Protective Factors for Developing Cognitive Skills against Cyberattacks

: Cyberattacks capitalize on human behaviors. The prevalence of cyberattacks surged during the COVID-19 pandemic, fueled by the increased interconnectivity of individuals on online platforms and shifts in their psychological dynamics due to the pandemic’s context. The enhancement of human factors becomes imperative in formulating a robust cybersecurity strategy against social engineering in the post-COVID-19 era and in anticipation of analogous pandemics. This study aims to propose a model for delineating strategies across various phases of cyberattacks, grounded in the cyber kill chain model, while also encompassing cognitive mechanisms for adaptive responses. This approach aims to cultivate defensive cognitive factors like resilience and self-efﬁcacy. To achieve this objective, we conducted an exploratory study adhering to Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) guidelines. Subsequently, we pursued a descriptive and correlational study based on prevalent attacks during the pandemic. The intention was to pinpoint proactive factors conducive to the development of cognitive capabilities to counter cyberattacks. These insights could pave the way for the creation of training programs and technological solutions aimed at mitigating the impact of such cyberattacks.


Introduction
The COVID-19 pandemic has forced significant social, technological, cultural, and environmental changes [1].In education, COVID-19 has forced students worldwide to study at home [2].In work and employment, an increase in working from home was announced in the USA in 2020, and 34% of companies worldwide consider working remotely permanently [3].The COVID-19 pandemic has generated significant challenges to cybersecurity due to the imposed accelerated migration to teleworking, tele-education, and the execution of a wide range of daily activities from home, where network infrastructures and setups were not sufficiently advanced and have not previously considered security aspects at such a high level.Having people connecting remotely and the changes in their roles and dynamics (e.g., changes in the way they shop, work, learn, and do their daily activities) increased cybersecurity-related demands.In the context of uncertainty and the moments of anxiety, depression, and/or stress generated by the pandemic, these lifestyle changes have made people more vulnerable.These aspects cause emotional and cognitive stress, which undoubtedly generates new cybersecurity challenges [4].
Although there is a certain pattern of the continuous growth of cyberattacks, in the case of phishing attacks the number of attacks increased twice during the COVID-19 pandemic, as shown in Table 2, based on the analysis of reports from McAfee [12].Phishing attacks were modified during COVID-19 to use information related to COVID-19 to take advantage of people's interests.This context is corroborated by the reports presented by the Anti-Phishing Working Group (APWG) [13] and Interpol [5].The increase in phishing attacks may be related to the conclusions of the study by Albladi et al. [14]: with more time spent using the Internet and more people interacting in cyberspace, the risk of falling victim to deception becomes greater.In this study, we present exploratory research on the landscape of cybercrime and common cyberattacks during the time of the pandemic, which was an era of crisis that created changes in behavior patterns in human activities through digital environments, which increased the probability of being a victim of cyberattacks.To better understand the meaning of cybercrime, we can consider the following definitions.The Commission of the European Communities defines cybercrime as "criminal acts committed using electronic communications networks and information systems or against such networks and systems" [3].In addition, the Council of Europe Convention on Cybercrime defines cybercrime as "a wide range of malicious activities, including the illegal interception of data, system interferences that compromise network integrity and availability" [3].Among the most critical examples of cybercrime are social engineering attacks, typically conducted through identity theft.One of the most sensitive is phishing attacks, which steal credentials to scam users through commercial transactions.This study proposes the modeling of phishing attacks based on the cyber kill chain model, including human behavior in cyberspace during the pandemic caused by COVID-19, taking into consideration the growth of human interactions with cyberspace during this time.The proposed model could be applied to a post-pandemic context or could be applied in the case of another possible similar pandemic.
The questions that guided this research are the following: (i) Is there a variation in cyberattacks during the period of the COVID-19 pandemic?(ii) Has the context of the COVID-19 pandemic increased the susceptibility of being a victim of cyberattacks?
(iii) How can we model user behavior during the COVID-19 pandemic in the face of a cyberattack employing the steps of the cyber kill chain?
Then, we review the systematic literature based on the preferred reinforcement elements for systematic reviews and meta-analysis guidelines [15], identify the variants and characteristics of cyberattacks, and learn how adversaries have taken advantage of people's psychological factors in the face of COVID-19.Moreover, we determine the psychological impact of a non-experimental correlational study based on Pearson's coefficient to determine the increase in cyberattacks in the face of the new demands for Internet use during the pandemic.
The main contributions of our work can be summarized as follows: (i) It offers an exploratory study on common cyberattacks during COVID-19; (ii) a descriptive study about the characteristics and variants of cyberattacks, as well as the psychological impact and behavior of victims during COVID-19; (iii) a correlational study on the increase in cyberattacks as a consequence of the elevated demand for Internet use during the pandemic; (iv) and a modeling of phishing attacks based on the cyber kill chain model that considers the perceived human behavior in the examined period.The literature review aims to determine cyberattack variables and their characteristics during the COVID-19 pandemic, as well as to assess the psychological impact on victims and human behavior during COVID-19.Finally, we focus on presenting a correlational study that explores the reasons for the increase in cyberattacks during COVID-19.
The remainder of this article is structured as follows.Section 2 comprises an exploratory analysis of social engineering attacks during the COVID-19 pandemic.Section 3 presents the methods and techniques used in this research.Section 4 details a proposal for modeling a phishing attack based on a cyber kill chain that considers people's psychological factors.Section 6 discusses and interprets findings and the lessons learned.Finally, Section 7 concludes this work and presents future work directions.

