Select Page

Research Library

The world’s first globally accessible archive of research into the human aspect of cybersecurity and behavioral science as applied to cybersecurity awareness and online behavioral change.

To see the latest studies from pioneering academics, scroll down.

Do one more thing right today. Subscribe to the Behave Newsletter

Filter results by

Clear all filters

Selected filters

“Employees who don’t accept the time security takes are not aware enough”: The CISO view of human-centred security

In larger organisations, the security controls and policies that protect employees are typically managed by a Chief Information Security Officer (CISO). In research, industry, and policy, there are increasing efforts to relate principles of human behaviour interventions and influence to the practice of the CISO, despite these being complex disciplines in their own right. Here...

From compliance to impact: Tracing the transformation of an organizational security awareness Program

There is a growing recognition of the need for a transformation from organizational security awareness programs focused on compliance − measured by training completion rates − to those resulting in behavior change. However, few prior studies have begun to unpack the organizational practices of the security awareness teams tasked with executing program transformation. We conducted...

Characterizing and measuring maliciousness for cybersecurity risk assessment

Cyber attacks have been increasingly detrimental to networks, systems, and users, and are increasing in number and severity globally. To better predict system vulnerabilities, cybersecurity researchers are developing new and more holistic approaches to characterizing cybersecurity system risk. The process must include characterizing the human factors that contribute to cyber security vulnerabilities and risk. Rationality,...

Nothing ventured, nothing gained. Profiles of online activity, cyber-crime exposure, and security measures of end-users in European Union

We use large-scale survey data from the Eurobarometer 77.2/2012 to explore variability in online activity, cyber-crime exposure, and security measures of end-users in European Union (EU27). While cyber-security is a high-priority activity for security experts and researchers, end-users conduct it in the context of their daily lives, as a socially accountable and resource-limited activity. We...

Repeat clicking: A lack of awareness is not the problem

Although phishing is the most common social engineering tactic employed by cyber criminals, not everyone is equally susceptible. An important finding emerging across several research studies on phishing is that a subset of employees is especially susceptible to social engineering tactics and is responsible for a disproportionate number of successful phishing attempts. Sometimes referred to...

The enduring mystery of the repeat Clickers

Individuals within an organization who repeatedly fall victim to phishing emails, referred to as Repeat Clickers, present a significant security risk to the organizations within which they operate. The causal factors for Repeat Clicking are poorly understood. This paper argues that this behavior afflicts a persistent minority of users and is explained as either the...

Phishing for long tails: Examining organizational repeat clickers and protective stewards

Organizational cybersecurity efforts depend largely on the employees who reside within organizational walls. These individuals are central to the effectiveness of organizational actions to protect sensitive assets, and research has shown that they can be detrimental (e.g., sabotage and computer abuse) as well as beneficial (e.g., protective motivated behaviors) to their organizations. One major context...

Research on the effectiveness of cyber security awareness in ICS risk assessment frameworks

Assessing security awareness among users is essential for protecting industrial control systems (ICSs) from social engineering attacks. This research aimed to determine the effect of cyber security awareness on the emergency response to cyber security incidents in the ICS. Additionally, this study has adopted a variety of cyber security emergency response process measures and frameworks...

Social Phishing

Phishing is a form of social engineering in which an attacker attempts to fraudulently acquire sensitive information from a victim by impersonating a trustworthy third party. Phishing attacks today typically employ generalized “lures.” For instance, a phisher misrepresenting himself as a large banking corporation or popular on-line auction site will have a reasonable yield, despite...

Development of a new ‘human cyber-resilience scale’

While there has been an upsurge in interest in cyber resilience in organizations, we know little about the resilience of individuals to cyber attacks. Cyber resilience in a domestic or non-work setting is important because we know that the majority of people will face cyber threats in their use of technology across a range of...

What drives generation Z to behave security compliant? An extended analysis using the theory of planned behaviour

Cyber security remains a relevant topic for organisations. While companies invest in expensive security tools security awareness training often is neglected, even though human error still accounts for a large part of cyber incidents (Gartner, 2022). At the same time there is currently an important generational shift, as Generation Z (Gen Z) is starting to...

Developing metrics to assess the effectiveness of cybersecurity awareness program

Cybersecurity awareness (CSA) is not just about knowing, but also transforming things learned into practice. It is a continuous process that needs to be adjusted in subsequent iterations to improve its usability as well as sustainability. This is possible only if a CSA program is reviewed and evaluated timely. Review and evaluation of an awareness...

Employees attitude towards cyber security and risky online behaviours: An empirical assessment in the United Kingdom

The present study aimed to explore if the size of company an individual works for, age or attitudes towards cyber security affected frequency to engage in risky online behaviours. A total of 515 participants aged between 18-84 in full or part-time employment were asked to complete a questionnaire that consisted of two scales. One measured...

An ideal approach for detection and prevention of phishing attacks

Phishing is a treacherous attempt to embezzle personal information such as bank account details, credit card information, social security number, employment details, and online shopping account passwords and so on from internet users. Phishing, or stealing of sensitive information on the web, has dealt a major blow to Internet security in recent times. These attacks...

Social network security: issues, challenges, threats, and solutions

Networks are very popular in today’s world. Millions of people use various forms of social networks as they allow individuals to connect with friends and family, and share private information. However, issues related to maintaining the privacy and security of a user’s information can occur, especially when the user’s uploaded content is multimedia, such as...

Addressing the incremental risks associated with adopting bring your own device

Bring Your Own Device (BYOD) involves allowing employees to use their own mobile devices to access their organisations’ networks. Many organisations are embracing this trend as a means to cut information technology (IT) expenditure, enhance employee satisfaction, etc. However, these and other benefits come at a cost in the form of exposing an organisation to...

Online disclosure of personally identifiable information with strangers: effects of public and private sharing

Safeguarding personally identifiable information (PII) is crucial because such information is increasingly used to engineer privacy attacks, identity thefts and security breaches. But is it likely that individuals may choose to just share this information with strangers? This study examines how reciprocation can lead to the disclosure of PII between strangers in online social networking....

Quantifying phishing susceptibility for detection and behavior decisions

Objective: We use signal detection theory to measure vulnerability to phishing attacks, including variation in performance across task conditions.Background: Phishing attacks are difficult to prevent with technology alone, as long as technology is operated by people. Those responsible for managing security risks must understand user decision making in order to create and evaluate potential solutions.Method:...

Exploring susceptibility to phishing in the workplace

Phishing emails provide a means to infiltrate the technical systems of organisations by encouraging employees to click on malicious links or attachments. Despite the use of awareness campaigns and phishing simulations, employees remain vulnerable to phishing emails. The present research uses a mixed methods approach to explore employee susceptibility to targeted phishing emails, known as...

Suspicion, cognition, and automaticity model of phishing susceptibility

Social-psychological research on phishing has implicated ineffective cognitive processing as the key reason for individual victimization. Interventions have consequently focused on training individuals to better detect deceptive emails. Evidence, however, points to individuals sinking into patterns of email usage that within a short period of time results in an attenuation of the training effects. Thus,...