Research Library

The world’s first globally accessible archive of research into the human aspect of cyber security and behavioural science as applied to cyber security awareness and online behavioural change.

To see the latest studies from pioneering academics, scroll down.

This study examined the ways in which Internet users construct their risk judgments about online privacy. The results, based on telephone survey data from a national probability sample in Singapore (n = 910), revealed that (a) individuals distinguish between two separate dimensions of risk judgment (personal level and societal level), (b) individuals display a strong optimistic bias about online privacy risks, judging themselves to be significantly less vulnerable than others to these risks, and (c) internal belief (perceived controllability) and individual difference (prior experience) significantly moderate optimistic bias by increasing or decreasing the gap between personal- and societal-level risk estimates. The implications of the findings for research and practice are discussed.  
In an effort to aid policy makers seeking to change behaviour, a team of researchers summarise nine non-coercive influencers of human behaviour: the messenger (who a message comes from); incentives (such as loss avoidance); norms (what other people already do); defaults (i.e., maintaining the status quo); salience (the novel and interesting); priming (acting after subconscious cues); affect (our emotions); commitments (to maintain consistent behaviour); and ego (to feel better about ourselves).
Although online retailers detail their privacy practices in online privacy policies, this information often remains invisible to consumers, who seldom make the effort to read and understand those policies. This paper reports on research undertaken to determine whether a more prominent display of privacy information will cause consumers to incorporate privacy considerations into their online purchasing decisions. We designed an experiment in which a shopping search engine interface clearly and compactly displays privacy policy information. When such information is made available, consumers tend to purchase from online retailers who better protect their privacy. In fact, our study indicates that when privacy information is made more salient and accessible, some consumers are willing to pay a premium to purchase from privacy protective websites. This result suggests that businesses may be able to leverage privacy protection as a selling point.
The purpose of this paper is to better understand what factors influence college students to run anti-spyware tools, with the hopes of finding ways to better inform future students about the spyware epidemic and ways to combat spyware. In order to determine what influences students to use anti-spyware tools, we conducted multiple structured interviews (n=10) and a survey (n=68). These provided insight into the factors influencing students to run anti-spyware tools. We also found significant differences between Computer Information Systems (CIS) majors and non-CIS majors in their usage of anti-spyware software. Our research suggests that Attitude, Perceived Behavioral Control, and Technology Awareness have the most impact on influencing a college student’s intentions to use anti-spyware tools.
According to this book’s authors, we need only understand how our minds work to unlock shortcuts that can lead to long-term behaviour change. This book explores how our minds work and some shortcuts that might be of use when seeking to change human behaviour.
As technology such as the Internet, computers and mobile devices becomes ubiquitous throughout society, the need to ensure our information remains secure is imperative. Unfortunately, it has long been understood that good security cannot be achieved through technical means alone and a solid understanding of the issues and how to protect yourself is required from users. Whilst many initiatives, programs and strategies have been proposed to improve the level of information security awareness, most have been directed at organizations, with a few national programs focused upon home users. Given people’s use of technology is primarily focused upon those two areas: the workplace and home, this paper seeks to understand the knowledge and practice relationship between these environments. Through the survey that was developed, it was identified that the majority of the learning about information security occurred in the workplace, where clear motivations, such as legislation and regulation, existed. It was also found that users were more than willing to engage with such awareness raising initiatives. From a comparison of practice between work and home environments, it was found that this
The home Internet user faces a hostile environment abundant in potential attacks on their computers. These attacks have been increasing at an alarming rate and cause damage to individuals and organizations regularly, and have the potential to cripple the critical infrastructures of entire countries. Recent research has determined that some individuals are not utilizing additional software protections available to mitigate these potential security risks. This paper seeks to further examine the reasons by proposing a conceptual framework that utilizes the Health Belief Model as a possible way to explain why some people do not perceive a threat sufficient to prompt the adoption of computer security software.  
Information security was the main topic in this paper. An investigation of compliance with information security policies was discussed. The author mentions that the insignificant relationship between rewards and actual compliance with information security policies does not make sense. Quite possibly this relationship results from not applying rewards for security compliance. The author also mentions that, based on the survey conducted, careless employee behavior places an organization’s assets and reputation in serious jeopardy. The major threat to information security arises from careless employees who fail to comply with organizations’ information security policies and procedures.