Exploratory Analysis of Social Engineering Attacks during the COVID-19 Pandemic
In an analysis conducted by Imperva professionals, they observed an increase in attacks on the following four types of web applications in the COVID-19 platform: Protocol manipulation attacks increased by 76%; remote code execution (RCE) increased by 68%; SQL injection (SQLi) increased by 44%; and cross-site scripting (XSS) increased by 43%.For instance, healthcare organizations were victims of multiple attacks during COVID-19, compromising their operations through IoT systems and legacy software vulnerabilities via the execution of cross-site scripting and ransomware attacks.Although these attacks existed before the COVID-19 pandemic, unfortunately their criticality increased due to the importance of health systems in the context of controlling the COVID-19 virus.Another critical aspect to consider is that ransomware attacks generally employ a social engineering attack at an initial stage, commonly phishing.Some specialized security companies mention this, such as the FBI, INTERPOL, and EUROPOL.According to [7][8][9][10][11][12], during the COVID-19 pandemic, the number of attacks increased by 35%.

Social Engineering Attacks
During the COVID-19 pandemic, people sought helpful information to prevent the spread of the coronavirus disease.At the same time, adversaries tried to trick people into clicking links that would drive them to fake sites to steal valuable data, such as usernames and passwords, credit card information, and other personal information.
In the context of the COVID-19 pandemic, adversaries sent messages impersonating a trustworthy authority such as the World Health Organization (WHO).In [16], the author mentions that emails sent during the COVID-19 pandemic used subject lines such as "2020 Coronavirus updates" or "2019-nCov".Table 3 indicates the types of existing social engineering attacks.

Baiting
It is a social engineering technique where the attacker arouses the victim's interest or curiosity in a trap to steal information or access their system through malware.

Invoice Fraud
This technique is used to gain access to a victim's email address.In an example of this technique, the recipient is tricked into believing that they must make an immediate payment.

Phishing
It is one of the most-used social engineering techniques, where attackers trick users to obtain information or breach their devices.Attackers impersonate a legitimate organization or entity to send emails to deceive recipients.

Vishing
Also known as voice phishing.It is a social engineering attack focused on phone lines.The attacker performs the scam by calling a legitimate entity to obtain confidential information, such as credit card details.

Pretexting
Pretexting is another type of social engineering.The attacker creates a good pretext, scenario, and coherent story to steal information from the victims.

Spear Phishing
It is a phishing attack where the objective is to obtain information from a specific user or organization.A previous study is made to choose the victim.

Scareware
It is a type of malware used with social engineering techniques.It seeks to scare, cause fear, and shock the user to install and buy software that is not needed.

Attacks on Teleconference Systems
Novel cyberattacks and unknown vectors of attack increased during the COVID-19 pandemic.For instance, we can mention Zoom bombing and unknown malware variants such as Azolurt or Maze.During a Zoom bombing, an adversary injects objectionable content such as pornographic material and violent images into online meetings.During the first months of the year 2020, accounts of teleconference systems were sold on hacker forums [17].During the COVID-19 pandemic, the FBI revealed that it received many reports regarding hijacked videoconferences; e.g., two Massachusetts schools reported the intruders' presence in their online classrooms [18].

Fake News
Fake news refers to fabricated information published to cause panic or influence the decision process to achieve financial or political goals.Some factors increase the problem of fake news.The first is the technological dimension; with information technologies' growth, news, whether real or fake, has more impact and a larger audience.The second is the social dimension.News is affected by the way social media presents it on popular online platforms [19].During the COVID-19 pandemic, the World Health Organization declared a global info-demic issue, and it asked tech companies to act against misinformation.Facebook is banning coronavirus-related posts that may be harmful, while Google's Trust and Safety team has been tasked with removing conspiracy theories and misinformation.Misinformation-driven panic has pushed people to seek measures against COVID-19 on malicious sites.For instance, [20] mentions that they found 788 fake sites directly related to COVID-19 products.
The security firm CheckPoint claims that, since the beginning of January 2020, more than 16,000 new domains related to the coronavirus have been registered, and about 20% of them were classified as potentially dangerous [21].

Malware
Adversaries try to install malicious code on people's computers.According to [10], adversaries used online interactive COVID-19 maps, fake news, websites, and phishing emails to take advantage of people's fears and need for information to introduce the Azolurt malware and steal credentials and accounts.More than 600 malicious applications were detected during COVID-19 [22].API endpoints seem to be targeted by malicious actors following imprisonment measures across the planet, with one attack seeing fifteen million events aimed toward one single API endpoint for the Android app [23].Anyone with a link could access confidential documents related to the UK's NHS coronavirus trailing app hosted in Google Drive.The documents contain privacy protection information and further plans the app could take [24].Over 6400 Edison Mail users were hit by a security bug that allows others to access an account in an update rolled out on its iOS app [25].The following are the most impactful attacks carried out on mobile devices during the COVID-19 pandemic (see Figure 1).

Malware
Adversaries try to install malicious code on people's computers.According to [10], adversaries used online interactive COVID-19 maps, fake news, websites, and phishing emails to take advantage of people's fears and need for information to introduce the Azolurt malware and steal credentials and accounts.More than 600 malicious applications were detected during COVID-19 [22].API endpoints seem to be targeted by malicious actors following imprisonment measures across the planet, with one attack seeing fifteen million events aimed toward one single API endpoint for the Android app [23].Anyone with a link could access confidential documents related to the UK's NHS coronavirus trailing app hosted in Google Drive.The documents contain privacy protection information and further plans the app could take [24].Over 6400 Edison Mail users were hit by a security bug that allows others to access an account in an update rolled out on its iOS app [25].The following are the most impactful attacks carried out on mobile devices during the COVID-19 pandemic (see Figure 1).

