Leveraging human factors in cybersecurity: an integrated methodological approach
Tóm tắt
Computer and Information Security (CIS) is usually approached adopting a technology-centric viewpoint, where the human components of sociotechnical systems are generally considered as their weakest part, with little consideration for the end users’ cognitive characteristics, needs and motivations. This paper presents a holistic/Human Factors (HF) approach, where the individual, organisational and technological factors are investigated in pilot healthcare organisations to show how HF vulnerabilities may impact on cybersecurity risks. An overview of current challenges in relation to cybersecurity is first provided, followed by the presentation of an integrated top–down and bottom–up methodology using qualitative and quantitative research methods to assess the level of maturity of the pilot organisations with respect to their capability to face and tackle cyber threats and attacks. This approach adopts a user-centred perspective, involving both the organisations’ management and employees, The results show that a better cyber-security culture does not always correspond with more rule compliant behaviour. In addition, conflicts among cybersecurity rules and procedures may trigger human vulnerabilities. In conclusion, the integration of traditional technical solutions with guidelines to enhance CIS systems by leveraging HF in cybersecurity may lead to the adoption of non-technical countermeasures (such as user awareness) for a comprehensive and holistic way to manage cyber security in organisations.
Từ khóa
Tài liệu tham khảo
Abawajy J (2014) User preference of cyber security awareness delivery methods. Behav Inform Technol 33(3):237–248. https://doi.org/10.1080/0144929X.2012.708787
Abbott RG, McClain J, Anderson B, Nauer K, Silva A, Forsythe C (2015) Log analysis of cyber security training exercises. Procedia Manuf 3:5088–5094. https://doi.org/10.1016/j.promfg.2015.07.523
Abomhara M, Køien GM (2015) Cyber security and the internet of things: vulnerabilities, threats, intruders and attacks. J Cyber Secur Mobility 4(1):65–88
Addae JH, Sun X, Towey D, Radenkovic M (2019) Exploring user behavioral data for adaptive cybersecurity. User Model User-Adap Inter 29(3):701–750. https://doi.org/10.1007/s11257-019-09236-5
Albrechtsen E (2007) A qualitative study of users’ view on information security. Comput Secur 26(4):276–289
Al-Darwish AI, Choe P (2019) A framework of information security integrated with human factors. In: Moallem A (ed) HCI for cybersecurity, privacy and trust HCII 2019 lecture notes in computer science. Springer
Alhogail A (2015) Design and validation of information security culture framework. Comput Hum Behav 49:567–575. https://doi.org/10.1016/j.chb.2015.03.054
Alhogail A, Mirza A (2014) A framework of information security culture change. J Theor Appl Inf Technol 64(3):540–549
Alzahrani A, Johnson C, Altamimi S (2018) Information security policy compliance: investigating the role of intrinsic motivation towards policy compliance in the organisation. In: 2018 4th international conference on information management. IEEE, pp 125–32. https://doi.org/10.1109/INFOMAN.2018.8392822
Antonsen S (2009) Safety culture and the issue of power. Saf Sci 47(2):183–191. https://doi.org/10.1016/j.ssci.2008.02.004
Aoyama T, Naruoka H, Koshijima I, Watanabe K (2015) How management goes wrong? – The human factor lessons learned from a cyber incident handling exercise. Procedia Manufact 3:1082–1087. https://doi.org/10.1016/j.promfg.2015.07.178
Argaw ST, Troncoso-Pastoriza JR, Lacey D, Florin M-V, Calcavecchia F, Anderson D, Flahault A (2020) Cybersecurity of Hospitals: discussing the challenges and working towards mitigating the risks. BMC Med Inform Decis Mak 20(1):146. https://doi.org/10.1186/s12911-020-01161-7
Bansal G, Zahedi FM, Gefen D (2010) The impact of personal dispositions on information sensitivity, privacy concern and trust in disclosing health information online. Decis Support Syst 49(2):138–150. https://doi.org/10.1016/j.dss.2010.01.010
