Research Library

The world’s first globally accessible archive of research into the human aspect of cyber security and behavioural science as applied to cyber security awareness and online behavioural change.

To see the latest studies from pioneering academics, scroll down.

The present paper focuses on Cyber Security Awareness Campaigns, and aims to identify key factors regarding security which may lead them to failing to appropriately change people’s behaviour. Past and current efforts to improve information-security practices and promote a sustainable society have not had the desired impact. It is important therefore to critically reflect on the challenges involved in improving information-security behaviours for citizens, consumers and employees. In particular, our work considers these challenges from a Psychology perspective, as we believe that understanding how people perceive risks is critical to creating effective awareness campaigns. Changing behaviour requires more than providing information about risks and reactive behaviours – firstly, people must be able to understand and apply the

The present report is concerned with human aspects of cybersecurity including not only psychology and sociology, but also ethnography, anthropology, human biology, behavioural economics and any other subject that takes humans as its main focal point.
Authors: ENISA

This paper proposes 10 cyber security challenges that need to be addressed, in an attempt to spark discussion about the global approach to cyber security.
Authors: Richard Horne PwC

This paper proposes a multi-layered approach to defending your organisation against phishing attacks, condensed into four layers. At each layer, the authors recommend tactical interventions to help organisations achieve this multi-layered security.
Authors: NCSC, CPNI
 
Creative security engagements can take many forms and can be configured in different ways but they follow a similar pattern of actions: Frame, Identity, Process, Narrate. The process is not a linear, step-by-step process but an iterative one where the Facilitator of a creative security engagement responds dynamically to the pace and the interests of the participants in an engagement. Prior to the creative security engagement taking place, the Facilitator works with a particular community to identify the topic of the engagement, identify the appropriate medium through which to conduct the engagement and agree how the engagement might benefit the participant group. In this booklet, we outline the roles that routinely appear in a creative security engagement

This report summarises key findings from ‘The Global State of Information Security Survey 2018’, which surveyed 9,500 global C-suite executives and directors about their organisation’s security practices. The report identifies and expands on nine data privacy and trust insights drawn from the survey.
Authors: PwC
 
Creative security engagement is an approach that helps participants to draw out the details of day-to-day security practices. As a result, such engagement methods are not only able to sketch out issues related to IT infrastructure and its use but also the everyday security issues that arise through the building and maintenance of relationships with individuals, organisations and governments. Everyday security relates to an individual’s mundane, day-to-day security concerns and the daily routines and practices that are used to respond to these concerns. It is important to understand, engage with and respond to these everyday issues because this is where challenges related to information production, sharing and protection are situated.
Authors: Royal Holloway,

Sharing experiences about digital practices and about digital security in particular is an important means of learning and sharing security practices. These stories are also important because they bring out the difficulties and inconsistencies people face in day-to-day situations that give rise to everyday digital security concerns. In this booklet series we introduce a number of engagement practices and methods that can be used to structure conversations about digital security in day-to-day situations. These conversations make it easier for information security practitioners and researchers to identify where interventions might be needed to adjust information security sharing and protection practices or to adjust the security policies and technologies. We have developed these engagement practices and methods from eight

This report is designed to educate and inform organisations on the cyber threat landscape. It explores what to consider when disaster strikes and explains the importance of people and partnerships.
Authors: Microsoft
 
A set of best practice guidelines published by the WFE designed to encourage a culture of cyber security compliance, including ideas on behavioural incentives, cultural incentives and operational support.
Authors: WFE

Through a series of qualitative interviews with 19 participants, this study looked into and reported several factors influencing employees’ security behaviour at home.
Authors: Joseph Omidosu, Jacques Ophoff
 
This paper sets out a framework that might allow those who use healthcare personal monitoring devices (such as fitness trackers) to better protect their personal information.
Authors: Asanka I Pathirana, Patricia A H Williams
 
This study used two techniques to ensure people accurately reported attitudes on information security in the workplace. A key finding was those who believed information security to be the responsibility of the organisation felt security risks to be overstated, whereas those who believed information security to be the responsibility of individuals felt warnings over security risks were valid and justified.
Authors: D. Ashenden
 
This study looked into how individual differences and national culture impacted participants’ responses to phishing and spear-phishing emails. The study found a national culture that promoted the needs of the individual (rather than the needs of society) increased the likelihood of phishing and spear-phishing emails being accurately identified. The same study found impulsiveness decreased the chances of phishing emails being identified but the same was not true of spear-phishing emails. Finally, the study found individual differences had an effect on users’ ability to spot malicious emails.
Authors: Marcus Butavicius, Kathryn Parsons, Malcolm Pattinson, Agata McCormac, Dragana Calic, Meredith Lillie
 
This study examined the relationship between Information Security Awareness (ISA), resilience and work stress, finding greater resilience to be associated with higher ISA and lower work stress.
Authors: Agata McCormac, Dragana Calic, Marcus Butavicius, Kathryn Parsons, Malcolm Pattinson, Meredith Lillie

This study examined the relationship between perception of risk, organisational commitment, and Information Security Awareness (ISA), finding both organisational commitment and perception of personal risk to be significant predictors of ISA. Surprisingly, frequency of workplace information security training negatively affected ISA.
Authors: A. Reeves, K. Parsons and D. Calic

ideas42 aims to help solve difficult social problems using insights from behavioural science. In this instance, the problem in question is the human aspect of cyber security. The paper applies psychology and behavioural science principles to common cyber security issues such as phishing, unsecure public Wi-Fi and poor passwords.
Authors: Alex Blau, Alexandra Alhadeff, Michael Stern, Scott Stinson, Josh Wright, ideas42

This framework is designed to help embed and sustain security behaviours in employees. The framework is condensed into 5Es (Educate, Enable, Environment, Encourage, Evaluate) and explains how to implement these using examples and tactical interventions.
Authors: CPNI
 
A team spearheaded by University of Pennsylvania researchers has launched an ambitious research project called Behavior Change for Good. The project will attempt to determine the best behavioural-change practices in three areas: health, education and personal finance. It will test many ideas with the ultimate aim of uncovering how best to change human behaviour.
Authors: Steven D Levitt & Steven J Dubner
 
Background: We reflect on a methodology for developing scenario-based security behaviour surveys that evolved through deployment in two large partner organisations (A & B). In each organisation, scenarios are grounded in workplace tensions between security and employees’ productive tasks. These tensions are drawn from prior interviews in the organisation, rather than using established but generic questionnaires. Survey responses allow clustering of participants according to predefined groups. Aim: We aim to establish the usefulness of framing survey questions around active security controls and problems experienced by employees, by assessing the validity of the clustering. We introduce measures for the appropriateness of the survey scenarios for each organisation and the quality of candidate answer options. We use these scores