Our research library is the world’s first globally accessible archive of research into the human aspect of cyber security and behavioural science as applied to cyber security awareness and online behavioural change.
To see the latest studies from pioneering academics, scroll down.
This paper proposes 10 cyber security challenges that need to be addressed, in an attempt to spark discussion about the global approach to cyber security.
Authors: Richard Horne, PwC
This paper proposes a multi-layered approach to defending your organisation against phishing attacks, condensed into four layers. At each layer, the authors recommend tactical interventions to help organisations achieve this multi-layered security.
Authors: NCSC, CPNI
This report summarises key findings from ‘The Global State of Information Security Survey 2018’, which surveyed 9,500 global C-suite executives and directors about their organisation’s security practices. The report identifies and expands on nine data privacy and trust insights drawn from the survey.
This report is designed to educate and inform organisations on the cyber threat landscape. It explores what to consider when disaster strikes and explains the importance of people and partnerships.
A set of best practice guidelines published by the WFE designed to encourage a culture of cyber security compliance, including ideas on behavioural incentives, cultural incentives and operational support.
Through a series of qualitative interviews with 19 participants, this study looked into and reported several factors influencing employees’ security behaviour at home.
Authors: Joseph Omidosu, Jacques Ophoff
The Socio-Technical Impact on Security of the Healthcare Internet of Things in the Use of Personal Monitoring Devices (PMDs)
This paper sets out a framework that might allow those who use healthcare personal monitoring devices (such as fitness trackers) to better protect their personal information.
Authors: Asanka I Pathirana, Patricia A H Williams
This study used two techniques to ensure people accurately reported attitudes on information security in the workplace. A key finding was that those who believed information security to be the responsibility of the organisation felt security risks to be overstated, whereas those who believed information security to be the responsibility of individuals felt warnings over security risks were valid and justified.
Authors: D. Ashenden
Understanding susceptibility to phishing emails: Assessing the impact of individual differences and culture
This study looked into how individual differences and national culture impacted participants’ responses to phishing and spear-phishing emails. The study found that a national culture that promoted the needs of the individual (rather than the needs of society) increased the likelihood of phishing and spear-phishing emails being accurately identified. The same study found that impulsiveness decreased the chances of phishing emails being identified, but the same was not true of spear-phishing emails. Finally, the study found that individual differences had an effect on users’ ability to spot malicious emails.
Authors: Marcus Butavicius, Kathryn Parsons, Malcolm Pattinson, Agata McCormac, Dragana Calic, Meredith Lillie
This study examined the relationship between Information Security Awareness (ISA), resilience and work stress, finding greater resilience to be associated with higher ISA and lower work stress.
Authors: Agata McCormac, Dragana Calic, Marcus Butavicius, Kathryn Parsons, Malcolm Pattinson, Meredith Lillie
Securing Mobile Devices: Evaluating the Relationship between Risk Perception, Organisational Commitment and Information Security Awareness
This study examined the relationship between perception of risk, organisational commitment, and Information Security Awareness (ISA), finding both organisational commitment and perception of personal risk to be significant predictors of ISA. Surprisingly, frequency of workplace information security training negatively affected ISA.
Authors: A. Reeves, K. Parsons and D. Calic
ideas42 aims to help solve difficult social problems using insights from behavioural science. In this instance, the problem in question is the human aspect of cyber security. The paper applies psychology and behavioural science principles to common cyber security issues such as phishing, insecure public Wi-Fi and poor passwords.
Authors: Alex Blau, Alexandra Alhadeff, Michael Stern, Scott Stinson, Josh Wright, ideas42
This framework is designed to help embed and sustain security behaviours in employees. The framework is condensed into 5Es (Educate, Enable, Environment, Encourage, Evaluate) and explains how to implement these using examples and tactical interventions.
A team spearheaded by University of Pennsylvania researchers has launched an ambitious research project called Behavior Change for Good. The project will attempt to determine the best behavioural-change practices in three areas: health, education and personal finance. It will test many ideas with the ultimate aim of uncovering how best to change human behaviour.
