Research Library

The world’s first globally accessible archive of research into the human aspect of cyber security and behavioural science as applied to cyber security awareness and online behavioural change.

To see the latest studies from pioneering academics, scroll down.

Technological development towards automation has been taking place for years and a wide range of autonomous systems (AS) have been introduced in homes and retailing spaces. Although these AS seem to be riskless, if they are exploited they can endanger private information of users, which opens a new stage for the security of AS. Humans have an initial and positive bias towards automation that might lead to errors related to unintentional actions or lack of actions. Therefore, the effective adoption of AS relies on users’ attitudes, like the propensity to take risks and the calibration of human trust to avoid situations of mistrust, over trust, and distrust, increasin

A construct for intentional habit formation is suggested as possible mitigation to the disparity between user capability and systems requirements. The importance of usable security is well represented in early discussions (Sasse 2001). Twenty years after M. S. Ackerman provided a significant discussion of the “gap” between what humans need and what computers can support, the “social-technical gap” in privacy and security management continues. Humans, for many reasons, cannot make good, consistent decisions regarding security. Current and foundational theoretical understandings of human limitations are outlined, in both an individual and social context. The differenc

While there are a variety of sophisticated system attacks, phishing emails continue to be successful in gaining users’ attention and leading to disastrous security consequences. In designing strategies to protect users from fraudulent phishing emails, system designers need to know which attack approaches and types of content seem to exploit human limitations and vulnerabilities. In this study, we are focusing on the attackers’ footprints (emails) and examining the phishing email content and characteristics utilizing publicly available phishing attack repository databases. We analyzed several variables to gain a better understanding of the techniques and language use

As cybersecurity (CS) threats become more sophisticated and diversified, organisations are urged to constantly adopt and update measures for contrasting different types of attacks. Particularly, as novel techniques (e.g., social engineering and phishing) are aimed at leveraging individual users’ vulnerabilities to attack and breach a larger system or an entire company, user awareness and behaviour have become key factors in preventing adverse events, mitigating their damage, and responding appropriately. As a result, the concept of Cyber Hygiene (CH) is becoming increasingly relevant to address the risk associated with an individual’s CS practices. Consequently, self-assessment tools are becom

SMEs constitute a very large part of the economy in every country and they play an important role in economic growth and social development. SMEs are frequent targets of cybersecurity attacks similar to large enterprises. However, unlike large enterprises, SMEs mostly have limited capabilities regarding cybersecurity practices. Given the increasing cybersecurity risks and the large impact that the risks may bring to the SMEs, assessing and improving the cybersecurity capabilities is crucial for SMEs for sustainability. This research aims to provide an approach for SMEs for assessing and improving their cybersecurity capabilities by integrating key elements from existing industry standards.

Social engineering cyberattacks are a major threat because they often prelude sophisticated and devastating cyberattacks. Social engineering cyberattacks are a kind of psychological attack that exploits weaknesses in human cognitive functions. Adequate defense against social engineering cyberattacks requires a deeper understanding of what aspects of human cognition are exploited by these cyberattacks, why humans are susceptible to these cyberattacks, and how we can minimize or at least mitigate their damage. In this paper, we review human cognition through the lens of social engineering cyberattacks. Then, we propose an extended framework of human cognitive function

Installing security applications is a common way to protect against malicious apps, phishing emails, and other threats in mobile operating systems. While these applications can provide essential security protections, they also tend to access large amounts of people’s sensitive information. Therefore, individuals need to evaluate the trade-off between the security features and the privacy invasion when deciding on which protection mechanisms to use. This paper examines factors affecting the willingness to install mobile security applications by taking into account the invasion levels and security features of cyber-security applications. The results indicate that a lo

The Coronavirus disease 2019 (COVID-19) pandemic continues to cause prevalent issues and risks relating to cybersecurity and data privacy in Malaysia, which should be viewed meticulously and tackled appropriately. Moreover, Malaysia’s ageing population has limited cybersecurity awareness. The aim of this research is to explore the cybersecurity mindset of Malaysia’s older population and its impact on their well-being. For this purpose, this study used a qualitative methodology aimed at understanding the aging population’s cybersecurity mindset and developing a supporting policy framework. The issues of concern range from cybercriminals targeting a novice work from

Current world events have forced a sudden remote-working economy that many businesses were simply not prepared for. According to a Gartner survey of 229 human resources (HR) managers, 81% or more are working remotely, and 41% are likely to do so at least some of the time even once a return to normal working is permitted. This sudden rise in remote working is not only challenging employees to work in a way they had not previously, but it has also impacted the cyber-risk profile of enterprises worldwide. Organisations have built policies and procedures that protect i

Android parental control applications are used by parents to monitor and limit their children’s mobile behaviour (e.g., mobile apps usage, web browsing, calling, and texting). In order to offer this service, parental control apps require privileged access to system resources and access to sensitive data. This may significantly reduce the dangers associated with kids’ online activities, but it raises important privacy concerns. We conduct the first in-depth study of the Android parental control app ecosystem from a privacy and regulatory point of view. In summary, parental control applications lack transparency and lack compliance with regulatory requirements. This holds even for those appl

