Research Library

The world’s first globally accessible archive of research into the human aspect of cyber security and behavioural science as applied to cyber security awareness and online behavioural change.

To see the latest studies from pioneering academics, scroll down.

This study looks into how mood and audience influence gambling behaviours. Although mood seems to have no effect on gambling behaviour, participants with a negative mood prior to gambling report more positive moods after gambling, while those with positive and neutral moods report more negative moods after gambling. Additionally, the study finds that observed participants spend less time gambling than unobserved participants.
The purpose of this paper is to measure and discuss the effects of an e-learning tool aimed at improving the information security knowledge, awareness, and behaviour of employees.
Design/methodology/approach – The intervention study has a pre- and post-assessment of knowledge and attitudes among employees. In total, 1,897 employees responded to a survey before and after the intervention. The population is divided into an intervention group and a control group, where the only thing that separates the groups is participation in the intervention (i.e. the e-learning tool).
Findings – The study documents significant short-term improvements in the security knowledge, awareness, and behaviour of members of the intervention group.
Research limitations/implications – The study looks at the short-term effects of the intervention. The authors have carried out a follow-up study of the long-term effects, which has also been submitted to Information Management & Computer Security.
Practical implications – The study documents that software supporting Information Security Awareness programs has a short-term effect on employees’ knowledge, behaviour, and awareness; more intervention studies, following the same principles as presented in this paper, of other user-directed measures
The ultimate success of information security depends on appropriate information security practice behaviours by end users. Based on social cognitive theory, this study models and tests relationships among self-efficacy in information security, security practice behaviour and motivation to strengthen security efforts. This study also explores antecedents to individuals’ self-efficacy beliefs in information security. Results provide support for many of the hypothesised relationships. This study provides an initial step toward understanding the applicability of social cognitive theory in the new domain of information security. The results suggest that simply listing what not to do, and the penalties associated with wrongdoing, in the users’ information security policy alone will have a limited impact on the effective implementation of security measures. The findings may help information security professionals design security awareness programs that more effectively increase self-efficacy in information security.
This paper explores the ultimate causes of risk-taking and anti-social behavior. In particular, it explores the notion of such behaviors as evolutionary. It suggests a research program informed by life history analysis may reveal the ultimate causes of risk-taking and anti-social behavior.
The purpose of this paper, based on compensation theory, is to incorporate perceived technical security protection into the theory of planned behaviour and to examine factors affecting end-user security behaviours, specifically compliance with security policies. The results show that both perceived behavioural control (PBC) and attitude have a significant impact on intention to comply with security policy. Perceived technical protection affects behavioural intentions both indirectly, through PBC, and directly. The negative direct effect (i.e. perceived high technical protection leads to low intention to comply with security policy) suggests possible risk compensation effects in the information security context.
With Rogers’ protection motivation theory as the theoretical framework, this study identified determinants of young adolescents’ level of privacy concerns, which, in turn, affects their resultant coping behaviours to protect privacy. Survey data from 144 middle school students revealed that perceived risks of information disclosure increased privacy concerns, whereas perceived benefits offered by information exchange decreased privacy concerns. Subsequently, privacy concerns had an impact on risk-coping behaviours such as seeking out interpersonal advice or additional information (e.g., a privacy statement) or refraining from using Web sites that ask for personal information. Counter to our expectation, privacy self-efficacy did not appear to be related to privacy concerns. Implications of privacy education to protect online privacy among young adolescents are discussed.
Conventional wisdom is that phishing represents easy money. In this paper we examine the economics that underlie the phenomenon, and find a very different picture. Phishing is a classic example of the tragedy of the commons, where there is open access to a resource that has a limited ability to regenerate. Since each phisher independently seeks to maximise his return, the resource is over-grazed and yields far less than it is capable of. The situation stabilises only when the average phisher is making no more than he gives up in opportunity cost. Since the picture we paint is at variance with accepted wisdom, we check it against several publicly available data sources on phishing. We find the oft-quoted survey-based estimates of phishing losses unreliable. In particular, the victimisation rate found in most surveys is smaller than the margin of error, and dollar losses are estimated by averaging unverified self-reported numbers. We estimate that recent public estimates overstate phishing losses by as much as a factor of fifty. This economic portrait illuminates our enemy in an entirely new light. Far from being a path
Research focusing on educating users about phishing and identifying phishing emails, as opposed to using technology for prevention and detection. The research identified multiple problems, namely: that people were not motivated to learn about security; that security is seen as a secondary task; and that it is difficult to teach people to identify threats without them also misidentifying non-threats. The authors conclude that education should be used in conjunction with automated detection systems to best stop losses.
This paper develops and tests a theoretical model of the incentive effects of penalties, pressures and perceived effectiveness of employee actions.  
This study examines the extent to which individuals seek confirming – or disconfirming – evidence, instead of actually testing a hypothesis. Results indicated that, often, individuals are unwilling (or unable) to test their hypotheses.    
The success of many attacks on computer systems can be traced back to the security engineers not understanding the psychology of the system users they meant to protect. We examine a variety of scams and “short cons” that were investigated, documented and recreated for the BBC TV programme The Real Hustle and we extract from them some general principles about the recurring behavioural patterns of victims that hustlers have learnt to exploit. We argue that an understanding of these inherent “human factors” vulnerabilities, and the necessity to take them into account during design rather than naïvely shifting the blame onto the “gullible users”, is a fundamental paradigm shift for the security engineer which, if adopted, will lead to stronger and more resilient systems security.
