Over the past 20 years, there has been a growing body of research into the underlying causes of security failures and the role of human factors. The insight that has emerged is that security measures are not adopted because humans are treated as components whose behaviour can be specified through security policies, and controlled through...
Human Factors Knowledge Area
Human systems integration approach to cyber security
The NATO Science and Technology Organization (STO) Human Factors and Medicine (HFM) Panel 259 Research Task Group (RTG), titled Human Systems Integration Approach to Cyber Security, was established to promote cooperative human-centred research activities in a NATO framework on the complex phenomenon of cyber security as a socio-technical system. The idea was to implement a...
2022 Cost of insider threats global report
The first Cost of Insider Threats: Global study was conducted in 2016 and focused exclusively on companies in North America. Since then, the research has expanded to include organizations in Europe, Middle East, Africa and Asia-Pacific with a global headcount of 500 to more than 75,000. In this year’s study, we interviewed 1,004 IT and...
Remote working and in(security): The impact of pandemic-driven remote working on employee wellbeing, the psychological contract and cyber security
Remote working during the COVID-19 pandemic has had, and continues to have, a great impact on the workforce. Through interviews with senior cyber security professionals, this research explored how the traditional dynamics between employees and leadership have adapted in such times, responding to a rapidly evolving cyber threat landscape, as well as an unpredictable period...
Cyber security culture guidelines: Behavioural aspects of cyber security
The present report is concerned with human aspects of cybersecurity including not only psychology and sociology, but also ethnography, anthropology, human biology, behavioural economics and any other subject that takes humans as its main focal point.
Nudging online security behaviour with warning messages
Researchers tested the effectiveness of 9 different ways of warning users about cyber security threats. Making users aware of the steps they could take to minimise risk was effective in triggering more secure behaviour. Gain-framed messages, loss-framed messages and a message from a male anthropomorphic character triggered more secure behaviours. Interestingly, although the above interventions...
Evaluating behaviour change in international development operations: A new framework
On behalf of the World Bank, this paper's authors develop a tool to evaluate behaviour change interventions in the development sector. The tool can be used to assess the prevalence and integration of behaviour change concepts into the life cycle of a behaviour change intervention.
Sensitizing employees’ corporate IS security risk perception
Motivated by recent practical observations of employees’ unapproved sourcing of cloud services at work, this study empirically evaluates bring your own cloud (BYOC) policies and social interactions of the IT department to sensitize employees’ security risk perception. Based on social information processing theory, BYOC strategies varying in the level of restriction from the obligatory, recommended,...
EAST: Four simple ways to apply behavioural insights
Following extensive engagement with policy makers through lectures, seminars, workshops, and discussions, the UK government's Behavioral Insights Team has distilled years of insights into a simplified framework designed to promote behavioral change. According to their approach, to facilitate the adoption of a new behavior, it should align with the following principles, conveniently summarized as "EAST":...
Using behavioural insights to improve the public’s use of cyber security best practices
Behavioural change theory suggests influencers of behavioural change include environmental factors (such as technological design), social influencers (such as peers or family) and personal influencers (such as what we know and believe). Using the MINDSPACE framework helps design behaviour change interventions built on sound theories, maximising the chances of behaviour change. Interestingly, this paper notes...
The millennial cybersecurity project: Improving awareness of and modifying risky behavior in cyberspace
The underlying premise of the Millennial Cybersecurity Project is that the best way to communicate with millennials is through the language of technology. Most organizations today employ communications strategies that are better suited to previous generations. Instead of more traditional text-based materials and face-to-face interactions, this project demonstrates that risky behaviors can be reduced by...
Assessing the impact of security culture and the employee-organization relationship on IS security compliance
IS security advocates recommend strategies that shape user behavior as part of an overall information security management program. A major challenge for organizations is encouraging employees to comply with IS security policies. This paper examines the influence of security-related and employee organization relationship factors on users’ IS security compliance decisions. Specifically, we predict that security...
MINDSPACE: Influencing behaviour through public policy
In an effort to aid policy makers seeking to change behaviour, a team of researchers summarise nine non-coercive influencers of human behaviour: the messenger (who a message comes from); incentives (such as loss avoidance); norms (what other people already do); defaults (i.e., maintaining the status quo); salience (the novel and interesting); priming (acting after subconscious...