//Research Library 

Our research library is the world’s first globally accessible archive of research into the human aspect of cyber security and behavioural science as applied to cyber security awareness and online behavioural change.

To see the latest studies from pioneering academics, scroll down.

Cyber Security Culture in organisations

Drawn from multiple disciplines including organisational sciences, psychology, law and cyber security, this report aims to assist organisations looking to begin or enhance their own cyber security culture programme.



Read full paper



Authors: ENISA

Behavioural Insights in Public Health England

The public health behavioural insights team offer a general introduction to behavioural economics, show how theories have been successfully applied to the public health sector and present a framework for designing behavioural change interventions.


Read full paper



Authors: Tim Chadborn, Liz Castle, Karen Tan, Jet Sanders

The State of Cybersecurity and Digital Trust 2016

This report, which is based on the results of a survey of over 200 enterprise security professionals, explores the state of cyber security throughout organisations. The report identifies five significant ‘cyber gaps’ that have the ability to hinder cyber security efforts.


Read full paper



Authors: Accenture

Building a Culture of Security

In this whitepaper, Adobe explain how they’ve become an established global leader in security culture, training and awareness. They offer insight into the programs and schemes they run in order to maintain a culture of security.


Read full paper



Authors: Adobe

More Harm Than Good? How Messages That Interrupt Can Make Us Vulnerable

Paper highlighting how constant interrupting messages and updates from computers and phones can impair cognitive functioning due to an effect called dual-task interference (DTI). DTI suggests that 2 tasks can only be performed in unison if there is a loss in overall performance. Constant messages, updates and alerts mean humans are constantly performing numerous tasks, thus performing poorly.



Read full paper



Authors: Jeffrey L. Jenkins, Bonnie Brinton Anderson, Anthony Vance, C. Brock Kirwan, David Eargle

How Do Vulnerabilities Get Into Software?

This paper, by application security platform Veracode, addresses the four main causes of vulnerabilities in software today. The authors investigate: insecure coding practises; the ever-shifting threat landscape; the reuse of vulnerable components and code; and idiosyncrasies of programming languages.



Read full paper



Authors: Veracode

Nudging better security

This article explains what ‘behavioural nudging’ is and offers examples of how nudging could be used to encourage desired security behaviours.


Read full paper



Authors: Max Klugerman PwC

Productive Security: A Scalable Methodology for Analysing Employee Security Behaviours

Organisational security policies are often written without sufficiently taking in to account the goals and capabilities of the employees that must follow them. Effective security management requires that security managers are able to assess the effectiveness of their policies, including their impact on employee behaviour. We present a methodology for gathering large scale data sets on employee behaviour and attitudes via scenario-based surveys. The survey questions are grounded in rich data drawn from interviews, and probe perceptions of security measures and their impact. Here we study employees of a large multinational company, demonstrating that our approach is capable of determining important differences between various population groups. We also report that our work has been used to set policy within the partner organisation, illustrating the real-world impact of our research.


Read full paper



Authors: Adam Beautement, Ingolf Becker, Simon Parkin, Kat Krol, M. Angela Sasse

Human Behaviour as an aspect of Cyber Security Assurance

This paper considers existing research into cyber security assurance processes in an effort to identify elements of cyber security that would benefit from further research and development. It concludes the cyber security industry would benefit from more research into the human aspect of cyber security and proposes a new framework be developed that’d help shape new human cyber security assurance mechanisms and evaluate their effectveness.


Read full paper



Authors: Mark Evans, Leandros A. Maglaras, Ying He, Helge Janicke

Nudging Online Security Behaviour with Warning Messages

Researchers tested the effectiveness of 9 different ways of warning users about cyber security threats. Making users aware of the steps they could take to minimise risk was effective in triggering more secure behaviour. Gain-framed messages, loss-framed messages and a message from a male anthropomorphic character triggered more secure behaviours. Interestingly, although the above interventions influenced behaviour, they did not effect participants’ self-reported knowledge of how to prevent cyberattacks.


Read full paper



Authors: René van Bavel, Nuria Rodríguez-Priego

Awareness is only the first step

Improving cyber security awareness is often assumed to improve cyber security, however this paper suggests it’s necessary for people to be engaged in cyber security in order to make people a robust cyber defence. The paper builds a model for engaging people in cyber secuirty, which includes awareness profiling, awareness planning, transformation and optimisation.