Phishing
Phishing is a form of social engineering characterized by a computer attack aimed at deceiving individuals to obtain their personal and confidential information.Some common forms of phishing include email phishing, malware-based phishing, content poisoning of host files, injection through man-in-the-middle attacks and using search engines [26].In this article, we specifically study email phishing, considering that over 238.4 billion emails are sent worldwide every day.In 2020, there were 241,342 phishing/vishing/smishing/pharming victims, representing a 52.47% increase compared to 2019, with a loss of 54,241,075 dollars [27].Although no anti-spam filtering system can guarantee 100% effectiveness against spam, phishing, or other malicious emails, automated and regular scans can significantly reduce the risk of data loss.Currently, the approaches used to detect phishing remain dependent on users and self-mimicking.User-dependent detection involves communication methods to identify phishing, such as phishing tests to assess user awareness.On the other hand, the automated approach includes software-based distributions, block lists, heuristic analyses based on multiple criteria, threat intelligence for security incidents and event management systems, and the use of Machine Learning (ML) and Artificial Intelligence (AI) technologies [28].Among the proposed systems, random forestbased classifiers are found to be the most effective for evaluating whether a given URL refers to a phishing site [26].
As a result, the most vulnerable group of users are those who lack a support system.It is crucial to understand that the ability of human users to accurately detect phishing emails directly impacts the level of risk faced by organizations or individuals.Unfortunately, previous research has shown that individuals often fall victim to phishing attacks,

Phishing
Phishing is a form of social engineering characterized by a computer attack aimed at deceiving individuals to obtain their personal and confidential information.Some common forms of phishing include email phishing, malware-based phishing, content poisoning of host files, injection through man-in-the-middle attacks and using search engines [26].In this article, we specifically study email phishing, considering that over 238.4 billion emails are sent worldwide every day.In 2020, there were 241,342 phishing/vishing/smishing/pharming victims, representing a 52.47% increase compared to 2019, with a loss of 54,241,075 dollars [27].Although no anti-spam filtering system can guarantee 100% effectiveness against spam, phishing, or other malicious emails, automated and regular scans can significantly reduce the risk of data loss.Currently, the approaches used to detect phishing remain dependent on users and self-mimicking.User-dependent detection involves communication methods to identify phishing, such as phishing tests to assess user awareness.On the other hand, the automated approach includes software-based distributions, block lists, heuristic analyses based on multiple criteria, threat intelligence for security incidents and event management systems, and the use of Machine Learning (ML) and Artificial Intelligence (AI) technologies [28].Among the proposed systems, random forest-based classifiers are found to be the most effective for evaluating whether a given URL refers to a phishing site [26].
As a result, the most vulnerable group of users are those who lack a support system.It is crucial to understand that the ability of human users to accurately detect phishing emails directly impacts the level of risk faced by organizations or individuals.Unfortunately, previous research has shown that individuals often fall victim to phishing attacks, both in controlled laboratory settings and in real-world environments, despite receiving phishing awareness training [29].People may be aware of cybersecurity risks when engaging online, but they can still make wrong decisions and accept malicious emails or infected pages.This susceptibility is associated with how humans process information systematically and heuristically [30].Emotional exploitation techniques are employed to influence heuristic decision-making, using a sense of authority or urgency to persuade recipients.Attackers may also present themselves as authoritative figures, such as a CEO or an official entity [31].
Individuals might judge emails differently based on factors like time pressure, their level of trust, and the level of detail in the email content, all of which can influence their decision [32].For instance, participants in a phishing study were better able to identify phishing content when it included co-branded companies [33].Conversely, attackers have perfected persuasion techniques to exploit emotional factors that can affect judgment in decision-making processes.Some attackers create a sense of limited opportunity, such as offering exclusive travel deals [34].Furthermore, impulsivity and a tendency for sensationseeking have been linked to making mistakes in detecting phishing emails, as individuals using heuristic thinking tend to overlook details [28].In [35], it was proposed that people who are overconfident in their ability to identify phishing may make errors due to omitting important details.

