Cybersecurity continues to be a growing issue, with cyberattacks causing financial losses and loss of productivity and reputation. Especially in an organisational setting, end-user behaviour plays an essential role in achieving a high level of cybersecurity. One way to improve end-user cybersecurity behaviour is through comprehensive training programmes.There are many contradictory statements and findings with...
A systematic review of current cybersecurity training methods
Habit
This paper discusses three distinct concepts related to habits: the differences between habitual and non-habitual states of consciousness; a hierarchy of habits; and the development of habits which depends on repetition, attention, intensity of the experience, and the plasticity of the nervous system.
Nothing ventured, nothing gained. Profiles of online activity, cyber-crime exposure, and security measures of end-users in European Union
We use large-scale survey data from the Eurobarometer 77.2/2012 to explore variability in online activity, cyber-crime exposure, and security measures of end-users in European Union (EU27). While cyber-security is a high-priority activity for security experts and researchers, end-users conduct it in the context of their daily lives, as a socially accountable and resource-limited activity. We...
How to deal with individuals who repeatedly fail phishing simulations
In most companies, a small percentage of employees repeatedly fail phishing simulations. These “repeat responders” should be addressed through frequent phishing exercises to build muscle memory in identifying a phish. The cybersecurity team should work to identify what other resources are needed to reduce the tendency for repeat responders, i.e., identify process or technology updates...
Investigation of human weaknesses in organizational cybersecurity: A meta-analytic approach
The rapid proliferation of digital technology and the increasing reliance on digital systems have made cybersecurity a critical concern for organizations and individuals worldwide. While technical solutions have been the primary focus in addressing cybersecurity threats, the human element has often been overlooked, despite evidence suggesting that human behavior is a significant contributor to cybersecurity...
Bottom-up psychosocial interventions for interdependent privacy: Effectiveness based on individual and content differences
Although a great deal of research has examined interventions to help users protect their own information online, less work has examined methods for reducing interdependent privacy (IDP) violations on social media (i.e., sharing of other people's information). This study tested the effectiveness of concept-based (i.e., general information), fact-based (i.e., statistics), and narrative-based (i.e., stories) educational...
Developing metrics to assess the effectiveness of cybersecurity awareness program
Cybersecurity awareness (CSA) is not just about knowing, but also transforming things learned into practice. It is a continuous process that needs to be adjusted in subsequent iterations to improve its usability as well as sustainability. This is possible only if a CSA program is reviewed and evaluated timely. Review and evaluation of an awareness...
SCENE: A structured means for creating and evaluating behavioral nudges in a cyber security environment
Behavior-change interventions are common in some areas of human-computer interaction, but rare in the domain of cybersecurity. This paper introduces a structured approach to working with organisations in order to develop such behavioral interventions or ‘nudges’. This approach uses elements of co-creation together with a set of prompts from the behavior change literature (MINDSPACE) that...
The nudge puzzle: Matching nudge interventions to cybersecurity decisions
Nudging is a promising approach, in terms of influencing people to make advisable choices in a range of domains, including cybersecurity. However, the processes underlying the concept and the nudge’s effectiveness in different contexts, and in the long term, are still poorly understood. Our research thus first reviewed the nudge concept and differentiated it from...
Toward sustainable behaviour change: An approach for cyber security education training and awareness
Effective information security education, training and awareness (SETA) is essential for protecting organisational information resources. Whilst most organisations invest significantly in implementing SETA programs, the number of incidents resulting from employee noncompliance with security policy are increasing. This trend may indicate that many current SETA programs are not as effective as they should be. We...
Cyber security awareness campaigns: Why do they fail to change behaviour?
The present paper focuses on Cyber Security Awareness Campaigns, and aims to identify key factors regarding security which may lead them to failing to appropriately change people’s behaviour. Past and current efforts to improve information-security practices and promote a sustainable society have not had the desired impact. It is important therefore to critically reflect on...
Cybersecurity risk management in small and medium-sized enterprises; A systematic review of recent evidence
Small and medium-sized enterprises (SMEs) have been encouraged to take advantage of any possible business opportunities by utilizing and adopting new-technologies such as cloud computing services, there is a huge misunderstanding of their cyber threats from the management perspective. Underestimation of cybersecurity threats by SMEs leads to an increase in their vulnerabilities and risks, which...
Rebooting IT security awareness – How organisations can encourage and sustain secure behaviours
Most organisations are using online security awareness training and simulated phishing attacks to encourage their employees to behave securely. Buying off-the-shelf training packages and making it mandatory for all employees to complete them is easy, and satisfies most regulatory and audit requirements, but does not lead to secure behaviour becoming a routine. In this paper,...
A systematic review of current cybersecurity training methods
Cybersecurity continues to be a growing issue, with cyberattacks causing financial losses and loss of productivity and reputation. Especially in an organisational setting, end-user behaviour plays an essential role in achieving a high level of cybersecurity. One way to improve end-user cybersecurity behaviour is through comprehensive training programmes.There are many contradictory statements and findings with...
What influences employees to follow security policies?
Incorporating the Value of Congruence Model (VC), the Theory of Planned Behavior Model (TPB), and Security-Conscious Care Behavior, this study demonstrates that cybersecurity behavior can be effectively influenced through straightforward and cost-efficient measures. Such an approach offers substantial advantages to companies seeking to protect their assets. By analyzing data from 193 respondents, the research underscores...
Avoid being a victim of social engineering attack during the COVID-19 pandemic
This article delves into the impact of the COVID-19 pandemic on the proliferation of social technology attacks. It discusses the implications of these emerging threats and offers strategies for addressing them. By examining various known threats associated with coronaviruses, this report provides valuable insights and recommendations for entities and enterprises. Furthermore, the study explores the...
Mindfulness and cybersecurity behavior: A comparative analysis of rational and intuitive cybersecurity decisions
Despite substantial investments in technological solutions to bolster cybersecurity, human factors, such as employees falling for phishing attacks, remain a significant vulnerability that can undermine even the most advanced security systems. Drawing upon dual-process theories of cognition, this study posits that a brief mindfulness practice may mitigate automatic responses to phishing attempts by improving rational...
How to launch a behavior-change revolution
A team spear-headed by University of Pennsylvania researchers have launched an ambitious research project called Behavior Change for Good. The project will attempt to determine the best behavioural-change practices in three areas: health, education and personal finance. It will test many ideas with the ultimate aim of uncovering how best to change human behaviour.
Behavioural insights in public health England
The public health behavioural insights team offer a general introduction to behavioural economics, show how theories have been successfully applied to the public health sector and present a framework for designing behavioural change interventions.
Evaluating behaviour changed in international development operations: A new framework
On behalf of the World Bank, this paper's authors develop a tool to evaluate behaviour change interventions in the development sector. The tool can be used to assess the prevalence and integration of behaviour change concepts into the life cycle of a behaviour change intervention.