Articles

Article 1 Review

The article I decided to review is called ‘The nature of losses from cyber-related events: risk categories and business sectors’, and it is written by multiple authors, the first of whom is Pavel V Shevchenko. This article explains and examines the nature of the losses that result from a cyber-related attack. Furthermore, the article evaluated and compared the relationship between the severity of the cyber attacks and the number of affected individuals. The study did not state its research question or hypothesis directly; however, with the information I read I was able to understand the main point. After reading, I found the main point to be to discover how each cyber-related attack affects companies in different ways. Furthermore, the hypothesis in this case could be along the lines of ‘different types of cyber-related attacks cause different results in companies’. In module 3, the PowerPoint discussed different types of research in political science. There were different types of research listed, and some of these were present in this study. In order to test their theories and hypotheses, the study decided to use secondary data analysis, as they used data from around the world to form a series of graphs/tables. This could also be named ‘archival research’, which is what this study used to compile their data.

When looking at the context of this article, we can see there is one principle of social sciences present, and that would be economics. The entire study is based on how certain cyber-related events affect businesses and companies economically. For example, Table 1 shows the losses (in millions) for the different risk categories. One of the risk categories listed is phishing, and this is reported to have a mean loss of 12.36 million dollars. In Figure 3, the graph showed the amount of losses (in dollars) from the different types of cyber-related attacks. Furthermore, the economic impact of losses from cyber-related events is seen when companies lose large amounts of money, which affects the company negatively. This study can play a huge role in society in the way that it can give other companies insight into the effects of cyber-related attacks. Seeing this type of study can encourage other companies to work on having more detailed security measures.

Source:

Pavel V Shevchenko, Jiwook Jang, Matteo Malavasi, Gareth W Peters, Georgy Sofronov, Stefan Trück, The nature of losses from cyber-related events: risk categories and business sectors, Journal of Cybersecurity, Volume 9, Issue 1, 2023, tyac016, https://doi.org/10.1093/cybsec/tyac016

Article 2 Review

The article I reviewed is called “Categorizing human phishing difficulty: a Phish Scale”, and it is written by three authors: Michelle Steves, Kristen Greene, and Mary Theofanos. The article explains the concerns of CISOs about phishing scams. The main concerns come from employees’ click rates on the training exercises. A click rate is the ratio of clicks on a specific link to the total number of individuals on the page. When reading the article, it was made known that the issue with the phishing training given to employees is that it may be too difficult for them to understand. Therefore, the article gives a solution to this concern by creating something called a Phish Scale. This scale would help CISOs and phishing trainers rate the difficulty of their training exercises, which would help them decide the best way to go about the training.

The topic of the Phish Scale, with regard to the principles of social sciences, falls under ‘ethical neutrality’. The principle of social science of ethical neutrality is ‘behaving in a respectful way towards the preferences and values of the participants’. This would give participants the chance to feel that they are being heard. This relates to the article because the authors have found a way to respect the preferences of the participants of phishing training. If the participants of the training are shown to have high click rates on the phishing training, this would mean that they are not understanding it fully. With the principle of social science of ‘ethical neutrality’, this would help to ensure that they are fully grasping the importance of the training.

When analyzing the study itself, it is seen that they decided on the research method of experiments or focus groups. The study used ten phishing training exercises, applied the Phish Scale, and then determined the difficulty rating for each of those exercises. They then created a table to show the results of the experiment, which is labeled as ‘Table 13’. For example, exercise 1 was rated as ‘very difficult’, which would mean that the difficulty level of that phishing training was found to be high. Furthermore, during the training there was a 49.3% click rate, which would mean that those individuals did not fully understand the training.

In conclusion, this article highlighted the concern from CISOs about the difficulty of their phishing training for their employees. The importance of this topic is due to the fact that if the employees aren’t trained on this matter, it can cause issues within the company. The issues would arise when an employee who isn’t familiar with phishing scams clicks on a link that would then take the information from that company computer. This would be considered a cyber crime, and the company would now be at risk of having their personal information accessed by unauthorized users. This study benefits society because it could bring awareness to other CISOs that if phishing training is too difficult, it might not work to protect the company from potential phishing scams. It is important for CISOs and phishing trainers to understand that not everyone has background knowledge of cyber security.

Source:

Michelle Steves, Kristen Greene, Mary Theofanos, Categorizing human phishing difficulty: a Phish Scale, Journal of Cybersecurity, Volume 6, Issue 1, 2020, tyaa009, https://doi.org/10.1093/cybsec/tyaa009