The Windows Vista personal firewall provides its diverse users with a basic interface that hides many operational details. However, concealing the impact of network context on the security state of the firewall may result in users developing an incorrect mental model of the protection provided by the firewall. We present a study of participants’ mental models of Vista Firewall (VF). We investigated changes to those mental models and their understanding of the firewall’s settings after working with both the VF basic interface and our prototype. Our prototype was designed to support development of a more contextually complete mental model through inclusion of network location and connection information. We found that participants produced richer mental models after using the prototype than when working with the VF basic interface; they were also significantly more accurate in their understanding of the configuration of the firewall. Based on our results, we discuss methods of improving user understanding of underlying system states by revealing hidden context, while considering the tension between complexity of the interface and security of the system.
The security of computer systems that store our data is a major issue facing the world. This research project investigated the roles of ease of use, facilitating conditions, intention to use passwords securely, experience and age on usage of passwords, using a model based on the Unified Theory of Acceptance and Use of Technology. Data was collected via an online survey of computer users, and analyzed using PLS. The results show there is a significant relationship between ease of use of passwords, intention to use them securely and the secure usage of passwords. Despite expectations, facilitating conditions only had a weak impact on intention to use passwords securely and did not influence actual secure usage. Computing experience was found to have an effect on intention to use passwords securely, but age did not. The results of this research lend themselves to assisting in policy design and better understanding user behavior.  
Social engineering is now a major threat to users and systems in the online context, and it is therefore vital to educate potential victims in order to reduce their susceptibility to the related attacks. However, as with other aspects of security education, this firstly requires a means of getting the user’s attention. This paper presents details of an awareness raising game that was developed in order to educate users in a more interactive way. A board game approach, combining reference material with themed multiple-choice questions, was implemented as an initial prototype, and evaluated with 21 users. The results suggested that the approach helped to increase players’ awareness of social engineering, with nobody scoring under 55% whilst playing the game, and 86% feeling they had improved their knowledge of the subjects involved.  
There is a need to understand what makes information security successful in an organisation. What are the threats that the organisation must deal with, and what are the criteria of a beneficial information security policy? Policies are in place, but why are employees not complying? This study is a first step in trying to highlight effective approaches and strategies that might help organisations achieve good information security, by looking at success factors for its implementation. This dissertation focuses on human factors by looking at what concerns employees about information security. It explores the importance of information security policy in organisations, and employees’ attitudes to compliance with their organisations’ policies. The research has been divided into four stages, each developed in light of the results from the previous stage. The first two stages were conducted in the Sultanate of Oman in order to use a population just starting out in the information security area. Stage one started with qualitative semi-structured interviews to explore and identify factors contributing towards the successful implementation of information security in an organisation.
Phishing, the attempt by criminals to obtain sensitive information through a variety of techniques, is still a serious problem for IT managers and Internet consumers. With over 57 million Americans exposed to phishing in 2005, a reported 5% of recipients were victimised. Some believe that one percent of all email is phishing-related, and estimates of financial losses vary from 100 million to 1 billion dollars (US) a year (Goth, 2005). Our research examines the properties of a phishing email that may or may not influence users to give out personal and sensitive information. For this field experiment we use students to test the effect that certain types of content have on the phishing process. The study outcomes suggest that users do not pay attention to the sender’s domain in a phishing email, but do respond to personalised messages and messages that demand an immediate response.
Managing information security is becoming more challenging in today’s business, because people are both a cause of information security incidents and a key part of the protection against them. As the impact of organisational culture (OC) on employees is significant, many researchers have called for the creation of an information security culture (ISC) in organisations to influence the actions and behaviour of employees towards better organisational information security. Although researchers have called for ISC to be embedded in organisations, the literature suggests that little past research has examined the relationship between the nature of OC and ISC. This paper seeks to explore that relationship and argues that organisations with a medium to high security risk profile need to embed an ISC in order to influence employee actions and behaviours in relation to information security practices. In addition, this paper introduces a framework to assist organisations in determining the extent to which the desired ISC is embedded into their OC.
This paper discusses the results of two case studies performed in a large international company to test the use of chatbots for internal security training. The first study targeted 26 end users in the company, while the second study examined 80 security specialists. From a quantitative analytical perspective there do not appear to be any significant findings when chatbots are used for security training. However, there does appear to be qualitative data suggesting that respondents’ attitudes to security are more positive when chatbots are used than with the company’s current traditional e-learning security training courses.
This comprehensive report seeks to understand the persuasion techniques employed by scammers that successfully provoke human errors in judgement. It finds a successful scam involves all the standard elements of the ‘marketing mix’ – although scams differ from conventional marketing in their illegal and illegitimate nature.  
It is widely agreed that employee non-adherence to information security policies poses a major problem for organizations. Previous research has pointed to the potential of theories of moral reasoning to better understand this problem. However, we find no empirical studies that examine the influence of moral reasoning on compliance with information security policies. We address this research gap by proposing a theoretical model that explains non-compliance in terms of moral reasoning and values. The model integrates two well-known psychological theories: the Theory of Cognitive Moral Development by Kohlberg and the Theory of Motivational Types of Values by Schwartz. Our empirical findings largely support the proposed model and suggest implications for practice and research on how to improve information security policy compliance.  