Methods and Techniques
This section presents the methods, techniques, and stages used during this research.The first process consists of a literature review to determine cyberattack variables and characteristics during the COVID-19 pandemic.The second is a literature review to determine the victims' psychological impact and human behavior during COVID-19.The third procedure focuses on presenting a correlational study exploring the increase in cyberattacks as Internet use rises due to COVID-19.Based on these preliminary results, we present a proposal for modeling phishing attacks using the cyber kill chain model, considering human behavior due to the COVID-19 pandemic.We performed an exploratory, descriptive, and correlational study.It is exploratory as it attempts to study a problem whose impact is not clearly defined, and it is conducted to understand it better.It is descriptive because it describes the nature of a social problem, focusing on why a specific phenomenon occurs.Finally, it is correlational as it attempts to determine the relationship between two or more study variables, manipulating them to obtain conclusions about the existing relationships.To provide the orientation and delimitation of the study, we try to resolve the following research questions: RQ1: Is there a variation in cyberattacks during the period of the COVID-19 pandemic?RQ2: Has the context of the COVID-19 pandemic increased the susceptibility of being a victim of cyberattacks?RQ3: How can we model user behavior during the COVID-19 pandemic in the face of a cyberattack employing the steps of the cyber kill chain?
The literature reviews were based on the PRISMA guidelines [15], which promote a modular approach of four stages: identification, screening, eligibility analysis, and inclusion.The identification stage included different steps such as study selection, inclusion and exclusion criteria, manual search, and removal of duplicates.The screening stage consisted of the review of titles and abstracts.The eligibility analysis stage was executed by reading the full texts of the selected articles.Finally, the inclusion stage consisted of data extraction.These phases are briefly described below.Identification of Study Selection consisted of constructing the following search strings that employ Boolean operators to connect the following keyboard strings: "(COVID-19)" AND "(CYBERATTACKS OR CYBERSECURITY)"; "(COVID-19)" AND "(HUMAN FACTORS)"; "(COVID-19)" AND "(HUMAN BEHAVIOUR)"; "(COVID-19)" AND "(VECTOR ATTACKS)".
Based on these strings, we conducted a manual search in the following databases: Springer, Scopus, IEEE, the Association for Computing Machinery (ACM), the Web of Science, and Science Direct.These databases were chosen since they are the most relevant sources of information corresponding to cyberattacks during the COVID-19 pandemic.
The inclusion criteria were: (i) papers, conferences, and book chapters published between 2020 and 2021; and (ii) design research, experimental and not experimental, related to human factors in phishing attacks.The exclusion criteria were papers published in scientific databases and international organizations that include aspects of COVID-19 but do not consider security attacks during the pandemic or human factors affected during the pandemic.Through this process, we identified 175 articles; 119 were presented at conferences, 52 were journal articles, and 4 were book chapters.Thirty-eight articles have been removed as duplicates.
For screening, we carried out a screening process for the 137 remaining papers to select the main contributions.This process was based on papers' titles and abstracts using a free web application created for the systemic review process called Rayvan [15].This web application allows each reviewer to see the collected papers' titles and abstracts, maintaining a blinded review process.Initially, 73 articles were identified for full-text reading that focuses on analyzing safety aspects during the COVID-19 pandemic, and then a total of 50 studies were considered to analyze the correlation between human factors and cyberattacks during the period of the COVID-19 pandemic (see Tables 4 and 5), based on the PRISMA methodology shown in Figure 2.     Regarding the inclusion stage or data extraction and cyberattacks, Weil et al. [36] mention that the COVID-19 epidemic has generated a global transformation in education, healthcare, business, industry, government, entertainment, social life, spirituality, and religious practices.For instance, the restriction of access to educational institutions leads to the creation of virtual learning environments using online video conferencing systems.Gupta et al. [37] declare that various sectors implemented robotics applications to avoid social contact.Robots were used for sanitization and cleaning, medicine and food delivery, food packing, self-driving vehicles, and food inspection.Additionally, Gupta mentions the use of AI-enabled body temperature monitoring in some airports, schools, and subways.A wide range of technologies has gained more relevance during the COVID-19 pandemic.Some representative examples include online video conferencing systems, virtual labs, chatbots, drone delivery, remote access, robots, 3-D printing, web online payment, contactless payment, virtual reality apps, and video streaming.On the other hand, Tawalbeh et al. [38] report that because of the COVID-19 pandemic, there was an increase in cyberattacks.Healthcare organizations were victims of multiple attacks aiming to compromise their operations through IoT systems and legacy software vulnerabilities.Another critical aspect of the impact of the COVID-19 pandemic on people is the incurred lifestyle change.This behavior change is one of the main consequences of social isolation, along with restrictive measures that cause people to lose freedom and create a lower perception of social support, leading to feelings of loneliness and boredom [4].Based on the literature review carried out on public open data from organizations such as the Organization for Economic Co-operation and Development (OECD), the Office for National Statics by United Kingdom, and the United States Census Bureau (USCB), a great number of changes have occurred in people's lifestyles, which are presented in Table 6.During the COVID-19 pandemic, people changed or empathized with specific products.Certain items gained attention during the COVID-19 pandemic, like cosmetic and personal care products, digital entertainment, food and beverage, pharmaceutical/health, education and online courses, tools, gardening, do-it-yourself, and household products [77].The relevance of the Internet in the world has never been greater than in the year 2020, since the quarantine caused by COVID-19 changed people's lifestyles.Confinement measures, the universal use of masks, migration to teleworking and tele-education, and new habits concerning consumption, work, studies, and interpersonal relationships have enabled a shift regarding using the network of networks.According to Organization for Economic Co-operation and Development (OECD) estimates, electronic commerce grew by around 108% globally.At the same time, the use of digital tools doubled in just the first two months of the COVID-19 pandemic [78].Online stores have increased by 60%.However, the growth of these numbers has also caused an alarming increase in cyber threats.For the last quarter of 2020, there was a 75% increase in the probability of being a victim of cybercrime compared to 2019.Cyberattacks are intensifying due to the growth of adversaries' ability to access personal and business data and due to the fact that they face lower protection barriers due to the massive use of teleworking and greater socialization in social networks [5].We analyzed data from the Office for National Statistics [1], and UNICEF [2], UK Data Service [63], Staszkiewicz [64] the World Bank [69], Burton [65], Chandola [78].The data have the following formats: CSV, JSON, and XML.
Adversaries are aware that people have changed their behavior.Social media was one of the primary sources of fake news during the COVID-19 pandemic.Consequently, it had a relevant impact and disastrous effects on the pandemic's control [79]; e.g., certain information had the objective of inducing mental fatigue, leading to anxiety, phobia, panic spells, depression, obsession, irritability, and delusions related to COVID-19.Attackers can focus on carrying out their attack knowing that home security infrastructure is less efficient than that of enterprises and that people are interested in learning about COVID-19 effects.Information about COVID-19 does not just focus on the growth of the number of COVID-19 cases or information on vaccination processes; people also search for topics such as tax or economic incentives, miracle cures against COVID-19, entertainment, online shopping, and e-commerce.Based on a web scraping analysis of security reports issued by international organizations such as the FBI, INTERPOL, and specialized security sites such as Kaspersky, TrendMicro, Checkpoint, and ESET, we collected a compilation of impersonating attacks using known brands during COVID-19 based on the persons' needs, as shown in Table 7 [80].

