Stress and Covid Exploration Server

Warning: this site is under development!
Warning: this site is generated by automated means from raw corpora.
The information is therefore not validated.

Redefining the Approach to Cybersecurity

Internal identifier: 000024 (Pmc/Corpus); previous: 000023; next: 000025

Authors: Isabella Corradini

RBID : PMC:7189027

Abstract

One of the most critical issues in cybersecurity is represented by social engineering attacks. These threats have been known for years, but it is very difficult to handle them effectively, because they are strictly related to human nature. Social engineering is not just a phishing email; indeed, it is possible to distinguish several forms of attack which combine different elements, from human to social to physical and technological. According to a psychological point of view, social engineering is a powerful means of gaining information exploiting individuals’ weaknesses. Moreover, due to the mechanisms of persuasion, widely studied in literature, it is easy to imagine how complicated the management of this threat is. Appropriate training of employees, especially of key roles of the company, can be an effective antidote to social engineering. Given the current scenario and the future perspective in cybersecurity, it is clear that the approach used to manage cybersecurity requires a radical change. Currently, the preferred cybersecurity strategy is still based on technological solutions, without brilliant results, since cyberthreats keep growing. Many are convinced that Artificial Intelligence (AI) will be an opportunity for managing cybersecurity; whether true or not, it is however evident that AI has also the power to generate new threats and to strengthen the existing ones. Therefore, we should be very prudent when technologies are presented as a miracle solution for cybersecurity problems. The starting point is that technology has to be deployed under full human control. Then, critical thinking is needed to develop alternatives to improve the current approach to cybersecurity. In short, we need to develop a multidisciplinary vision of cybersecurity, involving other disciplines and assuming different perspectives.