Authors: Steven D Levitt & Steven J Dubner
Background: We reflect on a methodology for developing scenario-based security behaviour surveys that evolved through deployment in two large partner organisations (A & B). In each organisation, scenarios are grounded in workplace tensions between security and employees’ productive tasks. These tensions are drawn from prior interviews in the organisation, rather than using established but generic questionnaires. Survey responses allow clustering of participants according to predefined groups.
Aim: We aim to establish the usefulness of framing survey questions around active security controls and problems experienced by employees, by assessing the validity of the clustering. We introduce measures for the appropriateness of the survey scenarios for each organisation and the quality of candidate answer options. We use these scores to articulate the methodological improvements between the two surveys.
Method: We develop a methodology to verify the clustering of participants, where 516 (A) and 195 (B) free-text responses are coded by two annotators. Inter-annotator metrics are adopted to identify agreement. Further, we analyse 5196 (A) and 1824 (B) appropriateness and severity scores to measure the appropriateness and quality of the questions.
Results: Participants rank questions in B as more appropriate than in A, although the variation in the severity of the answer options available to participants is higher in B than in A. We find that the scenarios presented in B are more recognisable to the participants, suggesting that the survey design has indeed improved. The annotators mostly agree strongly on their codings with Krippendorff’s α > 0.7. A number of clusterings should be questioned, although α improves for reliable questions by 0.15 from A to B.
Conclusions: To be able to draw valid conclusions from survey responses, the train of analysis needs to be verifiable. Our approach allows us to further validate the clustering of responses by utilising free-text responses. Further, we establish the relevance and appropriateness of the scenarios for individual organisations. While much prior research draws on survey instruments from research before it, this is then often applied in a different context; in these cases, adding metrics of appropriateness and severity to the survey design can ensure that results relate to the security experiences of employees.
Authors: Ingolf Becker, Simon Parkin, M. Angela Sasse
This paper proposes and sets out the framework for the development of a game designed to help educate users about phishing attacks. The proposed game draws on academic research and would take the form of a series of challenges that inherently educate users about phishing concepts.
Authors: Gaurav Misra, N.A.G. Arachchilage and Shlomo Berkovsky
This research finds people are motivated to follow security procedures when they believe the procedures to be compulsory, and that both specifying policies and evaluating behaviours help position security policies as mandatory. It follows that specifying policies and evaluating behaviours is more likely to lead to security procedures being followed.
Authors: Scott R Boss, Laurie J Kirsch, Ingo Angermeier, Raymond A Shingler, R Wayne Boss
Advancements in information technology often task users with complex and consequential privacy and security decisions. A growing body of research has investigated individuals’ choices in the presence of privacy and information security tradeoffs, the decision-making hurdles affecting those choices, and ways to mitigate such hurdles. This article provides a multi-disciplinary assessment of the literature pertaining to privacy and security decision making. It focuses on research on assisting individuals’ privacy and security choices with soft paternalistic interventions that nudge users toward more beneficial choices. The article discusses potential benefits of those interventions, highlights their shortcomings, and identifies key ethical, design, and research challenges.
Authors: Alessandro Acquisti, Idris Adjerid, Rebecca Balebako, Laura Brandimarte, Lorrie Faith Cranor, Saranga Komanduri, Pedro Giovanni Leon, Norman Sadeh, Florian Schaub, Manya Sleeper, Yang Wang, Shomir Wilson
This unique guide provides step-by-step instructions on how to commit fraud. From buying the correct hardware and software, to spoofing the personal details of your victims, to actually using stolen cards effectively. Originally published by an anonymous individual “Yegate”, this guide was bought by Brett Johnson, a former cyber criminal turned good, and released for free online for the public to read.
Packed with statistics and survey results, this paper profiles the ever-growing cyber threat landscape and offers advice to help address and overcome risks.
This paper offers an insight into what’s needed for an organisation to achieve a cyber risk aware culture and outlines the importance of establishing such a culture.
This paper reviews academic literature on both the individual differences and the contextual factors that influence susceptibility to cyber attacks, including self-awareness, self-control, security expertise, motivation, trust and attitudes to risk.
Authors: Emma J. Williams, Amy Beardmore, Adam N. Joinson
A Research Agenda publication aiming to stimulate research on the human factor in cyber crime and cyber security. This book offers examples of unanswered research questions and methods and datasets that could be used for future studies.
