Research Library

The world’s first globally accessible archive of research into the human aspect of cyber security and behavioural science as applied to cyber security awareness and online behavioural change.


This paper proposes and sets out the framework for the development of a game designed to help educate users about phishing attacks. The proposed game draws on academic research and would take the form of a series of challenges that inherently educate users about phishing concepts.
Authors: Gaurav Misra, N.A.G. Arachchilage and Shlomo Berkovsky
This research finds people are motivated to follow security procedures when they believe the procedures to be compulsory, and that both specifying policies and evaluating behaviours help position security policies as mandatory. It follows that specifying policies and evaluating behaviours is more likely to lead to security procedures being followed.
Authors: Scott R Boss, Laurie J Kirsch, Ingo Angermeier, Raymond A Shingler, R Wayne Boss
Advancements in information technology often task users with complex and consequential privacy and security decisions. A growing body of research has investigated individuals’ choices in the presence of privacy and information security tradeoffs, the decision-making hurdles affecting those choices, and ways to mitigate such hurdles. This article provides a multi-disciplinary assessment of the literature pertaining to privacy and security decision making. It focuses on research on assisting individuals’ privacy and security choices with soft paternalistic interventions that nudge users toward more beneficial choices. The article discusses potential benefits of those interventions, highlights their shortcomings, and identifies key ethical, design, and research challenges.
Authors: Alessandro Acquisti, Idris Adjerid, Rebecca Balebako, Laura Brandimarte, Lorrie
This unique guide provides step-by-step instructions on how to commit fraud. From buying the correct hardware and software, to spoofing the personal details of your victims, to actually using stolen cards effectively. Originally published by an anonymous individual “Yegate”, this guide was bought by Brett Johnson, a former cyber criminal turned good, and released for free online for the public to read.
Authors: Yegate
Packed with statistics and survey results, this paper profiles the ever-growing cyber threat landscape and offers advice to help address and overcome risks.
Authors: EY
This paper offers an insight into what’s needed for an organisation to achieve a cyber risk aware culture and outlines the importance of establishing such a culture.
Authors: Deloitte
This paper reviews academic literature on both the individual differences and the contextual factors that influence susceptibility to cyber attacks, including self-awareness, self-control, security expertise, motivation, trust and attitudes to risk.
Authors: Emma J. Williams, Amy Beardmore, Adam N. Joinson
A Research Agenda publication aiming to stimulate research on the human factor in cyber crime and cyber security. This book offers examples of unanswered research questions and methods and datasets that could be used for future studies.
Authors: Mark Evans, Leandros A. Maglaras, Ying He, Helge Janicke
This report looks at the practical steps organisations typically go through on their journey towards managing cyber risk. It identifies five stages during the ‘cyber-maturity journey’ during which organisations are likely to encounter problems. Finally, it offers a solution to each of the problems specified.
Authors: BT
Usable security research to date has focused on making users more secure, by identifying and addressing usability issues that lead users to making mistakes, or by persuading users to pay attention to security and make secure choices. However, security goals were set by security experts, who were unaware that users often have other priorities and value security differently. In this paper, we present examples of circumventions and non-adoption of secure systems designed under this paternalistic mindset. We argue that security experts need to identify user values and deliver on them. To do that, we need a methodological framework that can conceptualise values and identify those that impact user engagement with security. We show that (a) engagement with, and
Security managers define policies and procedures to express how employees should behave to ‘do their bit’ for information security. They assume these policies are compatible with the business processes and individual employees’ tasks as they know them. Security managers usually rely on the ‘official’ description of how those processes are run; the day-to-day reality is different, and this is where security policies can cause friction. Organisations need employees to participate in the construction of workable security, by identifying where policies cause friction, are ambiguous, or just do not apply. However, current efforts to involve employees in security act to identify employees who can be local representatives of policy – as with the currently popular idea of ‘security
This blog post explores how organisations can create, maintain and improve their security culture and addresses the questions one may have in regards to security culture. The author highlights three phenomena that actively prevent affected organisations from achieving a culture of security, alongside offering alternative approaches to each.
Authors: Emma W, NCSC
The recent expansion of Internet of Things (IoT) and the growing trends towards a healthier lifestyle, have been followed by a proliferation in the use of fitness-trackers in our daily life. These wearable IoT devices combined with the extensive use by individuals of Online Social Networks (OSNs) have raised many security and privacy concerns. Individuals enrich the content of their online posts with their physical performance and attendance at sporting events, without considering the plausible risks that this may result in. This paper aims to examine the potential exposure of users’ identity that is caused by information that they share online and personal data that are stored by their fitness-trackers. We approach the privacy concerns that arise
This blog post emphasises the need for organisation-wide security awareness and offers five recommendations that can improve personal security practices and defend organisations against cyber threats.
Authors: Scott Garrett, CISCO
An introduction to the research of Jason Hong, Sauvik Das, Tiffany Hyun-Jin Kim and Laura Dabbish, who are investigating how social influence affects cyber security and testing how social influence techniques can improve people’s awareness and knowledge of cybersecurity, as well as their motivation to act securely.
Authors: Jason Hong, Sauvik Das, Tiffany Hyun-Jin Kim, Laura Dabbish
Humans tend to trust each other and to easily disclose personal information. This makes them vulnerable to social engineering attacks. The present study investigated the effectiveness of two interventions that aim to protect users against social engineering attacks, namely priming through cues to raise awareness about the dangers of social engineering cyber-attacks and warnings against the disclosure of personal information. A sample of visitors of the shopping district of a medium-sized town in the Netherlands was studied. Disclosure was measured by asking subjects for their email address, 9 digits from their 18 digit bank account number, and for those who previously shopped online, what they had purchased and in which web shop. Relatively high disclosure rates were

January 15, 2017

CYBERHYGIENE INSIGHT REPORT

A report that investigates users’ cyberhygiene and provides insights and implications.
This study proposes a new framework to help organisations nurture a culture of information security. The framework consists of factors known to affect security behaviour, such as: management; risk assessment; policies; education; and conduct, among others.
Authors: A. Tolah, S.M. Furnell and M. Papadaki
By offering users a strong message of fear, a weak message of fear and no message of fear, the authors of this paper concluded messages of fear combined with behavioural advice on how to mitigate threats can increase security behavioural intentions.
Authors: J. Jansen and P. van Schaik
Drawn from multiple disciplines including organisational sciences, psychology, law and cyber security, this report aims to assist organisations looking to begin or enhance their own cyber security culture programme.
Authors: ENISA