DOI: 10.1007/978-3-030-43999-6_3
PubMed: NONE
PubMed Central: 7189027

Links to Exploration step

PMC:7189027

The document in XML format

<record>
<TEI>
<teiHeader>
<fileDesc>
<titleStmt>
<title xml:lang="en">Redefining the Approach to Cybersecurity</title>
<author>
<name sortKey="Corradini, Isabella" sort="Corradini, Isabella" uniqKey="Corradini I" first="Isabella" last="Corradini">Isabella Corradini</name>
<affiliation>
<nlm:aff id="Aff3">Themis Research Center, Rome, Italy</nlm:aff>
</affiliation>
</author>
</titleStmt>
<publicationStmt>
<idno type="wicri:source">PMC</idno>
<idno type="pmc">7189027</idno>
<idno type="url">http://www.ncbi.nlm.nih.gov/pmc/articles/PMC7189027</idno>
<idno type="RBID">PMC:7189027</idno>
<idno type="doi">10.1007/978-3-030-43999-6_3</idno>
<idno type="pmid">NONE</idno>
<date when="2020">2020</date>
<idno type="wicri:Area/Pmc/Corpus">000024</idno>
<idno type="wicri:explorRef" wicri:stream="Pmc" wicri:step="Corpus" wicri:corpus="PMC">000024</idno>
</publicationStmt>
<sourceDesc>
<biblStruct>
<analytic>
<title xml:lang="en" level="a" type="main">Redefining the Approach to Cybersecurity</title>
<author>
<name sortKey="Corradini, Isabella" sort="Corradini, Isabella" uniqKey="Corradini I" first="Isabella" last="Corradini">Isabella Corradini</name>
<affiliation>
<nlm:aff id="Aff3">Themis Research Center, Rome, Italy</nlm:aff>
</affiliation>
</author>
</analytic>
<series>
<title level="j">Building a Cybersecurity Culture in Organizations</title>
<imprint>
<date when="2020">2020</date>
</imprint>
</series>
</biblStruct>
</sourceDesc>
</fileDesc>
<profileDesc>
<textClass></textClass>
</profileDesc>
</teiHeader>
<front>
</front>
<back>
<div1 type="bibliography">
<listBibl>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct>
<analytic>
<author>
<name sortKey="Cialdini, Rb" uniqKey="Cialdini R">RB Cialdini</name>
</author>
</analytic>
</biblStruct>
<biblStruct>
<analytic>
<author>
<name sortKey="Cybenko, G" uniqKey="Cybenko G">G Cybenko</name>
</author>
<author>
<name sortKey="Giani, A" uniqKey="Giani A">A Giani</name>
</author>
<author>
<name sortKey="Thompson, P" uniqKey="Thompson P">P Thompson</name>
</author>
</analytic>
</biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct>
<analytic>
<author>
<name sortKey="Krombholz, K" uniqKey="Krombholz K">K Krombholz</name>
</author>
<author>
<name sortKey="Hobel, H" uniqKey="Hobel H">H Hobel</name>
</author>
<author>
<name sortKey="Huber, M" uniqKey="Huber M">M Huber</name>
</author>
<author>
<name sortKey="Weippl, E" uniqKey="Weippl E">E Weippl</name>
</author>
</analytic>
</biblStruct>
<biblStruct>
<analytic>
<author>
<name sortKey="Kruglanski, Aw" uniqKey="Kruglanski A">AW Kruglanski</name>
</author>
<author>
<name sortKey="Thomson, Ep" uniqKey="Thomson E">EP Thomson</name>
</author>
</analytic>
</biblStruct>
<biblStruct></biblStruct>
<biblStruct>
<analytic>
<author>
<name sortKey="Mitnick, Kd" uniqKey="Mitnick K">KD Mitnick</name>
</author>
<author>
<name sortKey="Simon, Wl" uniqKey="Simon W">WL Simon</name>
</author>
</analytic>
</biblStruct>
<biblStruct>
<analytic>
<author>
<name sortKey="Mouton, F" uniqKey="Mouton F">F Mouton</name>
</author>
<author>
<name sortKey="Leenen, L" uniqKey="Leenen L">L Leenen</name>
</author>
<author>
<name sortKey="Venter, Hs" uniqKey="Venter H">HS Venter</name>
</author>
</analytic>
</biblStruct>
<biblStruct>
<analytic>
<author>
<name sortKey="Mulligan, Dk" uniqKey="Mulligan D">DK Mulligan</name>
</author>
<author>
<name sortKey="Schneider, Fb" uniqKey="Schneider F">FB Schneider</name>
</author>
</analytic>
</biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct>
<analytic>
<author>
<name sortKey="Taddeo, M" uniqKey="Taddeo M">M Taddeo</name>
</author>
</analytic>
</biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct></biblStruct>
<biblStruct>
<analytic>
<author>
<name sortKey="Xiang, Y" uniqKey="Xiang Y">Y Xiang</name>
</author>
<author>
<name sortKey="Wang, L" uniqKey="Wang L">L Wang</name>
</author>
<author>
<name sortKey="Liu, N" uniqKey="Liu N">N Liu</name>
</author>
</analytic>
</biblStruct>
<biblStruct>
<analytic>
<author>
<name sortKey="Zimmermann, V" uniqKey="Zimmermann V">V Zimmermann</name>
</author>
<author>
<name sortKey="Renaud, K" uniqKey="Renaud K">K Renaud</name>
</author>
</analytic>
</biblStruct>
</listBibl>
</div1>
</back>
</TEI>
<pmc article-type="chapter-article">
<pmc-dir>properties open_access</pmc-dir>
<front>
<journal-meta>
<journal-id journal-id-type="publisher-id">978-3-030-43999-6</journal-id>
<journal-id journal-id-type="doi">10.1007/978-3-030-43999-6</journal-id>
<journal-id journal-id-type="nlm-ta">Building a Cybersecurity Culture in Organizations</journal-id>
<journal-title-group>
<journal-title>Building a Cybersecurity Culture in Organizations</journal-title>
<journal-subtitle>How to Bridge the Gap Between People and Digital Technology</journal-subtitle>
</journal-title-group>
<isbn publication-format="print">978-3-030-43998-9</isbn>
<isbn publication-format="electronic">978-3-030-43999-6</isbn>
</journal-meta>
<article-meta>
<article-id pub-id-type="pmc">7189027</article-id>
<article-id pub-id-type="publisher-id">3</article-id>
<article-id pub-id-type="doi">10.1007/978-3-030-43999-6_3</article-id>
<article-categories>
<subj-group subj-group-type="heading">
<subject>Article</subject>
</subj-group>
</article-categories>
<title-group>
<article-title>Redefining the Approach to Cybersecurity</article-title>
</title-group>
<contrib-group>
<contrib contrib-type="author" corresp="yes">
<name>
<surname>Corradini</surname>
<given-names>Isabella</given-names>
</name>
<address>
<email>isabellacorradini@themiscrime.com</email>
</address>
<xref ref-type="aff" rid="Aff3">3</xref>
</contrib>
<aff id="Aff3">Themis Research Center, Rome, Italy</aff>
</contrib-group>
<pub-date pub-type="epub">
<day>30</day>
<month>04</month>
<year>2020</year>
</pub-date>
<pub-date pub-type="collection">
<year>2020</year>
</pub-date>
<volume>284</volume>
<fpage>49</fpage>
<lpage>62</lpage>
<permissions>
<copyright-statement>© Springer Nature Switzerland AG 2020</copyright-statement>
<license>
<license-p>This article is made available via the PMC Open Access Subset for unrestricted research re-use and secondary analysis in any form or by any means with acknowledgement of the original source. These permissions are granted for the duration of the World Health Organization (WHO) declaration of COVID-19 as a global pandemic.</license-p>
</license>
</permissions>
<abstract id="Abs1">
<p id="Par1">One of the most critical issues in cybersecurity is represented by social engineering attacks. These threats have been known for years, but it is very difficult to handle them effectively, because they are strictly related to human nature. Social engineering is not just a phishing email; indeed, it is possible to distinguish several forms of attack which combine different elements, from human to social to physical and technological. According to a psychological point of view, social engineering is a powerful means of gaining information exploiting individuals’ weaknesses. Moreover, due to the mechanisms of persuasion, widely studied in literature, it is easy to imagine how complicated the management of this threat is. Appropriate training of employees, especially of key roles of the company, can be an effective antidote to social engineering. Given the current scenario and the future perspective in cybersecurity, it is clear that the approach used to manage cybersecurity requires a radical change. Currently, the preferred cybersecurity strategy is still based on technological solutions, without brilliant results, since cyberthreats keep growing. Many are convinced that Artificial Intelligence (AI) will be an opportunity for managing cybersecurity; whether true or not, it is however evident that AI has also the power to generate new threats and to strengthen the existing ones. Therefore, we should be very prudent when technologies are presented as a miracle solution for cybersecurity problems. The starting point is that technology has to be deployed under full human control. Then, critical thinking is needed to develop alternatives to improve the current approach to cybersecurity. In short, we need to develop a multidisciplinary vision of cybersecurity, involving other disciplines and assuming different perspectives.</p>
</abstract>
<custom-meta-group>
<custom-meta>
<meta-name>issue-copyright-statement</meta-name>
<meta-value>© Springer Nature Switzerland AG 2020</meta-value>
</custom-meta>
</custom-meta-group>
</article-meta>
</front>
<body>
<sec id="Sec1">
<title>Social Engineering: The Real Trojan Horse of Cybersecurity</title>
<p id="Par2">In the era of social media and digital communication, it is strange to admit that communication can become a threat: the more we are connected, the more we have to face dangers. One of the most critical issues in cybersecurity, based on communication techniques, is social engineering.</p>
<p id="Par3">This concept seems to have been used for the first time in politics, and then migrated into cybersecurity (Hatfield
<xref ref-type="bibr" rid="CR19">2017</xref>
).</p>
