//Research Library 

Our research library is the world’s first globally accessible archive of research into the human aspect of cyber security and behavioural science as applied to cyber security awareness and online behavioural change.

To see the latest studies from pioneering academics, scroll down.

Phishing attacks: defending your organisation

This paper proposes a multi-layered approach to defending your organisation against phishing attacks, condensed into four layers. At each layer, the authors recommend tactical interventions to help organisations achieve this multi-layered security.


Read full paper



Authors: NCSC, CPNI

Revitalizing privacy and trust in a data-driven world

This report summarises key findings from ‘The Global State of Information Security Survey 2018’, which surveyed 9,500 global C-suite executives and directors about their organisation’s security practises. The report identifies and expands on nine data privacy and trust insights drawn from the survey.


Read full paper



Authors: PwC

What Do They Really Think? Overcoming Social Acceptability Bias in Information Security Research

This study used two techniques to ensure people accurately reported attitudes on information security in the workplace. A key finding was those who believed information security to be the responsibility of the organisation felt security risks to be overstated, whereas those who believed information security to be the responsibility of individuals felt warnings over security risks were valid and justified.


Read full paper



Authors: D. Ashenden

Understanding susceptibility to phishing emails: Assessing the impact of individual differences and culture

This study looked into how individual differences and national culture impacted participants’ responses to phishing and spear-phishing emails. The study found a national culture that promoted the needs of the individual (rather than the needs of society) increased the likelihood of phishing and spear-phishing emails being accurately identified. The same study found impulsiveness decreased the chances of phishing emails being identified but the same was not true of spear-phishing emails. Finally, the study found individual differences had an effect on user’s ability to spot malicious emails.


Read full paper



Authors: Marcus Butavicius, Kathryn Parsons, Malcolm Pattinson, Agata McCormac, Dragana Calic, Meredith Lillie

Securing Mobile Devices: Evaluating the Relationship between Risk Perception, Organisational Commitment and Information Security Awareness

This study examined the relationship between perception of risk, organisational commitment, and Information Security Awareness (ISA), finding both organisational commitment and perception of personal risk to be significant predictors of ISA. Surprisingly, frequency of workplace information security training negatively affected ISA.


Read full paper



Authors: A. Reeves, K. Parsons and D. Calic

Deep Thought: A Cybersecurity Story

ideas42 aims to help solve difficult social problems using insights from behavioural science. In this instance, the problem in question is the human aspect of cyber security. The paper applies psychology and behavioural science principles to common cyber security issues such as phishing, unsecure public Wi-Fi and poor passwords.



Read full paper



Authors: Alex Blau, Alexandra Alhadeff, Michael Stern, Scott Stinson, Josh Wright, ideas42

Embedding Security Behaviours: using the 5Es

This framework is designed to help embed and sustain security behaviours in employees. The framework is condensed into 5Es (Educate, Enable, Environment, Encourage, Evaluate) and explains how to implement these using examples and tactical interventions.


Read full paper



Authors: CPNI

How to Launch a Behavior-Change Revolution

A team spear-headed by University of Pennsylvania researchers have launched an ambitious research project called Behavior Change for Good. The project will attempt to determine the best behavioural-change practices in three areas: health, education and personal finance. It will test many ideas with the ultimate aim of uncovering how best to change human behaviour.


