Commenced in January 2007
Frequency: Monthly
Edition: International
Paper Count: 31903
User’s Susceptibility Factors to Malware Attacks: A Systemic Literature Review

Authors: Awad A. Younis, Elise Stronberg, Shifa Noor


Users’ susceptibility to malware attacks have been noticed in the past few years. Investigating the factors that make a user vulnerable to those attacks is critical because they can be utilized to set up proactive strategies such as awareness and education to mitigate the impacts of those attacks. Demographic, behavioral, and cultural vulnerabilities are the main factors that make users susceptible to malware attacks. It is challenging, however, to draw more general conclusions based on those factors due to the varieties in the type of users and different types of malware. Therefore, we conducted a systematic literature review (SLR) of the existing research for user susceptibility factors to malware attacks. The results showed that all demographic factors are consistently associated with malware infection regardless of the users' type except for age and gender. Besides, the association of culture and personality factors with malware infection is consistent in most of the selected studies and for all types of users. Moreover, malware infection varies based on age, geographic location, and host types. We propose that future studies should carefully take into consideration the type of users because different users may be exposed to different threats or targeted based on their user domains’ characteristics. Additionally, as different types of malware use different tactics to trick users, taking the malware types into consideration is important.

Keywords: cybersecurity, malware, users, demographics, personality, culture, systematic literature review

