//Research Library 

Our research library is the world’s first globally accessible archive of research into the human aspect of cyber security and behavioural science as applied to cyber security awareness and online behavioural change.

To see the latest studies from pioneering academics, scroll down.



Filter your results:

Jun, 2018

Insights from 22 cyber security experts – part 1

PeepSec, the world’s first free, online summit on the people, culture and social aspects of cyber security, took place between Monday the 11th and Friday 15th of June.

22 expert speakers offered actionable and practical advice on the most pressing issues facing the security industry today. Hundreds of cyber security professionals and enthusiasts joined us, but for those who couldn’t make it, here’s what you missed on the first three days.

(By the way, you can now get immediate access to all 22 PeepSec talks by simply registering for free here.)

Day One

Ben Brabyn, head of the world’s most connected tech community, Level39, kicked PeepSec off with an interesting series of thought-provoking and to-the-point opinions. In a chat with Oz Alashe, Ben covered the importance of the human aspect of cyber security and building a culture of security, amongst other things.

Of particular note were Ben’s views on what makes so many people indifferent to security and, by extension, how to make security more compelling.

Because so often the person whose conduct causes the problem doesn’t immediately see feedback, many people don’t take cyber security seriously. Anything you can do to close that feedback loop clearly has a huge contribution to make.

Ben Brabyn, Head of Level39

Chartered Psychologist and Associate Fellow of the British Psychological Society Dr Emma Williams followed Ben, with an expansive discussion largely born from her academic research. Unlike many in the field, Dr Williams’ research revolves around the influence of context on security practices. According to Dr Williams, our external environments have a hand in our behaviours – and the right environments can heighten our resilience.

National Security Advisor Janet Williams was third to speak on day one of PeepSec. Perhaps unsurprisingly Janet focused her discussion on the security of nation states, explaining the security of nation states is now largely dependent on the security of UK businesses and organisations.

We can’t think, “It’ll just hit our own business.” An attack could have a knock on effect on the whole of the national infrastructure. That’s why the investment in our staff is important. They could have a massive implication.

Janet Williams, National Security Advisor

MD of Priviness Sandy Gilchrist closed day one, with candid advice on data privacy. As the managing director of a consultancy that specialises in helping organisations comply with the General Data Protection Regulations, Sandy’s simple and succinct views stripped reams of regulation all the way back to the European Convention on Human Rights, first drafted in 1950.

According to the convention, we all have the right to a private life. Sandy explained that, over the last 68 years, the convention seems to have been overlooked by certain organisations but by developing privacy policies with that simple fact in mind, salvation is possible and probable.

We don’t actually need legislation to say to people what they can do. If you can change the culture of an organisation to make people think about how they’d like their data to be used, it makes a huge difference.

Sandy Gilchrist, MD of Priviness

Day Two

PeepSec day two opened with an interview with author, academic and public speaker Professor Adam Joinson. Professor Joinson again offered advice on security from a different slant: this time centring the conversation on systems design.

It’s easy to blame users for poor security practices, believes Professor Joinson, but should we also be thinking about those designing insecure systems in the first place?

Professor Joinson argues convincingly that those designing systems are in a unique position to have a disproportionately positive effect on cyber resilience – and yet, frequently, their impact is harmful.

If you drive a car and the brakes don’t work, that’s not your responsibility. And yet, at the moment, the people who are bearing the cost of insecure systems are the end users or organisations.

Professor Adam Joinson

The Metropolitan Police’s Andrew Gould followed Professor Joinson and discussed the public value of good cyber security. Andrew is on a mission to increase engagement in cyber security for societal wellbeing, and discussed several interesting and novel ways of doing so.

Domain name registrar Nominet UK’s Cath Goulding then followed Andrew. In her interview with Oz Alashe, Cath talked through creating a culture of cyber security by getting the board engaged, before moving on to the dangers of selling-in security through fear.

You’ve got to start at the top. You’ve got to get leaders engaged. I’d love to see better metrics in the space. CFOs have numbers to show how well or how badly an organisation is doing. It’d be really good for the security profession to do the same.

Cath Goulding, Head of IT Security, Nominet UK

Dr Ioannis Agrafiotis of the University of Oxford ended day two, passionately arguing for greater collaboration amongst the security industry.

Dr Agrafiotis claimed our connected world has given us an opportunity that’s potentially too great to pass up and, if we could all admit we all have security issues, we may be better positioned to tackle them.

Day Three

The Bank of England’s John Scott began PeepSec day three with a considered talk on people being our greatest defence. As with other talks, John offered novel advice on getting people engaged with security – this time by using nudge theory. Interestingly, John talked through a risk-based approach to cyber security, in which each security risk is considered. Some risks are worth taking, John admits, but at the moment too many of us are taking risks without thinking.

