Research Article

Determining the Cyber Risk Matrix and Actions Created by Company Employees with Machine Learning

Year 2025, Volume: 12 Issue: 1, 1 - 14, 25.03.2025
https://doi.org/10.17350/HJSE19030000346

Abstract

In today’s digital age, the integration of various fields with the internet and technology has enabled people to handle many matters online, from their basic needs to business, banking and entertainment. However, this digital transformation poses new threats for companies, especially in terms of cyber security. Cyber-attacks can directly harm companies, disrupting systems and damaging their credibility. Despite taking technical measures, companies often encounter weaknesses due to the human factor. This study aims to identify profiles that may cause security vulnerabilities and to raise the company’s cybersecurity defense level with appropriate actions. The results show that people within a certain experience range share the same approaches. Using the K-means and Mean Shift clustering algorithms, individuals are grouped according to their behaviors, a cyber risk matrix is created for the company, and it is determined which risk category these people fall into in which situations. The data obtained clearly show that the human factor has emerged as a more important issue than the technical dimension in cyber security.

There are 22 citations in total.

Details

Primary Language: English
Subjects: Machine Learning (Other)
Journal Section: Research Articles
Authors

Esma Sığırtmaç 0000-0002-2898-3008

Musa Balta 0000-0002-8711-6625

Deniz Balta 0000-0001-9104-1868

Publication Date: March 25, 2025
Submission Date: January 30, 2024
Acceptance Date: December 9, 2024
Published in Issue: Year 2025 Volume: 12 Issue: 1

Cite

Vancouver Sığırtmaç E, Balta M, Balta D. Determining the Cyber Risk Matrix and Actions Created by Company Employees with Machine Learning. Hittite J Sci Eng. 2025;12(1):1-14.

Hittite Journal of Science and Engineering is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License (CC BY NC).