This article examines the impact of negative message framing on security technology adoption. Based on previous studies, it was hypothesized that negatively-framed messages would have a greater effect on the adoption of security technologies which detect system abuse than on technologies for prevention. To test this hypothesis, two security technologies were selected: one to represent preventative technologies and one to represent detective technologies. Undergraduate business students at a major southeastern university were first introduced to both security technologies, then exposed to negatively-framed messages and asked to complete a survey regarding their attitudes and intentions toward adopting each. In line with previous studies, it was determined that negatively-framed messages are better suited for detection technologies than for prevention technologies, and that IS managers should become more sensitive to the manner in which new security technologies are introduced and to the factors that help shape adoption intentions.
This paper investigates the impact of the characteristics of information security policy (ISP) on an employee’s security compliance in the workplace. Two factors were proposed as the antecedents of employees’ security compliance: ISP Fairness and ISP Quality. ISP Quality is comprised of three quality dimensions: Clarity, Completeness, and Consistency. It is shown that ISP fairness has a strong positive effect on an employee’s ISP compliance. In addition, it is found that ISP quality not only has a strong positive influence on an employee’s ISP compliance but also has a strong influence on an employee’s perceived ISP fairness. This study contributes to the literature by highlighting the importance of ISP characteristics, namely ISP quality and ISP fairness, as an organizational resource to enhance an organization’s information security.
Two online experiments examine the effects of different e-commerce deception tactics on decision-making. The study finds consumers’ product choices are influenced by manipulation of product details and the order in which products are displayed, and concludes consumers are frequently vulnerable to deception by online retailers.
Although computer users are aware of spyware, they typically do not take protective steps against it. A recent study looks into the reasons for this apathy and suggests boosting users’ confidence in installing and operating antispyware solutions as an effective remedy.
In this study, participants performed a computer memory task while compliance with three safety measures was monitored. Compliance with indirect warnings (that is, warnings triggered by entities other than researchers) was not significantly different from compliance with direct warnings. The research suggests there are effective ways to warn people other than from the top down.
This paper proposes a research method that investigates the risk perceptions of computer end-users relating to organisational Information Security (InfoSec) and the situational factors that influence these perceptions. This method uses the Repertory Grid Technique (RGT) within recorded semi-structured interviews to elicit computer end-user perceptions, thoughts, beliefs and views pertaining to information security risks and threats. The suitability and appropriateness of using the RGT for this task are also discussed.
In this paper we present the results of a roleplay survey instrument administered to 1001 online survey respondents to study both the relationship between demographics and phishing susceptibility and the effectiveness of several anti-phishing educational materials. Our results suggest that women are more susceptible than men to phishing and participants between the ages of 18 and 25 are more susceptible to phishing than other age groups. We explain these demographic factors through a mediation analysis. Educational materials reduced users’ tendency to enter information into phishing webpages by 40%; however, some of the educational materials we tested also slightly decreased participants’ tendency to click on legitimate links.
Employee violations of IS security policies are recognized as a key concern for organizations. Although interest in IS security has risen in recent years, little empirical research has examined this problem. To address this research gap, this dissertation identifies deliberate IS security policy violations as a phenomenon unique from other forms of computer abuse.
This article reports human memories as reconstructed fragments of information, as opposed to recorded feedback. According to the article, false memories are easily recalled, jeopardising eyewitness reports. Eyewitness reports should therefore perhaps be used with caution, the article warns.
End users are frequently criticised as the sources of bad security practice, and it is suggested they might take the issue more seriously if they experienced a breach. An option for enabling this would be for security administrators to deliberately create conditions and situations that provide first-hand demonstrations to targeted users. Such approaches are referred to as scare tactics. It is widely accepted that securing information technology requires much more than just technology-based protection. We can hone the technology as much as we like but not get any benefit if people fail to use it properly. It might seem harsh, but security would be much easier to maintain if users could be taken out of the equation altogether. Feelings sometimes run so high that those working in the field say that security would be much easier to push, and more readily accepted, if you could teach users a lesson every once in a while.  
By using the protection motivation theory, this article tests a model of password protection intentions for online users. Hypotheses are proposed concerning the intention to engage in good password practices. Data were collected from 182 college students of 3 universities in the southern United States. The results suggest that fear, response cost, and response efficacy are significantly related to online password protection intentions. However, perceived severity and vulnerability are not significant predictors. The study suggests that reducing cognitive costs for passwords is imperative.
We present the design and evaluation of PhishDuck, an anti-phishing tool for email clients. PhishDuck presents an interface to users if they click on suspicious emails, and helps guide them towards making safe decisions. We present two different interfaces, a warning interface and a redundancy interface. In our user study, we found that the PhishDuck warning interface was statistically significantly better than the warning in Mozilla Thunderbird, with the participants falling for phish decreasing from 70% to 0%.