<p id="Par4">From a psychological viewpoint and in the context of cybersecurity, social engineering can be defined as a tactic which, using a persuasive communication, aims at gaining people’s confidence in order to lead them to disclose sensitive information or to do something dangerous, e.g. to click a malicious link or to open an infected file.</p>
<p id="Par5">If in this context social engineering has a negative meaning, we cannot say the same when applied to other fields. For example, a vendor frequently uses social engineering techniques to convince a potential buyer to acquire his products or services. A vendor needs effective communication abilities to appeal to individuals’ emotions and persuade them. Hence, he uses empathy to understand clients’ feelings. Also, empathizing with others in different life and work situations is a fundamental communication skill (Chap. 10.1007/978-3-030-43999-6_5).</p>
<p id="Par7">The main element which characterizes social engineering is its power to manipulate people’s perception by using different approaches. When communication is face-to-face, facial expressions and gestures are powerful means of persuasion. When the medium is digital technology, as in the case of phishing email, social engineering aims at generating a believable situation in order to capture people’s attention.</p>
<p id="Par8">Previously, phishing emails were easily identifiable, because of grammar errors or of the strange language used. Now, they are becoming more and more accurate with respect to contents and style; it is not therefore easy to recognize them, especially for inexperienced people, but even expert users can be confused by visual deception attacks (Dhamija et al.
<xref ref-type="bibr" rid="CR13">2006</xref>
). Currently, phishing represents a core attack method for all cybercrime (Europol
<xref ref-type="bibr" rid="CR15">2019</xref>
) and requires human interaction to succeed.</p>
<p id="Par9">However, social engineering is not just a phishing email; we can distinguish several forms of attacks which may combine different aspects (Salahdine and Kaabouch
<xref ref-type="bibr" rid="CR35">2019</xref>
; Krombholz et al.
<xref ref-type="bibr" rid="CR22">2015</xref>
), i.e. human, physical, social and technical. In the following we describe some of them.
<list list-type="bullet">
<list-item>
<p id="Par10">Phishing: This is the most popular application of social engineering. It is the fraudulent practice of sending emails, usually appearing to come from a well-known source (e.g. an important organization) to steal sensitive information, like passwords, credit card numbers, etc.</p>
</list-item>
<list-item>
<p id="Par11">Spear phishing: It is a form of phishing tailored to the target recipient (individual or groups). Attackers study the behaviour of their targets and collect information to make the attack believable, in order to increase the likelihood of its success. When victims receive a spear phishing email, they think that the communication comes from a trusted source. For example, Business Email Compromise (BEC) is a fraud where the attacker impersonates an organization executive to lead an authorized employee in that organization to perform a wire transfer to an account controlled by the same attacker.</p>
</list-item>
<list-item>
<p id="Par12">Pretexting: Social engineering needs to achieve trust to be successful. For this purpose, it uses an appropriate scenario fabricated in order to convince a targeted victim. Pretexting consists, for example, of impersonating someone else, e.g. a police officer, or an insurance investigator.</p>
</list-item>
<list-item>
<p id="Par13">Tailgating: In this physical form of social engineering, someone gains access to a building or to a restricted area without proper authentication, but exploiting a convenient situation, for example, following another person entering the property.</p>
</list-item>
<list-item>
<p id="Par14">Whaling: In this form of phishing the main characteristic is the type of target, represented by senior executives, representative people of government agencies, politicians, and celebrities. Given the relevance of the target (big fish), the value of information is particularly attractive to cybercriminals. Like spear phishing, the scam email is tailor made, and appears to come from a business partner.</p>
</list-item>
<list-item>
<p id="Par15">Vishing: This is a phone scam which combines phishing and voice. Vishing can be considered the telephone equivalent of phishing. Here, given that the fraudulent action is over the phone, empathy and the ability to handle a conversation are needed for the success of the attack.</p>
</list-item>
</list>
</p>
<p id="Par16">We underline the multiplicity of the methods used in social engineering attacks, as well as the different levels of sophistication. For example, reverse social engineering (e.g. Irani et al.
<xref ref-type="bibr" rid="CR21">2011</xref>
) points to the active role of the victim: the attacker does not start the contact with her, but the victim herself is tricked and led to initiate the relationship with the attacker.</p>
<p id="Par17">Apparently, social engineering techniques seem to be carried out spontaneously, especially when associated with the sending of massive amounts of emails; there is always someone who falls for a phishing email.</p>
<p id="Par18">Several phases define a social engineering attack (e.g. Mouton et al.
<xref ref-type="bibr" rid="CR28">2016</xref>
; Segovia et al.
<xref ref-type="bibr" rid="CR37">2017</xref>
); typically, it includes:
<list list-type="bullet">
<list-item>
<p id="Par19">target identification and information gathering;</p>
</list-item>
<list-item>
<p id="Par20">relationship development to gain the trust of the selected victim;</p>
</list-item>
<list-item>
<p id="Par21">execution, in order to exploit the trust achieved;</p>
</list-item>
<list-item>
<p id="Par22">exit, to avoid leaving proof and, at the same time, maintaining a good relationship with targets for future activities.</p>
</list-item>
</list>
</p>
<p id="Par23">Whether or not it is happening through physical or technical means, the focus of social engineering is social interaction and manipulation. Understanding the mechanisms of persuasion is fundamental to handling the phishing threat, since people tend to ignore the critical warning messages (Gupta et al.
<xref ref-type="bibr" rid="CR17">2017</xref>
), thus contributing to the success of the attack.</p>
</sec>
<sec id="Sec2">
<title>Persuasion in Social Engineering</title>
<p id="Par24">Digital technologies and social media offer many opportunities to interact socially. Hence, a social engineer can interact with targeted people through social media platforms, and collect information directly posted by Internet users.</p>
<p id="Par25">In investigating the psychological aspects of social engineering, we can say that this technique exploits both social and cognitive vulnerabilities (Corradini and Nardelli
<xref ref-type="bibr" rid="CR11">2020</xref>
): if the social relationship can be, by its nature, a risk, the cognitive element
<xref ref-type="fn" rid="Fn1">1</xref>
is represented by manipulation of people’s perception.</p>
<p id="Par27">In this sense, two forms of interaction can be identified for the manipulation, depending on how explicit the interaction is. When a victim gets in touch with the attacker (direct interaction), such as in the case of phishing, spear phishing and vishing, email or telephone are the means which connect the two actors. In the indirect way, instead, manipulation works without starting an explicit relationship with victims. Posting false information on a website or on social media, for example, can attract certain individuals or groups particularly interested in the published information. Here, the number of potential targets can be very high, even if false information is posted with the goal of capturing the attention of specific groups.</p>
<p id="Par28">We know the effects of spreading fake news on the Internet and the difficulty of restoring proper communication. We also know how manipulation of information can alter people’s perceptions and generate collective inadequate behaviour (Sect. 10.1007/978-3-030-43999-6_1). False and negative information on the financial market, for instance, could cause people’s hysterical reactions, disrupt the economic balance and affect the financial relations among countries.</p>
<p id="Par29">Threats based on social engineering have been known for years, but they continue to have high chances of success, because they are strictly connected to human nature. In short “[…] we, as human beings, are all vulnerable to being deceived because people can misplace their trust if manipulated in certain ways” (Mitnick and Simon
<xref ref-type="bibr" rid="CR27">2002</xref>
).</p>
<p id="Par30">Indeed, investigating victimization in the case of phishing, we observe that individuals can have an active role in the success of social engineering attacks, given that for them it is usual to receive emails and phone calls, while it is difficult to judge messages in full detail to find markers of fraud (Jansen and Leukfeldt
<xref ref-type="bibr" rid="CR24">2015</xref>
).
<xref ref-type="fn" rid="Fn2">2</xref>
Moreover, stress, pressure, and other factors can facilitate the lack of accurate control and ensure the success of the attack.</p>
