08 November 2022
Achievement unlocked: How behavioral science transforms device security
People lock their houses, their cars, and even their sheds full of worthless junk. So why don’t they lock their devices?

Why this security no-brainer gets pushback, and what you can do about it

Last time we looked at why dirty password habits are so persistent. This time we’re taking stock of locks—or a lack thereof. Be it PIN, pattern, or biometrics, a lock screen is a cybersecurity cornerstone.

It’s the most basic of security measures. And with remote and hybrid working environments, paired with people’s ever-growing collection of portable devices, it’s more important than ever.

Because if they’re not securing their devices, they’re opening themselves—and your organization—up to security risks like data theft and identity theft.

What are we up against?

Safe to say, not everyone is making the right choices with their devices.

Take your colleague, Tony, for instance. He locks his house every morning before leaving for work. Locks his car when he heads for the office. And even locks his shed full of old lawnmowers.

But Tony doesn’t lock his smartphone.

It’s clear that Tony’s receptive to security messaging. He already has some good security habits, and he’ll adopt one more, with a little nudge in the right direction.

Tony’s behavior is concerning. But it’s just as concerning when people do lock their devices but use simple PINs like 1-2-3-4 or their birth year.

And that’s because people just don’t think a cyberattack is something that would ever happen to them. But shoulder-surfing and smudge attacks are more common than most would like to believe.

The science part

A recent study looked at screen lock behaviors and perceptions, how long it took to create security information, and how memorable it was. The researchers also looked at how long it took to log in, how often login attempts were successful, and whether screen size made a difference to screen lock functions.

Here are a few thought-provoking insights:

People spend an hour every month (about two minutes a day) unlocking their devices. On average, that’s only 2.9% of their overall screen time.

Out of the nearly 3,500 situations the participants were asked to consider, shoulder-surfing was considered a potential risk in just 11 of them.

Size matters: people found it quickest to use a pattern on a tablet, and a PIN on a phone.

Patterns are better remembered than PINs. This is because it’s easier to remember an image than a string of numbers.

12 percent of people write down their password in order to remember it.

3 in 4 people choose difficult patterns (e.g. 8-1-6-4-3) over easy patterns (e.g. 1-2-3-6-5). 90 percent of people opted for a difficult PIN instead of an easy one.

Crucially, in another recent study, people who didn’t lock their devices were shown a short, informative video explaining the risks of unauthorized access. And it worked. Just this simple intervention changed their behaviors.

So, what does all of this mean for your security strategy?

If 75 percent of people are choosing difficult patterns over easy ones, it means they’re willing to make some extra effort if it keeps data safe, and they just need some support, education and encouragement.

A lot of people forget their logins. So, encourage biometrics and password managers.

Don’t overlook simple interventions like raising awareness through a short video.

You can read more about how using lock screens links to security risks on SebDB.

Or, if we’ve got you thinking about influencing behaviors across the board, why not take a look at our whitepaper on behavior change.

