Securing Mobile Devices: Evaluating the Relationship between Risk Perception, Organisational Commitment and Information Security Awareness

This study examined the relationship between perception of risk, organisational commitment, and Information Security Awareness (ISA), finding both organisational commitment and perception of personal risk to be significant predictors of ISA. Surprisingly, frequency of workplace information security training negatively affected ISA.
Authors: A. Reeves, K. Parsons and D....

Deep Thought: A Cybersecurity Story

ideas42 aims to help solve difficult social problems using insights from behavioural science. In this instance, the problem in question is the human aspect of cyber security. The paper applies psychology and behavioural science principles to common cyber security issues such as phishing, unsecured public Wi-Fi and poor passwords.
Authors: Alex Blau, Alexandra Alhadeff, Michael Stern, Scott Stinson, Josh Wright,...

Embedding Security Behaviours: using the 5Es

This framework is designed to help embed and sustain security behaviours in employees. The framework is condensed into 5Es (Educate, Enable, Environment, Encourage, Evaluate) and explains how to implement these using examples and tactical interventions.

How to Launch a Behavior-Change Revolution

A team spearheaded by University of Pennsylvania researchers has launched an ambitious research project called Behavior Change for Good. The project will attempt to determine the best behavioural-change practices in three areas: health, education and personal finance. It will test many ideas with the ultimate aim of uncovering how best to change human behaviour.
Authors: Steven D Levitt & Steven J...

Phish Phinder: A Game Design Approach to Enhance User Confidence in Mitigating Phishing Attacks

This paper proposes and sets out the framework for the development of a game designed to help educate users about phishing attacks. The proposed game draws on academic research and would take the form of a series of challenges that inherently educate users about phishing concepts.
Authors: Gaurav Misra, N.A.G. Arachchilage and Shlomo...

If someone is watching, I’ll do what I’m asked: mandatoriness, control, and information security

This research finds people are motivated to follow security procedures when they believe the procedures to be compulsory, and that both specifying policies and evaluating behaviors help position security policies as mandatory. It follows that specifying policies and evaluating behaviours is more likely to lead to security procedures being followed.
Authors: Scott R Boss, Laurie J Kirsch, Ingo Angermeier, Raymond A Shingler, R Wayne...

Social Cybersecurity: Applying Social Psychology to Cybersecurity

An introduction to the research of Jason Hong, Sauvik Das, Tiffany Hyun-Jin Kim and Laura Dabbish, who are investigating how social influence affects cyber security and testing how social influence techniques can improve people’s awareness and knowledge of cybersecurity, as well as their motivation to act securely.
Authors: Jason Hong, Sauvik Das, Tiffany Hyun-Jin Kim, Laura...

Nudging better security

This article explains what ‘behavioural nudging’ is and offers examples of how nudging could be used to encourage desired security behaviours.
Authors: Max Klugerman PwC

Nudging Online Security Behaviour with Warning Messages

Researchers tested the effectiveness of 9 different ways of warning users about cyber security threats. Making users aware of the steps they could take to minimise risk was effective in triggering more secure behaviour. Gain-framed messages, loss-framed messages and a message from a male anthropomorphic character triggered more secure behaviours. Interestingly, although the above interventions influenced behaviour, they did not affect participants’ self-reported knowledge of how to prevent cyberattacks.
Authors: René van Bavel, Nuria...

Awareness is only the first step

Improving cyber security awareness is often assumed to improve cyber security; however, this paper suggests people must be engaged in cyber security in order to become a robust cyber defence. The paper builds a model for engaging people in cyber security, which includes awareness profiling, awareness planning, transformation and optimisation.
Authors: Marcus Beyer, Sarah Ahmed, Katja Doerlemann, Simon Arnell, Simon Parkin, Prof. M. Angela Sasse, Neil...

Improving Your Security Awareness Campaigns: Examples From Behavioral Science

This short blog post suggests cyber security awareness campaigns should not be run by IT but by human resources or standalone departments; that companies should quantify risks to guide cyber security investments; that awareness campaign effectiveness should be measured and that goals of awareness campaigns should be long-term behaviour change.
Authors: Christophe...

The Influence of Experiential and Dispositional Factors in Phishing: An Empirical Investigation of the Deceived

This paper’s researchers used behavioural factors including trust, perceived risk and suspicion to devise and test a model predicting the chances of a successful phishing attack. They found four behavioral factors influenced whether phishing e-mails were answered with sensitive information, and suggest future anti-phishing efforts take these into account.
Authors: Ryan T. Wright & Kent...

Comparing the Impact of Explicit and Implicit Resistance Induction Strategies on Message Persuasiveness

Researchers studied people’s resistance to persuasion, testing traditional explicit warnings against implicit priming warnings. They found simply reminding people of a situation in which someone attempted to influence them (ie, implicit priming) was as effective in helping people resist persuasion as explicit warnings, yet required less cognitive strain.
Authors: Marieke L. Fransen, Bob M....