Results of Extraction of Human Factor Used during Cyberattacks
Then we used basic statistical methods to define a Pearson coefficient to validate the correlation between cyberattacks, tele-education, telework, and psychological factors.The relationships obtained from this correlation can be seen in Table 8.The selected psychological factors directly influence and present a high positive correlation between Internet use and cyberattacks, having a value of (0.210).On the other hand, cyberattack and psychological factors and the system's vulnerability have a value of (0.430), giving us a significant correlation.As a result, we infer that there are greater possibilities that both factors move in the same direction (see Figure 3).Open shops Amazon

Results of Extraction of Human Factor Used during Cyberattacks
Then we used basic statistical methods to define a Pearson coefficient to validate the correlation between cyberattacks, tele-education, telework, and psychological factors.The relationships obtained from this correlation can be seen in Table 8.The selected psychological factors directly influence and present a high positive correlation between Internet use and cyberattacks, having a value of (0.210).On the other hand, cyberattack and psychological factors and the system's vulnerability have a value of (0.430), giving us a significant correlation.As a result, we infer that there are greater possibilities that both factors move in the same direction (see Figure 3).The results obtained reflect a probable fact known by security experts; the cybersecurity strategy depends on a cognitive approach.So, one of the main issues today in the context of the COVID-19 pandemic is the environment of uncertainty where users and cybersecurity specialists need to improve their cognitive agility.To understand the process that an attacker could use, in this study we adopted the cyber kill chain model [77] that includes the following phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and exfiltration with psychological factors during the COVID-19 pandemic.

RQ1. Is there a variation in security attacks during the period of the COVID-19 pandemic?
Based on the literature review, in the works [47][48][49][50][51], we can observe no significant variation in the types of phishing attacks that existed before COVID-19.On the other hand, no new types of attacks have been detected.However, we observed that these attacks are adaptable to the current context of the COVID-19 pandemic.Furthermore, complementing the study by [17], who mentions that ransomware and XSS attacks have been the most relevant due to their volume during COVID-19, it should be noted that there is an increase in social engineering attacks.Attacks have improved their effectiveness due to people's increased connection and interconnection to digital media and services and the need to acquire information during the pandemic.The context of the COVID-19 pandemic has generated changes in social, technological, and cultural aspects worldwide.Teleworking and tele-education have become essential to give continuity to daily operations and activities in the world.This migration of activities to the home environment, where cybersecurity mechanisms (firewall, IDS, SIEM, among others) are less efficient and advanced than the organizations' physical facilities, has enabled cyber adversaries to increase the scope and impact of their attacks.
COVID-19 has generated an increase in the need for access to data, information, and social networks to be aware of the issues inherent to the pandemic, such as infection growth and medication.Moreover, knowing that daily activities related to entertainment, shopping, or social relations have shifted entirely to the digital realm, adversaries have intelligently made variations in the form of their attacks to exploit this new reality imposed by the pandemic.As a representative example, phishing attacks that used content related to COVID-19 (e.g., possible protection measures against the coronavirus) have become very common.

RQ2. Has the context of the COVID-19 pandemic increased the susceptibility of being a victim of cyberattacks?
The context of COVID-19 has generated a change in some people in human factors such as anxiety, depression, and uncertainty due to the social and economic crisis of the pandemic.In some cases, these changes have prompted people to seek refuge in social media to maintain human interaction in the face of a state of confinement and the need to obtain information related to the social and economic aspects of COVID-19.Based on the literature review, we can observe an increase in fake news and misinformation events.Although these events do not fall under the category of cybercrime, they can be used by attackers to increase uncertainty and a negative context that increases the susceptibility of people to being attacked.Moreover, knowing that social engineering attacks focus on cognitive manipulation, the more information sent to a person, the greater the probability of changing their cognitive bias.Adversaries are aware that when humans are in a stage where psychological factors such as anxiety, depression, frustration, or loneliness are high, they become more vulnerable, and they are the weakest link in the cybersecurity chain.Hence, they focus on these aspects in their social engineering attacks.It is safe to assume that adversaries carry out these types of behavioral and technical analyses.In that case, it is essential that cybersecurity specialists and people, in general, understand the process related to an attack and how cyberattacks are adaptable to each context, as is the case with the COVID-19 pandemic.
For this reason, we model cyberattacks in the context of the pandemic by considering psychological factors.Psychological factors can be leveraged for an attack where the victim in the same exploration phase is experiencing a restriction or loss of physical freedom and feels socially isolated.Due to the pandemic, the adversary knows that people resorted to being connected for more extended periods.However, psychological factors can also be used as defense strategies, thus improving people's resilience and self-efficacy.In this way, security mechanisms can be generated, especially in the delivery phase in which the role of people is more relevant than that of technological solutions.International organizations have highlighted this aspect and have promoted a hybrid set of strategies (i.e., social and technical) during the COVID-19 pandemic.
The conducted SLR identifies that common cyberattacks such as phishing, ransomware, mobile malware, or XSS not only remained during the pandemic but also increased their volume.Through the use of the full-text review in the PRISMA methodology's inclusion process, it was possible to identify that the pandemic influenced the growth of human factors such as stress, anguish, and despair caused by the perception of danger, loneliness, and loss of physical freedom.Adversaries took advantage of these factors to improve their social engineering attacks by including content related to the coronavirus.
Adversaries also focused on the people's emotional vulnerability during this pandemic, knowing that messages referring to job stability, economic incentives, or vaccination plans would be of interest.Their critical judgment could be affected by this context.The SLR identifies that the COVID-19 pandemic prompted a mandatory use of the Internet for education, work, or service payment activities, which allowed the attackers to have a greater possibility of carrying out their attacks [55][56][57][58][59][60][61][62][63][64][65][66][67].The correlational study carried out based on the data obtained in the SLR shows that a longer time spent on the Internet and the impact on psychological factors present a positive correlation coefficient that allows inducing a direct relationship between these two elements and the increase of cybersecurity attacks.