<p id="Par32">From a psychological point of view, it is interesting to explore how effective psychological principles of persuasion (Cialdini
<xref ref-type="bibr" rid="CR5">1984</xref>
,
<xref ref-type="bibr" rid="CR6">2000</xref>
) are. In this sense, understanding their function and promoting awareness on this subject should be included in cybersecurity education programmes.</p>
<p id="Par33">In Table 
<xref rid="Tab1" ref-type="table">3.1</xref>
we describe some principles characterizing social engineering attacks and some specific points of attention translated into simple questions.
<table-wrap id="Tab1">
<label>Table 3.1</label>
<caption>
<p>Persuasion principles and points of attention</p>
</caption>
<table frame="hsides" rules="groups">
<thead>
<tr>
<th align="left">Persuasion principles</th>
<th align="left">Description</th>
<th align="left">Points of attention</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left">Reciprocity</td>
<td align="left">According to a social norm, individuals tend to return a favour: if someone gives something to others, they feel obliged to repay that debt</td>
<td align="left">How selfless is the helper?</td>
</tr>
<tr>
<td align="left">Commitment and consistency</td>
<td align="left">People need to appear consistent in their behaviour. Hence, they act in line with their words or agreements, so as not to be perceived unreliable</td>
<td align="left">Am I sensitive to people’s judgment?</td>
</tr>
<tr>
<td align="left">Social proof</td>
<td align="left">People tend to do what the others do, especially in uncertain conditions</td>
<td align="left">Do people behave in a certain way just for conformity?</td>
</tr>
<tr>
<td align="left">Authority</td>
<td align="left">People feel an obligation to obey figures of authority, even if they don’t agree with them</td>
<td align="left">Is the source reliable?</td>
</tr>
<tr>
<td align="left">Liking</td>
<td align="left">People tend to comply with requests made by those they like, because of physical attractiveness, familiarity and similarity</td>
<td align="left">Is it really empathy?</td>
</tr>
<tr>
<td align="left">Scarcity</td>
<td align="left">People tend to consider things more valuable if less available. For example, finding offers available for a “limited time only”, sales are encouraged</td>
<td align="left">Do I really need it?</td>
</tr>
</tbody>
</table>
<table-wrap-foot>
<p>Persuasion principles (Cialdini
<xref ref-type="bibr" rid="CR5">1984</xref>
,
<xref ref-type="bibr" rid="CR6">2000</xref>
) and points of attention in social engineering (Corradini
<xref ref-type="bibr" rid="CR10">2017</xref>
)</p>
</table-wrap-foot>
</table-wrap>
</p>
<p id="Par35">The principles listed above work effectively because they are based on heuristic processes easily available to human minds (Sect. 10.1007/978-3-030-43999-6_2). They can count on the peripheral route of persuasion, which points to incidental cues, rather than to the strength of the contents.
<xref ref-type="fn" rid="Fn3">3</xref>
The power of persuasion is well-described in literature, especially in social psychology (e.g. Petty and Cacioppo
<xref ref-type="bibr" rid="CR33">1986</xref>
; Kruglanski and Thomson
<xref ref-type="bibr" rid="CR23">1999</xref>
).</p>
<p id="Par37">The main factors of persuasion include:
<list list-type="bullet">
<list-item>
<p id="Par38">the communicator (
<italic>who</italic>
),</p>
</list-item>
<list-item>
<p id="Par39">the message content (
<italic>what</italic>
),</p>
</list-item>
<list-item>
<p id="Par40">the channel of communication (
<italic>how</italic>
),</p>
</list-item>
<list-item>
<p id="Par41">the audience (
<italic>whom</italic>
).</p>
</list-item>
</list>
</p>
<p id="Par42">However, in investigating the persuasive process, we have to consider many other factors, such as: the characteristics of the source and its reliability; logical or emotional contents of the message and what they inspire; motivation and need of cognition; the flood of influence generated by the channels of communication.</p>
<p id="Par43">It is evident that when factors are combined in a digital context (
<italic>where</italic>
), the space of influence is larger and more powerful (Corradini
<xref ref-type="bibr" rid="CR10">2017</xref>
). Digital technology has changed the nature of persuasion (Perloff
<xref ref-type="bibr" rid="CR32">2014</xref>
), increasing complexity and blurring the lines between three different concepts, such as information, influence and entertainment.</p>
<p id="Par44">People are not often aware of the reliability of sources, and—unless they do a particular job—they do not bother to verify them. It is a fact that nobody is immune, to the point where even security experts can become victims of social engineering.
<xref ref-type="fn" rid="Fn4">4</xref>
</p>
<p id="Par47">Organizations have to consider this threat seriously, and to review training and awareness programmes to fight it (Aldawood and Skinner
<xref ref-type="bibr" rid="CR100">2019</xref>
): despite their efforts, social engineering is still a significant problem for companies. Indeed, social engineering activity can be aimed at different targets with the purpose of stealing useful information. Specific positions can be targeted for this goal, for example executive assistants to the CEO, general managers, drivers, receptionists, the cleaning staff: according to their different roles, they handle sensitive information which needs to be protected.</p>
<p id="Par48">Appropriate training combined with social engineering penetration testing can be a strong antidote to this persuasive form of communication; moreover, the points of attention identified in Table 
<xref rid="Tab1" ref-type="table">3.1</xref>
are useful questions to invite people to reflect on the situation they experience, in order to ponder the different circumstances they have to face.</p>
</sec>
<sec id="Sec3">
<title>What Happens with Artificial Intelligence and Internet of Things?</title>
<p id="Par49">As discussed in Chap. 10.1007/978-3-030-43999-6_1, the growth of Internet of Things (IoT) and Artificial Intelligence (AI) applications is defining a new technological environment, which produces advantages but also further security risks. Currently, many countries are more and more interested in deploying AI systems, to the point where the estimated business for 2030 is impressive.
<xref ref-type="fn" rid="Fn5">5</xref>
</p>
<p id="Par51">It is evident that there is a strong reliance on automation; the application of AI in cybersecurity is accelerating: to fight against cyber-attacks, at least a third of Chief Information Security Officers (CISOs) have decided to adopt artificial intelligence (CISCO
<xref ref-type="bibr" rid="CR8">2018</xref>
). In addition, firms are more and more convinced that they need to implement AI systems to identify critical threats (Capgemini
<xref ref-type="bibr" rid="CR3">2019</xref>
).</p>
<p id="Par52">It is more than likely that AI will re-design our lives, and that it will have a significant impact in a lot of fields. It is not very clear if this would have a positive or negative effect. Media and experts say that the growth of AI systems is going to improve our lives, because of the opportunities offered.</p>
<p id="Par53">We always recommend great prudence when technology is presented as a miracle for our problems, before research clarifies benefits and risks. On the other hand, technology can be considered positively when human beings have complete control of it.</p>
<p id="Par54">Among recommendations on AI (Del Ponte
<xref ref-type="bibr" rid="CR12">2018</xref>
), the need to discuss its societal risks is recognized, along with the need to create an ethical framework to regulate it, starting from the principle that this technology has to be developed under human control. In this sense, the Ethics Guidelines for Trustworthy AI by European Commission (
<xref ref-type="bibr" rid="CR102">2019</xref>
) underline the necessity of a full adherence of AI to humans’ ethical principles and values (Sect. 10.1007/978-3-030-43999-6_1).</p>
<p id="Par55">AI systems are developing rapidly, and the risk that their growth overcomes people’s capacity of handling them is more than real. According to the approach of Machine Learning (ML), machines can “learn” without someone having to program them. And they learn rapidly, focusing on any data we, as humans, handle for our activities; so, if we search a certain product on different websites, we have to be aware that in the future similar products will be suggested to us.</p>
<p id="Par56">It is obvious that humans cannot enter into competition with AI. The battle would be lost from the start. On the contrary, humans and machines have to work together respecting their own limits, because more and more in the future digital technologies will play an important role in our lives.</p>
<p id="Par57">Hence, we have to exploit opportunities offered by the landscape of AI and, at the same time, we cannot ignore that AI increases relevant risks even in the workplace (Houghton and Green
<xref ref-type="bibr" rid="CR20">2018</xref>
