Securing the remote office: reducing cyber risks to remote working through regular security awareness education campaigns

  • Regular Contribution
International Journal of Information Security

Abstract

Cyber security threats, including risks to remote workers, are varied and diverse, with the number of scams and business email compromise breaches increasing. Firms and their staff are experiencing mass phishing attacks, which are typical precursors to more sinister attacks such as cyber-enabled fraud, ransomware, and denial of service (DDoS) attacks. Threat actors are leveraging new technologies such as machine learning and artificial intelligence (AI) to deliver sophisticated scam and phishing messages that are challenging for users to identify as malicious. Several businesses are increasing technical efforts in critical areas, including network hardening, robust patching, anti-malware, ransomware detection applications, and multi-factor authentication, to detect, prevent, and recover from potential threats. However, these measures provide only a partial solution if the users who access the systems do not have good security awareness training. In this study, we review some cyber risks related to remote working and detail how they can be remediated through regular security awareness education campaigns (SAECs). The study presents the results of a proof of concept (PoC) experiment conducted to establish the value of regular SAECs in the fight against scams and phishing attacks against remote workers. The pilot results confirm that securing the remote office requires a robust SAEC. The study argues that, to be successful and help staff protect business systems and data, SAECs must be regular and varied, providing opportunities for staff to understand what to look for in suspicious scam and phishing emails. Moreover, they must provide opportunities for staff to practice their knowledge and understanding through practical exercises such as spam and phishing simulation exercises, which could help users avoid falling victim to spam and phishing emails.

Availability of data and materials

The results data/figure in this manuscript have not been published elsewhere, nor are they under consideration by another publisher. The data that support the findings of this study are available on request from the corresponding author.

Author information

Corresponding author

Correspondence to Giddeon Njamngang Angafor.

Ethics declarations

Conflict of interest

The authors declare no competing interests.

Ethical approval

The authors declare full compliance with ethical standards. This article does not contain any studies involving humans or animals performed by any of the authors.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendix A: Questionnaire

Security Awareness Education Campaigns

PoC Initial Survey

  1. Which business sector are you in?
    (a) Customer Services
    (b) Information Technology
    (c) Government including local councils
    (d) Financial Industry
    (e) Health and care sector
    (f) Commercial sector

  2. What department do you work in?
    (a) Human Resources
    (b) Service Desk
    (c) IT
    (d) Finance
    (e) Learning and Development
    (f) Project Management

  3. What is your highest qualification?
    (a) GCSE
    (b) Advanced Level
    (c) Diploma
    (d) Degree
    (e) Masters or MBA
    (f) PhD
    (g) Other

  4. Do you know what phishing is?

  5. Do you know what spam is?

  6. Do you know what social engineering is?

  7. Which one of the following best describes your working status?
    (a) Office Based
    (b) Hybrid
    (c) Remote

  8. If your work is remote, when did you start?
    (a) Before COVID’19
    (b) During COVID’19
    (c) After COVID’19

  9. Have you been exposed to scams or phishing email threats while working remotely?
    (a) Scam emails
    (b) Phishing emails
    (c) All of the above

  10. Select the most relevant statement from the list below.
    (a) I can confidently identify scam and phishing emails
    (b) I may be able to recognize scam and phishing emails
    (c) I am not able to recognize scam and phishing emails

  11. Select all the options that apply to you.
    (a) I understand what cyber security awareness education campaigns are
    (b) My company carries out regular cyber security awareness education campaigns
    (c) I have recently attended a cyber security awareness education campaign

  12. I believe that regular security awareness campaigns encourage users to be conscious of cyber security threats.
    (a) Yes
    (b) No
    (c) Don’t Know

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

About this article

Cite this article

Angafor, G.N., Yevseyeva, I. & Maglaras, L. Securing the remote office: reducing cyber risks to remote working through regular security awareness education campaigns. Int. J. Inf. Secur. 23, 1679–1693 (2024). https://doi.org/10.1007/s10207-023-00809-5

  • DOI: https://doi.org/10.1007/s10207-023-00809-5