RQ3. How can we model the user behavior during the COVID-19 pandemic in the face of a cyberattack employing the steps of the cyber kill chain?
There is a generalization of people's behaviors in digital media in the recognition phase.Lifestyle changes are driven by the pandemic, such as telecommuting, accessing social media, and online shopping, which have allowed cyberattacks to become more widespread.In the weaponization phase, media such as email messages, web pages, and mobile applications are still used to prepare the cyberattack.In the delivery phase, there are two aspects in which technological solutions and the optimization of cognitive processes can be employed for the defense of security.Modeling cyberattacks with a cyber kill chain allows us to understand the attack process executed by adversaries.Although the model does not detail the techniques and tools used and does not identify the attacker's behavior, it provides a macro vision of the cyberattack process for establishing cybersecurity strategies.Understanding each attack stage and associating it with the human factor that the adversary will exploit could support establishing security strategies based on people's psychological and cognitive characteristics.

Psychological Impact and Behaviors during the Pandemic
The results of this study corroborate the relation between human factors and cybersecurity attacks.Elements such as time of connectivity to the Internet, social and entertainment media, and the psychological behavior of the user could increase the susceptibility to attacks.Regarding this point, our interest is defining how the human factor in cyberattacks (psychological behavior) could be taken into consideration in the development of cyber-exercises.
Human factors: A negative psychological impact is another consequence of the COVID-19 outbreak.The literature review found that emerging mental health problems are related to stress, anxiety, depression, frustration, and uncertainty.
Protective factors: Psychological resilience is the ability to support or retrieve psychological well-being.In social threat situations such as a pandemic, strengthening individual strategies helps in the acceptance of anxiety and the management of negative emotions to achieve the successful re-adaptation process [77].The establishment of social support is a strategy to reduce the likelihood of developing psychological distress and psychiatric conditions.The results of the research in [81] in 2020 suggest that the belief that we can face social threat situations (self-efficacy) helps to maintain mental health and reduce risky behaviors.From the psychology perspective, the user could use protective strategies such as cognitive agility, effective communication, and social support to deal with anxiety, depression, and distress and generate resilience against cyberattacks (see Figure 4).processes, especially when they are subjected to high levels of anxiety, depression, and distress, such as those generated within the COVID-19 pandemic.Ref. [82] mentions that feelings of frustration and uncertainty can occur in processes when there is an inadequate provision of essential services such as food or water.During the period of the COVID-19 quarantine, these feelings intensified.Additionally, inadequate information generates a stress factor.During the COVID-19 pandemic, the lack of information in the first month led to people's confusion [83].Risk factors: Cognitive and affective factors can influence people's decision-making processes, especially when they are subjected to high levels of anxiety, depression, and distress, such as those generated within the COVID-19 pandemic.Ref. [82] mentions that feelings of frustration and uncertainty can occur in processes when there is an inadequate provision of essential services such as food or water.During the period of the COVID-19 quarantine, these feelings intensified.Additionally, inadequate information generates a stress factor.During the COVID-19 pandemic, the lack of information in the first month led to people's confusion [83].

