A diary study of password usage in daily life
While past work has examined password usage on a specific computer, web site, or organization, there is little work examining overall password usage in daily life. Through a diary study, we examine all usage of passwords, and offer some new findings based on...
Using and managing multiple passwords: A week to a view
Security policies are required that protect information from unauthorised access, and also respect challenges users face in creating, and particularly managing, increasing numbers of passwords. This paper investigates real password use in the context of daily life. It...
F for fake: Four studies on how we fall for phish
This paper reports findings from a multi-method set of four studies that investigate why we continue to fall for phish. Current security advice suggests poor spelling and grammar in emails can be signs of phish. But a content analysis of a phishing archive indicates...
Text, lies and electronic bait: An analysis of email fraud
What is it that makes people fall for email scams? This analysis concluded that scammers are most concerned about building solidarity with their victims and playing to a mark’s egocentrism, which both ultimately prevent victims from making well-informed decisions...
Does domain highlighting help people identify phishing sites?
Phishers are fraudsters that mimic legitimate websites to steal user’s credential information and exploit that information for identity theft and other criminal activities. Various anti-phishing techniques attempt to mitigate such attacks. Domain highlighting is one...
The behaviour change wheel: A new method for characterising and designing behaviour change interventions
Interventions and policies to change behaviour can be usefully characterised by means of a BCW comprising: a 'behaviour system' at the hub, encircled by intervention functions and then by policy categories. Research is needed to establish how far the BCW can lead to...
Bridging the gap in computer security warnings: A mental model approach
Computer security warnings are intended to protect users and their computers. However, research suggests that users frequently ignore these warnings. The authors describe a study designed to gain insight into how users perceive and respond to computer alerts.
Effectiveness of information security awareness methods based on psychological theories
Effective user security awareness campaign can greatly enhance the information assurance posture of an organization. Information security includes organizational aspects, legal aspects, institutionalization and applications of best practices in addition to security...
Digital literacy and safety skills
This study evaluated the digital skills of 25,000 European internet users aged 9-16 by examining their online activities, skills, and self-efficacy. It was found that the range of digital skills is linked to the variety of online activities. However, many children in...
A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings
Deterrence theory is one of the most widely applied theories in information systems (IS) security research, particularly within behavioral IS security studies. Based on the rational choice view of human behavior, the theory predicts that illicit behavior can be...
The adoption of computer security: An analysis of home personal computer user behavior using the health belief model
The primary purpose of this research was to examine the adoption of computer security software in the home computer environment. The use of the Health Belief Model as a framework to design a model to examine home user adoption of computer security provided the basis...
It’s all about the Benjamins: An empirical study on incentivizing users to ignore security advice
We examine the cost for an attacker to pay users to execute arbitrary code—potentially malware. We asked users at home to download and run an executable we wrote without being told what it did and without any way of knowing it was harmless. Each week, we increased the...
Toward a typology of internet users and online privacy concerns
Traditional typologies of consumer privacy concern suggest that consumers fall into three distinct groups: One-fourth of consumers are not concerned about privacy, one-fourth are highly concerned, and half are pragmatic, in that their concerns about privacy depend on...
Cyber security in the workplace: Understanding and promoting behaviour change
Cyber security and the role employees play in securing information are major concerns for businesses. The aim of this research is to explore employee security behaviours and design interventions that can motivate behaviour change. Previous research has focused on...
Individual differences in need for cognition and decision-making competence among leaders
This paper measured leadership and need for cognition alongside decision making, concluding both need for cognition and leadership moderate susceptibility to decision-making biases.
How to change management and user resistance to password security
A study of 425 people suggested perceived severity of security threats has no significant influence on security attitudes, and that more technically literate users resist mandatory security implementations more so than less technically literate users.
The evolution and psychology of self-deception
This paper's authors argue self-deception is an evolved trait with the evolutionary advantage of helping deceive others without severe cognitive strain. They suggest self-deception – which should in theory be paradoxical – is actually achieved through dissociations of...
An overview of international cyber-security awareness raising and educational initiatives
This report provides an overview of international cyber-security awareness raising and educational initiatives.
Under-reporting of errors: An information technology perspective
We congratulate Ernesäter et al. on their study of incident reporting in nurse-led telephone triage in Sweden. The reporting of errors is crucial to the process of error management. If adverse incidents are to be minimised, organisations must learn from their...
Death by a thousand facts: Criticising the technocratic approach to information security awareness
The purpose of this paper is to examine why mainstream information security awareness techniques have failed to evolve at the same rate as automated technical security controls and to suggest improvements based on psychology and safety science.
Improving employees’ compliance through information systems security training: An action research study
We propose a training program based on two theories: the universal constructive instructional theory and the elaboration likelihood model. We then validate the training program for IS security policy compliance training through an action research project. The action...