), regarding health and safety, employee ethics, diversity and equality. One of the major risks is about discrimination: machine learning works on data, and there is no guarantee that this data is free from prejudice. Consequently, the algorithmic process of learning can build altered representations of reality on whose basis discriminatory answers are provided by the AI system.</p>
<p id="Par58">Such an impact is significant when hiring people or promoting specific categories or genders for specific jobs; bias in predictive hiring tools is a relevant problem to be handled, since employers are more and more interested in using these predictive tools to reduce time and costs (Bogen and Rieke
<xref ref-type="bibr" rid="CR1">2018</xref>
).</p>
<p id="Par59">In the meantime, precautionary measures are required when AI applications are proposed as the panacea for cybersecurity. They say that solutions based on AI will provide important support for the protection of organizations, ensuring effective security standards. AI will probably be able to identify new malware and cyberthreats, given its capacity to handle massive volume of data.</p>
<p id="Par60">There are at least two considerations we should reflect on.</p>
<p id="Par61">The first is that we are facing many threats not yet solved, despite using the most advanced technological solutions available on the market. Moreover, cyberthreats continue to evolve and improve, so every solution based on artificial intelligence needs to be constantly updated. Therefore, it is not clear why and how AI will be able to solve security problems without causing new ones.</p>
<p id="Par62">The second issue is that, as with any innovation, everyone takes advantage. This means that criminals can also improve their “modus operandi” exploiting the scalable use of AI systems. We can assume an extension of the landscape of threats consisting of (Brundage et al.
<xref ref-type="bibr" rid="CR2">2018</xref>
)
<xref ref-type="fn" rid="Fn6">6</xref>
a reinforcement of the existing menaces (e.g. expanding set of actors) and of the possibility of generating new ones.</p>
<p id="Par64">From this point of view, we can say that social engineering techniques can be strengthened by AI systems. Indeed, since AI is able to mimic human voices realistically, a social engineer can create automated social engineering attacks, using recorded data and impersonating perfectly, even using the same style of language. No wonder that Facebook engineers have created a machine learning system named “MelNet” cloning the voice of Bill Gates,
<xref ref-type="fn" rid="Fn7">7</xref>
and that a Canadian start-up introduced an AI system capable of synthesizing a person’s voice from just a one-minute audio sample.
<xref ref-type="fn" rid="Fn8">8</xref>
</p>
<p id="Par67">In addition, the combination between AI and Internet of Things provides a powerful weapon for criminals. IoT devices make available a large amount of data, because their sensors are able to collect information about their environment. AI algorithms, on the other hand, can infer selected information from this data. Consequently, it is possible to produce accurate profiles of targeted people, as well as to identify further vulnerabilities.</p>
<p id="Par68">Such a combination can also be useful for the implementation of social engineering attacks, where the ability of gathering information and profiling is essential for their success.</p>
<p id="Par69">We are convinced that human beings are essential in cybersecurity, regardless of the wonderful technological solutions used. Anyone who thinks that the employment of AI will completely replace human beings in the activity of protection has not yet understood the nature of the issue. Once again, the tendency is to underestimate the importance of human factors and of well-trained people, and to rely on AI completely. This conviction is the biggest threat to overcome.</p>
<p id="Par70">Even if AI is able to recognize threats more quickly than humans, thanks to its ability to analyse a large amount of data, originality and human experience are quite difficult to replicate. This is especially true when it comes to tackling cyber-attacks: if AI solutions are based on rule sets, people have the opportunity of using abstract thought (Hadley
<xref ref-type="bibr" rid="CR18">2019</xref>
).</p>
<p id="Par71">Finally, delegating cybersecurity to machines and replacing humans in control activities can certainly solve technical vulnerabilities, but if people and technology become ever more distant, other critical issues will have to be handled.</p>
</sec>
<sec id="Sec4">
<title>For a Holistic Vision of Cybersecurity</title>
<p id="Par72">As discussed in the previous chapters, we have to get used to living in a more and more connected and digitized world, since this trend will continue in the years to come. Consequently, the amount of data available on the Internet will tend to rise, as well as the need to protect them.</p>
<p id="Par73">Hence, it is realistic to think that the threat landscape will get worse.
<xref ref-type="fn" rid="Fn9">9</xref>
</p>
<p id="Par74">Individuals and organizations will be exposed to new security risks, and they will have to improve their capabilities to handle them. Indeed, criminals will continue to exploit any possible vulnerability, whether it is technological, physical or human.</p>
<p id="Par75">Considering the current and the potential future situation of cybersecurity, a strong and effective approach to the issue becomes vital for everyone and, above all, for decision makers.</p>
<p id="Par76">The first thing to do is to admit that, as it is, cybersecurity does not work. Like in a therapeutic relationship, recognizing the problem is fundamental to achieve positive outcomes.</p>
<p id="Par77">Critical thinking is needed to develop alternatives to improve the current approach. We can start from the enhancement of what has been done so far, recognizing errors and weaknesses, and move on. It takes a change of mentality, involving both decision makers and those who have to deal with security problems. For example, within organizations, we should have the courage of breaking away from old patterns that consider security as a set of products or, worse, a check list to tick off.</p>
<p id="Par78">Critical elements in the approach to cybersecurity cannot be ignored anymore, and we urgently need to redefine it.</p>
<p id="Par79">Since the digital aspect is now an integral part of our lives, we should accept the idea of considering cybersecurity as a “public good” (Mulligan and Schneider
<xref ref-type="bibr" rid="CR29">2011</xref>
), like public health. In this sense, cybersecurity should be handled in the public interest, by developing a strong cooperation between public and private sector, as well as users’ responsibility regarding their cybersecurity awareness (Taddeo
<xref ref-type="bibr" rid="CR39">2019</xref>
).</p>
<p id="Par80">So, at least three issues are important in this vision.</p>
<sec id="Sec5">
<title>Excessive Focus on Technology</title>
<p id="Par81">The first issue concerns the general approach to security, based mainly on a technocentric point of view. We confirm the importance of the technological view to clarify how cyberthreats work and what technological solutions are needed, but this is not enough. It has been proved that technological solutions are not sufficiently developed to respond to all the threats.</p>
<p id="Par82">We need to adopt a multidisciplinary vision of cybersecurity. Other disciplines—also far from technical approaches—are capable of giving different views. Clearly, these perspectives should be integrated with the technological approach, because we are strongly convinced that humans and technology have to work together.</p>
<p id="Par83">Similarly, the study of the human factor in cybersecurity requires different contributions from social science fields, such as psychology, sociology, anthropology, and so on. To best understand cyberspace and all criminal activities developing in this huge area, it is not sufficient to be trained in mathematics and engineering related approaches (Patterson and Winston-Proctor
<xref ref-type="bibr" rid="CR31">2019</xref>
), but the expertise of individuals with knowledge in behavioural sciences is also necessary.</p>
<p id="Par84">On the other hand, several international security reports over the years
<xref ref-type="fn" rid="Fn10">10</xref>
have shown how the most advanced technological solutions are not capable of solving all cybersecurity problems. They represent only one of the means, not the only one.</p>
<p id="Par86">There is a general overconfidence in emerging technologies as soon as they make their appearance, when instead they should not be seen as the magic bullet. Before relying on technologies completely, we should study their advantages and disadvantages.</p>
<p id="Par87">On the contrary, it happens that technologies are immediately released on the market, while industry and media underline their pros. Unfortunately, the cons come after, when it is impossible to take a step back. Business is business, we know, and technological evolution must go on, but the basic question is: are we really willing to give up our ethical and social values for the benefits deriving from the use of technologies?</p>
<p id="Par88">Differently from the past, we are now dealing with powerful technologies, but we are not sure that we will be able to control them, and this represents a serious problem for security too.</p>
