Research Library

The world’s first globally accessible archive of research into the human aspect of cyber security and behavioural science as applied to cyber security awareness and online behavioural change.


The present paper focuses on Cyber Security Awareness Campaigns, and aims to identify key factors regarding security which may lead them to failing to appropriately change people’s behaviour. Past and current efforts to improve information-security practices and promote a sustainable society have not had the desired impact. It is important therefore to critically reflect on the challenges involved in improving information-security behaviours for citizens, consumers and employees. In particular, our work considers these challenges from a Psychology perspective, as we believe that understanding how people perceive risks is critical to creating effective awareness campaigns. Changing behaviour requires more than providing information about risks and reactive behaviours – firstly, people must be able to understand and apply the advice, and secondly,
Most business organizations lack a human factors program and remain inattentive to human-centric issues and human-related problems that are leading to cybersecurity incidents, significant financial losses, reputational damage, and lost production. Other industries such as aviation, nuclear power, healthcare, and industrial safety leverage human factors problems as platforms to reduce human errors. The underappreciation and under-exploration of human factors in cybersecurity threatens the existence of every business. Cybersecurity operations are becoming increasingly abstruse and technologically sophisticated resulting in heightened opportunities for human errors. A human factors program can provide the foundation to address and mitigate human-centric issues, properly train the workforce, and integrate psychology-based professionals as stakeholders to remediate human factors-based problems.
Information security is one of the growing sources of concern that organizations are dealing with today. With increased levels of sophistication of social engineering threats, the exploits from such attacks are evolving. This study highlights some of the challenges that organizations encounter in the process of developing the human knowledge to fight against social engineering attacks. Despite state-of-the-art cyber security preparations and trained personnel, hackers are still successful in their malicious acts of stealing sensitive information that is crucial to organizations. This study further discusses the need for human resource departments to impose training requirements for new hires as part of onboarding processes. The factors influencing users’ proficiency in the process of threat detection and mitigation have been identified as
The cybersecurity of autonomous vehicles (AVs) is an important emerging area of research in traffic safety. Because human failure is the most common reason for a successful cyberattack, human-factor researchers and psychologists might improve AV cybersecurity by researching how to decrease the probability of a successful attack. We review some areas of research connected to the human factor in cybersecurity and find many potential issues. Psychologists might research the characteristics of people prone to cybersecurity failure, the types of scenarios they fail in and the factors that influence this failure or over-trust of AV. Human behavior during a cyberattack might be researched, as well as how to educate people about cybersecurity. Multitasking has an effect on the ability to defend
Social engineering is a method that has been used by criminals and scammers for centuries to manipulate people into performing a particular action or into giving up sensitive or confidential information. Today, social engineering is a tactic employed by cybercriminals who carry out phishing attacks, one of the most pervasive forms of cyber-attacks. Phishing attacks exploit one of cybersecurity’s greatest vulnerabilities, people, by leveraging both technology and the art of human deception in order to turn targets into victims. Social engineering and phishing rely on human behavior and emotion, factors that technology has yet to find a defense for, making social engineering and phishing a lucrative avenue for cybercriminals. Secure protocols, security awareness
Personality may better predict cybersecurity behavior relative to an individual’s stated intentions; however, people often behave in ways that are discordant with what they intend. Assuming most people have the intention of complying with safe practices, it is still no surprise that people violate policies and put sensitive data at risk regularly. Previous research has investigated all of the “Big Five” personality factors in relation to cybersecurity behavior, although there is no consensus regarding which factors are most important. In this study, data were collected from 676 undergraduate students who were administered the Employees’ Online Security Behavior and Beliefs questionnaire and the Big Five Inventory–44. Significant correlations were observed between self-reported cybersecurity behaviors and some, but not all, personality constructs.
The present report is concerned with human aspects of cybersecurity including not only psychology and sociology, but also ethnography, anthropology, human biology, behavioural economics and any other subject that takes humans as its main focal point. Authors: ENISA
As internet technology and mobile applications increase in volume and complexity, malicious cyber-attacks are evolving, and as a result, society is facing greater security risks in cyberspace than ever before. This study has extended the published literature on cybersecurity by theoretically defining the conceptual domains of employees’ security behavior, and has developed and tested operational measures to advance information security behavior research in the workplace. A conceptual framework is proposed and tested using survey results from 579 business managers and professionals. Structural equation modelling and ANOVA procedures are employed to test the proposed hypotheses. The results show that when employees are aware of their company’s information security policy and procedures, they are more competent to manage cybersecurity tasks than those who are not
In this study we investigated the behaviour and physiological responses of trainee cyber security workers while undertaking a Capture-the-Flag (CTF) task. Participants were equipped with armbands that recorded two measures of cognitive load: heat flux and galvanic skin response (GSR). Several conclusions were drawn from this exploratory project: 1. Participants’ physiological measurements exhibited idiosyncratic profiles, even when participants performed the same task; 2. Raw physiological measures failed to indicate anything clear about how participants reacted to specific events within the studies; 3. Utilising a Red-vs-Blue CTF competition enabled the development of a new way of examining the physiological data, which indicated a consistent trend amongst all participants across all physiological measures; and 4. In the CTF competition, winning and
Users’ unawareness of the threats that can face them in cyberspace can lead to the successful execution of such threats. Users should establish a culture of awareness before entering the workforce. This study found a lack of engagement among students with the cyber security awareness (CSA) initiatives that are available. It is suggested that academic institutions can contribute to the awareness of students by providing CSA material to them on a regular basis. Institutions can make use of social media platforms (Facebook and YouTube) and also communication mediums (institutional website and e-mails) to communicate CSA material to the students.