Cybersecurity is paramount in modern cyber defense. One important factor linked to reducing human-instigated breaches of cybersecurity includes cyber hygiene. Cyber hygiene is the adaptive knowledge and behavior to mitigate risky online activities that put an individual’s social, financial, and personal information at risk – a danger that is significantly compounded when discussing the risk to entire countries as opposed to a single individual. Interestingly, even though the human is the greatest risk to cybersecurity, very little research has examined the latent individual differences associated with developing cyber hygiene-related knowledge, attitudes, and behavi

Retirement is a major life transition, which leads to substantial changes across almost all aspects of day-to-day life. Although this transition has previously been seen as the normative marker for entry into older adulthood, its influence on later life has remained relatively unstudied in terms of technology use and cybersecurity behaviours. This is problematic as older adults are at particular risk of becoming victims of cyber-crime. This study aimed to investigate which factors associated with the retirement transition were likely to increase vulnerability to cyber-attack in a sample of 12 United Kingdom based older adults, all of whom had retired within t

In this chapter we use a social psychology approach to discuss people’s behaviour in relation to cybersecurity, by considering human errors, personality traits, the relationship between attitude and behaviour and the influence of social and situational factors. Human error has been widely studied in literature, especially in aviation and health care fields. Regardless of the area involved, analysing human factors is fundamental to understand the causes of accidents. With respect to cybersecurity, in fact, human errors—deriving from, e.g., work pressure, distraction, lack of awareness, organizational factors—can be considered one of the most important causes of secur

Every year online scams cause substantial emotional and financial adversity. A recently developed self-report measure of gullibility has the potential to provide insight into how individual differences in gullibility are related to susceptibility to scams. The current study investigated the behavioural validity of the Gullibility Scale and explored individual differences expected to be related to this construct. Undergraduate psychology students (N = 219) initially rated example phishing emails, and completed the HEXACO personality factors, Need for Cognition, Need for Closure, Sense of Self, and the Gullibility Scale. After six weeks, they were sent simulated phishing emails. Respo

Many theories from behavioural science like the theory of planned behaviour and protection motivation theory have been used to investigate the factors that affect the cybersecurity behaviour and practices of the end-user. In this paper, the researchers have used the Fogg behaviour model (FBM) to study factors affecting the cybersecurity behaviour and practices of smartphone users. This study found that the odds of secure behaviour and practices by respondents with high motivation and high ability were 4.64 times more than for respondents with low motivation and low ability. This study describes how FBM may be used in the design and development of cybersecurity awareness

This paper examines online users’ perceived susceptibility to phishing attacks. We posit that an individual’s phishing susceptibility may be shaped by recent phishing encounters and, more importantly, that the effect of new experience on susceptibility will be heterogeneous among users. To facilitate our investigation, we focus on both the process and outcome of phishing detection. Survey data from college students confirms that one’s susceptibility is affected by detection process difficulty and detection outcome failures in the recent phishing encounter. Results also reveal the importance of personal attributes, such as past success in phishing detection and phishing desensitization, in re

Phishing e-mails are fraudulent e-mails used to gain access to sensitive information or secure computer systems. They persuade users to click on malicious links, download attachments, or provide sensitive information, such as usernames or passwords. One approach that aims to reduce people’s susceptibility to phishing is the provision of information to users regarding the phishing threat and the techniques used within phishing e-mails. In line with this, awareness campaigns are often used within organizations and wider society to raise awareness of phishing and encourage people to engage with protective information. In order to understand how current and future interventions regarding phishin

The role of the human in cyber security is well acknowledged. Many cyber security incidents rely upon targets performing specific behavioural actions, such as opening a link within a phishing email. Cyber adversaries themselves are driven by psychological processes such as motivation, group dynamics and social identity. Furthermore, both intentional and unintentional insider threats are associated with a range of psychological factors, including cognitive load, mental wellbeing, trust and interpersonal relations. By incorporating psychology into cyber security education, practitioners will be better equipped with the skills they need to address cyber security issues. However, there are chall

This study investigated the security gains of using a multilingual passphrase policy in user generated passphrases that are based on African and Indo-European languages. The research on passwords has been largely focused on the Global North where English is often the first or only language. Targeted password guessing of English and Chinese-based passwords shows that a user’s mother tongue language can influence password structure, something that reflects on security. Given a multilingual user group, for example in Africa, it is interesting to establish whether such a population can generate secure multilingual passphrases. Accordingly, the findings of this study could be extrapolated to othe

Cognitive processes are broadly considered to be of vital importance to understanding phishing email feature detection or misidentification. This research extends the current literature by introducing the concept of cue utilization as a unique predictor of phishing feature detection. First year psychology students (n=127) undertook three tasks measuring cue utilization, phishing feature detection and phishing email detection. A multiple linear regression model provided evidence that those in a higher cue utilization typology (n=55) performed better at identifying phishing features than those in a lower cue utilization typology (n=72). Furthermore, as predicted by the Elaboration Likelihood M