Organizations routinely measure cybersecurity awareness but rarely measure whether behavioral susceptibility actually changes over time. This paper presents VISHWAR, a simulation-driven behavioral cybersecurity framework designed to generate longitudinal telemetry on human susceptibility to social engineering attacks. Built around the Human Vulnerability Management Lifecycle (HVML), the framework treats human cyber risk as a dynamic operational condition rather than a fixed knowledge deficit.
A pilot study involving 20 participants across three simulation cycles explored phishing, vishing, MFA fatigue, and pretexting scenarios. Preliminary observations revealed vector-specific susceptibility patterns, persistent vulnerability in MFA fatigue and vishing attacks, and uneven behavioral improvement across participants.
The study argues that longitudinal behavioral measurement may provide a more meaningful approach to human-centric cybersecurity than traditional awareness-training metrics alone. While exploratory and limited in scale, the findings suggest the need for continuous behavioral risk assessment frameworks capable of identifying persistent and evolving human vulnerabilities over time.
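The abstract describes generating longitudinal susceptibility telemetry across simulation cycles: per-vector susceptibility rates, persistent vulnerabilities, and uneven improvement between participants. The following is an added illustration of how such telemetry can be computed from simulation outcomes; it is not VISHWAR's own code, schema or pilot data. The record layout (participant, cycle, vector, outcome) and the sample outcomes are constructed for this example.

```python
"""Longitudinal susceptibility telemetry over constructed simulation outcomes.

Added illustration, not the paper's code. The record layout and every value
below are assumptions made for this example.
"""
from collections import defaultdict

# Constructed outcomes: (participant, cycle, vector, fell_for_it).
# Three participants, three cycles, four social engineering vectors.
RESULTS = [
    ("p01", 1, "phishing", True), ("p01", 2, "phishing", False), ("p01", 3, "phishing", False),
    ("p01", 1, "mfa_fatigue", True), ("p01", 2, "mfa_fatigue", True), ("p01", 3, "mfa_fatigue", True),
    ("p02", 1, "phishing", True), ("p02", 2, "phishing", True), ("p02", 3, "phishing", True),
    ("p02", 1, "vishing", True), ("p02", 2, "vishing", True), ("p02", 3, "vishing", True),
    ("p03", 1, "pretexting", False), ("p03", 2, "pretexting", False), ("p03", 3, "pretexting", True),
    ("p03", 1, "mfa_fatigue", True), ("p03", 2, "mfa_fatigue", False), ("p03", 3, "mfa_fatigue", True),
]


def susceptibility_by_vector(results):
    """Return {vector: {cycle: fraction of exposures in which the participant fell for it}}."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # vector -> cycle -> [hits, exposures]
    for _participant, cycle, vector, fell in results:
        counts[vector][cycle][1] += 1
        if fell:
            counts[vector][cycle][0] += 1
    return {
        vector: {cycle: hits / exposures for cycle, (hits, exposures) in cycles.items()}
        for vector, cycles in counts.items()
    }


def persistent_vulnerabilities(results):
    """(participant, vector) pairs that were susceptible in every cycle they were exposed to.

    These are the cases awareness metrics tend to hide: the participant may
    pass a quiz yet keep failing the same vector cycle after cycle.
    """
    outcomes = defaultdict(list)
    for participant, _cycle, vector, fell in results:
        outcomes[(participant, vector)].append(fell)
    return sorted(pair for pair, hits in outcomes.items() if all(hits))


def improvement_trend(results):
    """Per participant: first-cycle hit rate minus last-cycle hit rate.

    Positive means fewer successful attacks by the last cycle, zero means no
    change, negative means the participant regressed.
    """
    per_cycle = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # participant -> cycle -> [hits, exposures]
    for participant, cycle, _vector, fell in results:
        per_cycle[participant][cycle][1] += 1
        if fell:
            per_cycle[participant][cycle][0] += 1

    def rate(cycles, cycle):
        hits, exposures = cycles[cycle]
        return hits / exposures

    return {
        participant: rate(cycles, min(cycles)) - rate(cycles, max(cycles))
        for participant, cycles in per_cycle.items()
    }


if __name__ == "__main__":
    for vector, cycles in susceptibility_by_vector(RESULTS).items():
        print(vector, {c: round(r, 2) for c, r in sorted(cycles.items())})
    print("persistent:", persistent_vulnerabilities(RESULTS))
    print("trend:", improvement_trend(RESULTS))
```

With the constructed data, the per-vector view shows phishing susceptibility falling across cycles while MFA fatigue stays high, `persistent_vulnerabilities` flags the participant/vector pairs that never improved, and `improvement_trend` separates a participant who improved from one who was flat and one who regressed. Reporting all three, rather than a single pass rate, is what makes the measurement longitudinal.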