Lecture 1: Introduction to behavioural
change and cybersecurity
All lectures discussed, paraphrased and cited in this document are presented by Dr. Tommy
van Steen during the course Behavioural Change Approaches to Cybersecurity at Leiden
Universiteit (2020).
Introduction to cybersecurity
● Discussion board on Brightspace → for general questions.
● 4 10 ECTS courses in cybersecurity governance → focussed on governance
● 2 SPOCS → spoc = private online course. These give you technical background in
cyberspace and cybersecurity. Separate, but embedded in courses in block 1 and 3.
Embedded in this course and in Digital Justice. They are not part of the course, but are
part of the course as something separate. So you have the regular courses and in 2 of
them you have the SPOCS as well.
● SPOCS → 1 credit-ish. 6 videos per SPOC (5-10 minutes per video), additional
readings as well. You have to pass the SPOC to pass the course, but it does not up or
down your grade. It’s a fail or pass. Lecturer suggests: watch all the videos, do all the
readings, watch the videos again, then do the assignment. Quiz will be put online.
● Learning goal in this course: learn to collect meaningful data → measure the
effectiveness of behaviour change / cybersecurity solutions
● Weekly topics:
- Week 1: introduction + path model = method of designing interventions that are
likely to succeed
- Week 2: behavioural side of cybersecurity problems
- Week 3: behavioural change models and literature
- Week 4: intervention design and effectiveness testing
- Week 5: designing surveys and statistics
- Week 6: other forms of data collection
- Week 7: reporting and ethics
- Literature: Buunk & Van Vught + articles, see syllabus.
● 14 sessions in 7 weeks
● Some sessions will be more interactive, others will be lectures. Schedule is not always
right
● Week 3 and week 6 → some of us on campus. Afternoon is on campus, in the morning
it will be online. Have to sign up for campus sessions if you want to join.
● Examination!!
- Group paper (max 5000 words), 30% of final grade → will be explained next
Thursday. Deadline is 16 October. Everyone gets the same grade in the group.
1
, - Individual paper (max 1500 words), 30%
- Take home exam, 40% 20 October between 12.00 and 16.00
- SPOC: fail/pass, multiple choice quiz
- Powerpoint will be uploaded to Brightspace :-)
- Groups should be formed ourselves. Will be given some guidance in the second
session. Form groups based on what cybersecurity problems you would like to
solve.
● Course is mostly about methods. (zin in!!!!!!!!!!!!!!!!!11!!)
What is cyberspace?
“Cyberspace is composed of all the computerized networks in the world, as well as all
computerized end points, including telecommunications n
etworks, special purpose networks,
the internet, computer systems, and computer-based systems. The concept also includes the
information stored, processed, and transmitted on the devices and between these networks.”
- Ben-Israel & Tabanksy (2011).
Why care about cyberspace?
- Protection of Critical National Infrastructure → water supply, electricity etc. could be
hacked
- Financial reasons → example: ransomware attack on Maastricht University. Being more
cyber-secure in advance saves you money.
- Privacy and sensitive data
Protection of Data: CIA-triad
→ Triad of information security
- Confidentiality → who has access to this data? Breaching confidentiality by hacking
emails for example.
- Integrity → trustworthiness of data. Example: someone gets access to the Brightspace
account of the teacher, someone could alter grades, this makes the grades
untrustworthy. This is not very subject to cyber attacks.
- Availability → whether the people who should have access can access the data.
Maastricht attack: availability went down, restricted by an outside party.
- Any cyber security attack can be identified as one or multiple of the CIA-triad.
2
,Cyber security background
Model:
3
, - We will mostly look at the social-technical layer in this course
- You can have all the best data security software, but human errors would still happen.
Complex systems do not protect human errors.
People are the weakest link
- Schneier: “Only amateurs attack machines, professionals target people”
- Cranor: “It is becoming increasingly apparent that humans are a major cause of
computer security failures.”
- Cyber security issues cannot be solved by just clever programming → human error
A CEO of a UK company ran phishing tests, to see if employees would click the links that were
sent. They wanted to fire everyone who clicked the link. Assumption that end-users are at fault,
but the board and the CEO were not part of the test. But.. the CEO actually forwarded a
phishing link to one of his employees (so he was in the wrong). He would not acknowledge his
fault in thinking the email was real. Cybersecurity is not on the forefront of anyone’s mind.
Interventions should always be aimed at individuals getting better at something.
Introduction to behavioural change
How can you change behaviour?
Video: human behaviour experiment lift antics
- https://www.youtube.com/watch?v=XZDLbbfT9_Q
- 3 people standing in an elevator, all facing the wall, 4th person joins. Eventually, the 4th
person also turns around to face the wall.
- The experiment is done with other things as well, liking taking off your hat. The person
that does not know he is being filmed follows what the others are doing.
Video: the Asch Experiment
- https://www.youtube.com/watch?v=qA-gbpt7Ts8
- Experiment about group conformity.