Although cyber attacks have tremendous financial and reputational ramifications for organisations, the number of high-profile data breaches continues to grow. Oftentimes, these data losses can be attributed to companies leaving themselves vulnerable through poor cyber security practices. This paper argues that companies must protect their businesses and customers from data breaches by implementing companywide changes and improving their overall security behaviour. The high-profile data breach experienced by Equifax, which affected millions of Equifax clients around the world, is used to illustrate the logic for enhancing organisational-level privacy programmes based on ethical reasoning. As new cyber security risks emerge, this case demonstrates that to protect critical data companies must be proactive in their technology security efforts.
Security advice is one key way that consumers learn security behaviors. However, prior work has shown that this advice may not always be helpful and may be less accessible to those with lower internet skill or less education. As a first step toward improving the quality of security advice, we analyzed the readability of 1878 internet security advice documents drawn from crowdsourced search queries and expert recommendations. We measured readability via the commonly used Flesch Reading Ease Score. Our results provide the first characterization, to our knowledge, of the readability of a large corpus of security advice. We find that less than 25% of security advice meets or exceeds the “Standard” (e.g., Reader’s Digest) reading level. Preliminary results suggest that
This paper proposes 10 cyber security challenges that need to be addressed, in an attempt to spark discussion about the global approach to cyber security. Authors: Richard Horne, PwC
This paper proposes a multi-layered approach to defending your organisation against phishing attacks, condensed into four layers. At each layer, the authors recommend tactical interventions to help organisations achieve this multi-layered security. Authors: NCSC, CPNI
Creative security engagements can take many forms and can be configured in different ways but they follow a similar pattern of actions: Frame, Identity, Process, Narrate. The process is not a linear, step-by-step process but an iterative one where the Facilitator of a creative security engagement responds dynamically to the pace and the interests of the participants in an engagement. Prior to the creative security engagement taking place, the Facilitator works with a particular community to identify the topic of the engagement, identify the appropriate medium through which to conduct the engagement and agree how the engagement might benefit the participant group. In this booklet, we outline the roles that routinely appear in a creative security engagement and we present
This report summarises key findings from ‘The Global State of Information Security Survey 2018’, which surveyed 9,500 global C-suite executives and directors about their organisation’s security practices. The report identifies and expands on nine data privacy and trust insights drawn from the survey. Authors: PwC
‘What the Internet of Things means for consumer privacy’ discusses the findings of an Economist Intelligence Unit (EIU) research programme, sponsored by ForgeRock, that explores the privacy concerns and priorities of global consumers stemming from the Internet of Things (IoT) and related technologies.
Creative security engagement is an approach that helps participants to draw out the details of day-to-day security practices. As a result, such engagement methods are not only able to sketch out issues related to IT infrastructure and its use but also the everyday security issues that arise through the building and maintenance of relationships with individuals, organisations and governments. Everyday security relates to an individual’s mundane, day-to-day security concerns and the daily routines and practices that are used to respond to these concerns. It is important to understand, engage with and respond to these everyday issues because this is where challenges related to information production, sharing and protection are situated. Authors: Royal Holloway, Creative Securities Team
Sharing experiences about digital practices, and about digital security in particular, is an important means of learning and sharing security practices. These stories are also important because they bring out the difficulties and inconsistencies people face in day-to-day situations that give rise to everyday digital security concerns. In this booklet series we introduce a number of engagement practices and methods that can be used to structure conversations about digital security in day-to-day situations. These conversations make it easier for information security practitioners and researchers to identify where interventions might be needed to adjust information sharing and protection practices or to adjust security policies and technologies. We have developed these engagement practices and methods from eight years of research
This report is designed to educate and inform organisations on the cyber threat landscape. It explores what to consider when disaster strikes and explains the importance of people and partnerships. Authors: Microsoft