<p id="Par89">Other daily examples help us to understand how technology alone cannot offer a real solution to security. Besides a refined design, modern smartphones are becoming more and more equipped with highly advanced functions, such as sophisticated access to the device (fingerprint, facial recognition, etc.). Merely naming them makes it seem that these technologies are able to keep hackers and criminals of all kinds away. However, being technologically advanced does not mean being protected from security risks. As security experts love repeating (and it is really true), absolute security does not exist.</p>
<p id="Par90">Nothing is impenetrable, considering that even a child can unintentionally overcome more or less sophisticated security protections.
<xref ref-type="fn" rid="Fn11">11</xref>
Sometimes, people’s false security perceptions are able to produce undesirable effects. Everyone knows the dramatic epilogue of the Titanic, marketed as unsinkable. Despite this assumption, things went differently, and unfortunately, consequences were tragic.</p>
</sec>
<sec id="Sec6">
<title>Physical Elements Are Neglected</title>
<p id="Par92">The second issue concerns underestimating the “physical” elements involved in cybersecurity. Behind an attack there are devices and human beings, not only the Internet. For example, attacks can provide access to national infrastructures, with the consequence of interrupting essential services, such as transport, energy and financial systems. Coordinated cyber-physical attacks on critical infrastructures can be devastating and produce severe damage (Xiang et al.
<xref ref-type="bibr" rid="CR44">2017</xref>
). The well-known cyberattack on the Ukrainian power system in 2015
<xref ref-type="fn" rid="Fn12">12</xref>
has shown that multiple approaches can be extremely effective, impacting remote assets both electronically and physically (Lee et al.
<xref ref-type="bibr" rid="CR26">2016</xref>
).</p>
<p id="Par95">Then, thinking of Internet of Things, we know that this is made up of physical objects and connectivity; we already have evidence that the combination of the two elements can be critical for security.
<xref ref-type="fn" rid="Fn13">13</xref>
We should not forget that even cities are adopting smart technologies (smart cities), developing automation, remote management, and so on.</p>
<p id="Par97">Looking at this scenario, we should realize that if the focus of cybersecurity remains anchored only to its cyber aspects, it is plausible to think that physical elements will be considered by cybercriminals as an attractive vulnerability to be exploited. It is no coincidence that criminal actions involve physical devices and that among criminal actions there are also theft and card skimmers (Verizon
<xref ref-type="bibr" rid="CR41">2018</xref>
).
<xref ref-type="fn" rid="Fn14">14</xref>
In addition, whether data is stored in a physical or digital form, physical access controls are required to prevent unauthorized access.</p>
<p id="Par99">An effective approach to cybersecurity should involve actors and instruments coming from different security fields, together with people having a plurality of experiences in order to expand the breadth of analysis. On the other hand, analysing the new threats and the growing ability of criminals to exploit any vulnerability, it is evident that a traditional approach based on the separation of physical and cyber security is inadequate and should be overcome, since physical security regards the protection of personnel and IT infrastructures—hence hardware, software and data—from physical actions that could cause damage or loss to an organization.</p>
<p id="Par100">Perhaps, speaking of Cyber-Physical-Security instead of just Cybersecurity could be a more appropriate approach to understand and manage threats. Even though the term cybersecurity is more fashionable and appealing, we should not forget the relevance of physical elements involved.</p>
</sec>
<sec id="Sec7">
<title>Human Factors and Cybersecurity Culture</title>
<p id="Par101">The third issue—strictly related to the others—regards the importance of social and human aspects of cybersecurity, and the need of raising awareness. The building of Cybersecurity Culture is a must for any organization. In this sense, the popular triad “People, Technology and Process” developed by the security expert Schneier at the end of last century is still a valid reference to handle security.</p>
<p id="Par102">Between the cyber and the physical dimension there are always human beings: whether it is a physical theft or a data breach, the illegal action is carried out by individuals, and the consequences inevitably involve them. Furthermore, people can also be the vector of criminal actions, such as in phishing and social engineering attacks, as discussed in this chapter.</p>
<p id="Par103">In a new approach to cybersecurity, we should not see the human factor as a problem, but as a part of the solution, since individuals are essential to the functioning of the socio-technical system (Zimmermann and Renaud
<xref ref-type="bibr" rid="CR45">2019</xref>
).</p>
<p id="Par104">While everyone agrees that the human factor is fundamental, in practice this conviction does not find application as a global strategy, and when it happens, its management is not effective. We must admit that it is not a simple matter, and in designing cybersecurity awareness programmes we have to consider the need of taking care of cognitive, emotional and social aspects.</p>
<p id="Par105">What is necessary is the construction of high-reliability-organizations (Winnefeld et al.
<xref ref-type="bibr" rid="CR46">2015</xref>
) based on interconnected and fundamental principles: integrity, depth of knowledge, procedural compliance, forceful backup, a questioning attitude, and formality in communication.</p>
<p id="Par106">We often forget that organizations are made up of people, who must be prepared to recognize risks and respond to them, but they have to be put in the right condition to do so. Hence, investing in people also means paying attention to their well-being, since effective Cybersecurity Culture requires a receptive and a healthy workplace (Sect. 10.1007/978-3-030-43999-6_4).</p>
<p id="Par107">Finally, working on prevention is still the best strategy. This concept is too often forgotten in favour of emergency management. Cybersecurity incidents happen constantly and it appears more and more difficult to prevent them, to the point where many are convinced that the only thing we can do is to be prepared to manage crisis events. We are aware that there are real hurdles in managing cybersecurity, since it touches every business process and function, and changing user behaviour requires considerable effort.
<xref ref-type="fn" rid="Fn15">15</xref>
</p>
<p id="Par109">On the contrary, we strongly believe that preparing employees for secure behaviour can prevent many security problems. After all, prevention is better (and cheaper) than cure.</p>
</sec>
</sec>
</body>
<back>
<fn-group>
<fn id="Fn1">
<label>1</label>
<p id="Par26">In literature, social engineering is considered a form of cognitive hacking, that is “as gaining access to, or breaking into, a computer information system for the purpose of modifying certain behaviours of a human user in a way that violates the integrity of the overall user-information system” (Cybenko et al.
<xref ref-type="bibr" rid="CR7">2004</xref>
).</p>
</fn>
<fn id="Fn2">
<label>2</label>
<p id="Par31">The study consisted of an analysis of 600 phishing and malware incidents involving a Dutch bank, and focused on the behaviour of the customers who were victims of fraud. Despite the limitations of the study (regarding one bank), the authors underline how the combination of phishing (social engineering) and malware (technical skills) is becoming a more common method to commit fraud.</p>
</fn>
<fn id="Fn3">
<label>3</label>
<p id="Par36">According to literature, it is possible to distinguish two different methods of persuasion: the central route is characterized by the strength of the messages or of the arguments; to be effective, the person receiving the message must have a high motivation to listen. The peripheral route, instead, does not require careful thinking. For example, when we are distracted, we cannot concentrate on the contents of a message, but we are attracted by superficial cues (depending on the context).</p>
</fn>
<fn id="Fn4">
<label>4</label>
<p id="Par45">See, for example, how Kane Gable, a 15-year-old, using social engineering, gained access to the personal and work accounts of some of America’s most powerful spy chiefs.</p>
<p id="Par46">The teenager persuaded call handlers at an internet giant that he was John Brennan, the then director of the CIA, to gain access to his computers and an FBI helpdesk that he was Mark Giuliano, then the agency’s Deputy Director, to re-gain access to an intelligence database
<ext-link ext-link-type="uri" xlink:href="https://www.telegraph.co.uk/news/2018/01/19/british-15-year-old-gained-access-intelligence-operations-afghanistan/">https://www.telegraph.co.uk/news/2018/01/19/british-15-year-old-gained-access-intelligence-operations-afghanistan/</ext-link>
