Is cybersecurity research missing a trick? Integrating insights from the psychology of habit into research and practice.

The idea that people should form positive security habits is gaining increasing attention amongst security practitioners. Habit is a well-studied concept in psychology, but the extent to which the richness of that literature has been fully utilised for security is currently unclear. In order to address this gap, we compared usage of the term ”habit” and connected constructs in the cybersecurity and habit fields using a co-occurrence networks-based analysis. We aimed to answer three research questions: 1. What is the context within which habit has been discussed in the habit literature and the cybersecurity literature; 2. How does the discussion in these two fields compare; and 3. What are the implications of the outcomes of this analysis for the future research agenda for cybersecurity behaviour? The analysis showed that the habit construct tended to be discussed primarily in the context of other models, rather than on its own. The depth of discussion was therefore limited; resulting gaps in knowledge have important implications for security, like the idea that habits moderate the relationship between intention and behaviour. Given the popularity of the theory of planned behaviour in security research, this represents a key omission. Furthermore, the cybersecurity literature we surveyed contained very little discussion surrounding methods for formation and changing of habits, nor of the role of cues in triggering habitual behaviours. Habits require a different behaviour change approach than intentional behaviours, and many day-to-day security behaviours may in fact be habits. For that reason, these topics represents a potentially productive avenue of research for both security and privacy behaviour.