Modeling Cyberattacks with Cyber Kill Chain
Cyberattacks leave behind behavioral patterns that can be analyzed to detect malicious activities.Studying the behavior of attackers in various cyberattack scenarios can help develop behavioral models that can be used to identify patterns and distinguish them from legitimate user actions.The systematic literature review allows an understanding of the different vectors that are related to the cybersecurity context, and based on these aspects it can be determined which cognitive elements could be included in each of the phases of the cyber kill chain model.
For the second step, we include the preventive strategies in the seven phases of the cyber kill chain (see Figure 5).The cyber kill chain is used in cybersecurity to describe the various stages that a cyber attacker typically goes through during a targeted attack.It was developed by Lockheed Martin [77].By understanding the cyber kill chain, cybersecurity professionals can implement measures to detect and prevent attacks at various stages.
To clarify the cyber kill chain process under the COVID-19 scenario where people are connected online, they will use fake web pages with content, medicines, treatment, and vaccines; fake apps with COVID-19 growth maps; emails with false information; and fake messages on social networks.The use of emails to carry out phishing has been highly influential, showing its growth worldwide during 2020.The adversary sends an email impersonating a recognized body such as the World Health Organization (WHO) and generates a message with content that creates interest, such as actions to avoid contagion.The adversary uses official logos so that his mail has a formal presentation.A decomposition of the main elements of the false messages was performed.The elements that these messages have, in general, are a logo, title, name or description, text related to fake content, links to malicious sites, and the message's source [83].Then, in the weaponization phase, the adversaries look for tools that allow them to carry out their attack.Next, in the delivery phase, the attacker tries to deliver the malicious code, for which he uses an embedded link or a document attached to the email.People are often not good at storing large amounts of new information and generating automatic processes that adapt to their environment.In the context of COVID-19, their systemic thought processes must face work activities, family, and feelings caused by the pandemic, such as anxiety or uncertainty.Not paying attention to the link or attachment description can be of high impact against a cyberattack.At this point, if the adversary successfully delivers the malicious code, he will proceed with the subsequent exploitation, installation, command and control, and exfiltration phases, in which he can gain control of the machine and steal information or disrupt the service.The model considers the cognitive processes of people as central elements and complements these with the development of solutions based on cognitive systems (machine learning, deep learning, and reinforcement learning) to development behavior analyses for estimating and alerting about possible risky actions by users.They understand the cognitive process of a person during a phishing attack, and this allows us to model and consider the application of deep learning, neural networks, or reinforcement learning as possible complements to reduce the probability of the success of a phishing attack by developing solutions or tools that support the cognitive process of people in the face of possible cyberattack scenarios.
The main objectives are to understand that not all people have similar forms of cognitive processing or act in a similar way when faced with a cyberattack, to be able to develop solutions based on cognitive systems that adjust to the behavior of each person, which would allow estimating the risk in real time, and being able to establish a proactive cybersecurity strategy.We propose that the cyber kill chain model include stimulating cognitive strategies at the level of executive functions, attention, and perception.This can encourage the acquisition of protective behaviors, such as managing privacy on social networks, blocking unknown contacts, changing passwords, using antiviruses, and limiting one's opinion publications, not only from a technical perspective, but also from social and cognitive perspectives.
The model extracts relevant features such as language patterns, linguistic cues, visual elements, sender information, and domain analyses from vector attacks, which could support the capture of cognitive factors.Considering that the modeling of each episode of cyberattacks could contain a mixture of various vector attack scenarios when different cognitive factors from users could be under development, the use of episodic training as a strategy could leverage the idea of learning from different episodes or scenarios rather than just from individual data points [84].For instance, in the context of detecting phishing attacks based on cognitive factors, episodic training can be applied to improve the performance of machine learning models by exposing them to various phishing scenarios, making them more robust and capable of generalizing across different attack patterns.In each phase, we identify both the vulnerabilities of the user and the techniques that attackers use to achieve their purpose.In addition, our model includes the elements of prevention of an attack from the cognitive aspects that would help people face each of the phases.For this reason, we include the mechanisms for re-adaptation by the user [81].As illustrated in Figure 5, each of the phases comprises the process conducted by an attacker, ranging from identifying the target to taking control and stealing information or disrupting operations.Establishing an attack model would allow technicians to develop the appropriate defensive measures.However, we consider that the context of the COVID-19 pandemic has generated a greater relevance of the human factor over the technological tools in cybersecurity defense processes.Within this context, we can show that the "Reconnaissance" and "Weaponization" phases of the cyber kill chain relate to psychological factors such as social isolation and restrictive measures that cause lifestyle changes.Adversaries can use people's experiences of loss of freedom, loneliness, and boredom to build profiles of their needs and use them to develop weapons of cyberattacks that could be effective in their objective of stealing information or disrupting services.In the "Delivery" phase, we can show that defense strategies need to consider human factors.Strengthening protective factors such as resilience and self-efficacy will help to develop mechanisms for re-adaptation to this new reality.
The model considers the cognitive processes of people as central elements and complements these with the development of solutions based on cognitive systems (machine learning, deep learning, and reinforcement learning) to development behavior analyses for estimating and alerting about possible risky actions by users.They understand the cognitive process of a person during a phishing attack, and this allows us to model and consider the application of deep learning, neural networks, or reinforcement learning as possible complements to reduce the probability of the success of a phishing attack by developing solutions or tools that support the cognitive process of people in the face of possible cyberattack scenarios.
The main objectives are to understand that not all people have similar forms of cognitive processing or act in a similar way when faced with a cyberattack, to be able to develop solutions based on cognitive systems that adjust to the behavior of each person, which would allow estimating the risk in real time, and being able to establish a proactive cybersecurity strategy.We propose that the cyber kill chain model include stimulating cognitive strategies at the level of executive functions, attention, and perception.This can encourage the acquisition of protective behaviors, such as managing privacy on social networks, blocking unknown contacts, changing passwords, using antiviruses, and limiting one's opinion publications, not only from a technical perspective, but also from social and cognitive perspectives.
The model extracts relevant features such as language patterns, linguistic cues, visual elements, sender information, and domain analyses from vector attacks, which could support the capture of cognitive factors.Considering that the modeling of each episode of cyberattacks could contain a mixture of various vector attack scenarios when different cognitive factors from users could be under development, the use of episodic training as a strategy could leverage the idea of learning from different episodes or scenarios rather than just from individual data points [84].For instance, in the context of detecting phishing attacks based on cognitive factors, episodic training can be applied to improve the performance of machine learning models by exposing them to various phishing scenarios, making them more robust and capable of generalizing across different attack patterns.Additionally, clearer images can potentially make phishing attempts more convincing and harder to detect by users, especially in periods of significant anxiety such as the COVID-19 pandemic, when some cognitive factors could be changed.So, the use of deep learning algorithms such as Unsupervised Unified Image Dehazing and Denoising Networks (UU-DeNets) could be used effectively.UU-DeNets are image processing techniques primarily used to improve the visual quality of hazy and noisy images [82].While these techniques are not directly related to detecting phishing attacks, they can still be applied in certain scenarios to enhance the quality of images used in phishing emails or phishing websites which enhance cognitive processing.

Discussion
According to Tarnowski [77], we can establish a set of technological solutions such as SIEM, IPS, firewalls, and antiviruses to reduce the attacker's capacity in any of these phases.However, the delivery phase needs to consider the user as a part of countermeasures.Along these lines, the director of SANS mentions that a delivery phase that includes the human being is more decisive in stopping cyberattacks than technological solutions [83].Even security solutions that include Artificial Intelligence can have false positives and negatives that require human actions to refine them (human in the loop).
We can examine the possibility of a mass attack by exploring the same characteristics observed in individuals worldwide who exhibit similar behaviors.For example, these behaviors may include spending more time online to search for information, experiencing more times when they may feel anxiety or frustration generated by the uncertainty of the pandemic, seeking social contact using technological means, and connecting to work, education, or home activities from a less secure form of environment.As mentioned above, expensive tools such as SIEM, IPS, and firewalls, among others, help reduce attacks.Their deployment is carried out jointly on the premises of the organization.By migrating people to a work-from-home mode, work environments are made less safe from a technological perspective because not all of these tools are available there.
In defense strategies, it is necessary to take into consideration the people.Social isolation and restrictive measures cause lifestyle changes, which attackers can use in the "Reconnaissance" and "Weaponization" phases of cyberattacks.The experiences of loss of freedom, loneliness, and boredom can build profiles of people's needs and, with these elements, malicious actors can develop weapons of cyberattacks that could be effective in their objective of stealing information or disrupting services.Strengthening protective factors such as resilience and self-efficacy will help to develop mechanisms for re-adapting to this new life scenario and reduce the vulnerability of people to cyberattacks.
Based on the proposed model, it is possible to define security tools and detection algorithms designed to reduce a cyberattack's effectiveness in the first three phases before the adversary can have greater control of the technological system.This study highlights that although technological solutions are relevant for the continuity of operations, they are also a window of opportunity for the generation of cyberattacks that seek to disrupt services or steal information.Additionally, it shows that the human factor, which has always been considered a key element in cybersecurity strategies, has further increased its relevance during this pandemic.Since the beginning of the pandemic, specialized organizations have mentioned that the control of the coronavirus depends on the behavior and critical judgment of people; this criterion is transferred in the same way to the digital world where the success or failure of a cyberattack will depend on the role and action of people.
This study proposes integrating human factors into technological solutions against social engineering cyberattacks.This is a relatively new field that requires further research to generate scientific evidence that can reduce the vulnerability of digital systems in which humans spend more time and interact with a greater number of people, especially after the COVID-19 pandemic, which has modified behaviors in the workplace, commerce, and education sectors.Cyberpsychology is emerging as a promising research area with significant future potential.

