Select Page

Research Library

The world’s first globally accessible archive of research into the human aspect of cybersecurity and behavioral science as applied to cybersecurity awareness and online behavioral change.

To see the latest studies from pioneering academics, scroll down.

Do one more thing right today. Subscribe to the Behave Newsletter

Filter results by

Information security culture: A look ahead at measurement methods

The information security culture field is a complex research area that does not currently have a standardized term, definition, and measurement process for organizations of various sizes, industries, and locations. While information security culture is still a relatively new field, the field of organizational culture research is more established and can continue to offer theory...

Measuring the security culture in organizations: a systematic overview of existing tools

There has been an increase in research into the security culture in organizations in recent years. This growing interest has been accompanied by the development of tools to measure the level of security culture in order to identify potential threats and formulate solutions. This article provides a systematic overview of the existing tools. A total...

A systematic review of scales for measuring information security culture

Purpose – The concept of information security culture, which recently gained increased attention, aims to comprehensively grasp socio-cultural mechanisms that have an impact on organizational security. Different measurement instruments have been developed to measure and assess information security culture using survey-based tools. However, the content, breadth and face validity of these scales vary greatly. This...

The human factor in phishing: collecting and analyzing user behavior when reading emails

Phishing emails are constantly increasing their sophistication, and typical countermeasures struggle at addressing them. Attackers target our cognitive vulnerabilities with a varied set of techniques, and each of us, not trained enough or simply in the wrong moment, can be deceived and put an entire organization in trouble. To date, no study has evaluated the...

Exploring the evidence for email phishing training: A scoping review

Background: Phishing emails are a pervasive threat to the security of confidential information. To mitigate this risk, a range of training measures have been developed to target the human factors involved in phishing email susceptibility. Despite the widespread use of anti-phishing training programs, there is no clear understanding of the extent to which these approaches...

How do professionals assess security risks in practice? An exploratory study

There are a number of standards and frameworks for security risk assessment; however, it appears that their application and adaptation to real organisational practices are rather limited. This paper reports some results from inquiries into risk assessment practices of security professionals in Ireland. The key findings show a lack of consensus on basic terminology when...

Fortifying healthcare: An action research approach to developing an effective SETA program

Organizations continue to use security education training and awareness (SETA) programs to reduce the number of cybersecurity incidents related to phishing. A large healthcare organization contacted the authors to share that they continued to struggle with the efficacy of their traditional training program and to ask whether we could design a better program. Using an...

How to keep your information secure? Toward a better understanding of users security behavior

Use of computers and the Internet is an integral part of our lives, with business becoming more digital. As a result, individuals are using their home computers to perform diverse tasks and to store sensitive data. This paper investigates the relative efficacy of two strategies to protect home computers from security threats: security tools and...

A systematic review of current cybersecurity training methods

Cybersecurity continues to be a growing issue, with cyberattacks causing financial losses and loss of productivity and reputation. Especially in an organisational setting, end-user behaviour plays an essential role in achieving a high level of cybersecurity. One way to improve end-user cybersecurity behaviour is through comprehensive training programmes.There are many contradictory statements and findings with...

A taxonomy of SETA methods and linkage to delivery preferences

Cybersecurity threats targeting users are common in today’s information systems. Threat actors exploit human behavior to gain unauthorized access to systems and data. The common suggestion for addressing this problem is to train users to behave better using SETA programs. The notion of training users is old, and several SETA methods are described in scientific...

Habit

This paper discusses three distinct concepts related to habits: the differences between habitual and non-habitual states of consciousness; a hierarchy of habits; and the development of habits which depends on repetition, attention, intensity of the experience, and the plasticity of the nervous system.

Content analysis of persuasion principles in mobile instant message phishing

The popularity of Mobile Instant Messaging (MIM) Applications (apps) presents cybercriminals with a new venue for sending deceptive messages, known as ‘Phishing’. MIM apps often lack technical safeguards to shield users from these messages. The first step towards developing anti-phishing solutions to identify phishing messages in any attack vector is understanding the nature of the...

Encouraging organisational information security incident reporting

21st-century organisations can only learn how to respond effectively to, and recover from, adverse information security incidents if their employees report any incidents they notice. This should happen irrespective of whether or not they themselves triggered the incident. Organisations have started to inform their employees about their incident reporting obligations. However, there is little research...

Is the key to phishing training persistence?: Developing a novel persistent intervention

Most previous phishing interventions have employed discrete training approaches, such as brief instructions aimed at improving phishing detection. However, these discrete interventions have demonstrated limited success. The present studies focused on developing an alternative to discrete training by providing college-age adults with a persistent classification aid that guided them on what characteristics a phishing email...

Emotional cost of cyber crime and cybersecurity protection motivation behaviour: A systematic literature review

The impact of a cyberattack on an organisation is multifaceted, at the employee level, cyber threat is a sensitive issue which needs further understanding. Founded in psychology research, emotions affect protection motivation behaviours at the individual level in the context of cybersecurity. The majority of the research studies focus on how external factors affect employees'...

Cyber resilient behavior: integrating human behavioral models and resilience engineering capabilities into cyber security

Cybercrime is on the rise. With the ongoing digitization of our society, it is expected that, sooner or later, all organizations have to deal with cyberattacks; hence organizations need to be more cyber resilient. This paper presents a novel framework of cyber resilience, integrating models from resilience engineering and human behavior. Based on a pilot...

Investigating cyber security awareness among preservice teachers during the COVID-19 pandemic

South African institutions of higher education suffered serious disruptions during the COVID-19 pandemic which, resulted in migrating most teaching and learning activities to various online platforms, of which many depended on the open web. This has the potential to expose lecturers and students to cyber security threats and risks. As such cyber security awareness (CSA)...

“Employees who don’t accept the time security takes are not aware enough”: The CISO view of human-centred security

In larger organisations, the security controls and policies that protect employees are typically managed by a Chief Information Security Officer (CISO). In research, industry, and policy, there are increasing efforts to relate principles of human behaviour interventions and influence to the practice of the CISO, despite these being complex disciplines in their own right. Here...

Perfecting your phish simulations — The 85% sweet spot for optimal learning

I don’t normally choose Phishing as a research topic because I think the literature is saturated with insights. However, I see that many companies struggle with a few important details when it comes to Phishing simulations: What is the optimal Phishing simulation click rate and what it entails How to achieve the optimal Phishing simulation...

From compliance to impact: Tracing the transformation of an organizational security awareness Program

There is a growing recognition of the need for a transformation from organizational security awareness programs focused on compliance − measured by training completion rates − to those resulting in behavior change. However, few prior studies have begun to unpack the organizational practices of the security awareness teams tasked with executing program transformation. We conducted...