An exploratory investigation of message-person congruence in information security awareness campaigns
In this study, we sought to answer the question of whether certain information security awareness message themes are more or less effective for different types of individuals based on their personality traits. We considered five message themes (deterrence, morality,...
Predicting Facebook users’ online privacy protection: Risk, trust, norm focus theory, and the theory of planned behavior
The present research adopts an extended theory of the planned behavior model that included descriptive norms, risk, and trust to investigate online privacy protection in Facebook users. Facebook users (N = 119) completed a questionnaire assessing their attitude,...
Is the influence of privacy and security on online trust the same for all type of consumers?
This article analyzes the relationships among online trust and two of its most important antecedents, namely privacy and security, and explains how consumers’ characteristics (gender, age, education and extraversion) moderate the influence of both privacy and...
Why deterrence is not enough: The role of endogenous motivations on employees’ information security behavior
Information systems security (ISS) is an increasingly critical issue for companies worldwide. In 2013 cybercrime has caused losses worth US $113 billion affecting 378m victims (Norton Symantec Cybercrime Report 2013). Besides criminal attacks and system malfunctions,...
Nudging whom how: IT proficiency, impulse control and secure behaviour
This paper considers the utility of employing behavioural nudges to change security-related behaviours. We examine the possibility that the effectiveness of nudges may depend on individual user characteristics – which represents a starting point for more personalized...
Security literacy: The missing link in today’s online society?
With the successive revolutions in personal computing, Internet access, and mobility, the last few decades have seen an unprecedented period of technological growth and accompanying information access. While most of the consequences have been positive, and in many...
Sensitizing employees’ corporate IS security risk perception
Motivated by recent practical observations of employees’ unapproved sourcing of cloud services at work, this study empirically evaluates bring your own cloud (BYOC) policies and social interactions of the IT department to sensitize employees’ security risk perception....
Chatbot for IT security training: Using motivational interviewing to improve security behaviour
We conduct a pre-study with 25 participants on Mechanical Turk to find out which security behavioural problems are most important for online users. These questions are based on motivational interviewing (MI), an evidence-based treatment methodology that enables to...
Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q)
This paper delves into the realm of Cyber Security Awareness Campaigns, with a specific focus on identifying critical factors that may hinder their effectiveness in driving behavioral change. Despite past and ongoing efforts to enhance information security practices...
Using personal examples to improve risk communication for security & privacy decisions
IT security systems often attempt to support users in taking a decision by communicating associated risks. However, a lack of efficacy as well as problems with habituation in such systems are well known issues. In this paper, we propose to leverage the rich set of...
A field trial of privacy nudges for Facebook
This study explores the design of two modifications to the Facebook web interface aimed at nudging users to consider their online disclosures more carefully. The modifications, reminders about the audience of posts and a time delay before publishing, were evaluated in...
“My religious aunt asked why I was trying to sell her viagra”: Experiences with account hijacking
With so much of our lives digital, online, and not entirely under our control, we risk losing access to our communications, reputation, and data. Recent years have brought a rash of high-profile account compromises, but account hijacking is not limited to high-profile...
Betrayed by updates: How negative experiences affect future security
This paper discusses the importance of installing security-relevant software updates as a key computer protection mechanism. Interviews with non-expert Windows users revealed that negative experiences with past updates often lead users to decide against installing...
Decision-making under risk: Integrating perspectives from Biology, Economics, and Psychology
This review critiques four influential theories of decision-making from economics, psychology, and biology: expected utility theory; prospect theory; risk-sensitivity theory; and heuristic approaches. After doing so, it offers suggestions for integrating theories from...
Evaluating social media privacy settings for personal and advertising purposes
The purpose of this paper is to define two types of privacy, which are distinct but often reduced to each other. It also investigates which form of privacy is most prominent in privacy settings of online social networks (OSN). Privacy between users is different from...
Using comics to teach users about mobile online privacy
Users’ privacy is increasingly being jeopardized by images uploaded using smartphones. These images have detailed metadata that can be used maliciously. We designed an online interactive comic to study whether this kind of teaching media can effectively communicate to...
EAST: Four simple ways to apply behavioural insights
Following extensive engagement with policy makers through lectures, seminars, workshops, and discussions, the UK government's Behavioural Insights Team has distilled years of insights into a simplified framework designed to promote behavioral change. According to their...
Sixty years of fear appeal research: Current state of the evidence
This paper reviews empirical evidence on the effectiveness of fear appeals, concluding campaigns that empower users are more effective than campaigns that aim to scare users (at least in the health sector), and that fear shouldn't necessarily be the go-to tactic when...
Learning from “Shadow Security”: Why understanding non-compliant behaviors provides the basis for effective security
Over the past decade, security researchers and practitioners have tried to understand why employees do not comply with organizational security policies and mechanisms. Past research has treated compliance as a binary decision: people comply, or they do not. From our...
Building a self-regulatory model of sleep deprivation and deception: The role of caffeine and social influence
This study first examines the role that caffeine plays in moderating the depletion of self-regulatory resources, finding caffeine does indeed boost self-regulatory resources. The study also examines how social influence impacts deceptive behaviours at work, finding...
A longitudinal study to determine non-technical deterrence effects of severity and communication of internet use policy for reducing employee internet abuse
This is the second part of a longitudinal study that examines how employee Internet abuse may be reduced by non-technical deterrence methods, specifically via IT acceptable use policies (AUP). Both studies used actual usage and audit logs (not self-reporting measures)...