We examine the cost for an attacker to pay users to execute arbitrary code—potentially malware. We asked users at home to download and run an executable we wrote without being told what it did and without any way of knowing it was harmless. Each week, we increased the...
Research Library
The world’s first globally accessible archive of research into the human aspect of cyber security and behavioral science as applied to cyber security awareness and online behavioral change.
Toward a typology of internet users and online privacy concerns
Traditional typologies of consumer privacy concern suggest that consumers fall into three distinct groups: One-fourth of consumers are not concerned about privacy, one-fourth are highly concerned, and half are pragmatic, in that their concerns about privacy depend on...
Cyber security in the workplace: Understanding and promoting behaviour change
Cyber security and the role employees play in securing information are major concerns for businesses. The aim of this research is to explore employee security behaviours and design interventions that can motivate behaviour change. Previous research has focused on...
Individual differences in need for cognition and decision-making competence among leaders
This paper measured leadership and need for cognition alongside decision making, concluding both need for cognition and leadership moderate susceptibility to decision-making biases.
How to change management and user resistance to password security
A study of 425 people suggested perceived severity of security threats has no significant influence on security attitudes, and that more technically literate users resist mandatory security implementations more so than less technically literate users.
The evolution and psychology of self-deception
This paper's authors argue self-deception is an evolved trait with the evolutionary advantage of helping deceive others without severe cognitive strain. They suggest self-deception – which should in theory be paradoxical – is actually achieved through dissociations of...
An overview of international cyber-security awareness raising and educational initiatives
This report provides an overview of international cyber-security awareness raising and educational initiatives.
Under-reporting of errors: An information technology perspective
We congratulate Ernesäter et al. on their study of incident reporting in nurse-led telephone triage in Sweden. The reporting of errors is crucial to the process of error management. If adverse incidents are to be minimised, organisations must learn from their...
Death by a thousand facts: Criticising the technocratic approach to information security awareness
The purpose of this paper is to examine why mainstream information security awareness techniques have failed to evolve at the same rate as automated technical security controls and to suggest improvements based on psychology and safety science.
Improving employees’ compliance through information systems security training: An action research study
We propose a training program based on two theories: the universal constructive instructional theory and the elaboration likelihood model. We then validate the training program for IS security policy compliance training through an action research project. The action...