SCOTTISH scientists are to study how people respond to phishing emails and common cyber attacks in a £1 million project aimed at improving online security.
A team at the University of Aberdeen are looking at finding ways to prevent hackers enticing people into downloading malware such as that used in recent large-scale attacks – some of which badly affected the NHS in Scotland and across the UK.
The researchers believe the main problem faced by big organisations is making sure computer users follow their existing security policies, such as frequently changing their passwords.
They will test how artificial intelligence (AI) and persuasion techniques can help improve the following of safety advice.
The UK Engineering and Physical Sciences Research Council (EPSRC) has awarded the research team £756,000 towards their Supporting Security Policy with Effective Digital Intervention project (SSPEDI), which takes its total funding to more than £1m.
Dr Matthew Collinson, of the university’s School of Natural and Computer Sciences, who is the principal investigator on the project, said: “If we look at most cyber security attacks, there is a weakness relating to human behaviour that hackers seek to exploit.
“Their most common approach, and the one we are most familiar with, is the use of phishing emails to entice a user to download malware on to their computer.
“One of the main problems faced by companies and organisations is getting computer users to follow existing security policies, and the main aim of this project is to develop methods to ensure that people are more likely to do so.”
The project coincides with the launch of a new masters degree in AI at the University of Aberdeen, which encompasses “persuasive technologies” – those which seek to modify human behaviour without coercion.
“The project applies our world-leading expertise in both AI and human-computer interaction,” said Collinson.
“In the case of human-computer interaction, this specifically relates to the field of persuasive technologies, which are designed to encourage behaviour change and are more commonly applied in healthcare, for example to encourage patients to follow medical advice.
“In terms of AI, we will investigate how intelligent programs can be constructed which can use dialogue to explain security policies to users, and utilise persuasion techniques to nudge users to comply. In addition we will be using sentiment analysis to detect people’s attitudes to security policies through natural language, for example through their email correspondence.
“Ultimately we are looking to employ all of these techniques to identify the issues that make us less likely to follow security advice, and make recommendations as to how these can be overcome.”
It comes as a document, reportedly from spy agency GCHQ, reveals that some hackers are “likely” to have compromised some industrial software companies in the UK. Technology website Motherboard said it has obtained a copy of the document from the National Cyber Security Centre (NCSC), part of GCHQ.
Facilities such as power stations are managed by computer-based control systems, and attacks on them have become more common, according to researchers. The report specifically addresses the threat to the energy and manufacturing sectors. It also lists connections from multiple UK internet addresses to systems associated with “advanced state-sponsored hostile threat actors” as evidence that hackers have been targeting energy and manufacturing organisations.
Why are you making commenting on The National only available to subscribers?
We know there are thousands of National readers who want to debate, argue and go back and forth in the comments section of our stories. We’ve got the most informed readers in Scotland, asking each other the big questions about the future of our country.
Unfortunately, though, these important debates are being spoiled by a vocal minority of trolls who aren’t really interested in the issues, try to derail the conversations, register under fake names, and post vile abuse.
So that’s why we’ve decided to make the ability to comment only available to our paying subscribers. That way, all the trolls who post abuse on our website will have to pay if they want to join the debate – and risk a permanent ban from the account that they subscribe with.
The conversation will go back to what it should be about – people who care passionately about the issues, but disagree constructively on what we should do about them. Let’s get that debate started!
Callum Baird, Editor of The National
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules here