Volume 24, Issue 2

Book Review by W. Hutchinson (January, 2025)

Authors: Terry R. Merz and Lawrence E. Shaw
Publisher: The Institution of Engineering and Technology (November 5, 2024)
ISBN-10: 1839536675
ISBN-13: 978-1839536670

Firstly, this book is written by professionals for professionals. It is a comprehensive overview of phishing defined by the authors in their Glossary of Terms as “A type of cyberattack that uses disguised email or other forms of communication to trick recipients into revealing personal information”. It is a phenomenon that is on the increase and, hence, security personnel and, in fact, all of us should be aware of it. This book with its 288 pages of text provides the reader with an in-depth analysis of this subject.

It is not for casual users, although chapters can be read individually, for example, Chapter 2 ‘The user and context’. This chapter gives a concise breakdown of social engineering and the means of contact and its psychological impact on the user. This is where this book stands out amongst others; it has a large consideration of the impact of the technology on humans. As such, it combines people and technology in a very skilful and, I think, unique way. Of course, it uses acronyms (although they are all defined in a list) quite a lot. It seems technical books cannot rid themselves of this, but that is another discussion.

The chapters have a comprehensive series of topics that show the full range of attack types as well as mitigation techniques. The first chapter introduces the types of phishing, a breakdown of an attack, some previous mitigation techniques, the impact of Artificial Intelligence (AI), and elements of concern with QR codes. It breaks down the anatomy of phishing attacks. As previously stated, the next chapter moves on to the human element and its impact on the user.

In this chapter, the uniqueness (to me) of this book really surfaces. I think I can sum it up with a phrase used within it: “anthropomorphized technology”. Anthropomorphic technology is technology that is designed to be human-like, and anthropomorphism is the tendency to assign human characteristics to non-human things. I had to look both of these up but knew what they meant. I think this emphasis is why this text is different from many others. I have read many that describe holistic or ‘systemic’ explanations but tend to emphasise either the human system or the physical/procedural aspects of a system. This book combines the two and that is its greatest strength. It does not do it at a superficial level but instead captures the complexity of combining the impact and procedural processes at many levels. The individual level (both the attacker and the attacked) is exposed and the importance to mitigation and organisational procedure levels is shown. The book shows the many facets of the ‘humanisation’ of software such as user interface design and chatbots, for example, that simulate human behaviours and the responses. The ethical dimension is also covered.

I will attempt to briefly cover the next eight chapters to show the scope of each. The next chapter examines the failure to regulate threats and vulnerabilities. It begins with a whole list of risks and actions that can be taken against them. It goes into human-computer interaction, predictive coding (you will need to read this over! It was quite complex to me, at least), and interface design. It has extensive information on AI and human/computer interface design. Intense stuff!

Chapter 5 examines the assessment of phishing risk; it examines the framework behind this. Again, human factors are examined. Trends in phishing risk management outlining available tools are discussed. Again, it goes back to AI and its use in phishing attacks. It does outline technological countermeasures as well.

Chapter 6 delves into the organisation itself and its ability to handle this risk. It tells the reader there is no ‘silver bullet’. It outlines the design of actions and policies to mitigate the risk. There are a number of suggestions on managing the risk within the organisation.

Chapter 7 is an interesting inspection of the ‘training versus the experience’ solution to the cybersecurity problem. It has an extensive overview of the solution to the training problem and suggests a merging of the two aspects. This tends to be a sensible way for any such complex, fast-changing organisational problem. Cooperation is normally the most efficacious solution, but not always.

Chapter 8 introduces the social media environment which, because of its almost universal use by almost all individuals, is an obvious source of threat. It covers social media used in the organisation as well. It examines privacy, reputation management, customer engagement, and a myriad of other issues.

Chapter 9 expands on the technological solutions mentioned. It suggests AI and ML (Machine Learning).

Chapter 10 introduces some useful case studies.

Chapter 11, the final chapter, offers suggestions about the human in the loop (a constant theme) and the need for a comprehensive strategy. The requirement for the organisation to be committed to this, and a recommendation to use AI and ML, is also discussed.
It ends with a very helpful Glossary of Terms and the Index.

Obviously, I have not covered all the aspects of this book in this review, but to summarise, this text is a well-written technical analysis of phishing; both human and technological aspects are brought together to produce a volume of value to practitioners, researchers, students, and to those who wish to examine this security phenomenon at a deep level. I would recommend it, if you are in one of those groups. It is not often that a book of this type is readable, covers all the elements, is focused, and also comprehensible to a range of readers.

Volume 24, Issue 2 Editorial

Spring 2025

Most of our readers understand that the Journal of Information Warfare (JIW) has a very close relationship with Academic Conferences International (ACI), https://www.academic-conferences.org/, a United Kingdom-based organization that has provided outstanding events around the world for the last quarter century. Just recently, we jointly completed the 20th International Conference on Cyber Warfare and Security, from 28-29 March 2025, at the William & Mary Law School in Virginia with an outstanding group of 150 academics and practitioners from around the world. It was a great opportunity to meet and collaborate on a wide variety of cyber security-related topics.

Integrated Strategic Security Communication: Constructing a Framework Using Design Science Research

Abstract:

The state’s internal and external security can be promoted by means of strategic communication. Deterrence signalling aims to secure the state’s sovereignty by convincing adversarial actors that aggression will not be profitable. Although these two forms of state-led communication have much in common, deterrence signalling is usually studied as a separate phenomenon. This study aimed to determine whether there exists a unified core narrative for both deterrence signalling and strategic communication. The key finding is that a unified narrative creates clarity in the state’s security policy. Different aspects can be emphasised depending on the target audience.

A Study of North Korea’s Cyber Warfare: Actors, Tactics, and AI Integration

Abstract:

North Korea’s cyber threat operations have emerged as one of the most advanced and aggressive in the world. Over the past decade, the country has built a sophisticated cyber warfare capability, primarily aimed at financial gain, intelligence gathering, and disrupting adversaries. North Korea’s cyber activities are largely driven by its isolation from the global economy and its need to fund its regime amid international sanctions. These operations are conducted by highly skilled state-sponsored groups, most notably the Lazarus Group and APT38, both believed to be controlled by North Korea’s Reconnaissance General Bureau (RGB), the country’s primary intelligence agency. 

Defining Comprehensive Cognitive Security in the Digital Era: Literature Review and Concept Analysis

Abstract:

Cognitive security, an emerging field, spans disciplines and contexts but often lacks clear definitions. In the digital age, where disinformation spreads rapidly via the Internet, cognitive security is particularly crucial. Drawing on theoretical background, a definition is proposed: comprehensive cognitive security can be defined as a state and a process in which undesired malign influence or manipulation is incapable of altering human cognition and which can be achieved through a combination of knowledge and situation awareness with purposeful actions. This definition provides a framework that can be applied across various disciplines and can support societies in educating citizens on cognitive security.

Variety Dynamics for Taking Control of Complex Heterogenous Systems in Information Warfare

Abstract:

This paper introduces the use of Variety Dynamics in information warfare. A central challenge of Information Warfare is to control situations using influence via information factors. Typical information warfare situations are a heterogenous mix of physical and informatic systems changing dynamically: with multiple owners/controllers of the different elements and whose power, skill, and allegiances change as do subsystems, elements, and relationships, including those with external entities. All of these are subject to change due to relationships within the situation and are also influenced from external locations, relationships, and motivations. These factors and structures are often opaque, hidden, or deceitful. Conventional systems or causal theories do not apply well to controlling such systems. Variety Dynamics is offered as an alternative method of influence, analysis, and control.

Integrating EWACS and the Reimagined Pyramid of Pain: Proactive Strategies against Adversarial Information Operations

Abstract:

This paper proposes a multidisciplinary approach to combatting adversarial information operations, drawing upon theoretical frameworks and practical applications. It proposes proactive countermeasures, including an Early Warning and Control System for early detection and intervention. The study also highlights media literacy and institutional cooperation as essential strategies for building societal and individual resilience against disinformation, while emphasizing the need to uphold ethical standards. In conclusion, this paper advocates for converging theory and practice in addressing adversarial information operations. The proposed approach integrates cybersecurity theory with practical applications, providing a holistic framework for countering disinformation in today’s information environments.

How the Voice Lost Its Voice: Applying the Dual Processing Theory to Explain How Mis/Disinformation Can Deceive and Persuade Voting Decision Making

Abstract:

Mis/disinformation (also called fake news) is a major information warfare concern because it is a powerful tool for manipulating public perception, destabilising societies, and influencing geopolitical conflicts. This paper examined whether there is utility in applying the Dual Processing Theory to gain understandings and distinctions in language used in mis/disinformation compared to genuine information. The study examined Facebook posts written about the ‘Indigenous Voice to Parliament’ 2023 referendum in Australia. There was evidence of persuasive language in both types of posts; however, anchoring techniques, fear around untrue losses, and moral framing were more typical of mis/disinformation posts.

Advanced Persistent Threats Targeting the Middle East: Tactics, Techniques and Recommendations for Countermeasures

Abstract:

This research analyses the tactics and techniques of Advanced Persistent Threat groups targeting the Middle East, focusing on improving regional cyber security practices. It evaluates security measures using the MITRE ATT&CK framework, threat intelligence feeds, and simulated attacks in a controlled environment simulating corporate networks. Through experimental testing methodology employing both quantitative and qualitative analysis approaches, the research executed 127 attack techniques against endpoints and 1,968 web-based attacks to evaluate detection capabilities. Testing revealed that only 6.3% of endpoint attacks were detected by security solutions, while just 41.4% of web attacks were blocked by the Web Application Firewall, highlighting significant gaps in existing defences and recommending adoption of more enhanced technologies.

A Disinformation Attack Risk Awareness Framework: A Case Study on Incidents Collected by DISARM Foundation

Abstract:

The diversity of disinformation attack strategies highlights the need for a thorough analysis of their impacts and related risks. To deal with them, this paper proposes an ontology-based framework for building knowledge about disinformation incidents, bridging Itemset Mining and Situational Awareness. The framework incorporates a High-Risk Itemset Mining algorithm that combines the frequency and fuzzy utility of attack pattern itemsets, allowing for deeper insights into attack tactics and a better assessment of their associated risks. Experiments conducted using the DISARM Foundation dataset demonstrate the framework’s potential to identify the most relevant attack patterns and quantify their associated risks.

Journal of Information Warfare

The definitive publication for the best and latest research and analysis on information warfare, information operations, and cyber crime. Available in traditional hard copy or online.
