Matteo Cardaioli

Computer Science for societal challenges and innovation, XXXIV series
Grant sponsor

Mauro Conti

Giuseppe Sartori


Project: Human Interactions in Cybersecurity: Threats and Opportunities
Full text of the dissertation book can be downloaded from:

Abstract: Over the years, many cybersecurity breaches have been attributed to human error, considering human factors as one of the weakest links in the security chain. In fact, human factors are exploited by cybercriminals, causing significant losses of money and reputation to organizations. According to Verizon’s 2021 Data Breach Investigations, 85% of breaches involved a human element, while 61% involved stolen or compromised credentials, causing an average breach cost of more than $3 million. To prevent cyberattacks, organizations focus on training employees and developing new policies, while also trying to maintain a balance between the complexity of security systems and their usability. However, the unpredictability of human behavior, the fast evolution of the digital world, and the increasing availability of technological resources for cybercriminals pose new and evolving cybersecurity challenges in anticipating both cyber threats in new environments and the rise of new threats in systems considered secure to date. On the other hand, the complexity and uniqueness of human behavior give new opportunities for designing new solutions to mitigate threats, improving the security of organizations and users. In this thesis, we investigate human interactions and cybersecurity, focusing on two ain aspects: (i) developing new attacks, based on human interaction, against existing and consolidated authentication methods (i.e., PIN pads), and (ii) proposing new methods leveraging human behavior in multiple contexts to enhance the security of users and organizations. The first part of this thesis demonstrates the effectiveness of three attacks against the security of PIN-based authentication systems, focusing on Automated Teller Machines (ATMs) PIN pads. ATMs have become an indispensable part of the banking ecosystem such that according to the European Central Bank, in 2019 only in Europe, more than 11 billion withdrawal and deposit transactions were made. In particular, we show how ATM PIN pads are exposed to security threats related to human factors even if users have policy-compliant behaviors. We analyze different attack scenarios depending on the sources of information available to the attacker (e.g., video, audio, thermal, typing style). The results show that in the worst-case scenario for the victim, our attacks can reconstruct up to 94% of the 5-digit PINs typed within three attempts. In the second part of this thesis, we show how the variability and unpredictability of human behavior can be exploited to increase the security of systems and users. We develop new human-based approaches focusing on three different contexts: (i) new methods for bot detection in social networks (i.e., Twitter) relying on the stylistic consistency of posts over time, (ii) a new framework for identifying fake and genuine expressions from videos, and (iii) a new de-authentication method based on the detection of physically blurred faces. Results demonstrate the efficacy of the proposed approaches, achieving an F1-score up to 98% in human-bot detection, an accuracy up to 90% in fake sadness detection, and accuracy in de-authenticating users up to 100% under 3 seconds of grace period. This thesis highlights the need for more effort in designing security solutions that focus on human factors, showing the direction for further investigation in analyzing human interactions in cybersecurity.