While training individuals on best practices in cybersecurity continues to be implemented, prior research has found that training people in the use of secure passwords has not proven to be effective. Developing profiles of individuals who are likely to become victims...
Research Library
The world’s first globally accessible archive of research into the human aspect of cyber security and behavioural science as applied to cyber security awareness and online behavioural change.
To see the latest studies from pioneering academics, scroll down.
A cyber security culture framework for assessing organisation readiness
This paper presents a cyber-security culture framework for assessing and evaluating the current security readiness of an organization’s workforce. Having conducted a thorough review of the most commonly used security frameworks, it identifies core security...
Unpacking the intention-behavior gap in privacy decision making for the internet of things (IoT) using aspect listing
Previous studies have observed an intention-behavior gap that has been labeled the “privacy paradox”: people disclose personal information (behavior) despite expressing negative sharing intentions (in surveys). However, this phenomenon has not been studied in the...
Refining the blunt instruments of cyber security: A framework to coordinate prevention and preservation of behaviours
Cybersecurity controls are deployed to manage risks posed by malicious behaviours or systems. What is not often considered or articulated is how cybersecurity controls may impact legitimate users (often those whose use of a managed system needs to be protected, and...
Categorizing human phishing difficulty: a Phish Scale
As organizations continue to invest in phishing awareness training programs, many chief information security officers (CISOs) are concerned when their training exercise click rates are high or variable, as they must justify training budgets to organization officials...
Passive- and not active-risk tendencies predict cyber security behavior
Vulnerabilities to online cyber-related crime are typically the result of poor decisions on the part of users. To date, research on risk-taking behavior applied to cyber-security situations has concentrated mainly on the risks that stem from active behavioral choices...
When believing in technology leads to poor cyber security: Development of a Trust in Technical Controls Scale
While technical controls can reduce vulnerabilities to cyber threats, no technology provides absolute protection and we hypothesised that people may act less securely if they place unwarranted trust in these automated systems. This paper describes the development of a...
Strengthen security culture through communications and awareness programs
Formally adopted security policies, well-defined security governance, and clear security-related roles in the business are prerequisites for a successful security program. But in the background behind the visible security governance and security program machinery is...
An investigation of phishing awareness and education over time: When and how to best remind users
Security awareness and education programmes are rolled out in more and more organisations. However, their effectiveness over time and, correspondingly, appropriate intervals to remind users’ awareness and knowledge are an open question. In an attempt to address this...
Theoretical domains framework applied to cyber security behaviour
The challenge of changing user cybersecurity behaviour is now in the foreground of cybersecurity research. To understand the problem, cybersecurity behaviour researchers have included, into their studies, theories from the Psychology domain. Psychology makes use of...