Search results

The purpose of this study was to investigate the role of grace in the aftermaths of adverse cybersecurity incidents. Adverse incidents are an inescapable fact of life in organizational settings; consequences could be significant and costly. Increasingly, the cause may be a cybersecurity exploit, such as a well-targeted phishing email. In the aftermath, line managers have a choice in responding to the individual who caused the incident. Negative emotions, such as shame and regret, may deliberately be weaponized. Alternatively, positive emotions, such as grace, forgiveness and mercy, may come into play.

We detail a study with 60 participants to explore attribution differences in response to adverse incidents, both non-cybersecurity and cybersecurity. We examined the stages that occur in the aftermath of such adverse incidents where grace may be observed.

Our participants generally believed that grace was indicated toward those who triggered an adverse cybersecurity incident, pointing to situational causes. This was in stark contrast to their responses to the non-cybersecurity incident, where the individual was often blamed, with punishment being advocated.

The role of positive emotions merits investigation in the cybersecurity context if we are to understand how best to manage the aftermaths of adverse cybersecurity incidents.

Organizations that mismanage aftermaths of adverse incidents by blaming, shaming and punishing those who make mistakes will harm the individual who made the mistake, other employees and the long-term health of their organization in the long run.

To the best of the authors’ knowledge, this is the first study to reveal the grace phenomenon in the cybersecurity context.

Adverse cyber events, like death and taxes, have become inevitable. They are an increasingly common feature of organisational life. Their aftermaths are a critical and under-examined context and dynamic space within which to examine trust. In this paper, we address this deficit.

Drawing on pertinent theory and reports of empirical studies, we outline the basis of two alternative subsequent trajectories, drawing out the relationships between trust, vulnerability and emotion, both positive and negative, in the aftermath of an adverse cyber event.

We combine stage theory and social information processing theories to delineate the dynamics of trust processes and their multilevel trajectories during adverse cyber event aftermaths. We consider two response trajectories to chart the way vulnerability arises at different levels within these social systems to create self-reinforcing trust and distrust spirals. These ripple out to impact multiple levels of the organisation by either amplifying or relieving vulnerability.

The way adverse cyber events aftermaths are managed has immediate and long-term consequences for organisational stakeholders. Actions impact resilience and the ability to preserve the social fabric of the organisations. Subsequent trajectories can be “negative” or “positive”. The “negative” trajectory is characterised by efforts to identify and punish the employee whose actions facilitated the adverse events, i.e. the “who”. Public scapegoating might follow thereby amplifying perceived vulnerability and reducing trust across the board. By contrast, the “positive” trajectory relieves perceived vulnerability by focusing on, and correcting, situational causatives. Here, the focus is on the “what” and “why” of the event.

We raise the importance of responding in a constructive way to adverse cyber events.

The aftermaths of cyber attacks in organisations are a critical, neglected context. We explore the interplay between trust and vulnerability and its implications for management “best practice”.

This study aims to investigate how phishers apply persuasion principles and construct deceptive URLs in mobile instant messaging (MIM) phishing.

In total, 67 examples of real-world MIM phishing attacks were collected from various online sources. Each example was coded using established guidelines from the literature to identify the persuasion principles, and the URL construction techniques employed.

The principles of social proof, liking and authority were the most widely used in MIM phishing, followed by scarcity and reciprocity. Most phishing examples use three persuasion principles, often a combination of authority, liking and social proof. In contrast to email phishing but similar to vishing, the social proof principle was the most commonly used in MIM phishing. Phishers implement the social proof principle in different ways, most commonly by claiming that other users have already acted (e.g. crafting messages that indicate the sender has already benefited from the scam). In contrast to email, retail and fintech companies are the most commonly targeted in MIM phishing. Furthermore, phishers created deceptive URLs using multiple URL obfuscation techniques, often using spoofed domains, to make the URL complex by adding random characters and using homoglyphs.

The insights from this study provide a theoretical foundation for future research on the psychological aspects of phishing in MIM apps. The study provides recommendations that software developers should consider when developing automated anti-phishing solutions for MIM apps and proposes a set of MIM phishing awareness training tips.