
data can still be accessed by moving the storage device to another computer (Savage et al.,
2015).
Result: After the third stage, it is up to the user whether to pay the ransom amount. There are
three possible outcomes at this stage. If the victim decides to pay the ransom, they will be
provided with a decryption key to unlock access to their devices. Another outcome results when
the victim has strong technical skills or can take the help of reverse engineers to reverse the
Ransomware operations and get the files back. The third outcome results when the victim is
unable to pay the ransom, which leads to permanent damage and complete loss of data.
2.4 STATISTIC ON HUMAN ERROR IN RANSOMWARE ATTACK
2.4.1 Human Errors and Violations
Following Rasmussen’s (1983) Skill, Rule, and Knowledge (SRK) based performance framework,
Reason (1990) developed the Generic Error Modelling System (GEMS), which ties the three levels
of human performance to human error. Skill-Based Errors (SBE) occur during periods of skill-based
performance (SBP). SBE can be separated into slips and lapses: a slip is a failure of action (Norman,
1981) and a lapse is a failure of memory (Reason, 1990). Rule-Based Mistakes (RBM) occur during
rule-based performance (RBP) when the actor misapplies a good rule or applies a bad rule.
Knowledge-Based Mistakes (KBM) occur during knowledge-based performance (KBP) and result
from a lack of expertise. The fourth departure from desired human performance is violations. While
SBE, RBM, and KBM are committed due to faulty information and cognitive processing, violations
are undesired deliberate acts, in a social context, by those who oppose governing policies and
procedures (Reason et al., 1990). Violations can be deliberate but non-malicious (Kraemer &
Carayon, 2007).
Cybersecurity human error can occur at all levels of the organization, from the end user and the
system administrators to the policy makers and management that institute corporate strategy and
guidance. An end user may engage in unsafe web browsing at work that can lead to inadvertent
actions resulting in malware or a data breach (Goode et al., 2018). This consequence may have been
the result of an (ill-advised) violation of policy. Some users make a rationalized decision to
commit violations of organizational IT policies that put the system at risk (Barlow et al., 2013; Gcaza
et al., 2017; Siponen & Vance, 2010). The user’s intention may not be to cause malice, but rather
to circumvent the policies to achieve a positive business outcome (Vance & Siponen, 2012). The
policy by itself may not be sufficient for compliance, but it can be in conjunction with training or
education to understand the “why” behind the policy. Other examples of human error may not be so
clear-cut or identifiable as to which human error type they are. As an example, an experienced network
engineer setting up a new network may inadvertently open a security exploit in the network
configuration by committing a SBE, RBM, or KBM, depending on the circumstance or context.
For example, the engineer may have been distracted and misconfigured the switch (SBE) or
inexplicably forgot to save the configuration (SBE); followed a bad procedure (RBM); or their
lack of experience failed them in configuring the switch properly (KBM) (Pollini et al., 2021;
Stanton et al., 2005). Configuration mistakes can leave security applications, systems, or network
boundaries vulnerable (Ahmed et al., 2012; Pollini et al., 2021). In the safety industry, human
reliability analysis helps to understand the problem of human error.
2.4.2 Phishing
Cybersecurity attacks can be successful because users are not aware of their vulnerabilities and
because of their Lack of Knowledge about consequences and risks. With social media users
tending to share a lot of their lives online, it is significantly easier for attackers to gather
information about users and use it to “convince” them that their identity and intentions are
legitimate. Phishing is one of the most effective cyber-attacks. Various authors define phishing in
slightly different ways. In this article, we adopt the definition of phishing proposed by Lastdrager
(2014) in his literature survey on phishing attacks, where phishing is defined as “a scalable act of
deception whereby impersonation is used to obtain information from a target”. A phishing attack
usually consists of sending a message (e.g., an email) which appears to come from a reputable
organization (e.g., a bank), sounds urgent, claims to enclose important information, and invites the
victims to open a website that is a clone of the original one (e.g., a clone of their own bank’s
website). In the message, the victims are invited to provide personal information on the website;
for example, they are required to log in to the website to update their profile information. In most
cases, the victims are unlikely to check or question the website’s validity; thus, they open it and
provide the required information, which, unfortunately, is stolen by the attackers, who can use it,
for example, to access the bank account on behalf of the victims and steal their money. Phishing is
often successful due to the vulnerabilities of users, namely human factors related issues. A
phishing attack requires preparation to be successful, which involves studying users, their
behavior, their online posts, and even watching them online to gain valuable knowledge to use in
a targeted approach. Target websites are also studied by the attackers to improve the effectiveness
of their attacks, for example, by looking at the schedule when servers go down for (regular)
maintenance, their content, etc. On one side, knowledge about victims allows attackers to send
customized messages; for example, fans of a soccer team may receive an email regarding an offer
to purchase their club’s jerseys (in this case, the phishing website aims to steal their credit card
information). On the other side, knowledge about target websites can improve the trustworthiness
of phishing messages; for instance, if a website has scheduled maintenance, its users may receive
an email asking them to unlock their account after the maintenance by clicking on a link and
signing in on the website (in this case, the phishing website aims to steal users’ credentials).
Phishing does not only occur via email. In several cases, users receive fraudulent phone calls or
text messages that appear to have legitimately come from a company with which the user has an
account or service. As a result, some users are unlikely to check or question their validity and
unknowingly hand over their personal data to scammers, hackers, and other persons with malicious
intentions. In addition, in response to continuous updates of defensive solutions against phishing
attacks, increasingly sophisticated and diversified attacks are devised. A comprehensive overview
of the variants of phishing attacks is reported by Chiew et al. (2018), where a classification of the
main components characterizing this attack is derived. This classification first identifies the
medium used to start the attack, namely Internet, SMS, and voice. Each medium may use a vector,
i.e., the vehicle for launching the attack. Examples of vectors for the Internet are e-mail, eFax,
instant messaging (e.g., social network messages), and websites. The last layer of this classification
is called technical approaches and reports all the technological solutions available to deploy a
phishing attack, for example, JavaScript obfuscation, man-in-the-middle, and SQL injection. Each
vector can exploit one or more of these technical approaches to perform the attack. From this
classification, it emerges that a phishing attack is very complex and can be performed in several
ways.
This has led to the spread of new terms indicating variations of phishing attacks. Some of the
most popular variants are:
Spear-Phishing: the fraudulent practice of sending emails that appear to be from a known or
trusted sender and are targeted at individuals to make them reveal confidential information.
Vishing: the fraudulent practice of making phone calls or leaving voice messages appearing
to be from reputable companies to obtain personal information.
SMiShing: also known as SMS phishing, it consists of sending SMS or instant messages to the
victim’s smartphone; such messages appear to be sent by a trusted source (e.g., our bank) and
invite the victim to click a link, as in more traditional phishing, or even to download an
attachment. In this last case, the attachment installs malware like a rootkit or a backdoor that
guarantees the scammers access to everything (contacts, email messages, application data, etc.).
Pharming: a scamming practice where malicious code is installed on a personal computer or
server, which in turn misdirects users to fraudulent sites without their knowledge or consent.
A phishing attack is successful for several reasons. For example, the attacker can gain an advantage
by performing reconnaissance about users and/or the company they work for. This information
allows the attacker to communicate with a user using familiar terms or colloquial phrases. As a
result, the attackers can improve their “legitimacy” as someone the user can trust. Therefore,
users are likely to feel more comfortable with who they are interacting with and subsequently
lower their guard. The COVID-19 pandemic has provided the opportunity for increasing attacks
based on the fear of users and their working situation (i.e., working from home) (Ellis &
Montalbano, 2020).
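As an added example (not code from the thesis or from the surveys it cites), the following Python script turns the phishing traits described above into a rule-based checker and runs it over two constructed messages: impersonation of a reputable sender, urgency, a request to log in or update details, a link whose visible text names the real site while its target is a clone, and URL shortening used to obscure the destination. The keyword lists, shortener list, fictitious domains and score threshold are assumptions made for the example.

```python
"""Rule-based scorer for the phishing message traits described above.

Added example, not code from the thesis. Each trait that is present adds
one finding; a message with PHISH_THRESHOLD or more findings is flagged.
Keyword lists, shortener list and threshold are illustrative assumptions.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "unlock")
CREDENTIAL_WORDS = ("log in", "login", "sign in", "verify", "update your")
SHORTENERS = ("bit.ly", "tinyurl.com", "t.co", "goo.gl")  # illustrative list
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
PHISH_THRESHOLD = 3


def registrable(host: str) -> str:
    """Crude eTLD+1: the last two labels (assumption: no ccSLDs like co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_findings(html: str) -> list:
    """Flag anchors whose visible text names one site while the href goes to
    another (the cloned-website trick), and anchors that go via a shortener."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname or ""
        if registrable(href_host) in SHORTENERS:
            findings.append(f"shortened link: {href_host}")
        if text_host and registrable(text_host) != registrable(href_host):
            findings.append(f"link text {text_host} but target {href_host}")
    return findings


def score_message(msg: dict) -> dict:
    """Return the findings and a verdict for one message.

    msg has the keys: from, claimed_org, subject, body (HTML string).
    """
    findings = []
    _, addr = parseaddr(msg["from"])
    sender_domain = addr.rpartition("@")[2]
    # Impersonation: the organisation the message claims to be from does not
    # appear in the registrable domain the message actually came from.
    org = msg["claimed_org"].lower().replace(" ", "")
    if org not in registrable(sender_domain).replace(".", ""):
        findings.append(f"claims {msg['claimed_org']} but sent from {sender_domain}")
    text = (msg["subject"] + " " + msg["body"]).lower()
    if any(w in text for w in URGENCY_WORDS):
        findings.append("urgent tone")
    if any(w in text for w in CREDENTIAL_WORDS):
        findings.append("asks for credentials or profile update")
    findings.extend(link_findings(msg["body"]))
    return {
        "score": len(findings),
        "findings": findings,
        "verdict": "phishing" if len(findings) >= PHISH_THRESHOLD else "ok",
    }


def build_samples() -> dict:
    """Constructed messages; every domain here is fictitious."""
    phish = {
        "from": "Example Bank Security <alerts@examplebank-secure.example.net>",
        "claimed_org": "Example Bank",
        "subject": "URGENT: your account will be suspended",
        "body": ('Please <a href="http://bit.ly/xyz123">log in</a> within 24 hours '
                 'at <a href="http://examplebank-secure.example.net/login">'
                 'https://www.examplebank.com</a> to verify your details.'),
    }
    legit = {
        "from": "Example Bank <notifications@examplebank.com>",
        "claimed_org": "Example Bank",
        "subject": "Your October statement is ready",
        "body": ('Your statement is available in online banking: '
                 '<a href="https://www.examplebank.com/statements">'
                 'https://www.examplebank.com/statements</a>.'),
    }
    return {"phish": phish, "legit": legit}


if __name__ == "__main__":
    for name, msg in build_samples().items():
        print(name, score_message(msg))
```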
A framework reporting the main components of a phishing attack and the relationships among them.
According to data gathered and analyzed by Atlas VPN, the number of phishing websites spiked
by 250% amid the COVID-19 quarantine (John C., 2020), with 18 million scam emails being blocked
by Google daily (Tidy, 2020), and thousands of malicious coronavirus-related websites being
created daily (John C., 2020). The attack increase is echoed by several security experts and
companies (Takahashi, 2020). However, while users’ knowledge and awareness of phishing
and security-related issues should be improved, other human factors issues should also be addressed.
For example, high-pressure workplaces (resulting in high levels of Stress) or situations with a
strong cultural influence (e.g., Norms) should be considered in the analysis, and approaches to
mitigate the risks have to be devised.
Literature reviews and surveys on phishing
The complexity and importance of phishing attacks have been demonstrated by rapidly growing
research activity that is framed in different surveys and literature reviews. Although phishing
attacks exploit social and psychological aspects of victims, most of the research is focused on
technical aspects. In the survey reported in (Almomani et al., 2013), the authors evaluated and
compared different techniques, focusing on machine learning solutions, to detect phishing emails.
In (Khonji et al., 2013), a survey on phishing mitigation techniques like detection, offensive
defense, correction, and prevention is proposed. To the best of our knowledge, that survey is the
only one that marginally covers human factors in phishing, as part of the defensive mechanisms.
However, similar to the other surveys, the emphasis is on the technical and procedural aspects. A
few literature reviews deal with the topic of human factors in cybersecurity, marginally covering
phishing attacks. For example, in (Zhang & Ghorbani, 2020) papers on human factors and their
related issues in cybersecurity and privacy are reviewed, focusing attention on big data. In
particular, human factors are analyzed by considering desktop behaviors, mobile behaviors, and
online behaviors, and security and privacy issues in daily human practices are identified and used
to propose both users’ behavioral patterns and solutions to detect abnormal, vulnerable and
malicious actions. A literature review on information security culture is presented in (Glaspie &
Karwowski, 2017); a framework summarizing human factors that contribute to the security culture
of an organization is also proposed. Human factors play a central role in phishing attacks, which
have rapidly and dramatically increased in recent years in both number and effectiveness. However,
to date, there is no publication that surveys the literature on human factors in phishing attacks;
this systematic literature review (SLR) aims to remedy this lack. Although phishing attacks are
widely recognized as among the most widespread and effective attacks and human factors play a
central role in them, the SLR revealed a lack of systematized knowledge on these topics. Existing
surveys and SLRs dealt with phishing attacks from more technical and technological perspectives.
Instead, the SLR presented in this article, through the analysis of the reviewed papers, provides
answers to different research questions, leading to highlighting the most vulnerable human errors
exploited by attackers during phishing scams (Lack of Knowledge, Lack of Resources, Lack of
Awareness, Norms, and Complacency).
According to Lena Y. et al. (2020), various efforts have been made to understand the factors that
make individuals more prone to becoming victims. Drawing upon Lifestyle Theory and Routine
Activity Theory, Agustina (2015) proposes several behavioral and environmental factors that
should, in theory at least, elevate the risk of being victimized. In practice, however, as found by
Ngo and Paternoster (2011), these theories do not hold up to empirical scrutiny. Our work differs
from these previous studies in two ways: first, we are looking not at cybercrime in general, but
specifically at ransomware attacks; secondly, this research is focused not only on individual
victims but also on organizations.
Don’t become an easy target, be careful what you reveal about your organization
Targeted attacks were more likely than opportunistic ones to lead to severe consequences in the
observed sample. This result is expected, as targeted attacks require a lot of preparation, but the
‘prize’ is much higher:
“There is a recent trend of a particular variant of ransomware called BitPaymer, which is seen as
a big problem. It seems to me to be much targeted because cybercriminals are making extremely
large demands on the businesses, which I have never seen before – £30,000 – so they are clearly
much targeted. Cybercriminals know the targets they are going after.” (Detective Sergeant, CyberTL)
Such attacks suggest that there is some kind of network reconnaissance behind them, so
cybercriminals know what company they are targeting and how much to ask for.
“Cybercriminals will say, ‘Wait there, your turnover is £400m so you can pay maybe £2m’. There
are victims out there that have paid up to £1,000,000 or even more to get the decryption key.”
(Detective Constable, CyberBR)
Clearly, such extravagant amounts would have a more severe effect on an organization than, e.g.,
the typical £300–500 ransom. In our own sample, one small IT company (VirtOrgD) was asked to
pay 75 bitcoins (approximate value £352 000 at the time of the attack), a ransom amount the
victim could not afford to pay. After intense negotiations, the hackers agreed to reduce the ransom
amount to 65 bitcoins, but it was still too high for VirtOrgD. The victim had no choice but to
recover from partial backups. In the first stages of recovery the management was not sure if the
business was going to survive this attack, as VirtOrgD was rapidly losing its customer base.
Through tremendous efforts of staff and with the help of external specialists, VirtOrgD managed
to restore its business, although, inevitably, some substantial losses occurred. Similarly, another
company (ITOrgJL) was asked to pay 100 bitcoins (approximate value of £470 000 at the time of
the attack). ITOrgJL was able to negotiate the ransom down to 15 bitcoins and effectively
recovered with a decryption key provided by the hackers. Since 2013, ransomware has evolved
considerably and become much more technically advanced and dangerous. Generation III is
substantially more of a menace than Generation II because of its greater degree of contagiousness
and ability to self-propagate across infected networks. However, we found that the propagation
class of crypto-ransomware by itself had no effect on the severity of crypto-ransomware attacks in
the observed sample. Regarding the attack target (i.e., machine vs. human), crypto-ransomware
equally impacts victims regardless of the network access method (Lena Y. et al., 2020).
CHAPTER THREE
EXISTING SOLUTIONS TO RANSOMWARE PROTECTION
3.1 EXISTING SOLUTIONS TO REDUCE HUMAN ERROR IN RANSOMWARE ATTACKS AND IN IT SECURITY IN GENERAL
In Norman’s (1983) research on cognitive engineering, “System design principles can be derived
from classes of human error” (p. 254). Norman (1983) bases his research on high-level
specifications of desired actions known as intentions. The intentions are broken down into mistakes
and slips, which were researched by Liginlal et al. (2009) and Reason (1990). By using experimental
psychology and human factors engineering to find the causal factors in an organization that cause
human error to occur, the probability of human error can be directly measured (Wood & Banks,
1993). System design and human interaction both play a role in how often human error occurs,
particularly when there is a slight mismatch between the system design and the person operating
it (Wood & Banks, 1993). One major problem with systems design is that systems are designed for
simplicity, which can lead a normally privacy-conscious person to make bad security decisions
(Bratus et al., 2008). The system design issue can be addressed through the creation of artifacts
through design science (Johannesson & Perjons, 2014). A flexible methodology created by Peffers
et al. (2007) consists of a six-step design science research methodology (DSRM). Peffers et al.
(2007) found that there was a serious lack of a DSRM in IS research even with 15 years of prior
application of DS in the IS research discipline.
According to Johannesson and Perjons (2014), design science is a study of artifacts, like many other
scientific disciplines. These artifacts are then developed to solve practical problems that people
face. In the information systems (IS) perspective, these problems involve systems and the people
that operate them. Design science utilizes both qualitative and quantitative research methodologies,
according to Johannesson and Perjons (2014). According to Maher (2011), even though design is
a complicated and complex process that includes formulation, synthesis, and analysis, the results
can bring value to the processes and design. Some of the values in design sciences, according to
Niiniluoto (2014), are anecdotal conditions for actions. According to Niiniluoto (2014), design
science is based on the 19th-century application of applied arts (industrial design) and design
research based on Simon (1996). Some of the world’s greatest minds, da Vinci and Aristotle,
employed some sort of design science in their time (Niiniluoto, 2014). This research points out
some existing attacks and ways to prevent them:
3.1.2 Tackling phishing with signal-sharing and machine learning by Microsoft
On December 19, 2018, the Microsoft Defender Security Research Team reported that, across services
in Microsoft Threat Protection, the correlation of security signals enhances the comprehensive and
integrated security for identities, endpoints, user data, cloud apps, and infrastructure. The company's
leading visibility into the entire attack chain translates to enriched protection that's evident in many
different attack scenarios, including flashy cyberattacks, massive malware campaigns, and
even small-scale, localized attacks.
Phishing is another area where this protection has proven effective. While phishing attacks have
been part of the daily hum of cybercriminal activity for years, they remain some of the most
prevalent threats to this day. Specialized machine learning-based detection algorithms in Windows
Defender ATP zero in on non-executable file types like scripts and document files typically used
for phishing and other social engineering attacks. These file type-specific classifiers are part of the
metadata-based ML models that can make a verdict on suspicious files within a fraction of a
second.
Recently, anomaly detection algorithms in the Windows Defender ATP next-generation
protection pointed to multiple PDF files that only Microsoft detects. These malicious PDF files
were blocked by machine learning models that assimilate signals from other components of our
protection stack, exemplifying how comprehensive telemetry, signal-sharing, and machine
learning allow Microsoft to deliver best-in-class security.
One of several PDF files that only Microsoft was detecting (as Trojan:PDF/Sonbokli.A!cl) at the
time it was first observed (Source: https://www.virustotal.com/)
Machine learning-based detection of malicious PDF files used for phishing
Windows Defender ATP uses multiple layers of machine learning models to correctly identify
malicious content. Most attacks are caught by the first few layers, which swiftly make a verdict
and protect customers at first sight during the early stages of attacks. More sophisticated attacks
may need the more complex classifiers in further layers, which take more time but make sure
additional protections catch attacks that evade the first, faster classifiers.
Multiple layers of machine learning in Windows Defender ATP
To catch malicious PDF files that are used for phishing and other cyberattacks, we built and
continuously train machine learning classifiers that are designed to catch malware using this
specific file type. These classifiers inspect file metadata for malicious characteristics and content.
These classifiers regularly catch PDF files used for phishing.
Typical malicious PDF files used for phishing (1) spoof a popular brand, app, or service, (2)
contain a link to a phishing page, and (3) have the familiar social engineering techniques to
convince recipients to click the link.
Enrichment with URL and domain reputation
Through the Microsoft Intelligent Security Graph, we enrich this detection algorithm with URL
and domain reputation intelligence from Windows Defender SmartScreen, the technology that
powers the anti-phishing technology in Microsoft Edge, as well as the Network
protection capability in Windows Defender ATP.
Windows Defender ATP queries URL and domain reputation in real time, so any PDF file that
contains a known malicious domain or URL is detected by Windows Defender ATP.
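The layered verdict and reputation enrichment described above, as an added example in Python that is not Microsoft's code: a cheap reputation lookup on every link embedded in a PDF runs first, and only files it cannot resolve reach a slower content classifier that scores the three phishing-PDF traits listed earlier (spoofed brand, lure text, a link to click). The blocklist, brand list, lure phrases and the sample PDF bytes are constructed placeholders, and the regex-based extraction assumes uncompressed PDF streams, which is an assumption a production parser would not make.

```python
"""Layered phishing-PDF classifier with URL/domain reputation enrichment.

Added illustration of the approach described above; it is not Microsoft's
code. The blocklist, brand list and lure phrases are constructed samples.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed reputation feed standing in for a SmartScreen-style URL/domain
# reputation service (placeholder domains, not a real blocklist).
KNOWN_MALICIOUS_DOMAINS = {"login-secure-update.example", "invoice-portal.example"}
# Brands commonly spoofed in phishing lures (constructed sample list).
SPOOFED_BRANDS = ("paypal", "microsoft", "dropbox", "docusign")
# Social-engineering phrases typical of lure text (constructed sample list).
LURE_PHRASES = ("verify your account", "click here", "account suspended", "urgent")

# In an uncompressed PDF, link actions appear as "/URI (...)" and page text as
# "(...) Tj" inside content streams. Production code must inflate compressed
# streams and walk the object tree; a regex over raw bytes is enough here.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
TEXT_RE = re.compile(rb"\(([^)]*)\)\s*Tj")


@dataclass
class Verdict:
    malicious: bool
    layer: str                      # which layer produced the verdict
    reasons: List[str] = field(default_factory=list)


def extract_uris(pdf_bytes: bytes) -> List[str]:
    """All link targets embedded in the file."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def extract_text(pdf_bytes: bytes) -> str:
    """Visible page text, lower-cased for matching."""
    return " ".join(m.group(1).decode("latin-1")
                    for m in TEXT_RE.finditer(pdf_bytes)).lower()


def reputation_layer(uris: List[str]) -> Optional[Verdict]:
    """Layer 1 (fast): look every embedded link up in the reputation feed."""
    for uri in uris:
        host = (urlparse(uri).hostname or "").lower()
        if host in KNOWN_MALICIOUS_DOMAINS:
            return Verdict(True, "reputation", [f"known malicious domain: {host}"])
    return None                     # no verdict: fall through to the slower layer


def heuristic_layer(pdf_bytes: bytes, uris: List[str]) -> Verdict:
    """Layer 2 (slower): score the three traits of a phishing PDF listed above:
    brand spoofing, social-engineering text and a link to click."""
    text = extract_text(pdf_bytes)
    reasons = []
    if any(brand in text for brand in SPOOFED_BRANDS):
        reasons.append("spoofs a popular brand")
    if any(phrase in text for phrase in LURE_PHRASES):
        reasons.append("social-engineering lure text")
    if any(urlparse(u).scheme in ("http", "https") for u in uris):
        reasons.append("contains an external link")
    return Verdict(len(reasons) == 3, "heuristic", reasons)


def classify_pdf(pdf_bytes: bytes) -> Verdict:
    """Run the cheap layer first; only unresolved files reach the costly one."""
    uris = extract_uris(pdf_bytes)
    verdict = reputation_layer(uris)
    return verdict if verdict is not None else heuristic_layer(pdf_bytes, uris)


def build_sample_pdf(page_text: str, link: Optional[str]) -> bytes:
    """Construct a minimal PDF-like byte string for offline testing.
    It mimics the syntax the regexes look for; it is not a viewer-ready PDF."""
    body = b"%PDF-1.4\n1 0 obj << /Type /Page >> endobj\n"
    body += (b"2 0 obj << /Length 0 >> stream\nBT (" + page_text.encode("latin-1")
             + b") Tj ET\nendstream endobj\n")
    if link:
        body += (b"3 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI ("
                 + link.encode("latin-1") + b") >> >> endobj\n")
    return body + b"%%EOF\n"


if __name__ == "__main__":
    for text, link in [("Quarterly report", "https://login-secure-update.example/x"),
                       ("PayPal: verify your account", "https://fresh-domain.example/login"),
                       ("Meeting agenda", "https://intranet.example/agenda")]:
        v = classify_pdf(build_sample_pdf(text, link))
        print(f"{text!r}: malicious={v.malicious} layer={v.layer} reasons={v.reasons}")
```

The ordering is the point: a file whose link hits the reputation feed never pays for the content scan, while a lure hosted on a domain the feed has not seen yet is still caught by the slower layer, which is the "first sight" behaviour the passage describes.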
Enriching detection with URL and domain reputation
That is how Windows Defender ATP blocked several PDF files that no other antivirus solution
knew were malicious at first sight.
Sample malicious PDF files blocked by detection algorithms aided by URL and domain reputation
Enrichment with Office 365 ATP intelligence
Windows Defender ATP also integrates with Office 365 ATP. This integration provides rich optics
into threats like PDF files that are commonly distributed via email. When Office 365 ATP detects
a suspicious file or URL in emails, it uses a detonation platform, heuristics, and machine learning
to make a verdict. This verdict is shared to other services in Microsoft Threat Protection.
In the case of PDF files, signals from Office 365 ATP enhance Windows Defender ATP's
capability to detect and block malicious PDF files on endpoints at first sight, even if they arrive
through some other means or if they are observed in environments that don't use Office 365 ATP.
Enriching detection with URL and domain reputation and with Office 365 ATP intelligence
What happened to Kaspersky?
Kaspersky is an Editors' Choice in the antivirus realm, as is Kaspersky Internet Security in the
security suite arena. Kaspersky's malware-fighting technology routinely earns perfect or near-perfect
scores from independent antivirus testing labs around the world. This roundup used to
include both products.
For years, Kaspersky has faced accusations and censure based on its Russian origins, though none
of the accusations have come backed by hard evidence of malicious behavior. The current war in
Ukraine has raised the stakes. Governments and third parties are cutting ties with Kaspersky. The
FCC labeled Kaspersky a national security risk.
CHAPTER FOUR
GAP IN EXISTING SOLUTION
4.1
GAPS IN EXISTING SOLUTION TO REDUCE HUMAN ERROR AS A FORM OF
RANSOMWARE ATTACK
The gaps in existing solutions to reduce human error as a form of ransomware attack are lack of
knowledge, lack of resources, lack of awareness, norms, and complacency. There are existing
solutions for reducing human error as a form of ransomware attack; below are some platforms
that help protect end-users and organizations from ransomware attacks.
Table Showing the Existing Platforms, Pros and Cons

Existing platform: Broadcom
About the Platform: Broadcom is a security software suite that consists of anti-malware, intrusion prevention and firewall features for server and desktop computers.
Pros: CA PPM is for all types of employees with busy schedules or who cannot work in the office at a certain time. Supports Scrum, Kanban, and other Agile frameworks. It's very important for a PPM tool because Agile Transformation is the top trend; every PPM tool has to work with both frameworks. CA Clarity's analysis functions are impressive, and give the best clean graphic representations depending on your data. The software, overall, is very feature-rich. Allows users to provide the right amount of detail within the stories and acceptance criteria, from tasks to stories and stories to features.
Cons: It requires too much effort to link stories to features; it's too hard to see the details and requires too much effort to do that. Because it is a feature-rich tool, learning the tool took a while, so training must do so as well. The features are all a little bit hidden; it would be better to improve the UI with UX. License cost is quite high as compared with other tools.

Existing platform: KnowBe4
About the Platform: KnowBe4 is known as the world's first and largest security awareness training and simulated phishing platform that helps manage the ongoing social engineering problem.
Pros: KnowBe4 gets to tell the percentages of users who click on links and who don't click on links. KnowBe4 gets an overall score or risk score from them. It's already deployed in the cloud, and you don't have to install anything. You just upload your users to the cloud and tweak something if needed.
Cons: Instead of making users go through a video and then asking questions, it could have a video where they click on the scenarios and have to make decisions. It could maybe have something like a live simulation; it would be nice for users. Despite the different languages, there are no Ukrainian and Russian languages.

Existing platform: Cofense
About the Platform: Cofense delivers the technology and advanced insight needed to rapidly detect, analyze and auto-quarantine phishing attacks.
Pros: Cofense is email security that eliminates BEC and ransomware.
Cons: Is email security only.

Existing platform: Sophos
About the Platform: Sophos is primarily focused on providing security software to 10- to 5,000-seat organizations.
Pros: Sophos develops products for communication endpoint, encryption, network security, email security, mobile security, and unified threat management.
Cons: Sophos does not simulate attacks and also does not provide awareness training.

Existing platform: Hook Security
About the Platform: Hook Security is a company that uses psychological security training to help companies create a security-aware culture.
Pros: Hook Security provides the toolkit for any company to create a healthy security-aware culture.
Cons: Hook Security only performs training on how to spot a phishing attack.

Existing platform: Barracuda PhishLine
About the Platform: Barracuda PhishLine is an email security awareness and phishing simulation solution designed to protect organizations against targeted phishing attacks.
Pros: The software helps create emails that look exactly or almost exactly the same as the phishing emails we found in our email gateway. With the ESS gateway from Barracuda Networks, and in the TEP bundle, this software is included, so it's not that much work to also configure this.
Cons: The software is rather difficult to work with. Lots of options are a little bit "hidden" and are difficult to find. Lots of URLs are blacklisted sometimes; users are kept in the loop, but changing to other URLs that are not blacklisted is very resource-intensive.

Existing platform: Ironscales
About the Platform: Ironscales is a platform that enables business security teams and employees through multi-layered self-learning threat simulation and training.
Pros: The report function through Gmail is probably the most valuable feature. The next most valuable features are simulation and training.
Cons: The integration with Google Suite needs to be better. IRONSCALES has no reminder mechanism.

Existing platform: Proofpoint
About the Platform: Proofpoint is a cloud-based training platform that simulates threat scenarios (e.g. phishing) and also provides assessment testing developed by Wombat Technologies, which was acquired by Proofpoint in March 2018.
Pros: Short, quick, easy training videos. Phish alarm reporting capabilities are excellent. Reporting makes it easy to report metrics on education.
Cons: Integrating reporting from other modules would be helpful. Auto-enrollment is not supported for clicks on data entry and attachment campaigns. Does not translate any custom templates or emails.

Existing platform: Rapid 7
About the Platform: The Insight Platform gives protectors the tools and clarity they need to assess their attack surface, detect suspicious behavior, and respond.
Pros: Allows users to customize my dashboard with different widgets and different heat maps.
Cons: The main functionality of identifying endpoints that weren't properly patched or had vulnerabilities is the solution's most valuable feature.

Existing platform: PhishLabs
About the Platform: IT Services and IT Consulting. Digital Risk Protection through curated threat intelligence and complete mitigation.
Pros: PhishLabs provides external threat intelligence, incident response, and security awareness training solutions that mitigate digital risks.
Cons: The technical direction was somewhat reactionary when I worked there, and visionary.
This research has pointed out that there are existing platforms that help in detecting ransomware
attacks using phishing links, and some of these platforms provide external threat intelligence, incident
response, and security awareness training solutions that mitigate digital risks, at a high cost for
using their premium version. Some platforms do not translate any custom templates or emails, while
others have a user interface that is difficult for end-users to navigate. This research intends to provide an
automated platform that will report to the security team when a staff member clicks on a malicious
link, identify the particular staff member who clicked on the link, and also identify the type of attack
that the malicious link is about to perform. It will provide a friendly user interface, tell the percentages
of users who click on links and who don't click on links, and offer its premium version at a low cost.
The aim of this research is to make the world a more secure place by providing powerful tools that send
random phishing templates at random times during business hours over a 24-hour period, including
weekends, because staff can be asked to work from home; this sending of simulated phishing attacks is
to test their knowledge of how to identify malicious links. The other tool is Community Templates, where
customers can share successful phishing templates with their peers. This research intends to provide
security awareness training that goes from the lunchroom to the boardroom, and to update users on
newly detected malicious attacks.
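The click reporting the proposed platform describes, as an added example in Python that is not code from this project: it parses simulation events, computes the percentages of users who clicked and did not click per template and overall, and raises an alert for the security team naming the staff member, the template and the type of attack the lure stands for. The event lines, the user and template names, and the template-to-attack-type map are all constructed assumptions.

```python
"""Phishing-simulation click reporting for the security team.

Added illustration of the reporting the proposed platform describes; it is
not code from this project. The event lines and the template-to-attack map
are constructed samples.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed simulation events, one per delivery or user action:
# "<timestamp> template=<id> user=<id> event=<sent|clicked|submitted|reported>"
SAMPLE_EVENTS = """\
2023-01-09T09:05:00Z template=invoice-overdue user=alice event=sent
2023-01-09T09:05:00Z template=invoice-overdue user=bob event=sent
2023-01-09T09:05:00Z template=invoice-overdue user=carol event=sent
2023-01-09T09:12:31Z template=invoice-overdue user=bob event=clicked
2023-01-09T09:20:10Z template=invoice-overdue user=alice event=reported
2023-01-14T11:00:00Z template=password-reset user=alice event=sent
2023-01-14T11:00:00Z template=password-reset user=bob event=sent
2023-01-14T11:00:00Z template=password-reset user=dave event=sent
2023-01-14T11:03:44Z template=password-reset user=dave event=clicked
2023-01-14T11:04:02Z template=password-reset user=dave event=submitted
"""

# Constructed mapping from simulation template to the attack a real lure of
# that kind would carry; this is what the alert reports as the attack type.
TEMPLATE_ATTACK_TYPE = {
    "invoice-overdue": "malicious attachment / ransomware dropper",
    "password-reset": "credential harvesting",
}


def parse_events(text: str) -> List[Dict[str, str]]:
    """Turn 'ts key=value key=value' lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": ts}
        for f in fields:
            key, _, value = f.partition("=")
            rec[key] = value
        events.append(rec)
    return events


def _pct(part: int, whole: int) -> float:
    """Percentage rounded to one decimal; 0.0 when nothing was sent."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def build_report(events: List[Dict[str, str]]) -> Dict:
    targeted, clicked = defaultdict(set), defaultdict(set)
    submitted, reported = defaultdict(set), defaultdict(set)
    alerts = []
    for e in events:
        t, u = e["template"], e["user"]
        if e["event"] == "sent":
            targeted[t].add(u)
        elif e["event"] == "clicked":
            clicked[t].add(u)
            # One alert per click so the security team knows who and what.
            alerts.append({"user": u, "template": t, "ts": e["ts"],
                           "attack_type": TEMPLATE_ATTACK_TYPE.get(t, "unknown"),
                           "severity": "medium"})
        elif e["event"] == "submitted":
            submitted[t].add(u)
        elif e["event"] == "reported":
            reported[t].add(u)
    # A click followed by data entry on the landing page is the worse outcome.
    for a in alerts:
        if a["user"] in submitted[a["template"]]:
            a["severity"] = "high"
    per_template = {}
    for t, users in targeted.items():
        c = len(clicked[t] & users)
        per_template[t] = {"targeted": len(users), "clicked": c,
                           "click_pct": _pct(c, len(users)),
                           "no_click_pct": _pct(len(users) - c, len(users)),
                           "reported": len(reported[t] & users)}
    all_users = set().union(*targeted.values())
    clickers = set().union(*clicked.values()) & all_users
    overall = {"users": len(all_users), "clickers": sorted(clickers),
               "click_pct": _pct(len(clickers), len(all_users)),
               "no_click_pct": _pct(len(all_users) - len(clickers), len(all_users))}
    return {"overall": overall, "per_template": per_template, "alerts": alerts}


if __name__ == "__main__":
    report = build_report(parse_events(SAMPLE_EVENTS))
    print("overall:", report["overall"])
    for name, stats in report["per_template"].items():
        print(f"{name}: {stats}")
    for a in report["alerts"]:
        print(f"ALERT [{a['severity']}] {a['user']} clicked {a['template']} "
              f"({a['attack_type']}) at {a['ts']}")
```

Percentages are computed over distinct users rather than deliveries, which is what the "users who click / don't click" figure in the text refers to; counting deliveries would let one user who clicks every lure dominate the number.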
CHAPTER FIVE
SUMMARY, CONCLUSION AND RECOMMENDATION
5.1
SUMMARY
According to Reason (2019), in trying to find the causal factors in an organization that cause
human error to occur, experimental psychology and human factors engineering can be used to
measure the probability of human error directly (Wood & Banks, 2021). System design and
human interaction both play a role in how often human error occurs, particularly when there is a
slight mismatch between the system design and the person operating it (Wood & Banks, 2020).
One major problem with systems design is that systems are designed for simplicity, which can lead a
normally privacy-conscious person to make bad security decisions (Bratus et al., 2018). This
chapter has pointed out that there are existing solutions and also that there are gaps in the existing
solutions to reduce human error as a form of ransomware attack. Lack of knowledge, lack of resources,
lack of awareness, norms, and complacency are some of the gaps the research intends to amend.
The main goal of this research study is to employ an awareness platform to educate organizations
and end-users about ransomware attacks via phishing links, and also to use the platform to communicate
with users about recent attacks and possible ways to mitigate them; lastly, this study will keep users
updated on newly detected scams and how to mitigate them.
5.2 CONCLUSION
The very first step in defense against ransomware attacks is to try to prevent them. Understanding
how the infection takes place will allow the development of strategies to prevent the ransomware from
entering the system. People are always the weakest link in the security chain and remain the biggest
threat. Human error is the first cause of infection. The users should be informed and trained about
the risks of opening attachments, visiting unknown websites, and downloading suspicious software.
However, even well-trained users do make mistakes, which lead to infection. As spam emails are
the widely used infection vector, email-filtering services need to be put in place to block
malicious emails even before they reach the users. Emails should be scanned at endpoints to ensure
that malicious content or JavaScript present within the email is blocked. Finally, one useful
way to recover from a ransomware attack, or for that matter any other kind of malware infection, is
to have a good backup stored on an external device. Maintaining regular backups will enable the
user to restore from the point just before the infection happened. It is very important to remove the
external device once the backup is finished so as to prevent the ransomware from infecting this
backup. If backups are taken at regular intervals, the systems can be restored with little data loss.
5.3
RECOMMENDATION
Cybersecurity and data protection require human buy-in. Otherwise, human error will
negate defense-in-depth technology. Addressing the human element of data security requires the
following steps.
Cybersecurity awareness training: Training and awareness programs introduce the tenable
prospect of threats into your employees' working lives. These programs often provide real-time
simulations that demonstrate what a threat can look like and how employees can react. These,
however, are not a 'one and done' deal. Organizations must commit to the continuous education of
the workforce, because the threat landscape doesn't stop evolving when your employees'
cybersecurity training is done. Admittedly this type of program takes time and resources, but it
can be as simple as a 10-minute commitment a few times a month.
Access rights and privileges: Employees might want continuous access to all of the organization's
files; this is a dangerous proposition. By implementing and maintaining policies that restrict file access,
you can prevent data theft from the inside. Proactively offer employees access to the files they
need to do their jobs well. When employees require access to new files, set a limit on the time they
may access these files. File management systems provide these privacy settings, so this level of
regulation is accessible to businesses of all sizes.
Require regular data backups: Encouraging employees to regularly back up their data can
prevent data loss when disaster strikes. While this may be a hard policy to enforce while employees
are working remotely, it remains a best practice. In many instances, devices can be set to back up
to the cloud automatically. When relying on cloud storage, remember that ransomware can take
control of cloud services. Any data stored in the cloud should also be backed up to an external hard
drive from time to time. Data backups ensure that a business can continue to operate, even if
resources are taken offline by a ransomware attack.
Encourage good cyber hygiene: Out-of-date or unpatched software can offer attackers
a gateway into the organization. Encourage employees to update the software on their devices and to
enable all available security features, such as firewalls and anti-malware. It's an easy form of
prevention and an important defensive layer.
REFERENCE
Almomani, A., Gupta, B.B., Atawneh, S., & Meulenberg, A., 2013. A Survey of Phishing Email
Filtering Techniques. IEEE Communications Surveys Tutorials 15, 4 (2013), 2070–
2090. https://doi.org/10.1109/SURV.2013.030713.00020
AH, A.K., CC, Y.Y., Ping, M., Zahra, F. (2021). Cybersecurity Issues and Challenges during
COVID-19 Pandemic. Available online: https://cyber-trust.eu/2021/01/07/cybersecurity-challenges-during-the-covid-19-pandemic/ (accessed on 7 July 2022).
Ahmed, M., Sharif, L., Kabir, M., & Al-Maimani, M. (2012). Human errors in information
security. International Journal of Advanced Trends in Computer Science and
Engineering, 1(3), 82–87.
Agustina JR. Understanding cyber victimization: digital architectures and the disinhibition effect.
Int J Cyber Criminol 2015;9:35–54
Aurangzeb, S., Aleem, M., Iqbal, M.A., & Islam, M.A. (2017). Ransomware: A survey and trends.
J. Information Assurance Security 2017, 6, 48–58.
Bajpai, P., Sood, A.K., & Enbody, R., (2018). A key-management-based taxonomy for
ransomware. In Proceedings of the 2018 APWG Symposium on Electronic Crime
Research (eCrime), San Diego, CA, USA, 15–17 May 2018; pp. 1–12
Barlow, J. B., Warkentin, M., Ormond, D., & Dennis, A. R. (2013). Don't make excuses!
Discouraging neutralization to reduce IT policy violation. Computers & Security, 39,
145–159. https://doi.org/10.1016/j.cose.2013.05.006
Bodkhe, U., Tanwar, S. (2021). Secure data dissemination techniques for IoT applications:
Research challenges and opportunities. Software Practice Exp. 2021, 51, 2469–2491
Chiew Kang Leng, Kelvin Sheng Chek Yong, and Choon Lin Tan. 2018. A survey of phishing
attacks: Their types, vectors and technical approaches. Expert Systems with
Applications 106 (2018), 1 – 20. https://doi.org/10.1016/j.eswa.2018.03.050
Dean Takahashi. 2020. Unit 42: Phishing attacks are thriving during the pandemic.
https://venturebeat.com/2020/04/14/unit-42-phishing-attacksare-thriving-duringthe-pandemic/
Elizabeth Montalbano. 2020. Top Email Protections Fail in Latest COVID-19 Phishing Campaign.
https://threatpost.com/top-email-protections-failcovid-19-phishing/154329/
Elmer EH Lastdrager. 2014. Achieving a consensual definition of phishing based on a systematic
review of the literature. Crime Science 3, 1 (2014). https://doi.org/10.1186/s40163014-0009-y
Emm, D., (2008). Cracking the code: The history of Gpcode. Computer. Fraud. Security. 2008,
2008, 15–17.
Evans, M. G., He, Y., Yevseyeva, I., & Janicke, H. (2019). Published incidents and their
proportions of human error. Information & Computer Security, 27(3).
https://doi.org/10.1108/ICS-12-2018-0147
French, S., Bedford, T., Pollard, S. J., & Soane, E. (2011). Human reliability analysis: A critique
and review for managers. Safety Science, 49(6), 753–763.
https://doi.org/10.1016/j.ssci.2011.02.008
Gcaza, N., & von Solms, R. (2017). Cybersecurity culture: An ill-defined problem. Proceedings
from IFIP World Conference on Information Security Education (pp. 98-109).
https://doi.org/10.1007/978-3-319-58553-6_9
Genç, Z.A., Lenzini, G., & Ryan, P. (2017). The Cipher, the Random and the Ransom: A Survey
on Current and Future Ransomware. In Advances in Cybersecurity; University of
Maribor Press: Maribor, Slovenia, 2017.
Goode, J., Levy, Y., Hovav, A., & Smith, J. (2018). Expert assessment of organizational
cybersecurity programs and development of vignettes to measure cybersecurity
countermeasures awareness. Online Journal of Applied Knowledge Management,
6(1), 67–80. https://doi.org/10.36965/OJAKM.2018.6(1)67-80
Gordon Dupont. 1997. The Dirty Dozen Errors in Maintenance. In 11th Meeting on Human Factors
in Aviation Maintenance and Inspection
Hathaliya, J.J., Tanwar, S., Tyagi, S., & Kumar, N. (2019) Securing electronics healthcare records
in Healthcare 4.0: A biometric-based approach. Computer Electronic Engineering
2019, 76, 398–410.
Henry W Glaspie & Waldemar Karwowski. 2017. Human Factors in Information Security Culture:
A Literature Review. In Int. Conf. on Applied Human Factors and Ergonomics.
Springer, 269–280. https://doi.org/10.1007/978-3-319-60585-2_25
Hernandez-Castro, J., Cartwright, E., & Stepanova, A., (2017). Economic Analysis of
Ransomware. SSRN Electron. J. 2017, 1–14
Human Factors Ergonomics Society. 2021. Human Factors and Ergonomics Society - Technical
Groups. https://www.hfes.org/Connect/TechnicalGroups. Accessed: 2021-06-10.
IBM Security Services 2014 Cyber Security Intelligence Index. Online. Available:
https://media.scmagazine.com/documents/82/ib
m_cyber_security_intelligenc_20450.pdf
Joe Tidy. 2020. Google blocking 18m coronavirus scam emails every day.
https://www.bbc.com/news/technology-52319093
John C. 2020. Google Registers a 350% Increase in Phishing Websites Amid Quarantine.
https://atlasvpn.com/blog/google-registers-a-350-increasein-phishing-websitesamid-quarantine Accessed: 2021-07-07.
Kalaimannan, E., John, S., DuBose, T., & Pinto, A. (2016). Influences on ransomware’s evolution
and predictions for the future challenges. J. Cyber Security Technology. 2016, 1, 1–
9. [CrossRef]
Kok, S., Abdullah, A., Jhanjhi, N., Supramaniam, M. (2019). Ransomware, threat and detection
techniques: A review. Int. J. Comput. Sci. Netw. Secur. 2019, 19, 136
Khonji, M., Iraqi, M., & Jones, A., 2013. Phishing Detection: A Literature Survey. IEEE
Communications Surveys Tutorials 15, 4 (2013), 2091–2121.
https://doi.org/10.1109/SURV.2013.032213.00009
Koyon, A., & Janabi, E. (2017, June 6). Social engineering attacks - JMEST. Retrieved October
26, 2021, from https://www.jmest.org/wpcontent/uploads/JMESTN42352270.pdf.
Kraemer, S., & Carayon, P. (2007). Human errors and violations in computer and information
security: The viewpoint of network administrators and security specialists. Applied
Ergonomics, 38(2), 143–154. https://doi.org/10.1016/j.apergo.2006.03.010
Lena Y. C., David S., Wall., Michael L., & Bruce O., 2020. An empirical study of ransomware
attacks on organizations: an assessment of severity and salient factors affecting
vulnerability. Journal of Cybersecurity, 2020, 1–18 doi: 10.1093/cybsec/tyaa023
(accessed July 9,2022.)
Lee, J.K., Moon, S.Y., & Park, J.H., (2017) CloudRPS: A cloud analysis based enhanced
ransomware prevention system. J. Supercomput. 2017, 73, 3065–3084
Maennel, K., Mäses, S., & Maennel, O., (2018). Cyber Hygiene: The Big Picture. In Proceedings
of the 23rd Nordic Conference, NordSec 2018, Oslo, Norway, 28–30 November
2018; pp. 291–305.
Mansfield-Devine, S., (2016). Ransomware: taking businesses hostage. Netw. Secur. 2016, 2016,
8–17.
Ngo F.T., & Paternoster R. Cybercrime victimization: an examination of Individual and situational
level factors. Int J Cyber Criminol 2011;5: 773–93
Oz, H., Aris, A., Levi, A., & Uluagac, A.S. (2021). A Survey on Ransomware: Evolution,
Taxonomy, and Defense Solutions. arXiv 2021, arXiv:2102.06249
Pollini, A., Callari, T. C., Tedeschi, A., Ruscio, D., Save, L., Chiarugi, F., & Guerri, D. (2021).
Leveraging human factors in cybersecurity: An integrated methodological approach.
Cognition, Technology & Work, 1-20. https://doi.org/10.1007/s10111- 021-00683-y
Rasmussen, J. (1983). Skills, rules, and knowledge; signals, signs, and symbols, and other
distinctions in human performance models. IEEE transactions on systems, man, and
cybernetics, 3, 257–266. https://doi.org/10.1109/TSMC.1983.6313160
Reason, J. (1990). Human error. Cambridge, UK: Cambridge University Press.
Salahdine, F., & Kaabouch, N. (2019). Social Engineering Attacks: A Survey. Future Internet
2019, 11, 89. https://www.mdpi.com/1999-5903/11/4/89/html
Salvi, M.H.U., & Kerkar, M.R.V., (2016). Ransomware: A cyber extortion. Asian J. Converg.
Technol. (AJCT) 2016, 2, 1–6
Savage, K., Coogan, P., & Lau, H., (2015) The Evolution of Ransomware; Symantec: Mountain
View, CA, USA, 2015.
Shetty, D. (2017). Social Engineering - The Human factor. Retrieved October 26, 2021, from
https://www.exploit-db.com/docs/english/18135-social-engineering---thehumanfactor.pdf.
Simmons, G.J., (1979). Symmetric and asymmetric encryption. ACM Computer Surveillance
(CSUR) 1979, 11, 305–330.
Siponen, M., & Vance, A. (2010). Neutralization: new insights into the problem of employee
information systems security policy violations. MIS Quarterly, 487– 502.
https://doi.org/10.2307/25750688
Sood, A.K., & Enbody, R.J. (2011) Malvertising–exploiting web advertising. Comput. Fraud.
Security. 2011, 2011, 11–16.
Sophos. (2020). The State of Ransomware 2020. Available online: https://www.sophos.com/enus/medialibrary/Gated-Assets/whitepapers/sophos-the-state-of-ransomware-2020wp.pdf (accessed on 6 July 2022).
Stanton, J. M., Stam, K. R., Mastrangelo, P., & Jolton, J. (2005). Analysis of end user security
behaviors. Computers & Security, 24(2), 124–133.
https://doi.org/10.1016/j.cose.2004.07.001
Tailor, J.P., & Patel, A.D. (2017). A comprehensive survey: Ransomware attacks prevention,
monitoring and damage control. Int. J. Res. Sci. Innov 2017, 4, 116–121.
Tandon, A., & Nayyar, A. (2019). A comprehensive survey on ransomware attack: A growing
havoc cyberthreat. In Data Management, Analytics and Innovation; Springer:
Singapore , 2019; pp. 403–420.
The Hackers News (2022) technique to uncover anonymized ransomware sites on Dark Web.
Online. Available: https://thehackernews.com/2022/07/researchers-share-techniques-touncover.html (accessed on 8 July. 2022)
Tischer, M., Durumeric, Z., Foster, S., Duan, S., Mori, A., Bursztein, E., & Bailey, M. (2016).
Users Really Do Plug in USB Drives They Find. In Proceedings of the 2016 IEEE
Symposium on Security and Privacy (SP), San Jose, CA, USA, 23–26 May 2016; pp.
306–319
Ung, S. T., & Shen, W. M. (2011). A novel human error probability assessment using fuzzy
modeling. Risk Analysis: An International Journal, 31(5), 745–757.
https://doi.org/10.1111/j.1539-6924.2010.01536.x
Vance, A., & Siponen, M. T. (2012). IS security policy violations: A rational choice perspective.
Journal of Organizational and End User Computing, 24(1), 21–41.
https://doi.org/10.4018/joeuc.2012010102
Xichen Zhang & Ali A Ghorbani. 2020. Human Factors in Cybersecurity: Issues and Challenges
in Big Data. In Security, Privacy, and Forensics Issues in Big Data. IGI Global, 66–
96. https://doi.org/10.4018/978-1-5225-9742-1.ch003
Yassein, M.B., Aljawarneh, S., Qawasmeh, E., Mardini, W., & Khamayseh, Y., (2017)
Comprehensive study of symmetric key and asymmetric key encryption algorithms.
In Proceedings of the 2017 International Conference on Engineering and Technology
(ICET), Antalya, Turkey, 21–24 August 2017; pp. 1–7