Research Library

The world’s first globally accessible archive of research into the human aspect of cybersecurity and behavioral science as applied to cybersecurity awareness and online behavioral change.

To see the latest studies from pioneering academics, scroll down.

From compliance to impact: Tracing the transformation of an organizational security awareness Program

There is a growing recognition of the need for a transformation from organizational security awareness programs focused on compliance − measured by training completion rates − to those resulting in behavior change. However, few prior studies have begun to unpack the organizational practices of the security awareness teams tasked with executing program transformation. We conducted...

Characterizing and measuring maliciousness for cybersecurity risk assessment

Cyber attacks have been increasingly detrimental to networks, systems, and users, and are increasing in number and severity globally. To better predict system vulnerabilities, cybersecurity researchers are developing new and more holistic approaches to characterizing cybersecurity system risk. The process must include characterizing the human factors that contribute to cyber security vulnerabilities and risk. Rationality,...

Nothing ventured, nothing gained. Profiles of online activity, cyber-crime exposure, and security measures of end-users in European Union

We use large-scale survey data from the Eurobarometer 77.2/2012 to explore variability in online activity, cyber-crime exposure, and security measures of end-users in European Union (EU27). While cyber-security is a high-priority activity for security experts and researchers, end-users conduct it in the context of their daily lives, as a socially accountable and resource-limited activity. We...

Development of a new ‘human cyber-resilience scale’

While there has been an upsurge in interest in cyber resilience in organizations, we know little about the resilience of individuals to cyber attacks. Cyber resilience in a domestic or non-work setting is important because we know that the majority of people will face cyber threats in their use of technology across a range of...

Developing metrics to assess the effectiveness of cybersecurity awareness program

Cybersecurity awareness (CSA) is not just about knowing, but also transforming things learned into practice. It is a continuous process that needs to be adjusted in subsequent iterations to improve its usability as well as sustainability. This is possible only if a CSA program is reviewed and evaluated timely. Review and evaluation of an awareness...

A methodology for quantifying the level of cybersecurity awareness

According to the yearly publication of Dutch National Cyber Security Center of the current cyber security situation of the country (Cyber Security Beeld Nederland -CSBN- 2017) a cyber-attack originated in 91% of the investigated cases from some form of phishing. This is in line with data from the SysAdmin, Audit, Network and Security (SANS)...

2022 Cost of insider threats global report

The first Cost of Insider Threats: Global study was conducted in 2016 and focused exclusively on companies in North America. Since then, the research has expanded to include organizations in Europe, Middle East, Africa and Asia-Pacific with a global headcount of 500 to more than 75,000. In this year’s study, we interviewed 1,004 IT and...

Blind Spot: Do You Know the Effectiveness of Your Information Security Awareness-Raising Program?

Information and IT security awareness-raising measures and the evaluation of these measures are an indispensable part of today’s information and knowledge society. While the number of firms that apply such measures is increasing, surveys of corporations show that it is unusual for these measures to be accompanied by specific in-depth evaluations of their effectiveness. Since...

About the Measuring of Information Security Awareness: A Systematic Literature Review

To make employees aware of their important role for information security, companies typically carry out security awareness campaigns. The success and effectiveness of those campaigns has to be measured to justify the budget for example. Therefore, we did a systematic literature review in order to learn how information security awareness (ISA) is measured in theory...

Phishing in organizations: findings from a large-scale and long-term study

In this paper, we present findings from a large-scale and long-term phishing experiment that we conducted in collaboration with a partner company. Our experiment ran for 15 months during which time more than 14,000 study participants (employees of the company) received different simulated phishing emails in their normal working context. We also deployed a reporting...