Authors: Mark Evans, Leandros A. Maglaras, Ying He, Helge Janicke
This report looks at the practical steps organisations typically go through on their journey towards managing cyber risk. It identifies five stages during the ‘cyber-maturity journey’ during which organisations are likely to encounter problems. Finally, it offers a solution to each of the problems specified.
Usable security research to date has focused on making users more secure, by identifying and addressing usability issues that lead users to make mistakes, or by persuading users to pay attention to security and make secure choices. However, security goals were set by security experts, who were unaware that users often have other priorities and value security differently. In this paper, we present examples of circumventions and non-adoption of secure systems designed under this paternalistic mindset. We argue that security experts need to identify user values and deliver on them. To do that, we need a methodological framework that can conceptualise values and identify those that impact user engagement with security. We show that (a) engagement with, and adherence to, security are mediated by user values, and that (b) it is necessary to model those values to understand the nature of security’s failures and to design viable alternatives.
Authors: Steve Dodier-Lazaro, Ruba Abu-Salma, Ingolf Becker, M. Angela Sasse
Security managers define policies and procedures to express how employees should behave to ‘do their bit’ for information security. They assume these policies are compatible with the business processes and individual employees’ tasks as they know them. Security managers usually rely on the ‘official’ description of how those processes are run; the day-to-day reality is different, and this is where security policies can cause friction. Organisations need employees to participate in the construction of workable security, by identifying where policies cause friction, are ambiguous, or just do not apply. However, current efforts to involve employees in security act to identify employees who can be local representatives of policy – as with the currently popular idea of ‘security champions’ – rather than representatives of employee security needs. Towards helping organisations ‘close the loop’ and get input from employees, we have conducted employee surveys on security in the context of their specific jobs. The paper presents results from secondary analysis of one such survey in a large commercial organisation. The analysis of 608 responses finds that attitude to policy and behaviour types – the prevailing security cultures – vary greatly in the organisation and across four business divisions examined in further detail. There is a role in contributing to the effectiveness of security policies not only for those who follow policy, but also for those who question policy, socialise solutions, or expect security to justify itself as a critical part of their productive work. This demonstrates that security champions cannot be uniform across the organisation, but rather that organisations should re-think the role of security champions as diverse ‘bottom-up’ agents to change policy for the better, rather than communicators of existing ‘top-down’ policies.
Authors: Ingolf Becker, Simon Parkin, M. Angela Sasse
This blog post explores how organisations can create, maintain and improve their security culture and addresses the questions one may have in regards to security culture. The author highlights three phenomena that actively prevent affected organisations from achieving a culture of security, alongside offering alternative approaches to each.
Authors: Emma W, NCSC
The recent expansion of the Internet of Things (IoT) and the growing trend towards a healthier lifestyle have been followed by a proliferation in the use of fitness-trackers in our daily life. These wearable IoT devices, combined with the extensive use by individuals of Online Social Networks (OSNs), have raised many security and privacy concerns. Individuals enrich the content of their online posts with their physical performance and attendance at sporting events, without considering the plausible risks that this may result in. This paper aims to examine the potential exposure of users’ identity that is caused by information that they share online and personal data that are stored by their fitness-trackers. We approach the privacy concerns that arise by building an interactive tool. This tool models online information shared by individuals and elaborates on how they might be exposed to the unwanted leakage of further personal data. The tool also illustrates the privacy risks that arise from information that people expose, which could be exploited by malicious parties such as fraudsters, stalkers and other online and offline criminals. To understand the level of users’ awareness concerning their identity exposure when engaging with such devices and online services, we have also conducted a qualitative analysis and present our findings here.
Authors: Angeliki Aktypi, Jason R. C. Nurse, Michael Goldsmith
This blog post emphasises the need for organisation-wide security awareness and offers five recommendations that can improve personal security practices and defend organisations against cyber threats.
Authors: Scott Garrett, Cisco
An introduction to the research of Jason Hong, Sauvik Das, Tiffany Hyun-Jin Kim and Laura Dabbish, who are investigating how social influence affects cyber security and testing how social influence techniques can improve people’s awareness and knowledge of cybersecurity, as well as their motivation to act securely.
Authors: Jason Hong, Sauvik Das, Tiffany Hyun-Jin Kim, Laura Dabbish