Bendovschi A (2015) Cyber-attacks – trends, patterns and security countermeasures. Procedia Econ Finance 28:24–31. https://doi.org/10.1016/S2212-5671(15)01077-1
Besnard D, Arief B (2004) Computer security impaired by legitimate users. Comput Secur 23(3):253–264. https://doi.org/10.1016/j.cose.2003.09.002
Bicanic S, Brahm C, Bre C (2020) What to do now that your demand forecast is wrong. Bain & Co. https://www.bain.com/insights/what-to-do-when-your-demand-forecast-is-wrong/. Accessed 6 Apr 2020
Bødker S (2006) When second wave HCI meets third wave challenges. In: Proceedings of the 4th nordic conference on human-computer interaction: changing roles, pp 1–8
Boyatzis RE (1998) Transforming qualitative information: thematic analysis and code development. SAGE Publications
Braun V, Clarke V (2006) Using thematic analysis in psychology. Qual Res Psychol 3(2):77–101. https://doi.org/10.1191/1478088706qp063oa
Bulgurcu B, Cavusoglu H, Benbasat I (2010) Quality and fairness of an information security policy as antecedents of employees' security engagement in the workplace: an empirical investigation. Paper presented at the 43rd Hawaii international conference on system sciences, Honolulu, HI, USA
Callari TC, Ciairano S, Re A (2012) Elderly-technology interaction: accessibility and acceptability of technological devices promoting motor and cognitive training. Work A J Prev Asses Rehabilit 41(1):362–369. https://doi.org/10.3233/WOR-2012-0183-362
Carayon P, Kraemer S (2002) Macroergonomics in WWDU: what about computer and information security. Paper presented at the proceedings of the sixth international scientific conference on work with display units-WWDU 2002-world wide work, Berlin, Germany
Carayon P, Kraemer S, Bier V (2005) Human factors issues in computer and e-business security. In: Labbi A (ed) Handbook of integrated risk management for e-business measuring, modeling, and managing risk. Ross Publishing
Carroll JS, Quijada MA (2004) Redirecting traditional professional values to support safety: changing organisational culture in health care. Quality Safety Health Care 13(suppl 2):16–21. https://doi.org/10.1136/qshc.2003.009514
Chua HN, Wong PPF, Low YC, Chang Y (2018) Impact of employees’ demographic characteristics on the awareness and compliance of information security policy in organizationss. Telematics Inform 35(6):1770–1780
Colwill C (2009) Human factors in information security: the insider threat – Who can you trust these days? Inf Secur Tech Rep 14(4):186–196. https://doi.org/10.1016/j.istr.2010.04.004
Conteh NY, Schmick PJ (2016) Cybersecurity: risks, vulnerabilities and countermeasures to prevent social engineering attacks. Internat J Adv Comput Res 6(23):31–38
Corradini I (2020) Building a cybersecurity culture in organizations. Studies in Syst Dec Control. https://doi.org/10.1007/978-3-030-43999-6_3
Coventry L, Branley D (2018) Cybersecurity in healthcare: a narrative review of trends, threats and ways forward. Maturitas 113:48–52. https://doi.org/10.1016/j.maturitas.2018.04.008
Craggs B (2019) A just culture is fundamental: extending security ergonomics by design. In: 2019 IEEE/ACM 5th international workshop on software engineering for smart cyber-physical systems (SEsCPS). IEEE, pp 46–49
D’Arcy J, Hovav A (2009) Does one size fit all? Examining the differential effects of is security countermeasures. J Bus Ethics 89:59. https://doi.org/10.1007/s10551-008-9909-7
Da Veiga A, Eloff JHP (2010) A framework and assessment instrument for information security culture. Comput Secur 29(2):196–207. https://doi.org/10.1016/j.cose.2009.09.002
Da Veiga A, Martins N (2015) Information security culture and information protection culture: a validated assessment instrument. Comput Law Secur Rev 31(2):243–256. https://doi.org/10.1016/j.clsr.2015.01.005
DeJoy DM (2005) Behavior change versus culture change: divergent approaches to managing workplace safety. Safety Sci 43(2):105–129. https://doi.org/10.1016/j.ssci.2005.02.001S0925-7535(05)00007-X
Dekker S (2003) Failure to adapt or adaptations that fail: contrasting models on procedures and safety. Appl Ergon 34(3):233–238
