The present paper focuses on Cyber Security Awareness Campaigns, and aims to identify key factors regarding security which may lead them to failing to appropriately change people’s behaviour. Past and current efforts to improve information-security practices and...
Background: We reflect on a methodology for developing scenario-based security behaviour surveys that evolved through deployment in two large partner organisations (A & B). In each organisation, scenarios are grounded in workplace tensions between security and...
Usable security research to date has focused on making users more secure, by identifying and addressing usability issues that lead users to making mistakes, or by persuading users to pay attention to security and make secure choices.However, security goals were set by...
Security managers define policies and procedures to express how employees should behave to ‘do their bit’ for information security. They assume these policies are compatible with the business processes and individual employees’ tasks as they know...
Organisational security policies are often written without sufficiently taking in to account the goals and capabilities of the employees that must follow them. Effective security management requires that security managers are able to assess the effectiveness of their...
Improving cyber security awareness is often assumed to improve cyber security, however this paper suggests it’s necessary for people to be engaged in cyber security in order to make people a robust cyber defence. The paper builds a model for engaging people in...
Users will pay attention to reliable and credible indicators of risks they want to avoid. Security mechanisms with a high false positive rate undermine the credibility of security and train users to ignore them. We need more accurate detection and better security...
Traditionally, organizations manage information security through policies and mechanisms that employees are expected to comply with. Noncompliance with security is regarded as undesirable, and often sanctions are threatened to deter it. But in a recent study, we...
Over the past decade, security researchers and practitioners have tried to understand why employees do not comply with organizational security policies and mechanisms. Past research has treated compliance as a binary decision: people comply, or they do not. From our...
Software engineering researcher Shari Lawrence Pfleeger and her co-authors review the latest psychological research on moral values and habit formation, discussing how principles and theories can be leverages to encourage people to behave in a cyber secure manner....
While personal data is a source of competitive advantage, businesses should consider the potential reaction of individuals to certain types of data requests. Privacy research has identified some factors that impact privacy perceptions, but these have not yet been...
Information security has adapted to the modern collaborative organisational nature, and abandoned “command-and-control” approaches of the past. But when it comes to managing employee’s information security behaviour, many organisations still use policies proscribing...
User education must focus on challenging and correcting the misconceptions that guide current user behavior. To date, user education on phishing has tried to persuade them to check URLs and a number of other indicators, with limited success. The authors evaluate a...
Many organizations struggle with ineffective and/or inefficient access control, but these problems and their consequences often remain invisible to security decision-makers. Prior research has focused on improving the policy-authoring part of authorization and does...
In this study, 120 participants were asked to test an (arbitrary) online tool. During testing, participants encountered a PDF download warning. All participants noticed the warning, but 81.7% downloaded the PDF file that triggered it regardless. The authors’ attribute...
Effective user security awareness campaign can greatly enhance the information assurance posture of an organization. Information security includes organizational aspects, legal aspects, institutionalization and applications of best practices in addition to security...
The paper is based on the findings and conclusions of research, observations and projects carried out in large organizations over the last two decades. It highlights failings and critical success factors in contemporary approaches to transform organizational culture....
This paper finds individuals comply with security practices up to a certain point only, after which point compliance wains. Organisations can influence an individual’s perception of where the compliance threshold lies so long as they know of and can manipulate...
This whitepaper discusses human vulnerabilities in full, including what they are, why they occur, how they can be mitigated, the challenges of mitigation and potential areas for further research.
Security experts frequently refer to people as “the weakest link in the chain” of system security. Famed hacker Kevin Mitnick revealed that he hardly ever cracked a password, because it “was easier to dupe people into revealing it” by employing a range of social...
This paper argues that simply blaming users for security breaches will not lead to more effective security systems and that security designers must address the causes of undesirable user behaviour to design effective security systems. Focusing on passwords in...
As the use of ubiquitous multimedia communication increases so do the privacy risks associated with widespread accessibility and utilisation of data generated by such applications. Most invasions of privacy are not intentional but due to designers inability to...
In the late 90’s, it was largely considered users were unmotivated and lazy when it came to cyber security. This UCL research suggested, actually, users compromised security systems through lack of security knowledge and non-user centric security mechanisms....
Stay up to date
Sign up to our newsletter for the latest news, views and insights.