Read full paper



Authors: Steven D Levitt & Steven J Dubner

Measuring the Success of Context-Aware Security Behaviour Surveys

Background: We reflect on a methodology for developing scenario-based security behaviour surveys that evolved through deployment in two large partner organisations (A & B). In each organisation, scenarios are grounded in workplace tensions between security and employees’ productive tasks. These tensions are drawn from prior interviews in the organisation, rather than using established but generic questionnaires. Survey responses allow clustering of participants according to predefined groups. Aim: We aim to establish the usefulness of framing survey questions around active security controls and problems experienced by employees, by assessing the validity of the clustering. We introduce measures for the appropriateness of the survey scenarios for each organisation and the quality of candidate answer options. We use these scores to articulate the methodological improvements between the two surveys. Method: We develop a methodology to verify the clustering of participants, where 516 (A) and 195 (B) free-text responses are coded by two annotators. Inter-annotator metrics are adopted to identify agreement. Further, we analyse 5196 (A) and 1824 (B) appropriateness and severity scores to measure the appropriateness and quality of the questions. Results: Participants rank questions in B as more appropriate than in A, although the variations in the severity of the answer options available to participants is higher in B than in A. We find that the scenarios presented in B are more recognisable to the participants, suggesting that the survey design has indeed improved. The annotators mostly agree strongly on their codings with Krippendorff’s α > 0.7. A number of clusterings should be questioned, although α improves for reliable questions by 0.15 from A to B. Conclusions: To be able to draw valid conclusions from survey responses, the train of analysis needs to be verifiable. Our approach allows us to further validate the clustering of responses by utilising free-text responses. Further, we establish the relevance and appropriateness of the scenarios for individual organisations. While much prior research draws on survey instruments from research before it, this is then often applied in a different context; in these cases adding metrics of appropriateness and severity to the survey design can ensure that results relate to the security experiences of employees.


Read full paper



Authors: Ingolf Becker, Simon Parkin, M. Angela Sasse

If someone is watching, I’ll do what I’m asked: mandatoriness, control, and information security

This research finds people are motivated to follow security procedures when they believe the procedures to be compulsory, and that both specifying policies and evaluating behaviors help position security policies as mandatory. It follows that specifying policies and evaluating behaviours is more likely to lead to security procedures being followed.


Read full paper



Authors: Scott R Boss, Laurie J Kirsch, Ingo Angermeier, Raymond A Shingler, R Wayne Boss

Nudges for Privacy and Security: Understanding and Assisting Users’ Choices Online

Advancements in information technology often task users with complex and consequential privacy and security decisions. A growing body of research has investigated individuals’ choices in the presence of privacy and information security tradeoffs, the decision-making hurdles affecting those choices, and ways to mitigate such hurdles. This article provides a multi-disciplinary assessment of the literature pertaining to privacy and security decision making. It focuses on research on assisting individuals’ privacy and security choices with soft paternalistic interventions that nudge users toward more beneficial choices. The article discusses potential benefits of those interventions, highlights their shortcomings, and identifies key ethical, design, and research challenges.


Read full paper



Authors: Alessandro Acquisti, Idris Adjerid, Rebecca Balebako, Laura Brandimarte, Lorrie Faith Cranor, Saranga Komanduri, Pedro Giovanni Leon, Norman Sadeh, Florain Schaub, Manya Sleeper, Yang Wang, Shomir Wilson

The Definitive Fraud Encyclopedia

This unique guide provides step-by-step instructions on how to commit fraud. From buying the correct hardware and software, to spoofing the personal details of your victims, to actually using stolen cards effectively. Originally published by an anonymous individual “Yegate”, this guide was bought by Brett Johnson, a former cyber criminal turned good, and released for free online for the public to read.



Read full paper



Authors: Yegate

The Human Factor in Cybercrime and Cybersecurity

A Research Agenda publication aiming to stimulate research on the human factor in cyber crime and cyber security. This book offers examples of unanswered research questions and methods and datasets that could be used for future studies.


Read full paper



Authors: Mark Evans, Leandros A. Maglaras, Ying He, Helge Janicke

Securing the digital enterprise

This report looks at the practical steps organisations typically go through on their journey towards managing cyber risk. It identifies five stages during the ‘cyber-maturity journey’ during which organisations are likely to encounter problems. Finally, it offers a solution to each of the problems specified.


