Research Library

The world’s first globally accessible archive of research into the human aspect of cyber security and behavioural science as applied to cyber security awareness and online behavioural change.

To see the latest studies from pioneering academics, scroll down.

Since information security (InfoSec) incidents often involve human error, businesses are investing greater resources into improving staff awareness and compliance with best-practice InfoSec behaviours. This research examined whether employees who feel that they may be personally affected by workplace InfoSec incidents are more likely to behave in accordance with those best-practice behaviours. To further understand this, we also examined organisational commitment and risk perception. Data collection involved an online questionnaire measuring these constructs in relation to three workplace cyber threats: phishing, malware, and mobile devices. The questionnaire was co

Cyber crime is rising at an unprecedented rate. Organisations are spending more than ever combating the human element through training and other interventions, such as simulated phishing. Organisations employ “carrots” (rewards) and “sticks” (sanctions) to reduce risky behaviour. Sanctions (such as locking computers and informing one’s line manager) are problematic as they lead to unintended consequences towards employee trust and productivity. This study explored how organisations use rewards and sanctions both in their campaigns and specifically following simulated phishing. We also assessed what factors (such as control over rewards, tendency to blame users) infl

There has been an increasing prevalence of global cyber attacks. Because of the possible breaches in information security, it has become pertinent that organisations change organisational and individual cultures to become more secure. However, there are challenges regarding the implementation of these processes within organisations. Organisations have become dependent on information systems, which stores large quantities of data and can be considered as one of an organisation’s greatest assets. Whilst employees are considered as the next important asset, their negligence, whether intentional or not, and due to their possible lack of knowledge regarding information s

There is a lack of consensus when using the term “cyberspace” []. Computers and network devices are prominent in definitions of cyberspace; less common is the essential and inclusion of human users. However, the human user is both implicitly integral to and actively part of the cyberspace. A new human-centric model of cyberspace is proposed (the HCCM), with the user as a physical and integral entity, together with recognition of the cognitive representation of cy

Technological development towards automation has been taking place for years and a wide range of autonomous systems (AS) have been introduced in homes and retailing spaces. Although these AS seem to be riskless, if they are exploited they can endanger private information of users, which opens a new stage for the security of AS. Humans have an initial and positive bias towards automation that might lead to errors related to unintentional actions or lack of actions. Therefore, the effective adoption of AS relies on users’ attitudes, like the propensity to take risks and the calibration of human trust to avoid situations of mistrust, over trust, and distrust, increasin

A construct for intentional habit formation is suggested as possible mitigation to the disparity between user capability and systems requirements. The importance of usable security is well represented in early discussions (Sasse 2001). Twenty years after M. S. Ackerman provided a significant discussion of the “gap” between what humans need and what computers can support, the “social-technical gap” in privacy and security management continues. Humans, for many reasons, cannot make good, consistent decisions regarding security. Current and foundational theoretical understandings of human limitations are outlined, in both an individual and social context. The differenc

While there are a variety of sophisticated system attacks, phishing emails continues to be successful in gaining users attention and leading to disastrous security consequences. In designing strategies to protect users from fraudulent phishing emails, system designers need to know which attack approaches and type of content seems to exploit human limitations and vulnerabilities. In this study, we are focusing on the attackers’ footprints (emails) and examining the phishing email content and characteristics utilizing publicly available phishing attack repository databases. We analyzed several variables to gain a better understanding of the techniques and language use

As cybersecurity (CS) threats become more sophisticated and diversified, organisations are urged to constantly adopt and update measures for contrasting different types of attacks. Particularly, as novel techniques (e.g., social engineering and phishing) are aimed at leveraging individual users’ vulnerabilities to attack and breach a larger system or an entire company, user awareness and behaviour have become key factors in preventing adverse events, mitigating their damage, and responding appropriately. As a result, the concept of Cyber Hygiene (CH) is becoming increasingly relevant to address the risk associated to an individual’s CS practices. Consequently, self-assessment tools are becom

SMEs constitute a very large part of the economy in every country and they play an important role in economic growth and social development. SMEs are frequent targets of cybersecurity attacks similar to large enterprises. However, unlike large enterprises, SMEs mostly have limited capabilities regarding cybersecurity practices. Given the increasing cybersecurity risks and the large impact that the risks may bring to the SMEs, assessing and improving the cybersecurity capabilities is crucial for SMEs for sustainability. This research aims to provide an approach for SMEs for assessing and improving their cybersecurity capabilities by integrating key elements from existing industry standards.

