1 Introduction

1.1 Background

The rise of the Internet of Things (IoT) presents new opportunities for organizations to develop technologies that will enable them to better manage their business and operations, create new products, improve daily work operations, etc. However, implementing these new solutions can also lead to security issues. Even though there are many studies related to information security, the research community seems to show little or no interest in the relationship between human factors and breaches.

There is a broad range of issues related to European cybersecurity and to national experiences in cybersecurity research. A proper response to the complex phenomenon of cybersecurity is to implement a human-centric approach in system design. Among the important topics is the human factor (HF) as an object of vulnerability and cyber-attacks. This means that an important aspect of implementing the security by design approach is the set of cybersecurity aspects related to privacy by design [2], such as testing the vulnerability of an organization’s cybersecurity to social engineering attacks, modelling HF in cybersecurity, developing an HF framework for cyber vulnerability investigations, and addressing the significance of cognitive user profiles for improving the usability of computer system interfaces, among others. These issues are relevant to the highest level of the IoT Reference Architecture. Because the goal of the architecture is to improve security in IoT systems, the human factor plays a role in adding security at the software application level as part of the user interfaces of the user domain.

Several studies have proved that half of data security breaches are caused by errors in the activities of ordinary users [1]. This contradicts the notion that hackers are the ones behind most breaches. Another key observation from the study is that human mistakes lead to more incidents than malicious actions do. That is why attention should be focused on human factor activities. Moreover, in the current COVID pandemic situation many users prefer working under the so-called “Work From Home” model. This requires more detailed research in cybersecurity in order to enhance users’ cyber awareness and competence. According to ISACA’s COVID-19 study, about 90% of participants believe that an abrupt transition from the workplace to the so-called “home office” way of working would increase the risk to data privacy and cause problems [8].

A key aspect of the human factor is related to identity management, which is an important element of a cybersecurity system within organizations. With regard to the management of digital identity, the key issues are security and privacy. As digital identity has become an increasingly popular attack vector and identity theft is widespread on the web, measures to identify and validate digital identities are crucial for network management and security in the public and private sectors.

1.2 Digital Identity as Object of Cybersecurity Vulnerabilities

Identity is the link that connects individuals to their community. It is a link between individuals and the world in which they live. According to the APA Dictionary of Psychology [3], identity is “an individual’s sense of self defined by (a) a set of physical, psychological, and interpersonal characteristics that is not wholly shared with any other person and (b) a range of affiliations (e.g., ethnicity) and social roles. Identity involves a sense of continuity, or the feeling that one is the same person today that one was yesterday or last year (despite physical or other changes). Such a sense is derived from one’s body sensations; one’s body image; and the feeling that one’s memories, goals, values, expectations, and beliefs belong to the self. Also called personal identity.”

The advent of digital technologies, the internet and social media has made possible the shift of the identity paradigm into a digital (cyber) context. The management of digital identity has many facets (technical, economic, social and cultural) and is therefore complex to understand and to address as a universal concept. Nevertheless, digital identity is essential for the further development of the digital and global economy [7]. Many initiatives have been set up to explore the necessity of a unique digital identity and its adoption on a global scale. For example, the United Nations (UN) and World Bank ID4D initiatives aim to provide everyone on the planet with a legal identity by 2030. At the ID2020 summit in May 2016 in New York, the UN initiated discussions around digital identity, blockchain and cryptographic technologies, and their benefits for the underprivileged. During the summit, 400 experts shared best practices and ideas on how to provide universal identity to all.

The problem is that in today’s digital world it is a challenge to determine exactly what data (by type, quantity and quality) are available in cyberspace. There is a huge amount of personal data on the Internet that forms a “digital imprint” of a person and is linked to a “digital identity”. Therefore, a key aspect of cyber security is the human factor.

As an open system, a person communicates through the information environment and social networks. Through the physical environment, digital devices may become a means of attack, using their output to flood the person with massive amounts of information or to interfere with everyday operations.

In addition, a major challenge in IoT smart home infrastructure is the security of devices. The main problem comes from the heterogeneous nature of IoT networks and the large number of devices that differ on many criteria, such as the communication protocols and data protocols that they use [9]. Therefore, the security implementation will vary from device to device, and finding a uniform solution is almost impossible [10]. Smart solutions contain a large amount of confidential data (e.g., personal photos, videos and microphone audio).

The notion of human factor within cyber-physical systems leads to one main observation in regard to user awareness within such systems.

In order to reach the above-mentioned aim of this paper, the issue has been explored from a user’s point of view by applying a survey research methodology. This gave an opportunity to select key research indicators related to cyber awareness and digital identity. These were explored and analysed, and then the evaluation criteria were defined. The study is aimed at helping users acquire certain skills when they operate in cyberspace. The survey was conducted and its results were compiled and examined. These results are used for the development of solutions that would enhance users’ cyber awareness and digital competences and help them maintain a high level of cyber hygiene.

Based on the survey results, a human-centric perspective for a practical solution is applied through the development of a virtual online space, the “Cyberawareness” website. It provides opportunities for active communication between users: they can submit information to the platform as well as receive information from it. The virtual space of the platform has several functionalities. On the one hand, it offers a tool for researching the skills and behaviour of citizens, verifying their competencies in cyber awareness, and helping them manage their digital identity. On the other hand, it provides cyber awareness resources, access to various free cybersecurity verification tools, information resources, useful information and contacts, opportunities for sharing information related to cyber incidents, etc.

In this way, the platform could strengthen information sharing and improve the cybersecurity competence of the workforce and citizens, especially in the sphere of continuous cybersecurity education and the related services. According to the ACM study group and the NICE framework (NIST Special Publication 800-181, National Initiative for Cybersecurity Education), it is necessary to pay attention to curriculum topics such as Organizational Security (Security Operation and Personal Security), anonymizing data, Social Security (Customer Service and Technical Support), Component Security (Procurement) and Connection Security (Physical Interface and Connectors), due to the expansion of IoT-connected devices. It should be noted that areas of utmost importance, such as privacy by design, appeared to be present in less than 30% of the educational programmes. In addition, cybersecurity programmes in education should recognize the role of human-centric factors, which provide the basis for incorporating technology, software, organizational processes and users, and for studying this as a socio-technical and psychological system [4].

2 Approach for Improving Users’ Cyber Awareness When Working in Cyberspace and with IoT Devices’ Interfaces

2.1 Research Method

The research method is based on evaluation through analysis of the collected data. The collected data provides information about the users, their occupation, experience and level of excellence. For the purpose of this study, the survey method was selected as the most appropriate one.

The survey examines and analyses the opinions of a wide range of participants who work in public and administrative structures. It provides an objective overview of the needs and potential areas for improvement in the organization of information infrastructures in those structures, as well as in the use of IoT software applications.

The preparation of the survey followed this working procedure:

  • Studying the general theory and technology of organizing and creating a survey;

  • Exploring the possibilities for creating questionnaires or online forms with the relevant topics;

  • Selection of indicators and definition of criteria for assessment of information needs;

  • Development of a questionnaire;

  • Organizing and conducting the survey;

  • Processing and analysis of the results of the survey;

  • Synthesis of the results, development of conclusions, recommendations and lessons for the users, administrators and developers;

  • Applying the results of the survey to improve information security, defining them as information resources within the package of capabilities they need to implement.

Indicators for the Formation of the Criteria.

As part of information security, indicators for the formation of criteria for cyber awareness assessment are related to capability building, as follows:

  • Application of service-oriented architecture;

  • Capability building for monitoring, detection and recognition of cyber threats in the IoT ecosystem environment;

  • Capability building to ensure effective processing and sharing of information related to cyber incidents and threats;

  • Personally Identifiable Information and Identity Management.

The information security needs and services of the systems are planned and built in accordance with their taxonomic grouping. This is part of the comprehensive service-oriented, security by design and privacy by design approaches. The taxonomy is a hierarchical model consisting of certain layers of services, including information security services.

Also, capacity building for monitoring cyberspace is related to sharing data in real time through a subsystem for cyber incident detection.

In order to manage increased cyber risks and to improve cyber awareness, it is essential for users to counter detected threats, and to be capable of and adaptable to neutralizing new cyber threats generated by innovative information technologies, especially those connected to IoT infrastructure and personal area networks.

Evaluation Criteria.

The definition of the evaluation criteria is based on an analysis of the proposed indicators for information security. It can be concluded that the basis for building the information environment should be a service-oriented architecture. That is why the evaluation criteria can be:

  • applying a comprehensive service-oriented approach to build up information security;

  • capability building for effective information sharing and processing among different organizational units;

  • providing abilities to work in a group environment;

  • getting specific abilities in order to observe, detect and recognize the environment in cyberspace in real time;

  • assessment of the threat and risk level in regard to identity theft.

The set of indicators and the defined criteria for the evaluation of cyber awareness and information security form the basis for the resources necessary to guarantee information security when users work in cyberspace.

A variant of such a consistent method for cyber awareness research, identity management and proposing a solution to enhance user competencies regarding cyberspace could be successfully applied both at the national level of one country and in the EU cybersecurity domain.

The survey was conducted online among several different user groups. The “Forms” applications of the Microsoft Teams and Google Forms platforms were used as the implementation technology.

The analysis of the results of the survey is used in the development of a solution to increase cyber awareness.

3 Results of the Study

Given the dynamic state of information security vulnerabilities and the volume and complexity of existing threats, public organizations face a huge challenge in defining and understanding human-related threats and risks. To help understand these challenges, cybersecurity experts and cyber users in public organizations from various institutions were interviewed through a survey. Based on the results of the survey, the key issues that all users face are related to the lack of information about types of vulnerabilities, risk assessment, risk awareness, and access to the right information and support.

Interviews with the following three types of experts were conducted:

  • users (of IoT)

  • public sector workforce

  • cyber security specialists and developers

Thirty-eight (38) respondents took part in the survey at the user level. In the second survey, forty-three (43) respondents were interviewed, of whom fifteen (15) were information security specialists. Along with the specific answers to the questions, concrete proposals were made. The main one identified the need to provide opportunities for cyber awareness, namely opportunities to improve the competencies of public sector users when working in cyberspace.

Some key observations are identified as follows:

  • More than 50% of participants underwent security training within their organizations

  • 78% of respondents say that the organizations where they work have established security policies. In a small share of them these rules relate only to certain activities. Here the role of the leadership is positive and obvious.

  • 72% of the respondents would accept, when working in cyberspace, to comply with recommendations such as monitoring their own user account and device, knowing their correspondents, using virtual cards for payments, and more. However, 27% would not comply with such recommendations. Although the dissenters are a small percentage, such a percentage is unacceptable in a public administrative structure.

  • Over 60% of employees would like to be involved in training on the implementation of software capabilities to protect information and networks, and especially IoT devices. The training can be done by external training structures, but also by the cyber security specialists.

  • The recommendations from the dedicated information security administrators are as follows. End-user protection and awareness systems are highly recommended. They also recommend having analysis systems in the information infrastructure, incident monitoring, and reporting of IoT vulnerabilities.

  • More than 50% of the participants recommend the information infrastructure to have cyber threat systems and indicators, along with incident analysis, monitoring and reporting systems.

  • More than 50% of the breaches in the networks of corporate structures are due to the human factor within the organization itself, and about 30% are caused by external factors and resources. This presupposes preventive work by management with users in the electronic environment and daily control over the users and administrators in the IoT infrastructure. These conclusions also apply to network administrators in their daily work with employees.

Based on the analysis of the survey results, the following recommendations can be made regarding the work of users, managers, and network and security administrators within public organizations.

Regarding Users and Managers in Institutions.

The data gathered from this group shows that justified cybersecurity concerns are present. This requires the leadership of institutions to develop measures and recommendations for the safe work of their employees in the digital environment and to enhance their cyber awareness.

  • About the cyber awareness level analysis: public sector organizations should create and use a cybersecurity policy during crises.

  • About the data analysis: smaller organizations with lower budgets and fewer employees are less prepared and less aware of cybersecurity risks. Therefore, more cybersecurity awareness is needed.

Organizational measures are needed, including those related to identity management, such as:

Employees need to know that each account corresponds to exactly one particular user, and everyone must act responsibly and protect their data. Usernames and passwords should not be provided to third parties, nor entered on various digital platforms and social media. In case of suspicion of profile theft or a compromised account, the security administrator in the institution should be notified immediately.

Password compromise is one of the main causes of cybercrime incidents. Quality password management assumes that each account is secured with its own unique access password. Passwords must be both sufficiently long and complex enough, composed of different characters and symbols. Passwords should not include words, names or anything that is easy to associate with their owners.

Improper password management can lead to significant risks of theft and irreversible loss of information, leakage of sensitive data, and intrusion into information systems.

Passwords are strictly personal and on no occasion and under no circumstances should they be shared, whether sent by e-mail, written on paper, communicated by telephone, fax or any other insecure or easily readable format or channel; and under no circumstances should they be entered in electronic surveys. Passwords must not be saved in a file on a workstation, server or mobile device in unencrypted form.
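The identity-management and password rules above (one account per user, unique passwords per account, sufficient length and complexity, no owner-associated words, no clear-text storage) can be enforced mechanically at the moment a password is set. The following Python script is an added example, not code from the paper or its portal: the length and character-class thresholds, the user name, the account names and the sample passwords are all constructed for illustration, and uniqueness across the user's accounts is checked by comparing the candidate against the salted PBKDF2 hashes stored for the other accounts, so no password is ever kept in clear.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Policy thresholds are constructed for this example; the paper states no numbers.
MIN_LENGTH = 14
MIN_CHAR_CLASSES = 3          # of the four classes: lower, upper, digit, symbol
PBKDF2_ROUNDS = 100_000       # work factor for the stored hash


@dataclass
class PolicyResult:
    ok: bool
    problems: List[str] = field(default_factory=list)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256, so a stored
    credential is never kept in clear text (the 'unencrypted form' rule)."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_hash(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def char_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def owner_term_in(password: str, owner_terms: List[str]) -> Optional[str]:
    """Return the first owner-associated term (name, username, ...) found inside
    the password, ignoring case; terms shorter than 3 characters are skipped."""
    lowered = password.lower()
    for term in owner_terms:
        t = term.lower()
        if len(t) >= 3 and t in lowered:
            return term
    return None


def check_password_policy(password: str, owner_terms: List[str],
                          existing: Dict[str, Tuple[bytes, bytes]]) -> PolicyResult:
    """Evaluate a candidate password for one account against the policy: length,
    character diversity, no owner-associated words, and uniqueness across the
    user's other accounts (checked against their stored hashes, not clear text)."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(password) < MIN_CHAR_CLASSES:
        problems.append(f"uses fewer than {MIN_CHAR_CLASSES} character classes")
    term = owner_term_in(password, owner_terms)
    if term is not None:
        problems.append(f"contains owner-associated term '{term}'")
    for account, (salt, digest) in existing.items():
        if matches_hash(password, salt, digest):
            problems.append(f"already used for account '{account}'")
    return PolicyResult(ok=not problems, problems=problems)


def demo() -> Dict[str, PolicyResult]:
    """Constructed scenario: a hypothetical user 'ivan.petrov' already has a
    password stored for the 'mail' account and wants to set a 'vpn' password."""
    owner = ["Ivan", "Petrov", "ivan.petrov"]
    mail_salt, mail_digest = hash_password("Correct-Horse-Battery-9")
    stored = {"mail": (mail_salt, mail_digest)}
    candidates = {
        "reused": "Correct-Horse-Battery-9",   # identical to the mail password
        "weak": "ivan2021!",                   # too short and contains the owner's name
        "good": "Tr0ub4dor&3-Bulgaria!",       # long, 4 classes, no owner term, unused
    }
    return {name: check_password_policy(pw, owner, stored) for name, pw in candidates.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        status = "OK" if result.ok else "REJECTED: " + "; ".join(result.problems)
        print(f"{name:>7}: {status}")
```

The reuse check works only at the moment the user types the new password, because that is the only time the clear-text value exists; afterwards the system holds just the salted hashes, which is the storage form the policy requires.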

Compliance with security policies by users will ensure a relatively safe working environment in cyberspace. Administrators must also commit to compliance with network and security policies, as well as to the management of the institution’s information infrastructure.

Since the vision of IoT is to connect as many smart devices as possible, it is important that IoT users have all data available at all times. However, data is not the only component used in IoT. Devices and services must also be available in a timely manner when needed to meet IoT expectations. A (distributed) denial of service (DDoS) attack is an example of an attack that affects resource availability.

The information systems and services that we use are becoming safer and harder to hack, but in fact people remain the weakest part of the cybersecurity system. Their mistakes can compromise the whole system. Therefore, it is important to promote cyber hygiene and user behaviour through cyber awareness, education and training that keep pace with advances in psychology, state-of-the-art technologies and security.

The human factor vulnerability is a major target of social engineering attacks, which completely circumvent all technical protection measures taken. Social engineering is a method of unauthorized acquisition of information resources and/or user rights without the use of technical means. It relies mainly on psychological methods, namely a person’s tendency to trust. Social engineering attacks take place on two levels:

  • The physical level comprises offices, telephones, trashcans and business mail.

  • The social engineer can simply enter the workplace, posing as a maintenance person, and obtain a user’s username and password.

This psychological approach uses well-established methods of persuasion: impersonating someone else, conformism, reference to an authoritative figure, distraction, or just a friendly attitude. The most common and easiest way for a third party to obtain a username and password is to receive it directly from the user through various methods of persuasion, deception, involuntary sharing, misleading for financial benefit, etc. Social engineering is the preferred method to launch an attack on a system because, in case of carelessness on the part of the user, the attacker can easily obtain the necessary information.

The human factor is linked to the implementation of security policies. It is important to note the need for the security policy rules of IoT infrastructure devices to be developed according to the participants in the overall IoT ecosystem. They can be summarized as security policies for developers and service providers (in the processes of infrastructure development, implementation and integration), and security policies for end users of IoT devices and applications [5, 6]. Security is not only about technology, but also about people. That is why it should be accepted that the human factor in cybersecurity cannot be ignored. Therefore, it is necessary to take action and care for people, such as: education, to make users aware; establishing proper security policies; and constantly studying one’s own mistakes and weaknesses.

Developing the Project Portal “Cyber Awareness”.

In line with the observations based on the survey results, the author presents a methodology for enhancing the knowledge of users to work in a secure environment and to refine and improve their cyber awareness and IoT security skills. As a practical implementation of the proposed methodology, the author presents a developed Cyber Awareness portal. Its main purpose is to provide information and resources on cybersecurity and IoT security, and to be the main point of knowledge access. The portal also provides opportunities to test one’s cyber knowledge, participate in public surveys related to cyber topics, and share and exchange information, opinions and useful practices on cyber incidents and knowledge.

4 Conclusion

IoT technologies have become everyday commodities, permeating both our social and work environments. The complexity, variety, and frequency of cyber incidents have increased significantly over the last decade. Understanding cybersecurity risk requires a certain level of discipline and a cautious mentality, which requires increasing cyber awareness levels among regular users of IoT.

The developed portal is a good practice that can be further improved into a collaborative platform that enables regular editing and enrichment of the content with additional up-to-date information, setting up a forum and discussion structure, as well as adding tools. The proposed approach for improving people’s cyber awareness has an interdisciplinary effect, as it could be successfully applied in other cyber domains. Human vulnerabilities need to be identified and managed before they lead to an actual security breach. For that reason, we need a common research perspective to study cybersecurity that focuses on the interaction of technology and software development, concepts and architectures, organizational process improvement and human performance. This means applying a human-centred approach, which provides a comprehensive foundation to analyse cybersecurity as a socio-technical system that covers diverse aspects such as the psychological, the cultural, and technology and software development.