Deline S, Guillet L, Rauffet P, Guérin C (2021) Team cognition in a cyber defense context: focus on social support behaviors. Cogn Tech Work 23:51–63. https://doi.org/10.1007/s10111-019-00614-y
Desruelle P, Baldini G, Barboni M, Bono F, Delipetrev B, Duch Brown N, Fernandez Macias E, Gkoumas K, Joossens E, Kalpaka A, Nepelski D, Nunes de Lima MV, Pagano A, Prettico G, Sanchez I, Sobolewski M, Triaille J-P, Tsakalidis A, Urzi Brancati MC (2019) Digital transformation in transport, construction, energy, government and public administration, EUR 29782 EN, Publications Office of the European Union, Luxembourg
Dhillon G, Backhouse J (2001) Current directions in IS security research: towards socio-organisational perspectives. Inf Syst J 11(2):127–153. https://doi.org/10.1046/j.1365-2575.2001.00099.x
Dlamini MT, Eloff JHP, Eloff MM (2009) Information security: the moving target. Comput Secur 28(3):189–198. https://doi.org/10.1016/j.cose.2008.11.007
Driscoll DL, Appiah-Yeboah A, Salib P, Rupert DJ (2007) Merging qualitative and quantitative data in mixed methods research: How to and why not. Ecol Environ Anthropol (University of Georgia). 18. https://digitalcommons.unl.edu/icwdmeea/18
ENISA (2020a) ENISA threat landscape 2020: cyber attacks becoming more sophisticated, targeted, widespread and undetected. European Union Agency for Network and Information Security
Eminağaoğlu M, Uçar E, Eren Ş (2009) The positive outcomes of information security awareness training in companies – A case study. Inf Secur Tech Rep 14(4):223–229. https://doi.org/10.1016/j.istr.2010.05.002
Engestrom Y (2000) Activity theory as a framework for analyzing and redesigning work. Ergonomics 43(7):960–974
ENISA (2020b) ENISA Main incidents in the EU and worldwide. European Union Agency for Network and Information Security
Flechais I, Sasse MA (2009) Stakeholder involvement, motivation, responsibility, communication: How to design usable security in e-Science. Internat J Hum Comput Studies 67:281–296. https://doi.org/10.1016/j.ijhcs.2007.10.002
Furnell SM, Clarke N (2012) Power to the people? The evolving recognition of human aspects of security. Comput Secur 31(8):983–988. https://doi.org/10.1016/j.cose.2012.08.004
Furnell SM, Jusoh A, Katsabas D (2006) The challenges of understanding and using security: a survey of end-users. Comput Secur 25(1):27–35. https://doi.org/10.1016/j.cose.2005.12.004
Gael M, Rene A, Christine C (2009) How good micro/macro ergonomics may improve resilience, but not necessarily safety. Saf Sci 47(2):285–294. https://doi.org/10.1016/j.ssci.2008.03.002
Gilbert C, Amalberti R, Laroche H, Paries J (2007) Errors and failures: towards a new safety paradigm. J Risk Res 10(7):959–975
Glaspie HW, Karwowski W (2018) Human factors in information security culture: a literature review. Adv Intell Syst Comput. https://doi.org/10.1007/978-3-319-60585-2_25
Hadley J (2019) In the age of AI, the human factor still matters for cybersecurity, Forbes. https://www.forbes.com/sites/jameshadley/2019/03/27/in-the-age-of-ai-the-human-factor-still-matters-for-cybersecurity/#7a9774725cc5. Accessed 27 Mar 2019
Henshel D, Cains MG, Hoffman B, Kelley T (2015) Trust as a human factor in holistic cyber security risk assessment. Proc Manufact 3:1117–1124. https://doi.org/10.1016/j.promfg.2015.07.186
HERMENEUT Project (2018) Deliverable D2.2. Integrated estimation of the enterprise's vulnerabilities
Ivankova N, Wingo N (2018) Applying mixed methods in action research: methodological potentials and advantages. Am Behav Sci 62(7):978–997
Jaferian P, Hawkey K, Sotirakopoulos A, Velez-Rojas M, Beznosov K (2011) Heuristics for evaluating IT security management tools. Paper presented at the proceedings of the seventh symposium on usable privacy and security Pittsburgh, Pennsylvania. https://doi.org/10.1145/2078827.2078837
Jang-Jaccard J, Nepal S (2014) A survey of emerging threats in cybersecurity. J Comput Syst Sci 80(5):973–993. https://doi.org/10.1016/j.jcss.2014.02.005
Jeong J, Mihelcic, G Oliver, Rudolph C (2019) Towards an improved understanding of human factors in cybersecurity 2019 IEEE 5th international conference on collaboration and internet computing (CIC). Los Angeles, CA, USA https://doi.org/10.1109/CIC48465.2019.00047