Read full paper



Authors: Marcus Beyer, Sarah Ahmed, Katja Doerlemann, Simon Arnell, Simon Parkin, Prof. M. Angela Sasse, Neil Passingham

Cybersecurity’s Human Factor: Lessons from the Pentagon

The article shares the US Defense Department’s approach to addressing the human side of cyber security, allowing business leaders to apply the same framework to their own organisations.


Read full paper



Authors: James A. (Sandy) Winnefeld Jr., Christopher Kirchhoff, and David M. Upton

The Online dating romance scam: The psychological impact on victims – both financial and non-financial

This paper finds for most people, the loss of a relationship following the culmination of an online dating scam is more unsettling than any financial losses suffered. According to the paper, few victims of online dating scams find a sufficient way to cope following the scams ending. Researchers suggest the absence of a coping mechanism leaves victims vulnerable to a second wave of attack and make policy recommendations as a result.


Read full paper



Authors: Whitty, M. T. and Buchanan, T.

On cyber security, technology and human behaviors

According to this post, it’s important to take an innovative approach when it comes to cyber security as conventional means (such as posters or one-time awareness training) do not change behavior. Further, the post suggests risk-mitigating behaviors must become automatic so they are not forgotten when people are absorbed in their roles.


Read full paper



Authors: Hend Ezzeddine

Identifying How Firms Manage Cyber Security Investment

A report on a set of semi-structured interviews that aimed to determine how firms make decisions regarding their cyber security investment. The report finds that senior management understand the importance of cyber security, that budgeting for cyber security is not difficult but finding qualified personnel is, and that the process is prioritised over outcome.



Read full paper



Authors: Tyler Moore, Scott Dynes, Frederick R. Chang

HP Security Research – Cyber Risk Report 2015

An overview of the threat landscape of HP in 2014. This report outlines the threats that occurred and the changes that were made to improve the resilience of the software company HP. The report aimed to provide an understanding of potential threats and interventions that could minimise their damage.



Read full paper



Authors: Hewlett Packard

HP Security Research – Cyber Risk Report 2015

An overview of the threat landscape of HP in 2014. This report outlines the threats that occurred and the changes that were made to improve the resilience of the software company HP. The report aimed to provide an understanding of potential threats and interventions that could minimise their damage.



Read full paper



Authors: Hewlett Packard

Cyber security: a failure of Imagination by CEOs

This paper discusses the involvement of CEOs in cyber security. Backed up by strong research, it explores the current state of CEO involvement, addresses some of the challenges involved in CEO involvement and offers four golden rules of cyber security.



Read full paper



Authors: KPMG

Evolvement of Information Security Research on Employees Behavior: A Systematic Review and Future Direction

Information Security (IS) is one of the biggest concerns for many organizations. This concern has led many to focus a huge effort into studying different IS areas. One of these critical areas is the human aspect, where investigation of employees’ behaviors has emerged as an important topic. In this paper, we conduct a systematic review of all empirical studies published on this topic. The review will highlight the theoretical and methodological development and the dissemination of related empirical studies in academic journals throughout the years. At the end of the review, future research considerations are discussed and shared.


Read full paper



Authors: Mohamed Alaskar, Shahper Vodanovich, Kathy Ning Shen

Improving Your Security Awareness Campaigns: Examples From Behavioral Science

This short blog post suggests cyber security awareness campaigns should not be run by IT but by human resources or standalone departments; that companies should quantify risks to guide cyber security investments; that awareness campaign effectiveness should be measured and that goals of awareness campaigns should be long-term behaviour change.


Read full paper



Authors: Christophe Veltsos

True (but not false) memories are subject to retrieval-induced forgetting in children

This paper’s researchers studied the concept of retrieval-induced forgetting in children. Researchers found that while actual memories were indeed subject to retrieval-induced forgetting, false meories were not. The finding suggests cue indepedence – the idea of cues being entirely independent from one another – doesn’t necessarily hold true.


Read full paper



Authors: Heather L. Price, Thomas L. Phenix

Filter your results:

Want to suggest an addition to our research library?