4
change and cybersecurity
All lectures discussed, paraphrased and cited in this document are presented by Dr. Tommy
van Steen during the course Behavioural Change Approaches to Cybersecurity at Leiden
Universiteit (2020).
Introduction to cybersecurity
● Discussion board on Brightspace → for general questions.
● 4 10 ECTS courses in cybersecurity governance → focussed on governance
● 2 SPOCS → spoc = private online course. These give you technical background in
cyberspace and cybersecurity. Separate, but embedded in courses in block 1 and 3.
Embedded in this course and in Digital Justice. They are not part of the course, but are
part of the course as something separate. So you have the regular courses and in 2 of
them you have the SPOCS as well.
● SPOCS → 1 credit-ish. 6 videos per SPOC (5-10 minutes per video), additional
readings as well. You have to pass the SPOC to pass the course, but it does not up or
down your grade. It’s a fail or pass. Lecturer suggests: watch all the videos, do all the
readings, watch the videos again, then do the assignment. Quiz will be put online.
● Learning goal in this course: learn to collect meaningful data → measure the
effectiveness of behaviour change / cybersecurity solutions
● Weekly topics:
- Week 1: introduction + path model = method of designing interventions that are
likely to succeed
- Week 2: behavioural side of cybersecurity problems
- Week 3: behavioural change models and literature
- Week 4: intervention design and effectiveness testing
- Week 5: designing surveys and statistics
- Week 6: other forms of data collection
- Week 7: reporting and ethics
- Literature: Buunk & Van Vught + articles, see syllabus.
● 14 sessions in 7 weeks
● Some sessions will be more interactive, others will be lectures. Schedule is not always
right
● Week 3 and week 6 → some of us on campus. Afternoon is on campus, in the morning
it will be online. Have to sign up for campus sessions if you want to join.
● Examination!!
- Group paper (max 5000 words), 30% of final grade → will be explained next
Thursday. Deadline is 16 October. Everyone gets the same grade in the group.
1
, - Individual paper (max 1500 words), 30%
- Take home exam, 40% 20 October between 12.00 and 16.00
- SPOC: fail/pass, multiple choice quiz
- Powerpoint will be uploaded to Brightspace :-)
- Groups should be formed ourselves. Will be given some guidance in the second
session. Form groups based on what cybersecurity problems you would like to
solve.
● Course is mostly about methods. (zin in!!!!!!!!!!!!!!!!!11!!)
What is cyberspace?
“Cyberspace is composed of all the computerized networks in the world, as well as all
computerized end points, including telecommunications n
etworks, special purpose networks,
the internet, computer systems, and computer-based systems. The concept also includes the
information stored, processed, and transmitted on the devices and between these networks.”
- Ben-Israel & Tabanksy (2011).
Why care about cyberspace?
- Protection of Critical National Infrastructure → water supply, electricity etc. could be
hacked
- Financial reasons → example: ransomware attack on Maastricht University. Being more
cyber-secure in advance saves you money.
- Privacy and sensitive data
Protection of Data: CIA-triad
→ Triad of information security
- Confidentiality → who has access to this data? Breaching confidentiality by hacking
emails for example.
- Integrity → trustworthiness of data. Example: someone gets access to the Brightspace
account of the teacher, someone could alter grades, this makes the grades
untrustworthy. This is not very subject to cyber attacks.
- Availability → whether the people who should have access can access the data.
Maastricht attack: availability went down, restricted by an outside party.
- Any cyber security attack can be identified as one or multiple of the CIA-triad.
2
,Cyber security background
Model:
3
, - We will mostly look at the social-technical layer in this course
- You can have all the best data security software, but human errors would still happen.
Complex systems do not protect human errors.
People are the weakest link
- Schneier: “Only amateurs attack machines, professionals target people”
- Cranor: “It is becoming increasingly apparent that humans are a major cause of
computer security failures.”
- Cyber security issues cannot be solved by just clever programming → human error
A CEO of a UK company ran phishing tests, to see if employees would click the links that were
sent. They wanted to fire everyone who clicked the link. Assumption that end-users are at fault,
but the board and the CEO were not part of the test. But.. the CEO actually forwarded a
phishing link to one of his employees (so he was in the wrong). He would not acknowledge his
fault in thinking the email was real. Cybersecurity is not on the forefront of anyone’s mind.
Interventions should always be aimed at individuals getting better at something.
Introduction to behavioural change
How can you change behaviour?
Video: human behaviour experiment lift antics
- https://www.youtube.com/watch?v=XZDLbbfT9_Q
- 3 people standing in an elevator, all facing the wall, 4th person joins. Eventually, the 4th
person also turns around to face the wall.
- The experiment is done with other things as well, liking taking off your hat. The person
that does not know he is being filmed follows what the others are doing.
Video: the Asch Experiment
- https://www.youtube.com/watch?v=qA-gbpt7Ts8
- Experiment about group conformity.
4