Johnston AC, Hale R (2009) Improved security through information security governance. Commun ACM 52(1):126–129
Katsikas SK, López J, Backes M, Gritzalis S, Preneel B (Eds) (2006) Information security: 9th international conference, ISC 2006, Samos Island, Greece, August 30–September 2, 2006. Proceedings. Springer
Khan B, Alghathbar KS, Nabi SI, Khan MK (2011) Effectiveness of information security awareness methods based on psychological theories. Afr J Bus Manag 5(26):10862e8
Kim B (2016) Cybersecurity and digital surveillance versus usability and privacy1: why libraries need to advocate for online privacy. Coll Res Libr News 77(9):442–451. https://doi.org/10.5860/crln.77.9.9553
Kluge EH (2011) e-Health promises and challenges: some ethical considerations. Studies Health Technol Inform 164:148–153
Knapp KJ, Franklin Morris R, Marshall TE, Byrd TA (2009) Information security policy: an organisational-level process model. Comput Secur 28(7):493–508. https://doi.org/10.1016/j.cose.2009.07.001
Knott BA, Mancuso VF, Bennett K, Finomore V, McNeese M, McKneely JA, Beecher MM (2013) Human factors in cyber warfare. Proc Hum Factors Ergon Soc Ann Meeting 57(1):399–403. https://doi.org/10.1177/1541931213571086
Kraemer S, Carayon P (2005) A macroergonomic framework for computer and information security. In: Carayon P, Robertson M, Kleiner B, Hoonakker P (eds) Human factors in organizational design and management - VII. IEA Press, pp 243–254
Kraemer S, Carayon P (2007) Human errors and violations in computer and information security: the viewpoint of network administrators and security specialists. Appl Ergon 38(2):143–154. https://doi.org/10.1016/j.apergo.2006.03.010
Kraemer S, Carayon P, Clem J (2009) Human and organisational factors in computer and information security: pathways to vulnerabilities. Comput Secur 28(7):509–520. https://doi.org/10.1016/j.cose.2009.04.006
Krombholz K, Hobel H, Huber M, Weippl E (2015) Advanced social engineering attacks. J Inform Secur Appl 22:113–122. https://doi.org/10.1016/j.jisa.2014.09.005
Lacomblez M, Bellemare M, Chatigny C, Delgoulet C, Re A, Trudel L, Vasconcelos R (2007) Ergonomic analysis of work activity and training: basic paradigm, evolutions and challenges. In: Pikaar R, Settels P (eds) Meeting diversity in ergonomics. Elsevier
Ladner S (2016) Practical ethnography: a guide to doing ethnography in the private sector. Routledge
Lahcen RAM, Mohapatra R, Kumar M (2018) Cybersecurity: a survey of vulnerability analysis and attack graphs In: International conference on mathematics and computing. Springer, pp 97–111
Leplat J (1991) Understanding work in order to transform it. Trav Hum 54(3):283–285
Linkov V, Zámecˇník P, Havlícˇková D, Pai C-W (2019) Human factors in the cybersecurity of autonomous vehicles: trends in current research. Front Psychol 10:995. https://doi.org/10.3389/fpsyg.2019.00995
Loi M, Christen M, Kleine N, Weber K (2019) Cybersecurity in health – disentangling value tensions. J Inf Commun Ethics Soc 17(2):229–245. https://doi.org/10.1108/JICES-12-2018-0095
Maalem Lahcen RA, Caulkins B, Mohapatra R et al (2020) Review and insight on the behavioral aspects of cybersecurity. Cybersecur 3:10. https://doi.org/10.1186/s42400-020-00050-w
Macnish K, van der Ham J (2020) Ethics in cybersecurity research and practice. Technol Soc 63:101382. https://doi.org/10.1016/j.techsoc.2020.101382
Malatji M, Von Solms S, Marnewick A (2019) Socio-technical systems cybersecurity framework. Inform Comput Secur 27(2):233–272. https://doi.org/10.1108/ICS-03-2018-0031
McEvoy TR, Kowalski SJ (2019) Deriving cyber security risks from human and organizational factors – a socio-technical approach. Complex Syst Inform Model Quart CSIMQ 18:47–64. https://doi.org/10.7250/csimq.2019-18.03
Morrow PJ (2018) The new age of cybersecurity privacy, criminal procedure and cyber corporate ethics. J Cybersec Res (JCR) 3(1):19–28. https://doi.org/10.19030/jcr.v3i1.10241
Mouton F, Leenen L, Venter HS (2016) Social engineering attack examples, templates and scenarios. Comput Secur 59:186–209
Mudassir H (2020) COVID-19 will fuel the next wave of innovation. https://www.entrepreneur.com/article/347669. Accessed 16 Mar 2020
