Research Library

The world’s first globally accessible archive of research into the human aspect of cybersecurity and behavioral science as applied to cybersecurity awareness and online behavioral change.

To see the latest studies from pioneering academics, scroll down.

The Behavior Grid: 35 ways behavior can change

This paper presents a new way of categorizing behavior change in a framework called the Behavior Grid. This preliminary work shows 35 types of behavior along two categorical dimensions. To demonstrate the analytical potential for the Behavior Grid, this paper maps behavior goals from Facebook onto the framework, revealing potential patterns of intent. To show...

Employee behavior: the psychological gateway for cyberattacks

Purpose – Cyberattacks have become a major threat to small and medium-sized enterprises. Their prevention efforts often prioritize technical solutions over human factors, despite humans posing the greatest risk. This article highlights the importance of developing tailored behavioral interventions. Through qualitative interviews, we identified three persona types with different psychological biases that increase the risk...

A systematic review of current cybersecurity training methods

Cybersecurity continues to be a growing issue, with cyberattacks causing financial losses and loss of productivity and reputation. Especially in an organisational setting, end-user behaviour plays an essential role in achieving a high level of cybersecurity. One way to improve end-user cybersecurity behaviour is through comprehensive training programmes. There are many contradictory statements and findings with...

Habit

This paper discusses three distinct concepts related to habits: the differences between habitual and non-habitual states of consciousness; a hierarchy of habits; and the development of habits which depends on repetition, attention, intensity of the experience, and the plasticity of the nervous system.

Nothing ventured, nothing gained. Profiles of online activity, cyber-crime exposure, and security measures of end-users in European Union

We use large-scale survey data from the Eurobarometer 77.2/2012 to explore variability in online activity, cyber-crime exposure, and security measures of end-users in European Union (EU27). While cyber-security is a high-priority activity for security experts and researchers, end-users conduct it in the context of their daily lives, as a socially accountable and resource-limited activity. We...

How to deal with individuals who repeatedly fail phishing simulations

In most companies, a small percentage of employees repeatedly fail phishing simulations. These “repeat responders” should be addressed through frequent phishing exercises to build muscle memory in identifying a phish. The cybersecurity team should work to identify what other resources are needed to reduce the tendency for repeat responders, i.e., identify process or technology updates...

Investigation of human weaknesses in organizational cybersecurity: A meta-analytic approach

The rapid proliferation of digital technology and the increasing reliance on digital systems have made cybersecurity a critical concern for organizations and individuals worldwide. While technical solutions have been the primary focus in addressing cybersecurity threats, the human element has often been overlooked, despite evidence suggesting that human behavior is a significant contributor to cybersecurity...

Bottom-up psychosocial interventions for interdependent privacy: Effectiveness based on individual and content differences

Although a great deal of research has examined interventions to help users protect their own information online, less work has examined methods for reducing interdependent privacy (IDP) violations on social media (i.e., sharing of other people's information). This study tested the effectiveness of concept-based (i.e., general information), fact-based (i.e., statistics), and narrative-based (i.e., stories) educational...

Developing metrics to assess the effectiveness of cybersecurity awareness program

Cybersecurity awareness (CSA) is not just about knowing, but also transforming things learned into practice. It is a continuous process that needs to be adjusted in subsequent iterations to improve its usability as well as sustainability. This is possible only if a CSA program is reviewed and evaluated timely. Review and evaluation of an awareness...

SCENE: A structured means for creating and evaluating behavioral nudges in a cyber security environment

Behavior-change interventions are common in some areas of human-computer interaction, but rare in the domain of cybersecurity. This paper introduces a structured approach to working with organisations in order to develop such behavioral interventions or ‘nudges’. This approach uses elements of co-creation together with a set of prompts from the behavior change literature (MINDSPACE) that...

The nudge puzzle: Matching nudge interventions to cybersecurity decisions

Nudging is a promising approach, in terms of influencing people to make advisable choices in a range of domains, including cybersecurity. However, the processes underlying the concept and the nudge’s effectiveness in different contexts, and in the long term, are still poorly understood. Our research thus first reviewed the nudge concept and differentiated it from...

Toward sustainable behaviour change: An approach for cyber security education training and awareness

Effective information security education, training and awareness (SETA) is essential for protecting organisational information resources. Whilst most organisations invest significantly in implementing SETA programs, the number of incidents resulting from employee noncompliance with security policy is increasing. This trend may indicate that many current SETA programs are not as effective as they should be. We...

Cyber security awareness campaigns: Why do they fail to change behaviour?

The present paper focuses on Cyber Security Awareness Campaigns, and aims to identify key factors regarding security which may lead them to failing to appropriately change people’s behaviour. Past and current efforts to improve information-security practices and promote a sustainable society have not had the desired impact. It is important therefore to critically reflect on...

Cybersecurity risk management in small and medium-sized enterprises; A systematic review of recent evidence

Although small and medium-sized enterprises (SMEs) have been encouraged to take advantage of any possible business opportunities by utilizing and adopting new technologies such as cloud computing services, there is a huge misunderstanding of their cyber threats from the management perspective. Underestimation of cybersecurity threats by SMEs leads to an increase in their vulnerabilities and risks, which...

Rebooting IT security awareness – How organisations can encourage and sustain secure behaviours

Most organisations are using online security awareness training and simulated phishing attacks to encourage their employees to behave securely. Buying off-the-shelf training packages and making it mandatory for all employees to complete them is easy, and satisfies most regulatory and audit requirements, but does not lead to secure behaviour becoming a routine. In this paper,...

What influences employees to follow security policies?

Incorporating the Value of Congruence Model (VC), the Theory of Planned Behavior Model (TPB), and Security-Conscious Care Behavior, this study demonstrates that cybersecurity behavior can be effectively influenced through straightforward and cost-efficient measures. Such an approach offers substantial advantages to companies seeking to protect their assets. By analyzing data from 193 respondents, the research underscores...

Avoid being a victim of social engineering attack during the COVID-19 pandemic

This article delves into the impact of the COVID-19 pandemic on the proliferation of social technology attacks. It discusses the implications of these emerging threats and offers strategies for addressing them. By examining various known threats associated with coronaviruses, this report provides valuable insights and recommendations for entities and enterprises. Furthermore, the study explores the...

Mindfulness and cybersecurity behavior: A comparative analysis of rational and intuitive cybersecurity decisions

Despite substantial investments in technological solutions to bolster cybersecurity, human factors, such as employees falling for phishing attacks, remain a significant vulnerability that can undermine even the most advanced security systems. Drawing upon dual-process theories of cognition, this study posits that a brief mindfulness practice may mitigate automatic responses to phishing attempts by improving rational...

How to launch a behavior-change revolution

A team spearheaded by University of Pennsylvania researchers has launched an ambitious research project called Behavior Change for Good. The project will attempt to determine the best behavioural-change practices in three areas: health, education and personal finance. It will test many ideas with the ultimate aim of uncovering how best to change human behaviour.