Cyber-criminals increasingly target humans rather than machines, seeking to accomplish their malicious aims by exploiting the weaknesses of end users. Human vulnerabilities therefore pose a serious threat to the security and integrity of computer systems and data. The human tendency to trust and help others, together with personal, social, and cultural characteristics, indicates the degree of susceptibility an individual may exhibit towards particular attack types and deception strategies. This work investigates the factors that affect human susceptibility by reviewing the existing literature on the subject. It also explores and describes state-of-the-art human vulnerability assessment models, current prevention and mitigation approaches to user susceptibility, and educational and awareness-raising training strategies. Several conclusions follow from the review. Among them, Human Vulnerability Assessment has been included in various frameworks that assess the cyber security capacity of organizations, but it is treated as a one-time assessment rather than a continuous practice. Moreover, human maliciousness is still neglected by current Human Vulnerability Assessment frameworks; as a result, insider threat actors evade identification, which may lead to increased cyber security risk. Finally, this work proposes a user susceptibility profile based on the factors identified in our research.