Conclusions
The pandemic was a catalyst for social, cultural, and technological changes worldwide.Although from the perspective of technological growth the pandemic has pushed the growth of solutions focused on tele-education, teleworking, and online services, it is also true that it has indirectly led to an increase in cybersecurity attacks.
Cross-site scripting and ransomware attacks have been relevant during the pandemic due to their use and impact in the financial and health domains.These attacks have disrupted computer systems, caused the infection of millions of machines, and exposed people's sensitive information.Cyberattacks during the pandemic maintained their fundamental attack characteristics, such as the use of cookies, the injection of malware through email, and the use of fake news.
Adversaries have taken advantage of the pandemic context to modify their attacks using information related to COVID-19 to take advantage of people's need to learn information about the coronavirus and the development of daily activities.Some psychological factors such as stress, anxiety, and depression, which reflect a combination of the feelings of loss of freedom and social isolation generated by the pandemic, have been used by adversaries to be more effective in their social engineering attacks.This study made it possible to understand how adversaries took advantage of psychological factors in cyberattacks, an aspect that could allow the establishment of more effective security mechanisms.To understand the process that a phishing attacker could use for taking advantage of psychological factors during the COVID-19 pandemic, we adapted in this study the cyber kill chain model that included reconnaissance, armament, and delivery, exploitation, installation, command and control, and exfiltration phases.In certain stages of the cyberattack, such as delivery, the actions carried out by people are of greater relevance than those established by technological solutions.Therefore, it is convenient to focus on hybrid solutions that strengthen people's cognitive processes to detect cyberattacks.They can contribute to the effectiveness of minimizing the impact of cyberattacks.

Figure 2 .
Figure 2. PRISMA is stated as the Preferred Reporting Item for Systematic Reviews and Meta-Analyzes.The figure shows the technical process followed to report the systematic literature reviews and meta-analyses that evolved in this study.

4 .
Exploratory Study of Human Factors in Cyberattacks during the COVID-19 Pandemic 4.1.Psychological Impact and Behaviors during the Pandemic Another critical aspect of the impact of the COVID-19 pandemic on people is the incurred lifestyle change.This behavior change is one of the main consequences of social isolation, along with restrictive measures that cause people to lose freedom and create a lower perception of social support, leading to feelings of loneliness and boredom [4].Based on the literature review carried out on public open data from organizations such as the Organization for Economic Co-operation and Development (OECD), the Office for National Statics by United Kingdom, and the United States Census Bureau (USCB), a great number of changes have occurred in people's lifestyles, which are presented in Table6.During the COVID-19 pandemic, people changed or empathized with specific products.Certain items gained attention during the COVID-19 pandemic, like cosmetic and personal care products, digital entertainment, food and beverage, pharmaceutical/health, education and online courses, tools, gardening, do-it-yourself, and household products[77].

Figure 2 .
Figure 2. PRISMA is stated as the Preferred Reporting Item for Systematic Reviews and Meta-Analyzes.The figure shows the technical process followed to report the systematic literature reviews and meta-analyses that evolved in this study.

4 .
Exploratory Study of Human Factors in Cyberattacks during the COVID-19 Pandemic 4.1.Psychological Impact and Behaviors during the Pandemic

Figure 3 .
Figure 3. (Left) correlation between Internet demand and cyberattacks; (right) correlation between psychological factors and cyberattacks.

Figure 3 .
Figure 3. (Left) correlation between Internet demand and cyberattacks; (right) correlation between psychological factors and cyberattacks.

Electronics 2023 , 21 Figure 5 .
Figure 5.This figure represents the adaptation of the cyber kill chain model developed by Lockheed Martin.We propose to model a phishing attack, focusing on the cognitive human factor, in a sequence of seven steps.

Figure 5 .
Figure 5.This figure represents the adaptation of the cyber kill chain model developed by Lockheed Martin.We propose to model a phishing attack, focusing on the cognitive human factor, in a sequence of seven steps.

Author
Contributions: Conceptualization, W.F. and M.C.; methodology, R.A.; formal analysis, R.A.; investigation, R.A. and M.C.; writing-review and editing, R.A. and W.F.; project administration, W.F.; funding acquisition, I.O.-G.and M.S.R.All authors have read and agreed to the published version of the manuscript.

Table 3 .
Types of social engineering attacks.

Table 5 .
Primary and secondary sources for literature review for human behaviors during COVID-19.

Table 4 .
Primary and secondary sources for literature review for cyberattacks during COVID-19.

Table 5 .
Primary and secondary sources for literature review for human behaviors during COVID-19.
** The correlation is significant at the 0.01 level (bilateral).