.</p>
</fn>
<fn id="Fn5">
<label>5</label>
<p id="Par50">According to the McKinsey Global Institute, AI has the potential to deliver additional global economic activity of around $13 trillion by 2030
<ext-link ext-link-type="uri" xlink:href="https://www.mckinsey.com/featured-insights/artificial-intelligence/notes-from-the-ai-frontier-modeling-the-impact-of-ai-on-the-world-economy#part1">https://www.mckinsey.com/featured-insights/artificial-intelligence/notes-from-the-ai-frontier-modeling-the-impact-of-ai-on-the-world-economy#part1</ext-link>
.</p>
</fn>
<fn id="Fn6">
<label>6</label>
<p id="Par63">In this report the authors identify three representative domains: Besides digital security, and the problems of cyberattacks, they also consider the domain of physical security (e.g. the deployment of autonomous weapon systems) and the political security (the use of AI for propaganda and deception).</p>
</fn>
<fn id="Fn7">
<label>7</label>
<p id="Par65">
<ext-link ext-link-type="uri" xlink:href="https://www.theverge.com/2019/6/10/18659897/ai-voice-clone-bill-gates-facebook-melnet-speech-generation">https://www.theverge.com/2019/6/10/18659897/ai-voice-clone-bill-gates-facebook-melnet-speech-generation</ext-link>
.</p>
</fn>
<fn id="Fn8">
<label>8</label>
<p id="Par66">“Lyrebird” is the system realized by the start-up, on the basis of deep learning models developed by the University of Montréal
<ext-link ext-link-type="uri" xlink:href="https://www.nextnature.net/2017/05/lyrebird-api-copies-human-voice/">https://www.nextnature.net/2017/05/lyrebird-api-copies-human-voice/</ext-link>
.</p>
</fn>
<fn id="Fn9">
<label>9</label>
<p>Just think of the COVID-19 pandemic, which is probably going to change our future habits and way of working: increasing the dependence on digital tools exposes us to the risk of cyberattacks (WEF
<xref ref-type="bibr" rid="CR101">2020</xref>
).</p>
</fn>
<fn id="Fn10">
<label>10</label>
<p id="Par85">See, for example, ENISA Threat Landscape Report (
<xref ref-type="bibr" rid="CR14">2019</xref>
) and Verizon Data Breach Investigations Report (
<xref ref-type="bibr" rid="CR40">2017</xref>
,
<xref ref-type="bibr" rid="CR41">2018</xref>
,
<xref ref-type="bibr" rid="CR42">2019</xref>
).</p>
</fn>
<fn id="Fn11">
<label>11</label>
<p id="Par91">See, for example, the news about a child who, at the age of 10, overcame his mother’s iPhone security block, consisting of the Face ID, the technology based on the recognition of the user’s face
<ext-link ext-link-type="uri" xlink:href="https://www.wired.com/story/10-year-old-face-id-unlocks-mothers-iphone-x/">https://www.wired.com/story/10-year-old-face-id-unlocks-mothers-iphone-x/</ext-link>
. The episode is worrying, since if a child can unintentionally overcome security blocks, we can imagine what hackers can do.</p>
</fn>
<fn id="Fn12">
<label>12</label>
<p id="Par93">The Ukrainian power system cyberattack is the first publicly acknowledged incident to result in power outages. It left about 225,000 people without power for several hours.</p>
</fn>
<fn id="Fn13">
<label>13</label>
<p id="Par96">In 2016, a massive DDoS attack (distributed denial of service) hit the Internet. Important website platforms, like Twitter, Netflix, etc., went down. The company attacked was Dyn, which controls much of the internet’s DNS infrastructure. The attack was carried out through a specific malware (Mirai), which infected IoT devices (like DVR players, digital cameras), accessing the devices using default passwords and usernames.</p>
</fn>
<fn id="Fn14">
<label>14</label>
<p id="Par98">The report refers to Payment Card Skimmer, including all incidents in which a skimming device is physically implanted (tampering) on an asset that reads magnetic stripe data from a payment card.</p>
</fn>
<fn id="Fn15">
<label>15</label>
<p id="Par108">
<ext-link ext-link-type="uri" xlink:href="https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/why-senior-leaders-are-the-front-line-against-cyberattacks">https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/why-senior-leaders-are-the-front-line-against-cyberattacks</ext-link>
.</p>
</fn>
</fn-group>
<ref-list id="Bib1">
<title>References</title>
<ref id="CR100">
<mixed-citation publication-type="other">Aldawood, H., Skinner, G.: Reviewing cyber security social engineering training and awareness programs-pitfalls and ongoing issues. Future Internet, Review
<bold>11</bold>
(3), Art no. 73, (2019)</mixed-citation>
</ref>
<ref id="CR1">
<mixed-citation publication-type="other">Bogen, M., Rieke, A.: Help Wanted: An Examination of Hiring Algorithms, Equity, and Bias, Upturn (December 2018)</mixed-citation>
</ref>
<ref id="CR2">
<mixed-citation publication-type="other">Brundage, M., Avin, S., Clark, J., et al.: The malicious use of artificial intelligence: forecasting, prevention, and mitigation (2018)</mixed-citation>
</ref>
<ref id="CR3">
<mixed-citation publication-type="other">Capgemini Research Institute: Reinventing Cybersecurity with Artificial Intelligence. The New Frontier in Digital Security (2019)</mixed-citation>
</ref>
<ref id="CR5">
<mixed-citation publication-type="other">Cialdini, R.B.: Influence. The Psychology of Persuasion. Quill William Morrow and Company, New York (1984)</mixed-citation>
</ref>
<ref id="CR6">
<element-citation publication-type="book">
<person-group person-group-type="author">
<name>
<surname>Cialdini</surname>
<given-names>RB</given-names>
</name>
</person-group>
<source>Influence: Science and Practice</source>
<year>2000</year>
<edition>4</edition>
<publisher-loc>Boston</publisher-loc>
<publisher-name>Allyn and Bacon</publisher-name>
</element-citation>
</ref>
<ref id="CR7">
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Cybenko</surname>
<given-names>G</given-names>
</name>
<name>
<surname>Giani</surname>
<given-names>A</given-names>
</name>
<name>
<surname>Thompson</surname>
<given-names>P</given-names>
</name>
</person-group>
<article-title>Cognitive hacking</article-title>
<source>Adv. Comput.</source>
<year>2004</year>
<volume>60</volume>
<fpage>36</fpage>
<lpage>73</lpage>
</element-citation>
</ref>
<ref id="CR8">
<mixed-citation publication-type="other">CISCO: Annual Cybersecurity News Report (2018).
<ext-link ext-link-type="uri" xlink:href="https://www.cisco.com/c/dam/m/hu_hu/campaigns/security-hub/pdf/acr-2018.pdf">https://www.cisco.com/c/dam/m/hu_hu/campaigns/security-hub/pdf/acr-2018.pdf</ext-link>
</mixed-citation>
</ref>
<ref id="CR10">
<mixed-citation publication-type="other">Corradini, I.: Human factors in hybrid threats: the need of an integrated view. In: Hybrid Cyber Warfare and The Evolution of Aerospace Power: risks and opportunities, CESMA (2017)</mixed-citation>
</ref>
<ref id="CR11">
<mixed-citation publication-type="other">Corradini, I., Nardelli, E.: Social engineering and the value of data: the need of specific awareness programs. In: Ahram, T., Karwowski, W. (eds.) Advances in Human Factors in Cybersecurity, AHFE 2019. Advances in Intelligent Systems and Computing, vol. 960. Springer, Cham (2020)</mixed-citation>
</ref>
<ref id="CR12">
<mixed-citation publication-type="other">Del Ponte, L.: European Artificial Intelligence Leadership, the Path for an Integrated Vision. Policy Department for Economic, Scientific and Quality of Life Policies, European Parliament, Brussels (2018)</mixed-citation>
</ref>
<ref id="CR13">
<mixed-citation publication-type="other">Dhamija, R., Tygar, J.D., Hearst, M.A.: Why phishing works. In: Proceedings of the 2006 Conference on Human Factors in Computing Systems (CHI), Montreal, Quebec, Canada, pp. 581–590. ACM (2006)</mixed-citation>
</ref>
<ref id="CR14">
<mixed-citation publication-type="other">ENISA: Threat Landscape Report 2018. 15 Cyberthreats and Trends (January 2019)
<ext-link ext-link-type="uri" xlink:href="https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2018">https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2018</ext-link>
</mixed-citation>
</ref>
<ref id="CR102">
<mixed-citation publication-type="other">European Commission: Ethics Guidelines for Trustworthy AI (2019).
<ext-link ext-link-type="uri" xlink:href="https://ec.europa.eu/digital-single-market/en/news/ethics-guidelines-trustworthy-ai">https://ec.europa.eu/digital-single-market/en/news/ethics-guidelines-trustworthy-ai</ext-link>
</mixed-citation>
</ref>
<ref id="CR15">
<mixed-citation publication-type="other">Europol: The Internet Organised Crime Threat Assessment (IOCTA) (2019)</mixed-citation>
</ref>
<ref id="CR17">
<mixed-citation publication-type="other">Gupta, B., Arachchilage, N.A., Psannis, K.E.: Defending against phishing attacks: taxonomy of methods, current issues and future directions. Telecommun. Syst., 1–21 (2017)</mixed-citation>
</ref>
<ref id="CR18">
<mixed-citation publication-type="other">Hadley, J.: In the Age of AI, The Human Factor Still Matters For Cybersecurity, Forbes, March 27 (2019).
<ext-link ext-link-type="uri" xlink:href="https://www.forbes.com/sites/jameshadley/2019/03/27/in-the-age-of-ai-the-human-factor-still-matters-for-cybersecurity/#7a9774725cc5">https://www.forbes.com/sites/jameshadley/2019/03/27/in-the-age-of-ai-the-human-factor-still-matters-for-cybersecurity/#7a9774725cc5</ext-link>
</mixed-citation>
</ref>
<ref id="CR19">
