SCOTTISH scientists are to study how people respond to phishing emails and common cyber attacks in a £1 million project aimed at improving online security.

A team at the University of Aberdeen are looking at finding ways to prevent hackers enticing people into downloading malware such as that used in recent large-scale attacks – some of which badly affected the NHS in Scotland and across the UK.

The researchers believe the main problem faced by big organisations is making sure computer users follow their existing security policies, such as frequently changing their passwords.

Loading article content

They will test how artificial intelligence (AI) and persuasion techniques can help improve the following of safety advice.

The UK Engineering and Physical Sciences Research Council (EPSRC) has awarded the research team £756,000 towards their Supporting Security Policy with Effective Digital Intervention project (SSPEDI), which takes its total funding to more than £1m.

Dr Matthew Collinson, of the university’s School of Natural and Computer Sciences, who is the principal investigator on the project, said: “If we look at most cyber security attacks, there is a weakness relating to human behaviour that hackers seek to exploit.

“Their most common approach, and the one we are most familiar with, is the use of phishing emails to entice a user to download malware on to their computer.

“One of the main problems faced by companies and organisations is getting computer users to follow existing security policies, and the main aim of this project is to develop methods to ensure that people are more likely to do so.”

The project coincides with the launch of a new masters degree in AI at the University of Aberdeen, which encompasses “persuasive technologies” – those which seek to modify human behaviour without coercion.

“The project applies our world-leading expertise in both AI and human-computer interaction,” said Collinson.

“In the case of human-computer interaction, this specifically relates to the field of persuasive technologies, which are designed to encourage behaviour change and are more commonly applied in healthcare, for example to encourage patients to follow medical advice.

“In terms of AI, we will investigate how intelligent programs can be constructed which can use dialogue to explain security policies to users, and utilise persuasion techniques to nudge users to comply. In addition we will be using sentiment analysis to detect people’s attitudes to security policies through natural language, for example through their email correspondence.

“Ultimately we are looking to employ all of these techniques to identify the issues that make us less likely to follow security advice, and make recommendations as to how these can be overcome.”

It comes as a document, reportedly from spy agency GCHQ, reveals that some hackers are “likely” to have compromised some industrial software companies in the UK. Technology website Motherboard said it has obtained a copy of the document from the National Cyber Security Centre (NCSC), part of GCHQ.

Facilities such as power stations are managed by computer-based control systems, and attacks on them have become more common, according to researchers. The report specifically addresses the threat to the energy and manufacturing sectors. It also lists connections from multiple UK internet addresses to systems associated with “advanced state-sponsored hostile threat actors” as evidence that hackers have been targeting energy and manufacturing organisations.