The Effect of Social Influence on Security Sensitivity

Even though there has been an increased effort to increase security sensitivity amongst the population, most individuals ignore security advice. This paper found a few social influence processes – processes that influence the behaviours of individuals with words and actions – play a major role in many security-related behaviour changes, most likely due to the fact that these processes were effective at raising security sensitivity.
Authors: Sauvik Das, Tiffany Hyun-Jin Kim, Laura A. Dabbish, Jason I....

Cyber Security Awareness Campaigns: Why do they fail to change behaviour?

The focus of this comprehensive paper is why cyber security awareness campaigns fail. The authors find changing behaviour requires more than simply offering people information about risks and best practices: people must also be willing to apply advice on security procedures, which requires a change in attitudes towards cyber security. The paper also reviews current persuasion techniques and finds fear is a successful behaviour change motivator when it comes to cyber security. Finally, the paper offers examples of awareness campaigns from around the world.

EAST: 4 simple ways to apply behavioural insights

After years of lectures, seminars, workshops and talks with policy makers, the UK government’s behavioural insights team have developed a simplified framework to help encourage behavioural change. To encourage the adoption of a new behaviour, the team argue, the behaviour should be Easy, Attractive, Social and Timely, or EAST as an acronym.
Authors: Owain Service, Michael Hallsworth, David Halpern, Felicity Algate, Rory Gallagher, Sam Nguyen, Simon Ruda, Michael Sanders with Marcos Pelenur, Alex Gyani, Hugo Harper, Joanne Reinhard & Elspeth...

Using behavioural insights to improve the public’s use of cyber security best practices

Behavioural change theory suggests influencers of behavioural change include environmental factors (such as technological design), social influencers (such as peers or family) and personal influencers (such as what we know and believe). Using the MINDSPACE framework helps design behaviour change interventions built on sound theories, maximising the chances of behaviour change. Interestingly, this paper notes messages of fear can backfire if they begin to be perceived as scaremongering (ie, if users never actually experience attacks first hand).

Effects of Self-Relevant Perspective-Taking on the Impact of Persuasive Appeals

Researchers offer participants persuasive communications in the form of charitable appeals and commercial advertisements. By drawing the attention of the participant to how similar they are to either a victim of misfortune (in a charitable appeal) or a protagonist (in a commercial appeal), researchers conclude persuasive power increases when similarities are high, decreases when similarities are moderately low and has no effect when similarities are very low.
Authors: IW Hung, RS Wyer...

Using Behavioral Economics for Postsecondary Success

Many programs that aim to help individuals in postsecondary education underperform due to the fact that humans do not behave in an expected, rational way. In this report, it’s suggested that behavioural economics can provide an insight into how people behave and make decisions and, once this is known, “behavioural bottlenecks” can be identified and effective solutions designed.
Authors: Rebecca Ross, Shannon White, Josh Wright, Lori...

A Review of Young People’s Vulnerabilities to Online Grooming

According to this study: adolescents appear to be the age group most vulnerable to online grooming; parental involvement in a child’s internet use protects against online grooming; and the more risk-taking behaviors a young person carries out, the more vulnerable they are likely to be to online grooming attempts.
Authors: Helen Whittle, Catherine Hamilton-Giachritsis, Anthony Beech, Guy...

Similarities and Differences Between Working Memory and Long-Term Memory: Evidence From the Levels-of-Processing Span Task

This paper tests the effects of depth of processing on both working memory and long-term memory. The results indicate that the depth of processing had little effect on working memory tests; however, the typical benefits of semantic processing were seen in long-term memory tests.
Authors: Nathan S. Rose, Joel Myerson, Henry L. Roediger III, Sandra...

Leveraging Behavioral Science to Mitigate Cyber Security Risk

A thorough paper reporting the findings of Shari Pfleeger and Deanna Caputo’s research into blending behavioural science and cyber security. Following an introduction to the relationship between human behaviour and cyber security, the paper discusses proven and potential behavioral science findings that have cyber security relevance.
Authors: Shari Lawrence Pfleeger, Deanna D....

MINDSPACE: Influencing behaviour through public policy

In an effort to aid policy makers seeking to change behaviour, a team of researchers summarise nine non-coercive influencers of human behaviour: the messenger (who a message comes from); incentives (such as loss avoidance); norms (what other people already do); defaults (ie, maintaining the status quo); salience (the novel and interesting); priming (acting after subconscious cues); affect (our emotions); commitments (to maintain consistent behaviour) and ego (to feel better about ourselves).
Authors: Paul Dolan, Michael Hallsworth, David Halpern, Dominic...

Indirect Warnings and Instructions Produce Behavioral Compliance

In this study, participants performed a computer memory task while compliance with three safety measures was monitored. Compliance with indirect warnings – that is, warnings triggered by entities other than researchers – was not significantly different to compliance with direct warnings. The research suggests there are effective ways to warn people other than from the top down.
Authors: Michael S. Wogalter and Eric...