Research Library

The world’s first globally accessible archive of research into the human aspect of cybersecurity and behavioral science as applied to cybersecurity awareness and online behavioral change.

To see the latest studies from pioneering academics, scroll down.

Content analysis of persuasion principles in mobile instant message phishing

The popularity of Mobile Instant Messaging (MIM) Applications (apps) presents cybercriminals with a new venue for sending deceptive messages, known as ‘Phishing’. MIM apps often lack technical safeguards to shield users from these messages. The first step towards developing anti-phishing solutions to identify phishing messages in any attack vector is understanding the nature of the...

Emotional cost of cyber crime and cybersecurity protection motivation behaviour: A systematic literature review

The impact of a cyberattack on an organisation is multifaceted, at the employee level, cyber threat is a sensitive issue which needs further understanding. Founded in psychology research, emotions affect protection motivation behaviours at the individual level in the context of cybersecurity. The majority of the research studies focus on how external factors affect employees'...

Investigating cyber security awareness among preservice teachers during the COVID-19 pandemic

South African institutions of higher education suffered serious disruptions during the COVID-19 pandemic, which resulted in migrating most teaching and learning activities to various online platforms, of which many depended on the open web. This has the potential to expose lecturers and students to cyber security threats and risks. As such cyber security awareness (CSA)...

“Repeat Offenders” in cyber security – Black hat Europe executive summit 2021 keynote

What is the problem with so-called “repeat offenders”? We can answer that question in two ways. The easy way, and the right way. Let’s start with the simple answer. Many people would say that the problem with “repeat offenders” is repeat incidents, or at least repeat near misses. I know that’s the topic of discussion...

The enduring mystery of the repeat Clickers

Individuals within an organization who repeatedly fall victim to phishing emails, referred to as Repeat Clickers, present a significant security risk to the organizations within which they operate. The causal factors for Repeat Clicking are poorly understood. This paper argues that this behavior afflicts a persistent minority of users and is explained as either the...

Understanding digital-safety experiences of Youth in the U.S.

The seamless integration of technology into the lives of youth has raised concerns about their digital safety. While prior work has explored youth experiences with physical, sexual, and emotional threats—such as bullying and trafficking—a comprehensive and in-depth understanding of the myriad threats that youth experience is needed. By synthesizing the perspectives of 36 youth and...

Bottom-up psychosocial interventions for interdependent privacy: Effectiveness based on individual and content differences

Although a great deal of research has examined interventions to help users protect their own information online, less work has examined methods for reducing interdependent privacy (IDP) violations on social media (i.e., sharing of other people's information). This study tested the effectiveness of concept-based (i.e., general information), fact-based (i.e., statistics), and narrative-based (i.e., stories) educational...

SCENE: A structured means for creating and evaluating behavioral nudges in a cyber security environment

Behavior-change interventions are common in some areas of human-computer interaction, but rare in the domain of cybersecurity. This paper introduces a structured approach to working with organisations in order to develop such behavioral interventions or ‘nudges’. This approach uses elements of co-creation together with a set of prompts from the behavior change literature (MINDSPACE) that...

The nudge puzzle: Matching nudge interventions to cybersecurity decisions

Nudging is a promising approach, in terms of influencing people to make advisable choices in a range of domains, including cybersecurity. However, the processes underlying the concept and the nudge’s effectiveness in different contexts, and in the long term, are still poorly understood. Our research thus first reviewed the nudge concept and differentiated it from...

Toward sustainable behaviour change: An approach for cyber security education training and awareness

Effective information security education, training and awareness (SETA) is essential for protecting organisational information resources. Whilst most organisations invest significantly in implementing SETA programs, the number of incidents resulting from employee noncompliance with security policy are increasing. This trend may indicate that many current SETA programs are not as effective as they should be. We...

Towards an improved understanding of human factors in cybersecurity

Cybersecurity cannot be addressed by technology alone; the most intractable aspects are in fact sociotechnical. As a result, the 'human factor' has been recognised as being the weakest and most obscure link in creating safe and secure digital environments. This study examines the subjective and often complex nature of human factors in the cybersecurity context...

Cyber security awareness campaigns: Why do they fail to change behaviour?

The present paper focuses on Cyber Security Awareness Campaigns, and aims to identify key factors regarding security which may lead them to failing to appropriately change people’s behaviour. Past and current efforts to improve information-security practices and promote a sustainable society have not had the desired impact. It is important therefore to critically reflect on...

Cybersecurity risk management in small and medium-sized enterprises; A systematic review of recent evidence

Small and medium-sized enterprises (SMEs) have been encouraged to take advantage of any possible business opportunities by utilizing and adopting new-technologies such as cloud computing services, there is a huge misunderstanding of their cyber threats from the management perspective. Underestimation of cybersecurity threats by SMEs leads to an increase in their vulnerabilities and risks, which...

Rebooting IT security awareness – How organisations can encourage and sustain secure behaviours

Most organisations are using online security awareness training and simulated phishing attacks to encourage their employees to behave securely. Buying off-the-shelf training packages and making it mandatory for all employees to complete them is easy, and satisfies most regulatory and audit requirements, but does not lead to secure behaviour becoming a routine. In this paper,...

Client-Side Counter Phishing Application Using Adaptive Neuro-Fuzzy Inference System

Phishing is an online scam which involves identity theft of unsuspecting users, by which an attacker steals the personal information of users, such as user ID or password. E-mails, instant messaging and web pages are used in carrying out such attacks, out of which Phishing using e-mails is the most dominant method. E-mails containing hyperlinks...

Detect phishing by checking content consistency

Phishing is a form of cybercrime used to lure a victim to reveal his/her sensitive personal information to fraudulent web pages. To protect users from phishing attacks, many anti-phishing techniques have been proposed to block suspicious web pages, which are identified against registered blacklists, or checked by search engines. However, such approaches usually have difficulty...

Real time detection of phishing websites

Web Spoofing lures the user to interact with the fake websites rather than the real ones. The main objective of this attack is to steal the sensitive information from the users. The attacker creates a ‘shadow’ website that looks similar to the legitimate website. This fraudulent act allows the attacker to observe and modify any...

Presenting Suspicious Details in User-Facing E-mail Headers Does Not Improve Phishing Detection

Phishing requires humans to fall for impersonated sources. Sender authenticity can often be inferred from e-mail header information commonly displayed by e-mail clients, such as sender and recipient details. People may be biased by convincing e-mail content and overlook these details, and subsequently fall for phishing. This study tests whether people are better at detecting...

Designing and conducting phishing experiments

We describe ethical and procedural aspects of setting up and conducting phishing experiments, drawing on experience gained from being involved in the design and execution of a sequence of phishing experiments (second author), and from being involved in the review of such experiments at the Institutional Review Board (IRB) level (first author). We describe the...

A phish scale: rating human phishing message detection difficulty

As organizations continue to invest in phishing awareness training programs, many Chief Information Security Officers (CISOs) are concerned when their training exercise click rates are high or variable, as they must justify training budgets to those who question the efficacy of training when click rates are not declining. We argue that click rates should be...