Naikar N, Moylan A, Pearce B (2006) Analysing activity in complex systems with cognitive work analysis: concepts, guidelines and case study for control task analysis. Theor Issues Ergon Sci 7(4):371–394. https://doi.org/10.1080/14639220500098821
Ng B-Y, Kankanhalli A, Xu Y (2009) Studying users’ computer security behavior: a health belief perspective. Decis Support Syst 46(4):815–825. https://doi.org/10.1016/j.dss.2008.11.010
Nicho M, Fakhry H, Egbue U (2018) Evaluating user vulnerabilities vs phisher skills in spear phishing. Internat J Comput Sci Inform Syst 13:93–108. https://doi.org/10.33965/ijcsis_2018130207
Nowell LS, Norris JM, White DE, Moules NJ (2017) Thematic analysis: striving to meet the trustworthiness criteria. Int J Qual Methods 16(1):1609406917733847. https://doi.org/10.1177/1609406917733847
Nurse JRC, Creese S, Goldsmith M, Lamberts K (2011) Guidelines for usable cybersecurity: past and present. Paper presented at the 2011 third international workshop on cyberspace safety and security (CSS)
Parsons K, McCormac A, Butavicius M, Pattinson M, Jerram C (2014) Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q). Comput Secur 42:165–176. https://doi.org/10.1016/j.cose.2013.12.003
Pollini A, Tedeschi A, Falciani L (2014) Airports as critical transportation infrastructures increasingly impacted by cyberattacks: a case study. Accepted Secur Privacy. https://doi.org/10.1007/978-3-319-12574-9_4
Quiñones D, Rusu C (2017) How to develop usability heuristics: a systematic literature review. Comput Standards Interf 53:89–122. https://doi.org/10.1016/j.csi.2017.03.009
Rasmussen J (1974) The human data processor an a system component bits and pieces of a model. Retrieved from revised edition of internal memo, N- 3O, June 1973.
Rasmussen J (1983) Skills, rules, and knowledge: signals, signs, and symbols, and other distinctions in human performance models. IEEE Trans Syst Man Cybernet SMC 13(3):257–266
Rasmussen J, Pejtersen AM, Goodstein LP (1994) Cognitive systems engineering. John Wiley
Reason J (1997) Managing the risks of organisational accidents. Ashgate Publishing Ltd
Reiman T, Oedewald P (2007) Assessment of complex sociotechnical systems: theoretical issues concerning the use of organisational culture and organisational core task concepts. Saf Sci 45(7):745–768. https://doi.org/10.1016/j.ssci.2006.07.010
Renaud K, Flowerday S (2017) Contemplating human-centred security and privacy research: suggesting future directions. J Inform Secur Appl 34(2017):76–81
Roper A, Wilson S, Neate T, Marshall J (2019) Speech and Language. In: Yesilada Y, Harper S (eds) Web Accessibility Human-Computer Interaction Series. Springer
Sabillon R, Cavaller V, Cano J, Serra-Ruiz J (2016) Cybercriminals, cyberattacks and cybercrime. Paper presented at the 2016 IEEE international conference on cybercrime and computer forensic (ICCCF), Simon Fraser University, Vancouver, BC, Canada
Scala NM, Reilly AC, Goethals PL, Cukier M (2019) Risk and the five hard problems of cybersecurity. Risk Anal 39(10):2119–2126
Scaratti G, Galuppo L, Gorli M, Gozzoli C, Ripamonti S (2017) The social relevance and social impact of knowledge and knowing. Manag Learn 48(1):57–64. https://doi.org/10.1177/1350507616680563
Schultz E (2005) The human factor in security. Comput Secur 24(6):425–426. https://doi.org/10.1016/j.cose.2005.07.002
Segovia L, Torres F, Rosillo M, Tapia E, Albarado F, Saltos D (2017) Social engineering as an attack vector for ransomware. In: proceedings of the conference on electrical engineering and information communication technology, Pucon, Chile, pp 1–6
Shabut AM, Lwin KT, Hossain MA (2016) Cyber attacks, countermeasures, and protection schemes. A state of the art survey. Paper presented at the 2016 10th international conference on software, knowledge, information management and Application (SKIMA)
Shackel B (2009) Usability-Context, framework, definition, design and evaluation. Interact Comput 21(5–6):339–346. https://doi.org/10.1016/j.intcom.2009.04.007
Sharp H, Rogers Y, Preece J (2007) Interaction design: beyond human-computer interaction, 2nd edn. John Wiley and Sons Ltd.