<mixed-citation publication-type="other">Hatfield, J.M.: Social engineering in cybersecurity: the evolution of a concept. Comput. Secur. (2017)</mixed-citation>
</ref>
<ref id="CR20">
<mixed-citation publication-type="other">Houghton, E., Green, M.: People Analytics: Driving Business Performance with People Data. Chartered Institute for Personnel Development (CIPD), Global research, report (June 2018).
<ext-link ext-link-type="uri" xlink:href="https://www.cipd.co.uk/Images/people-analytics-report_tcm18-43755.pdf">https://www.cipd.co.uk/Images/people-analytics-report_tcm18-43755.pdf</ext-link>
</mixed-citation>
</ref>
<ref id="CR21">
<mixed-citation publication-type="other">Irani, D., Balduzzi, M., Balzarotti, D., Kirda, E., Pu, C.: Reverse social engineering attacks in online social networks. In: Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 55–74 (2011)</mixed-citation>
</ref>
<ref id="CR24">
<mixed-citation publication-type="other">Jansen, J., Leukfeldt, R.: How people help fraudsters steal their money: an analysis of 600 online banking fraud cases. In: Proceedings of the 5th Workshop on Socio-Technical Aspects in Security and Trust, pp. 25–31 (2015)</mixed-citation>
</ref>
<ref id="CR22">
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Krombholz</surname>
<given-names>K</given-names>
</name>
<name>
<surname>Hobel</surname>
<given-names>H</given-names>
</name>
<name>
<surname>Huber</surname>
<given-names>M</given-names>
</name>
<name>
<surname>Weippl</surname>
<given-names>E</given-names>
</name>
</person-group>
<article-title>Advanced social engineering attacks</article-title>
<source>J. Inf. Secur. Appl.</source>
<year>2015</year>
<volume>22</volume>
<fpage>113</fpage>
<lpage>122</lpage>
</element-citation>
</ref>
<ref id="CR23">
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Kruglanski</surname>
<given-names>AW</given-names>
</name>
<name>
<surname>Thomson</surname>
<given-names>EP</given-names>
</name>
</person-group>
<article-title>Persuasion by a single route: a view from the unimodal</article-title>
<source>Psychol. Inq.</source>
<year>1999</year>
<volume>10</volume>
<fpage>83</fpage>
<lpage>109</lpage>
<pub-id pub-id-type="doi">10.1207/S15327965PL100201</pub-id>
</element-citation>
</ref>
<ref id="CR26">
<mixed-citation publication-type="other">Lee, R.M., Assante, M.J., Conway, T.: Analysis of the Cyber Attack on the Ukrainian Power Grid. SANS Industrial Control Systems, Santa Monica, CA, USA (2016)</mixed-citation>
</ref>
<ref id="CR27">
<element-citation publication-type="book">
<person-group person-group-type="author">
<name>
<surname>Mitnick</surname>
<given-names>KD</given-names>
</name>
<name>
<surname>Simon</surname>
<given-names>WL</given-names>
</name>
</person-group>
<source>The Art of Deception: Controlling the Human Element of Security</source>
<year>2002</year>
<publisher-loc>Indianapolis, IN</publisher-loc>
<publisher-name>Wiley Publishing, Inc.</publisher-name>
</element-citation>
</ref>
<ref id="CR28">
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Mouton</surname>
<given-names>F</given-names>
</name>
<name>
<surname>Leenen</surname>
<given-names>L</given-names>
</name>
<name>
<surname>Venter</surname>
<given-names>HS</given-names>
</name>
</person-group>
<article-title>Social engineering attack examples, templates and scenarios</article-title>
<source>Comput. Secur.</source>
<year>2016</year>
<volume>59</volume>
<fpage>186</fpage>
<lpage>209</lpage>
<pub-id pub-id-type="doi">10.1016/j.cose.2016.03.004</pub-id>
</element-citation>
</ref>
<ref id="CR29">
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Mulligan</surname>
<given-names>DK</given-names>
</name>
<name>
<surname>Schneider</surname>
<given-names>FB</given-names>
</name>
</person-group>
<article-title>Doctrine for cybersecurity</article-title>
<source>Daedalus</source>
<year>2011</year>
<volume>140</volume>
<issue>4</issue>
<fpage>70</fpage>
<lpage>92</lpage>
<pub-id pub-id-type="doi">10.1162/DAED_a_00116</pub-id>
<pub-id pub-id-type="pmid">22605880</pub-id>
</element-citation>
</ref>
<ref id="CR31">
<mixed-citation publication-type="other">Patterson, W., Winston-Proctor, C.E.: Behavioural Cybersecurity: Application of Personality Psychology and Computer Science. CRC Press, Taylor & Francis (2019)</mixed-citation>
</ref>
<ref id="CR32">
<mixed-citation publication-type="other">Perloff, R.M.: The Dynamics of Persuasion. Communication and Attitudes in the 21st Century, 5th edn. Routledge (2014)</mixed-citation>
</ref>
<ref id="CR33">
<mixed-citation publication-type="other">Petty, R.E., Cacioppo, J.T.: The elaboration likelihood model of persuasion. In: Berkowitz, L. (ed.), Advances in Experimental Social Psychology, vol. 19, pp. 123–205 (1986)</mixed-citation>
</ref>
<ref id="CR35">
<mixed-citation publication-type="other">Salahdine, F., Kaabouch, N.: Social engineering attacks: a survey. Futur. Internet
<bold>11</bold>
(4), 89 (2019)</mixed-citation>
</ref>
<ref id="CR37">
<mixed-citation publication-type="other">Segovia, L., Torres, F., Rosillo, M., Tapia, E., Albarado, F., Saltos, D.: Social engineering as an attack vector for ransomware. In: Proceedings of the Conference on Electrical Engineering and Information Communication Technology, Pucon, Chile, 18–20 October 2017, pp. 1–6 (2017)</mixed-citation>
</ref>
<ref id="CR39">
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Taddeo</surname>
<given-names>M</given-names>
</name>
</person-group>
<article-title>Is cybersecurity a public good?</article-title>
<source>Mind. Mach.</source>
<year>2019</year>
<volume>29</volume>
<issue>3</issue>
<fpage>349</fpage>
<lpage>354</lpage>
<pub-id pub-id-type="doi">10.1007/s11023-019-09507-5</pub-id>
</element-citation>
</ref>
<ref id="CR40">
<mixed-citation publication-type="other">Verizon: Data Breach Investigations Report (DBIR) (2017).
<ext-link ext-link-type="uri" xlink:href="https://enterprise.verizon.com/resources/reports/2017_dbir.pdf">https://enterprise.verizon.com/resources/reports/2017_dbir.pdf</ext-link>
</mixed-citation>
</ref>
<ref id="CR41">
<mixed-citation publication-type="other">Verizon: Data Breach Investigations Report (DBIR) (2018).
<ext-link ext-link-type="uri" xlink:href="https://enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf">https://enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf</ext-link>
</mixed-citation>
</ref>
<ref id="CR42">
<mixed-citation publication-type="other">Verizon: Data Breach Investigations Report (DBIR) (2019).
<ext-link ext-link-type="uri" xlink:href="https://enterprise.verizon.com/resources/reports/dbir/">https://enterprise.verizon.com/resources/reports/dbir/</ext-link>
</mixed-citation>
</ref>
<ref id="CR101">
<mixed-citation publication-type="other">WEF: Why Cybersecurity Matters more than ever During the Coronavirus Pandemic (March 2020).
<ext-link ext-link-type="uri" xlink:href="https://www.weforum.org/agenda/2020/03/coronavirus-pandemic-cybersecurity/">https://www.weforum.org/agenda/2020/03/coronavirus-pandemic-cybersecurity/</ext-link>
</mixed-citation>
</ref>
<ref id="CR46">
<mixed-citation publication-type="other">Winnefeld, J., Kirckhoff, C., Upton, D.A.: Cybersecurity’s human factor: lessons from the Pentagon. Harv. Bus. Rev., 87–95 (September 2015)</mixed-citation>
</ref>
<ref id="CR44">
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Xiang</surname>
<given-names>Y</given-names>
</name>
<name>
<surname>Wang</surname>
<given-names>L</given-names>
</name>
<name>
<surname>Liu</surname>
<given-names>N</given-names>
</name>
</person-group>
<article-title>Coordinated attacks on electric power systems in a cyber-physical environment</article-title>
<source>Electr. Power Syst. Res.</source>
<year>2017</year>
<volume>149</volume>
<fpage>156</fpage>
<lpage>168</lpage>
<pub-id pub-id-type="doi">10.1016/j.epsr.2017.04.023</pub-id>
</element-citation>
</ref>
<ref id="CR45">
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Zimmermann</surname>
<given-names>V</given-names>
</name>
<name>
<surname>Renaud</surname>
<given-names>K</given-names>
</name>
</person-group>
<article-title>Moving from a “Human-as-Problem” to a “Human-as-Solution” cybersecurity mindset</article-title>
<source>Int. J. Hum. Comput. Stud.</source>
<year>2019</year>
<volume>131</volume>
<fpage>169</fpage>
<lpage>187</lpage>
<pub-id pub-id-type="doi">10.1016/j.ijhcs.2019.05.005</pub-id>
</element-citation>
</ref>
</ref-list>
</back>
</pmc>
</record>

To manipulate this document under Unix (Dilib)

EXPLOR_STEP=$WICRI_ROOT/Sante/explor/StressCovidV1/Data/Pmc/Corpus
HfdSelect -h $EXPLOR_STEP/biblio.hfd -nk 000024 | SxmlIndent | more

Or

HfdSelect -h $EXPLOR_AREA/Data/Pmc/Corpus/biblio.hfd -nk 000024 | SxmlIndent | more

To link to this page within the Wicri network

{{Explor lien
   |wiki=    Sante
   |area=    StressCovidV1
   |flux=    Pmc
   |étape=   Corpus
   |type=    RBID
   |clé=     PMC:7189027
   |texte=   Redefining the Approach to Cybersecurity
}}

To generate wiki pages

HfdIndexSelect -h $EXPLOR_AREA/Data/Pmc/Corpus/RBID.i   -Sk "pubmed:NONE" \
       | HfdSelect -Kh $EXPLOR_AREA/Data/Pmc/Corpus/biblio.hfd   \
       | NlmPubMed2Wicri -a StressCovidV1 

Wicri

This area was generated with Dilib version V0.6.33.
Data generation: Wed May 6 16:44:09 2020. Site generation: Sun Mar 28 08:26:57 2021