KPMG’s Caroline Rivett followed John, with a well-rounded talk that touched on everything from the security industry’s sub-optimal communication to achieving the ever-elusive culture of security so many CISOs desire. Caroline tied her discussion together by showing how the two were interrelated, offering a valuable lesson to all those in security.

Danielle Kingsbury, Founder and President of CyberSecPsych, was next on the bill. Alongside its focus on psychology, Danielle’s talk was characterised by how we might be able to help more people learn and develop cyber security skills, and where we may currently be going wrong.

We each have a particular way of analysing information and being able to address those different learning styles is going to be essential for us to address the cyber issue.

Danielle Kingsbury, Founder and President of CyberSecPsych

Day three came to a close with an energetic talk from Mark Milton, Founder and CEO of Amberlight. After warning against an over-reliance on awareness training, Mark discussed making security a benefit by using it to optimise business processes. Often, security is seen as an added frustration.

Mark discussed the value of security policies that help people achieve their goals – and how such policies can be developed.

Often, security teams aim to secure a business process assumed to be already optimised. Frequently, it’s not. If you involve users in the conversation, you can look at optimising process and making sure secure behaviours are the default.

Mark Milton, Founder & CEO of Amberlight

If you didn’t get a chance to attend PeepSec you can get immediate access to all 22 PeepSec talks by registering for free here.

Jan, 2018

WFE Staff Behavior and Culture Best Practice Guidelines

A set of best practice guidelines published by the WFE designed to encourage a culture of cyber security compliance, including ideas on behavioural incentives, cultural incentives and operational support.


Read full paper



Authors: WFE

Nov, 2017

Employee Information Security Beliefs in the Home Environment

Through a series of qualitative interviews with 19 participants, this study looked into and reported several factors influencing employees’ security behaviour at home.


Read full paper



Authors: Joseph Omidosu, Jacques Ophoff

Nov, 2017

The Socio-Technical Impact on Security of the Healthcare Internet of Things in the Use of Personal Monitoring Devices (PMDs)

This paper sets out a framework that might allow those who use healthcare personal monitoring devices (such as fitness trackers) to better protect their personal information.


Read full paper



Authors: Asanka I Pathirana, Patricia A H Williams

Nov, 2017

What Do They Really Think? Overcoming Social Acceptability Bias in Information Security Research

This study used two techniques to ensure people accurately reported attitudes on information security in the workplace. A key finding was those who believed information security to be the responsibility of the organisation felt security risks to be overstated, whereas those who believed information security to be the responsibility of individuals felt warnings over security risks were valid and justified.


Read full paper



Authors: D. Ashenden

Nov, 2017

Understanding susceptibility to phishing emails: Assessing the impact of individual differences and culture

This study looked into how individual differences and national culture impacted participants’ responses to phishing and spear-phishing emails. The study found a national culture that promoted the needs of the individual (rather than the needs of society) increased the likelihood of phishing and spear-phishing emails being accurately identified. The same study found impulsiveness decreased the chances of phishing emails being identified but the same was not true of spear-phishing emails. Finally, the study found individual differences had an effect on user’s ability to spot malicious emails.


Read full paper



Authors: Marcus Butavicius, Kathryn Parsons, Malcolm Pattinson, Agata McCormac, Dragana Calic, Meredith Lillie

Nov, 2017

Understanding the Relationships between Resilience, Work Stress and Information Security Awareness

This study examined the relationship between Information Security Awareness (ISA), resilience and work stress, finding greater resilience to be associated with higher ISA and lower work stress.


Read full paper



Authors: Agata McCormac, Dragana Calic, Marcus Butavicius, Kathryn Parsons, Malcolm Pattinson, Meredith lillie

Nov, 2017

Securing Mobile Devices: Evaluating the Relationship between Risk Perception, Organisational Commitment and Information Security Awareness

This study examined the relationship between perception of risk, organisational commitment, and Information Security Awareness (ISA), finding both organisational commitment and perception of personal risk to be significant predictors of ISA. Surprisingly, frequency of workplace information security training negatively affected ISA.


Read full paper



Authors: A. Reeves, K. Parsons and D. Calic

Oct, 2017

How to Launch a Behavior-Change Revolution

A team spear-headed by University of Pennsylvania researchers have launched an ambitious research project called Behavior Change for Good. The project will attempt to determine the best behavioural-change practices in three areas: health, education and personal finance. It will test many ideas with the ultimate aim of uncovering how best to change human behaviour.


Read full paper



Authors: Steven D Levitt & Steven J Dubner

Oct, 2017

Phish Phinder: A Game Design Approach to Enhance User Confidence in Mitigating Phishing Attacks

This paper proposes and sets out the framework for the development of a game designed to help educate users about phishing attacks. The proposed game draws on academic research and would take the form a series of challenges that inherently educate users about phishing concepts.


Read full paper



Authors: Gaurav Misra, N.A.G. Arachchilage and Shlomo Berkovsky

Want to suggest an addition to our research library?