Shaver KG (2012) The attribution of blame: causality, responsibility, and blameworthiness. Springer
Siponen MT (2000) A conceptual foundation for organisational information security awareness. Inf Manag Comput Secur 8(1):31–41
Siponen MT (2001) An analysis of the recent IS security development approaches: descriptive and prescriptive implications. In: Dhillon G (ed) Information security management: global challenges in the new millennium. Idea Group Publishing, pp 101–124
Siponen MT (2005) An analysis of the traditional IS security approaches: implications for research and practice. Eur J Inf Syst 14(3):303–315. https://doi.org/10.1057/palgrave.ejis.3000537
Siponen M, Willison R (2009) Information security management standards: problems and solutions. Inform Manag 46(5):267–270. https://doi.org/10.1016/j.im.2008.12.007
Soomro ZA, Shah MH, Ahmed J (2016) Information security management needs more holistic approach: a literature review. Int J Inf Manage 36(2):215–225. https://doi.org/10.1016/j.ijinfomgt.2015.11.009
Stanton NA, Young MS (1999) A guide to methodology in ergonomics: designing for human use. Taylor and Francis
Stanton JM, Stam KR, Mastrangelo P, Jolton J (2005) Analysis of end user security behaviors. Comput Secur 24(2):124–133. https://doi.org/10.1016/j.cose.2004.07.001
Symantec (2018) Internet security threat report (ISTR). https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf
Tayouri D (2015) The human factor in the social media security – Combining education and technology to reduce social engineering risks and damages. Procedia Manufact 3:1096–1100. https://doi.org/10.1016/j.promfg.2015.07.181
Teal K (2020) Cybercrime tactics and techniques’: COVID-19 Sends attackers into overdrive, channel futures. https://www.channelfutures.com/mssp-insider/cybercrime-tactics-and-techniques-covid-19-sends-attackers-into-overdrive. Accessed 1 June 2020
Turner SF, Cardinal LB, Burton RM (2017) Research design for mixed methods: a triangulation-based framework and roadmap. Organ Res Methods 20(2):243–267
Vanderhaegen F (2012) Cooperation and learning to increase the autonomy of ADAS. Cogn Technol Work 14(1):61–69
Vanderhaegen F (2017) Towards increased systems resilience: new challenges based on dissonance control for human reliability in cyber-physical and human systems. Annu Rev Control 44:316–322
Vanderhaegen F (2021a) Pedagogical learning supports based on human–systems inclusion applied to rail flow control. Cogn Tech Work 23:193–202. https://doi.org/10.1007/s10111-019-00602-2
Vanderhaegen F (2021b) Weak signal-oriented investigation of ethical dissonance applied to unsuccessful mobility experiences linked to human-machine interactions. Sci Eng Ethics 27(1):2. https://doi.org/10.1007/s11948-021-00284-y
Warren M, Burmeister O (2019) Preface to research on applied ethics (Cybersecurity). Austr J Inf Syst. https://doi.org/10.3127/ajis.v23i0.2211
Weber K, Loi M, Christen M, Kleine N (2018) Digital medicine, cybersecurity, and ethics: an uneasy relationship. Am J Bioeth 18(9):52–53. https://doi.org/10.1080/15265161.2018.1498935
Woods M, Paulus T, Atkins DP, Macklin R (2016) Advancing qualitative research using qualitative data analysis software (QDAS)? Reviewing potential versus practice in published studies using ATLASt.i and NVivo 1994–2013. Soc Sci Comput Rev 34(5):597–617. https://doi.org/10.1177/0894439315596311
Yaghmaei E, van de Poel I (2020) CANVAS Project White Paper 1 – Cybersecurity and Ethics. Retrieved from Wilson, J. R. (2000). Fundamentals of ergonomics in theory and practice. Appl Ergon 31:557–567
Zimmermann V, Renaud K (2019) Moving from a ‘human-as-problem” to a ‘human-as-solution” cybersecurity mindset. Int J Hum Comput Stud 131:169–187