With the rapid development of the internet and information technology, increasingly diversified portable mobile terminals, online shopping, and social media have facilitated information exchange, social communication, and financial payment more than ever before. At the same time, information security and privacy protection face new and severe challenges. Although a variety of information security measures have been taken in both management and technology, their actual effectiveness depends first on people’s awareness of information security and their cognition of potential risks. In order to explore a new technology for the objective assessment of people’s awareness and cognition of information security, this paper takes online financial payment as an example and conducts an experimental study based on the analysis of electrophysiological signals. Results indicate that the left hemisphere and the beta rhythm of the electroencephalogram (EEG) signal are sensitive to the degree to which risks are cognized in information security awareness, which may be considered a sign for assessing people’s cognition of potential risks in online financial payment.
Today’s society is an information society. More and more people use information technologies in daily life and work. They are served by increasingly diversified portable mobile terminals, online shopping, and social media for information exchange, social communication, and e-business. However, while people enjoy the convenience of information technology, they also face new and severe information security challenges, such as internet intrusion, sensitive information leakage, and online payment fraud.
It is well known that information security is a complicated and systemic problem associated with technology, management, economics, and behavioral culture. Up to now, there has been a great deal of research on this issue. Cavusoglu et al. studied risks related to information security; they pointed out that risks may have dire consequences, including corporate liability, monetary damage, and loss of credibility [
In fact, not all information security incidents are caused by technology; many happen because of management oversights or people’s weak awareness of information security. For example, using weak passwords, neglecting operating system patches, and freely using unsafe mobile devices all reflect a lack of recognition of the potential risks to information security. Since awareness of information security depends on the brain’s cognition of potential risk, it is very important to study brain cognition. Many scholars have made great achievements in cognitive research based on cognitive neuromechanisms. Qin and Han assessed the neurocognitive processes involved in environmental risk identification by using event-related potentials (ERP) and functional magnetic resonance imaging (fMRI); their findings show that early detection in the ventral anterior cingulate cortex and late retrieval of emotional experiences in the posterior cingulate cortex can help identify dreadful environmental risks [
In our study, in order to explore a new technology for the objective assessment of people’s awareness and cognition of information security, this paper takes online financial payment as an example and conducts an experimental study based on the analysis of electrophysiological signals.
This paper is organized as follows. In Section
Awareness is the human mind’s reflection of the objective material world, comprising feeling, thinking, and other psychological processes. In other words, awareness is the response of the human brain to a stimulus. In order to study information security awareness, cognitive psychology and EEG were used as the research theory and methods.
Cognition refers to all processes by which the sensory input is transformed, reduced, elaborated, stored, recovered, and used [
Model Human Processor.
From the previous section we know that information cognition can be viewed as a process of information processing. Previous research shows that visual stimuli can produce perceptual awareness [
Cognitive framework for information security awareness.
From Figure
The living human brain continuously produces electrical activity, which is recorded as the electroencephalogram (EEG) [
Frequency and amplitude of the basic EEG bands.

| Frequency band | Frequency (Hz) | Amplitude (μV) |
|---|---|---|
|  | 0.5~3.5 | 20~200 |
|  | 4~7 | 100~150 |
|  | 8~13 | 20~200 |
|  | 14~30 | 5~20 |
EEG is closely related to human consciousness, and the amplitude of an EEG rhythm increases or decreases as brain activity changes. Previous research has suggested that
EEG signal processing mainly includes data cleaning, denoising, feature extraction, and classification. Denoising and feature extraction algorithms include power spectral density estimation, wavelet transform (WT), common spatial pattern, multidimensional statistical analysis, and model descriptors. Classification methods include Fisher’s linear discriminant, the Bayesian method, back-propagation neural networks [
WT is a multifunctional, multiscale analysis and filtering tool that combines time-domain and frequency-domain analysis. It has the property of multiresolution: by choosing different basic wavelets, different levels of detail can be observed, which gives the wavelet transform the ability to characterize local features of a signal in the time domain and frequency domain at the same time. Wavelet transforms include the Continuous Wavelet Transform (CWT) and the Discrete Wavelet Transform (DWT). The CWT can be defined as follows:
For the discrete case, the DWT can be defined as follows:
In order to obtain high quality EEG signals for analysis, we adopt the Discrete Wavelet Transform and the Mallat algorithm to denoise the initial EEG signals. The Mallat decomposition algorithm is as follows:
The formation process of EEG in our trial is shown in Figure
The formation process of EEG.
From Figure sampling frequency: 128 Hz; amplitude-frequency characteristic: 0.53 Hz–60 Hz; electrode placement criteria: electrodes were placed according to the international 10–20 system [ electrode channel selection: we chose eight electrode positions as follows: frontal region (Fp1, Fp2), parietal region (T3, T4, C3, C4), and occipital region (O1, O2) [ using a single-stage lead.
EEG electrodes location of international 10–20 system.
Our research involved human subjects: we recruited 12 healthy adults to participate in our trial; among them, four had received information security awareness training and eight had not. All held a bachelor’s degree or above and had no history of mental illness. They were right-handed, with an average age of 27.1 years (variance 5.69). The testing process was explained to them before the experiment, and the agreement was signed.
In order to research human awareness of information security, nine experimental scenes were designed for our trial. Testers were asked to make a choice when they noticed information-security-related pictures or heard fraudulent speech. A tester may encounter fraudulent information in instant messaging, visit a phishing website, receive a fraudulent text message on his or her mobile phone, receive a fraudulent message while using online payment, and so forth. All of the above scenarios can be used as experimental scenes, and sample pictures from the trial are shown in Figure
Sample pictures from the trial.
The website shown above has two suspicious features. The left graph uses this link
Our experimental procedure is as follows. The tester wears the electrode cap, and the electrodes are positioned properly. The electrode cap records 8 channels; the 10–20 electrodes are placed at the standard positions according to the International Institute of EEG. The tester is seated in the most comfortable position possible to ensure comfort during the viewing test. The tester is connected to the computer, the EEG signal processing software is opened, and the software is checked for correct operation. If there is no problem, the experiment begins. The tester closes his or her eyes, sits and rests, and calms down; once the brain waves are smooth, recording of the brain wave signal begins. A picture is then shown on the screen. The tester watches the picture and listens to the sound from a distance of 1 meter, and responds to the prompt. After the current scene has been tested, the next stimulus appears after a random interval of between 1000 ms and 2000 ms. During the interval the screen background is black, and a white “+” symbol is shown in the middle of the screen.
In our experiment, each record includes the tester number, event number, duration, the eight electrode values, and the baseline electrode value. A sample of the experimental records is shown in Table
Sample of experimental records.
Tester | Event | Minutes | Seconds | Channel 1 | Channel 2 | Channel 3 | Channel 4 | Channel 5 | Channel 6 | Channel 7 | Channel 8 | Baseline |
---|---|---|---|---|---|---|---|---|---|---|---|---|
Number 01 | 1 | 3.511 | 210.633 | 33.925 | 10.482 | 36.855 | −1.352 | 5.072 | 7.101 | 47.675 | −135.587 | −738.123 |
Number 01 | 1 | 3.511 | 210.641 | 25.359 | 5.410 | 41.251 | 11.158 | 12.172 | 17.921 | 74.387 | −129.163 | −738.123 |
Number 01 | 1 | 3.511 | 210.648 | 35.954 | 31.784 | 50.719 | 32.798 | 27.388 | 29.417 | 64.920 | −93.322 | −738.123 |
Number 01 | 1 | 3.511 | 210.656 | 6.875 | 41.251 | 32.798 | 43.618 | 26.712 | 36.179 | 81.826 | −66.610 | −738.123 |
Number 01 | 1 | 3.511 | 210.664 | 53.085 | 70.330 | 78.445 | 78.445 | 66.948 | 59.848 | 120.710 | −34.827 | −738.123 |
Number 01 | 1 | 3.511 | 210.672 | 63.342 | 68.639 | 74.049 | 66.948 | 65.934 | 61.877 | 113.271 | −3.381 | −738.123 |
Number 01 | 1 | 3.511 | 210.680 | 84.869 | 104.818 | 130.178 | 125.782 | 113.271 | 113.948 | 159.594 | 29.079 | −738.123 |
Number 01 | 1 | 3.511 | 210.688 | 168.385 | 151.479 | 197.802 | 160.609 | 167.709 | 138.292 | 180.220 | 51.395 | −738.123 |
Number 01 | 1 | 3.512 | 210.695 | 194.759 | 149.789 | 201.860 | 160.270 | 192.392 | 152.494 | 207.608 | 104.480 | −738.123 |
Number 01 | 1 | 3.512 | 210.703 | 257.875 | 200.507 | 253.593 | 218.090 | 234.658 | 196.788 | 234.996 | 143.026 | −738.123 |
Number 01 | 1 | 3.512 | 210.711 | 238.377 | 187.658 | 207.270 | 184.277 | 180.220 | 170.752 | 183.263 | 123.415 | −738.123 |
… | … | … | … | … | … | … | … | … | … | … | … | … |
Number 12 | 9 | 23.071 | 1384.227 | −28.966 | −75.063 | −11.158 | −52.747 | −1.014 | −29.417 | 26.374 | −7.439 | −738.123 |
Because the initial EEG signals contain a lot of noise, they need to be processed. The processing usually includes denoising and characteristic analysis [
Contrast of initial EEG signal and denoising EEG signal.
Secondly, the wavelet transform method was applied to these EEG signals. Because the EEG components below 30 Hz are the ones worth studying, we use wavelet filtering to remove the components above 30 Hz. We select db5 as the wavelet packet and decompose the EEG signals into four layers. The best wavelet decomposition tree obtained in the wavelet decomposition process is shown in Figure
The best wavelet decomposition tree.
According to sampling frequency which is
In order to analyze the correlation between the EEG signal and safety awareness, four types of rhythm signals are extracted by the wavelet transform; they are shown in Figure
Four types of rhythm signals extracted by the wavelet transform.
For the selection of characteristic parameters, the rhythm energy and energy ratio of the four types of rhythm were calculated, and both were used for characteristic analysis. A sample of the rhythm energy and energy ratio for the two test tasks (online payment and online chat) is shown in Table
Rhythm energy and energy ratio.
| Electrode | Rhythm | Rhythm energy, Task 1 | Rhythm energy, Task 2 | Energy ratio, Task 1 | Energy ratio, Task 2 |
|---|---|---|---|---|---|
| FP1 |  | 0.3266 | 0.4593 | 0.4801 | 0.5872 |
| FP1 |  | 0.1386 | 0.1528 | 0.2037 | 0.1923 |
| FP1 |  | 0.0555 | 0.0396 | 0.0817 | 0.0517 |
| FP1 |  | 0.1595 | 0.1305 | 0.2345 | 0.1688 |
| FP2 |  | 0.3436 | 0.4734 | 0.5021 | 0.5903 |
| FP2 |  | 0.1525 | 0.1609 | 0.2229 | 0.2007 |
| FP2 |  | 0.0444 | 0.0364 | 0.0649 | 0.0454 |
| FP2 |  | 0.1437 | 0.1312 | 0.2101 | 0.1636 |
| T3 |  | 0.3304 | 0.4834 | 0.4740 | 0.5988 |
| T3 |  | 0.1388 | 0.1490 | 0.1991 | 0.1845 |
| T3 |  | 0.0559 | 0.0388 | 0.0802 | 0.0472 |
| T3 |  | 0.1720 | 0.1361 | 0.2467 | 0.1695 |
| T4 |  | 0.3278 | 0.4956 | 0.4927 | 0.6129 |
| T4 |  | 0.1385 | 0.1523 | 0.2081 | 0.1884 |
| T4 |  | 0.0490 | 0.0337 | 0.0737 | 0.0417 |
| T4 |  | 0.1501 | 0.1270 | 0.2255 | 0.1570 |
| C3 |  | 0.3174 | 0.4906 | 0.4572 | 0.6088 |
| C3 |  | 0.1402 | 0.1465 | 0.2020 | 0.1818 |
| C3 |  | 0.0569 | 0.0390 | 0.0820 | 0.0384 |
| C3 |  | 0.1797 | 0.1297 | 0.2588 | 0.1710 |
| C4 |  | 0.3370 | 0.4873 | 0.5072 | 0.6102 |
| C4 |  | 0.1307 | 0.1536 | 0.1968 | 0.1923 |
| C4 |  | 0.0476 | 0.0330 | 0.0717 | 0.0414 |
| C4 |  | 0.1490 | 0.1247 | 0.2243 | 0.1561 |
| O1 |  | 0.3126 | 0.4733 | 0.4833 | 0.6001 |
| O1 |  | 0.1350 | 0.1472 | 0.2001 | 0.1866 |
| O1 |  | 0.0573 | 0.0378 | 0.0849 | 0.0479 |
| O1 |  | 0.1698 | 0.1304 | 0.2317 | 0.1654 |
| O2 |  | 0.3720 | 0.5257 | 0.5014 | 0.6224 |
| O2 |  | 0.1482 | 0.1534 | 0.1998 | 0.1816 |
| O2 |  | 0.0592 | 0.0377 | 0.0799 | 0.0447 |
| O2 |  | 0.1624 | 0.1278 | 0.2189 | 0.1513 |
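The Mallat decomposition, the removal of components above 30 Hz, and the rhythm energy and energy ratio features described above, as an added worked example (not the paper's code): it substitutes the Haar wavelet (db1) for the paper's db5 so that no wavelet library is required, keeps the paper's 128 Hz sampling rate and four-layer decomposition, and runs on a constructed sinusoidal trace rather than recorded EEG. The band edges it reports (0–4, 4–8, 8–16, 16–32 Hz) are those produced by a dyadic decomposition at 128 Hz and only approximate the rhythm bands of Table 1; all function names are the example's own.

```python
"""Added example (not from the paper): Mallat's pyramid algorithm with the
Haar wavelet, applied to a 128 Hz trace to isolate the four sub-30 Hz bands
and compute rhythm energy and energy ratio. Haar (db1) stands in for the
paper's db5; the input trace is constructed, not recorded EEG."""
import math
import random

FS = 128.0   # sampling frequency used in the paper (Hz)
LEVELS = 4   # four-layer decomposition, as in the paper
SQRT2 = math.sqrt(2.0)


def mallat_step(a):
    """One Mallat analysis step with orthonormal Haar filters: low-pass and
    high-pass the sequence, then keep every second output (downsample by 2)."""
    if len(a) % 2:                       # pad so the non-overlapping pairs line up
        a = a + [a[-1]]
    approx = [(a[i] + a[i + 1]) / SQRT2 for i in range(0, len(a), 2)]
    detail = [(a[i] - a[i + 1]) / SQRT2 for i in range(0, len(a), 2)]
    return approx, detail


def mallat_decompose(x, levels=LEVELS):
    """Repeat the step on the approximation. Returns (a_levels, details) with
    details ordered coarsest (lowest frequency) to finest (highest frequency)."""
    a = [float(v) for v in x]
    details = []
    for _ in range(levels):
        a, d = mallat_step(a)
        details.append(d)
    details.reverse()
    return a, details


def mallat_reconstruct(a, details):
    """Inverse pyramid: at each level upsample and apply the synthesis filters."""
    for d in details:                    # coarsest first
        out = []
        for ai, di in zip(a, d):
            out.append((ai + di) / SQRT2)
            out.append((ai - di) / SQRT2)
        a = out
    return a


def rhythm_energy(x, fs=FS, levels=LEVELS):
    """Energy (sum of squared coefficients) per band. At 128 Hz and four levels
    the retained bands are 0-4, 4-8, 8-16 and 16-32 Hz; the finest detail
    (32-64 Hz) is dropped, mirroring the paper's removal of components above 30 Hz."""
    a, details = mallat_decompose(x, levels)
    energies = {"0-4 Hz": sum(c * c for c in a)}
    nyq = fs / 2.0
    for i, d in enumerate(details[:-1]):  # details[-1] is d_1 (32-64 Hz), discarded
        lvl = levels - i
        lo, hi = nyq / 2 ** lvl, nyq / 2 ** (lvl - 1)
        energies[f"{lo:g}-{hi:g} Hz"] = sum(c * c for c in d)
    return energies


def energy_ratio(energies):
    """Each band's share of the retained energy; the shares sum to 1."""
    total = sum(energies.values())
    return {band: e / total for band, e in energies.items()}


def lowpass_30hz(x, levels=LEVELS):
    """Wavelet denoising in its simplest form: zero the 32-64 Hz detail and reconstruct."""
    a, details = mallat_decompose(x, levels)
    details[-1] = [0.0] * len(details[-1])
    return mallat_reconstruct(a, details)[: len(x)]


def synthetic_trace(freq_hz, seconds=4.0, fs=FS, noise=0.0, seed=0):
    """Constructed input: a sinusoid plus optional Gaussian noise (not real EEG)."""
    rng = random.Random(seed)
    n = int(seconds * fs)
    return [math.sin(2 * math.pi * freq_hz * k / fs) + noise * rng.gauss(0.0, 1.0)
            for k in range(n)]


if __name__ == "__main__":
    for f in (2.0, 20.0):
        ratios = energy_ratio(rhythm_energy(synthetic_trace(f)))
        print(f"{f:4.0f} Hz sinusoid:", {b: round(r, 3) for b, r in ratios.items()})
```

A 2 Hz sinusoid places most of its retained energy in the 0–4 Hz approximation, and a 20 Hz sinusoid in the 16–32 Hz detail, so the energy ratio behaves like the feature in the table above (the four ratios of one electrode sum to 1). Haar's frequency selectivity is poor, which is why a longer wavelet such as db5 gives cleaner band separation in practice.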
It can be seen from Table
In addition, for a comparative analysis, we compare the energy ratio of the beta rhythm between the two test tasks; the results are shown in Figure
Energy ratio of beta rhythm of two test tasks.
From Figure
Another finding from our experimental results was that the EEG signals of testers who had been trained in information security were more active than those of untrained testers.
Promoting people’s awareness of information security is the foundation and precondition of an organization’s information security. In order to explore a new technology for the objective assessment of people’s awareness of information security, this paper conducted a cognitive study of information security awareness based on the analysis of EEG signals. We first discussed the theory and methodology of EEG signals in cognitive study and then presented a framework for describing awareness and cognition of information security according to the brain mechanism. On this basis, an experiment was designed to test the reaction of EEG signals to the awareness of hidden information security problems. The findings showed that EEG signals could provide a good method for the objective assessment of people’s awareness of information security.
In the future studies, we suggest that it can be combined with fMRI (functional magnetic resonance imaging) [
Yonghui Dai and Xingyun Dai are the joint corresponding authors.
The authors declare that there is no conflict of interests regarding the publication of this paper.
The authors appreciate the anonymous reviewers for their helpful and constructive comments on the earlier draft. This work was supported partly by National Natural Science Foundation of China (no. 41174007 and no. 91324010), Shanghai Philosophy and Social Sciences Plan (no. 2014BGL022), Shanghai Science and Technology Innovation Project (no. 13511505200), and Humanity and Social Science Foundation of Ministry of Education of China (no. 13YJA630033). Many thanks are due to Chengfeng Lin and Jinzhao Wang for their assistance; both of them are undergraduate students of Fudan University, China.