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 389


[1] S. Rob, “134 Cybersecurity Statistics and Trends for 2021,” Varonis, Jan. 13, 2020. (accessed Jan. 30, 2021).
[2] R. Anderson, “Why cryptosystems fail,” in Proceedings of the 1st ACM Conference on Computer and Communications Security, 1993, pp. 215–227.
[3] A. Whitten and J. D. Tygar, “Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0.,” in USENIX Security Symposium, 1999, vol. 348, pp. 169–184.
[4] S. Clark, T. Goodspeed, P. Metzger, Z. Wasserman, K. Xu, and M. Blaze, “Why (Special Agent) Johnny (Still) Can’t Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System.,” in USENIX Security Symposium, 2011, vol. 2011, pp. 8–12.
[5] C. Simoiu, C. Gates, J. Bonneau, and S. Goel, “‘I was told to buy a software or lose my computer. I ignored it’: A study of ransomware,” In Fifteenth Symposium on Usable Privacy and Security (SOUPS), p. 21, 2019.
[6] J. Jeong, J. Mihelcic, G. Oliver, and C. Rudolph, “Towards an Improved Understanding of Human Factors in Cybersecurity,” in 2019 IEEE 5th International Conference on Collaboration and Internet Computing (CIC), 2019, pp. 338–345.
[7] R. Montanez Rodriguez, E. Golob, and S. Xu, “Human Cognition through the Lens of Social Engineering Cyberattacks,” arXiv e-prints, p. arXiv-2007, 2020.
[8] P. Brereton, B. A. Kitchenham, D. Budgen, M. Turner, and M. Khalil, “Lessons from applying the systematic literature review process within the software engineering domain,” Journal of systems and software, vol. 80, no. 4, pp. 571–583, 2007.
[9] S. Das, A. Dingman, and L. J. Camp, “Why Johnny doesn’t use two factor a two-phase usability study of the FIDO U2F security key,” in International Conference on Financial Cryptography and Data Security, 2018, pp. 160–179.
[10] P. Doerfler et al., “Evaluating login challenges as adefense against account takeover,” in The World Wide Web Conference, 2019, pp. 372–382.
[11] C. Wohlin, “Guidelines for snowballing in systematic literature studies and a replication in software engineering,” in Proceedings of the 18th international conference on evaluation and assessment in software engineering, 2014, pp. 1–10.
[12] W. R. King and G. Torkzadeh, “Information systems offshoring: Research status and issues,” MIS quarterly, vol. 32, no. 2, pp. 205–225, 2008.
[13] Y. Carlinet, L. Mé, H. Debar, and Y. Gourhant, “Analysis of Computer Infection Risk Factors Based on Customer Network Usage,” in 2008 Second International Conference on Emerging Security Information, Systems and Technologies, Cap Esterel, France, Aug. 2008, pp. 317–325, doi: 10.1109/SECURWARE.2008.30.
[14] A. M. Bossler and T. J. Holt, “On-line Activities, Guardianship, and Malware Infection: An Examination of Routine Activities Theory,” vol. 3, no. 1, p. 21, 2009.
[15] F. T. Ngo, “Cybercrime Victimization: An examination of Individual and Situational level factors,” vol. 5, no. 1, p. 21, 2011.
[16] G. Maier, A. Feldmann, V. Paxson, R. Sommer, and M. Vallentin, “An Assessment of Overt Malicious Activity Manifest in Residential Networks,” in Detection of Intrusions and Malware, and Vulnerability Assessment, vol. 6739, T. Holz and H. Bos, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2011, pp. 144–163.
[17] M. Lee, “WHO’S NEXT? IDENTIFYING RISK FACTORS FOR SUBJECTS OF TARGETED ATTACKS,” In Proc. Virus Bull. Conf, pp. 301–306, 2012.
[18] F. Lalonde Levesque, J. Nsiempba, J. M. Fernandez, S. Chiasson, and A. Somayaji, “A clinical study of risk factors related to malware infections,” in Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, New York, NY, USA, Nov. 2013, pp. 97–108, doi: 10.1145/2508859.2516747.
[19] T. J. Holt and A. M. Bossler, “Examining the Relationship Between Routine Activities and Malware Infection Indicators,” Journal of Contemporary Criminal Justice, vol. 29, no. 4, pp. 420–436, Nov. 2013, doi: 10.1177/1043986213507401.
[20] T.-F. Yen, V. Heorhiadi, A. Oprea, M. K. Reiter, and A. Juels, “An Epidemiological Study of Malware Encounters in a Large Enterprise,” in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security - CCS ’14, Scottsdale, Arizona, USA, 2014, pp. 1117–1130, doi: 10.1145/2660267.2660330.
[21] D. Canali, L. Bilge, and D. Balzarotti, “On the effectiveness of risk prediction based on users browsing behavior,” in Proceedings of the 9th ACM symposium on Information, computer and communications security - ASIA CCS ’14, Kyoto, Japan, 2014, pp. 171–182, doi: 10.1145/2590296.2590347.
[22] O. Thonnard, L. Bilge, A. Kashyap, and M. Lee, “Are You at Risk? Profiling Organizations and Individuals Subject to Targeted Attacks,” in Financial Cryptography and Data Security, vol. 8975, R. Böhme and T. Okamoto, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2015, pp. 13–31.
[23] J. Jansen and R. Leukfeldt, “Phishing And Malware Attacks On Online Banking Customers In The Netherlands: A Qualitative Analysis Of Factors Leading To Victimization,” Jul. 2016, doi: 10.5281/ZENODO.58523.
[24] A. Neupane, N. Saxena, J. O. Maximo, and R. Kana, “Neural Markers of Cybersecurity: An fMRI Study of Phishing and Malware Warnings,” IEEE Trans.Inform.Forensic Secur., vol. 11, no. 9, pp. 1970–1983, Sep. 2016, doi: 10.1109/TIFS.2016.2566265.
[25] F. L. Levesque, J. M. Fernandez, and A. Somayaji, “National-level risk assessment: A multi-country study of malware infections,” In Proc. of WEIS, pp. 1–30, 2016.
[26] F. L. Lévesque, J. M. M. Fernandez, and D. Batchelder, “Age and gender as independent risk factors for malware victimisation,” presented at the Electronic Visualisation and the Arts (EVA 2017), Jul. 2017, doi: 10.14236/ewic/HCI2017.48.
[27] M. Ovelgönne, T. Dumitraş, B. A. Prakash, V. S. Subrahmanian, and B. Wang, “Understanding the Relationship between Human Behavior and Susceptibility to Cyber Attacks: A Data-Driven Approach,” ACM Trans. Intell. Syst. Technol., vol. 8, no. 4, p. 51:1-51:25, Mar. 2017, doi: 10.1145/2890509.
[28] F. L. Lévesque, S. Chiasson, A. Somayaji, and J. M. Fernandez, “Technological and Human Factors of Malware Attacks: A Computer Security Clinical Trial Approach,” ACM Trans. Priv. Secur., vol. 21, no. 4, p. 18:1-18:30, Jul. 2018, doi: 10.1145/3210311.
[29] J. M. Blythe and L. Coventry, “Costly but effective: Comparing the factors that influence employee anti-malware behaviours,” Computers in Human Behavior, vol. 87, pp. 87–97, Oct. 2018, doi: 10.1016/j.chb.2018.05.023.
[30] C. Simoiu, A. Zand, K. Thomas, and E. Bursztein, “Who is targeted by email-based phishing and malware?: Measuring factors that differentiate risk,” in Proceedings of the ACM Internet Measurement Conference, Virtual Event USA, Oct. 2020, pp. 567–576, doi: 10.1145/3419394.3423617.
[31] S. Lewallen and P. Courtright, “Epidemiology in practice: case-control studies,” Community Eye Health, vol. 11, no. 28, p. 57, 1998.
[32] J. J. Arnett, “The neglected 95%: why American psychology needs to become less American.,” 2016.
[33] P. H. Hanel and K. C. Vione, “Do student samples provide an accurate estimate of the general public?,” PloS one, vol. 11, no. 12, p. e0168354, 2016.
[34] R. L. Baskerville and M. D. Myers, “Design ethnography in information systems,” Information Systems Journal, vol. 25, no. 1, pp. 23–46, 2015.
[35] Xu, Shouhuai. "The cybersecurity dynamics way of thinking and landscape." In Proceedings of the 7th ACM Workshop on Moving Target Defense, pp. 69-80. 2020.
[36] Fang, Z., Xu, M., Xu, S. and Hu, T., 2021. A framework for predicting data breach risk: Leveraging dependence to cope with sparsity. IEEE Transactions on Information Forensics and Security, 16, pp.2186-2201
[37] Henshel, Diane, Char Sample, Mariana Cains, and Blaine Hoffman. "Integrating cultural factors into human factors framework and ontology for cyber attackers." In Advances in human factors in cybersecurity, pp. 123-137. Springer, Cham, 2016.
[38] Ferro, Lauren S., Andrea Marrella, and Tiziana Catarci. "A Human Factor Approach to Threat Modeling." In International Conference on Human-Computer Interaction, pp. 139-157. Springer, Cham, 2021.
[39] Ferro, Lauren S., and Francesco Sapio. "Another Week at the Office (AWATO)–An Interactive Serious Game for Threat Modeling Human Factors." In International Conference on Human-Computer Interaction, pp. 123-142. Springer, Cham, 2020.
[40] Jagatic, Tom N., Nathaniel A. Johnson, Markus Jakobsson, and Filippo Menczer. "Social phishing." Communications of the ACM 50, no. 10 (2007): 94-100.
[41] Hijji, Mohammad, and Gulzar Alam. "A Multivocal Literature Review on Growing Social Engineering Based Cyber-Attacks/Threats During the COVID-19 Pandemic: Challenges and Prospective Solutions." IEEE Access 9 (2021): 7152-7169