Read full paper



Authors: BT

From Paternalistic to User-Centred Security: Putting Users First with Value-Sensitive Design

Usable security research to date has focused on making users more secure, by identifying and addressing usability issues that lead users to making mistakes, or by persuading users to pay attention to security and make secure choices.However, security goals were set by security experts, who were unaware that users often have other priorities and value security differently. In this paper, we present examples of circumventions and non-adoption of secure systems designed under this paternalistic mindset. We argue that security experts need to identify user values and deliver on them. To do that, we need a methodological framework that can conceptualise values and identify those that impact user engagement with security. We show that (a) engagement with, and adherence to security, are mediated by user values, and that (b) it is necessary to model those values to understand the nature of security’s failures and to design viable alternatives.


Read full paper



Authors: Steve Dodier-Lazaro, Ruba Abu-Salma, Ingolf Becker, M. Angela Sasse

Finding Security Champions in Blends of Organisational Culture

Security managers define policies and procedures to express how employees should behave to ‘do their bit’ for information security. They assume these policies are compatible with the business processes and individual employees’ tasks as they know them. Security managers usually rely on the ‘official’ description of how those processes are run; the day-to-day reality is different, and this is where security policies can cause friction. Organisations need employees to participate in the construction of workable security, by identifying where policies causes friction, are ambiguous, or just do not apply. However, current efforts to involve employees in security act to identify employees who can be local representatives of policy – as with the currently popular idea of ‘security champions’ – rather than as a representative of employee security needs. Towards helping organisations ‘close the loop’ and get input from employees, we have conducted employee surveys on security in the context of their specific jobs. The paper presents results from secondary analysis of one such survey in a large commercial organisation. The analysis of 608 responses finds that attitude to policy and behaviour types – the prevailing security cultures – vary greatly in the organisation and across four business divisions examined in further detail. There is a role in contributing to the effectiveness of security policies not only for those who follow policy, but also for those who question policy, socialise solutions, or expect security to justify itself as a critical part of their productive work. This demonstrates that security champions cannot be uniform across the organisation, but rather that organisations should re-think the role of security champions as diverse ‘bottom-up’ agents to change policy for the better, rather than communicators of existing ‘top-down’ policies.


Read full paper



Authors: Ingolf Becker, Simon Parkin, M. Angela Sasse 

Growing positive security culture

This blog post explores how organisations can create, maintain and improve their security culture and addresses the questions one may have in regards to security culture. The author highlights three phenomena that actively prevent affected organisations from achieving a culture of security, alongside offering alternative approaches to to each.


Read full paper



Authors: Emma W NCSC

Unwinding Ariadne’s Identity Thread: Privacy Risks with Fitness Trackers and Online Social Networks

The recent expansion of Internet of Things (IoT) and the growing trends towards a healthier lifestyle, have been followed by a proliferation in the use of fitness-trackers in our daily life. These wearable IoT devices combined with the extensive use by individuals of Online Social Networks (OSNs) have raised many security and privacy concerns. Individuals enrich the content of their online posts with their physical performance and attendance at sporting events, without considering the plausible risks that this may result in. This paper aims to examine the potential exposure of users’ identity that is caused by information that they share online and personal data that are stored by their fitness-trackers. We approach the privacy concerns that arise by building an interactive tool. This tool models online information shared by individuals and elaborates on how they might be exposed to the unwanted leakage of further personal data. The tool also illustrates the privacy risks that arise from information that people expose, which could be exploited by malicious parties such as fraudsters, stalkers and other online and offline criminals. To understand the level of users’ awareness concerning their identity exposure when engaging with such devices and online services, we also have conducted a qualitative analysis and present our findings here.


Read full paper



Authors: Angeliki Aktypi, Jason R. C. Nurse, Michael Goldsmith

Social Cybersecurity: Applying Social Psychology to Cybersecurity

An introduction to the research of Jason Hong, Sauvik Das, Tiffany Hyun-Jin Kim and Laura Dabbish, who are investigating how social influence affects cyber security and testing how social influence techniques can improve people’s awareness and knowledge of cybersecurity, as well as their motivation to act securely.


Read full paper



Authors: Jason Hong, Sauvik Das, Tiffany Hyun-Jin Kim, Laura Dabbish

Filter your results:

Want to suggest an addition to our research library?