What we learned at SABS4CYBER 2019 – Part 1 of 2



We are CybSafe. A cyber security & data analytics company.


SABS4CYBER is an annual conference that shines a spotlight on social and behavioural sciences.

More specifically, SABS4CYBER puts the people using social and behavioural science to solve security challenges into the spotlight.

This year, we were super excited to host the conference at our home in Level39, the prestigious London technology community based at One Canada Square, Canary Wharf. This is because we’re passionate about building a future that reshapes the way organisations approach human cyber risks. We see science as an integral part of understanding human behaviour and as a result it’s ingrained in everything we do. We know that only through collaboration between industry, academia and government can we address the challenge of cyber security and keep people, businesses and nations safe online. We were honoured to host SABS4CYBER and to be able to support the early career academic community.

Each amazing speaker had the microphone and 15 minutes with which to inspire and enlighten the audience with security behavioural insights. And that’s precisely what happened!

Kicking things off in a joint opening talk, CybSafe’s Oz Alashe MBE and the University of Portsmouth’s Professor Debi Ashenden highlighted the urgent need for new, cross-discipline and scientifically grounded security interventions. The challenge was clear, and the room’s atmosphere shifted. Attendees leaned in.



Academia is changing

In the day’s first keynote, Lancaster University’s Dr. David Ellis gripped people’s attention with a talk that explained how the world of academia has recently changed. Gone are the days of the lone, isolated researcher! Today, in a shift that’s proving fruitful, interdisciplinary research teams are becoming the norm. Given today’s need for cross-discipline security insights, Ellis’s timing gave the pendulum momentum.

Do we see hackers as a threat?

Ghent University’s Dr. Sanja Budimir kept things moving at pace, discussing a practical study of IoT users. As part of her fascinating research, Budimir’s team gave people IoT devices and studied how they reacted when the devices malfunctioned. Perhaps surprisingly, people largely blamed themselves for malfunctioning devices, and few saw hacking by cyber criminals as a risk. Budimir’s study convinced her that victims of cyber crime need emotional support: the shift in victims’ emotional outlook is not something we should ignore.


Awareness does not equal behaviour change!

Royal Holloway’s Georgia Crossland followed, presenting research that confirmed greater security awareness doesn’t necessarily change how people behave! Through focus groups, Crossland discovered that people who write down passwords or accept lax privacy settings know what they’re doing is unsafe yet continue anyway. Some users felt that best-practice security measures weren’t enough to prevent advanced attacks, so why bother at all? The talk set a challenge for security professionals: how can we overcome latent fatalism to ensure people keep themselves safe online?


Does hunger increase cyber risk?

The University of Portsmouth’s Dr. Ian Reid was next up. Reid’s talk summarised his research into the contextual factors that might influence people’s perceptions of cyber risk. Research suggests the day of the week, the temperature in the office and even hunger pangs all influence decision-making! By extension, do such factors also influence our vulnerability to attacks? In future research, Reid plans to test the hypotheses. We can’t wait to see the results.

Do Pokémon Go-like games decrease cyber risk?!

Dr. Meredydd Williams’s following discussion focused on security behaviour change in practice. As Georgia Crossland had already clarified, raising security awareness doesn’t necessarily change people’s security behaviours. What can, Dr. Williams noted, is “edutainment”. In one recent experiment, Williams asked users to play a Pokémon-esque smartwatch game designed to influence their approach to security. After taking part, participants were 43% more likely to use a screen lock. The conclusion gave those currently designing today’s interventions pause for thought.


What makes phishing effective?

Talking of which, the University of Huddersfield representative Sathpal Panesar followed Dr. Meredydd Williams with a talk on the factors that influence phishing susceptibility. After analysing a dataset of 67,000 users, Panesar found that simulated phishing emails that played on urgency, offered a system upgrade or threatened loss were all more likely to garner clicks.

Even more influential was the supposed email sender: according to Panesar’s research, simulated phishing emails that appeared to come from people’s employers were far more likely to trick people than emails supposedly from the likes of Amazon or Google. Concluding, Panesar cautioned that suspicion should always guide security behaviours.


That’s it for part one! The key takeaways for us? Awareness training doesn’t equal behaviour change, and there is a lot more at play affecting our decisions than we might think. Both super exciting prospects that we can’t wait to explore further.

Join us for part two, where we’ll cover whether multitasking affects our susceptibility to cyber crime, why boards typically underinvest in cyber security, and whether developers regularly break security policies.
