
Behavioural Change Approaches to Cybersecurity Lecture Notes (Lectures 1-14) - GRADE 8,0

Pages: 31
Uploaded on: 23-10-2024
Written in: 2024/2025

Notes on the lectures from the course (2024) Behavioural Change Approaches to Cybersecurity. INCLUDES notes from lectures 1-14 (Total: 31 pages).



Behavioural Change Approaches to Cybersecurity Lecture Notes
(Lectures 1-14)


Lecture 1: Introduction
Lecture 2: The PATHS Model
Lecture 3: Problems in Cybersecurity
Lecture 5: Behavioural Change Models & Theories
Lecture 6: Cybersecurity Training
Lecture 7: Intervention Design & Behavioural Change Techniques
Lecture 8: Nudging & Techno Regulation
Lecture 9: Effectivity Testing & Measuring Cybersecurity
Lecture 10: Survey Design
Lecture 11: Statistics
Lecture 13: Reporting & Executive Summary
Lecture 14: Ethics



Lecture 1: Introduction
I. Introduction to Cybersecurity
Why do we care?
● Protection of Critical National Infrastructure
➔ CIA-triad of information security:
◆ Confidentiality (e.g., email content).
◆ Integrity (i.e., data is properly adjusted, deleted or managed).
◆ Availability (i.e., actual access to the data).
● Financial reasons
● Privacy & sensitive data

Different perspectives in cybersecurity:
● Technical
● Socio-technical (how people interact with technology).
● Governance

Humans are the weakest link in data protection (major cause of computer security failures).

II. Introduction to Behavioural Change
If people were rational, security could be improved by providing information, providing arguments &
“increasing awareness”:
● No one would use the same password twice.
● Never a successful phishing scam.
● No ransomware attacks.

HOWEVER, giving the public information on cybersecurity awareness does NOT work satisfactorily.

Principles of psychology = trying to make sense of human behaviour:
● Why we do what we do
● Why we think what we think
● Why we feel what we feel

“Black swan approach” in philosophy & psychology = events that are surprising from the observer’s
perspective (BUT NOT necessarily from that of the originator), have major impact & are often
rationalised after they occurred, as if they could be well predicted.
➔ All swans are white, until a black one gets discovered.

Behavioural change mostly focuses on ‘doing’ & ‘thinking’.
➔ Took flight after WWII.
◆ Attempted to answer questions such as what made the Holocaust possible?
◆ Initial studies on authority as a way to influence behaviour.
➔ Milgram’s Obedience to Authority Study (1960s): A set of experiments which explored the
effects of authority on obedience. In the experiments, an authority figure ordered
participants to deliver what they believed were dangerous electrical shocks to another
person. These results suggested that people are highly influenced by authority & highly
obedient.
➔ The Asch Experiment (1950s): Revealed the degree to which a person’s own opinions are
influenced by those of a group. Asch found that people were willing to ignore reality & give
an incorrect answer in order to conform to the rest of the group (group pressure).




III. Social Influence
Behaviour does NOT occur in a vacuum. People are affected by their social situations (others,
situation & physical environment).
➔ Fundamental attribution error = who cares about the situation?

Cialdini’s Six Weapons of Influence
● Data driven approach.
● How do companies persuade consumers? (telemarketing, car salesmen, restaurants).
● 6 weapons of influence:
1. Authority (formal/informal) = mostly a matter of perception.
➔ In cybersecurity, bring in the experts.
2. Social proof/validation = behaviour/following the majority (e.g., “edition X is the
most popular among customers,” empty vs. full tip jars).
➔ In cybersecurity, 37% more explorers of security options when presented
with social proof.
3. Liking = the more we like someone the more ‘likely’ we are to act.
➔ Ways of influencing:
I. Be friendly
II. Similarity
III. Mimicry (e.g., posture, verbal).
➔ In cybersecurity, stories from people who are similar to you. Ability to
identify yourself with others.
4. Scarcity = restricting access increases wanting (FOMO, time/stock limits).
➔ In cybersecurity, companies can limit resources (at first). Often used in
scams.
5. Commitment/consistency = people dislike being inconsistent. Once people commit,
they are more likely to act (e.g., public commitment, foot in the door technique).
➔ In cybersecurity, do NOT expect people to do everything at once. Let them
first (publicly) commit to it. This makes it easier to be consistent.
➔ 1. sign up to something, then 2. commit to broader policy.
6. Reciprocity = tit for tat. We reciprocate favours & gifts (e.g., waiters in restaurants
giving chocolates increases tipping behaviour).
➔ “That’s not all” Technique: Additional effort is reciprocated in increased
likelihood of sale.

➔ In cybersecurity, better services, CIA-triad & other rewards can be given to
people in return for good cyber behaviour (e.g., message framing).



Lecture 2: The PATHS Model
Behavioural Change
E.g., how to influence people to install a VPN:
1. Scarcity = limited time offers.
2. Reciprocation = free trial period, provide courses/information.
3. Authority = experts, government recommendations.


Behavioural change:
● Largely solution-based
● Client requirements for interventions:
1. Solutions work for everyone all the time
2. Cheap
3. Limited time frame
● HOWEVER, need for a transition from solution → understanding.

PATHS model (completed on a small scale first, before doing a big rollout):
1. Problem = problem to a problem definition.
➔ What is the problem exactly? 6 questions:
1. What is the problem?
2. Why is it a problem?
3. For whom is it a problem?
4. What causes the problem?
5. What is the target group?
6. What are key aspects of the problem?
◆ Companies often struggle with specificity (e.g., phishing: does the company want people
not to click on the email or just report it directly?).
➔ Based on the 6 questions = what behaviour should you focus on changing?
◆ Usually focused on developing a clear, simple, concise behaviour that can be
measured.
2. Analysis = problem definition to analysis & explanation.
➔ Link the findings of the Problem-stage to the scientific literature.
◆ What has been written about your problem?
◆ What are the relevant theories?
◆ Which concepts are related to the problem?
➔ Which human factors OR situational factors need to be taken into consideration?
◆ Why does this happen?
3. Testing = explanations to a process model.
➔ Is there research on the possible causes?
➔ How are the relevant concepts/causes related?
➔ Can you find interventions that were effective (different target groups/related
behaviours)?

Document information

File updated on: 25 October 2024
Type: Lecture notes
Professor(s): Dr. T. van Steen
Contains: All lectures

Seller: giacomoef, Universiteit Leiden