Social engineering cyberattacks are a major threat because they often prelude sophisticated and devastating cyberattacks. Social engineering cyberattacks are a kind of psychological attack that exploits weaknesses in human cognitive functions. Adequate defense against social engineering cyberattacks requires a deeper understanding of what aspects of human cognition are exploited by these cyberattacks, why humans are susceptible to these cyberattacks, and how we can minimize or at least mitigate their damage. In this paper, we review human cognition through the lens of social engineering cyberattacks. Then, we propose an extended framework of human cognitive function

The research conducted for this project sought to understand the factors that impact the likelihood an individual will be victimized by a phishing attack. The research also sought to identify effective training approaches and technology available to supplement human defenses. Understanding these factors, training methods, and technology will allow organizations to strengthen their information security program. The research conducted confirmed that certain personality types and habits, such as gullibility, narcissism, psychopathy, and habitual email use, influence the likelihood an individual will fall victim to a phishing attack. Rule-based and mindfulness training,

This study purposed to examine the key human factors that impact on favourable cybersecurity culture in Kenyan SMEs premised in Nairobi City County and that provides enterprise wide Information Systems(IS) solutions. Primary data was collected through mail survey method from 34 SMEs that were selected from the official 2019 yellow pages Kenya online directory. The data collection tool was a structured questionnaire. To achieve this, quantitative research inform of descriptive research design was conducted. Judgmental sampling technique was used to choose respondents believed to have the required information relatin

Installing security applications is a common way to protect against malicious apps, phishing emails, and other threats in mobile operating systems. While these applications can provide essential security protections, they also tend to access large amounts of people’s sensitive information. Therefore, individuals need to evaluate the trade-off between the security features and the privacy invasion when deciding on which protection mechanisms to use. This paper examines factors affecting the willingness to install mobile security applications by taking into account the invasion levels and security features of cyber-security applications. The results indicate that a lo

The Coronavirus disease 2019 (COVID-19) pandemic continues to cause prevalent issues and risks relating to cybersecurity and data privacy in Malaysia, which should be viewed meticulously and tackled appropriately. Moreover, Malaysia’s ageing population is limited on cybersecurity awareness. The aim of this research is to explore the cybersecurity mindset of Malaysia’s older population and its impact on their well-being. For this purpose, this study used a qualitative methodology aimed at understanding the aging population’s cybersecurity mindset and developing a supporting policy framework. The issues of concern range from cybercriminals targeting a novice work from

Current world events have forced a sudden remote-working economy that many businesses were simply not prepared for. According to a Gartner survey of 229 human resources (HR) managers, 81% or more are working remotely, and 41% are likely to do so at least some of the time even once a return to normal working is permitted. This sudden rise in remote working is not only challenging employees to work in a way they had not previously, but it has also impacted the cyber-risk profile of enterprises worldwide. Organisations have built policies and procedures that protect i

Android parental control applications are used by parents to monitor and limit their children’s mobile behaviour (e.g., mobile apps usage, web browsing, calling, and texting). In order to offer this service, parental control apps require privileged access to system resources and access to sensitive data. This may significantly reduce the dangers associated with kids’ online activities, but it raises important privacy concerns. We conduct the first in-depth study of the Android parental control app’s ecosystem from a privacy and regulatory point of view. In summary, parental control applications lack transparency and lack compliance with regulatory requirements. This holds even for those appl

Cybersecurity is paramount in modern cyber defense. One important factor linked to reducing human-instigated breaches of cybersecurity includes cyber hygiene. Cyber hygiene is the adaptive knowledge and behavior to mitigate risky online activities that put an individual’s social, financial, and personal information at risk – a danger that is significantly compounded when discussing the risk to entire countries as opposed to a single individual. Interestingly, even though the human is the greatest risk to cybersecurity, very little research has examined the latent individual differences associated with developing cyber hygiene-related knowledge, attitudes, and behavi

Retirement is a major life transition, which leads to substantial changes across almost all aspects of day-to-day life. Although this transition has previously been seen as the normative marker for entry into older adulthood, its influence on later life has remained relatively unstudied in terms of technology use and cybersecurity behaviours. This is problematic as older adults are at particular risk of becoming victims of cyber-crime. This study aimed to investigate which factors associated with the retirement transition were likely to increase vulnerability to cyber-attack in a sample of 12 United Kingdom based older adults, all of whom had retired within t

In this chapter we use a social psychology approach to discuss people’s behaviour in relation to cybersecurity, by considering human errors, personality traits, the relationship between attitude and behaviour and the influence of social and situational factors. Human error has been widely studied in literature, especially in aviation and health care fields. Regardless of the area involved, analysing human factors is fundamental to understand the causes of accidents. With respect to cybersecurity, in fact, human errors—deriving from, e.g., work pressure, distraction, lack of awareness, organizational factors—can be considered one of the most important causes of secur

Every year online scams cause substantial emotional and financial adversity. A recently developed self-report measure of gullibility has the potential to provide insight into how individual differences in gullibility are related to susceptibility to scams. The current study investigated the behavioural validity of the Gullibility Scale and explored individual differences expected to be related to this construct. Undergraduate psychology students (N = 219) initially rated example phishing emails, and completed the HEXACO personality factors, Need for Cognition, Need for Closure, Sense of Self, and the Gullibility Scale. After six weeks, they were sent simulated phishing emails. Respo