Leveraging behavioral science to mitigate cyber security risk

Pfleeger, Shari Lawrence; Caputo, Deanna D.

doi:10.1016/j.cose.2011.12.010

Cited by 196 publications

(138 citation statements)

References 21 publications

Supporting

Mentioning

138

Contrasting

Order By: Relevance

“…Although this impact is clearly computable when it only concerns a limited control over a technological system (e.g., hiding some attributes in an access control system), it is not necessarily the case in general. Research in psychology tells us that decision-makers can be influenced (e.g., [11,23,10,5]), and there is a growing interest in using behavioural sciences when developing and implementing security products revealed recently (e.g., [15,20,24,18,6]). However, more research is needed to eventually provide a catalog of effects applicable to a decision-maker, together with a measure of their impact.…”

Section: Resultsmentioning

confidence: 99%

Nudging for Quantitative Access Control Systems

Morisset

Groβ

Moorsel

et al. 2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We propose in this paper a formal model for soft enforcement, where a decision-maker is influenced towards a decision, rather than forced to select that decision. This novel type of enforcement is particularly useful when the policy enforcer cannot fully control the environment of the decision-maker, as we illustrate in the context of attribute-based access control, by limiting the control over attributes. We also show that soft enforcement can improve the security of the system when the influencer is uncertain about the environment, and when neither forcing the decision-maker nor leaving them make their own selection is optimal. We define the general notion of optimal influencing policy, that takes into account both the control of the influencer and the uncertainty in the system.

show abstract

Section: Resultsmentioning

confidence: 99%

Nudging for Quantitative Access Control Systems

Morisset

Groβ

Moorsel

et al. 2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Users are not equipped with the right mental models to understand how their actions impact their privacy. Privacy self-management is also not considered to be their primary task (Pfleeger and Caputo, 2012). However, an important part of the app store experience requires users to consent to a certain level of data access that may involve detrimental consequences like identity theft.…”

Section: Introductionmentioning

confidence: 97%

Re-designing Permission Requirements to Encourage BYOD Policy Adherence

Lee

Still

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Many corporations and organizations support a Bring Your Own Device (BYOD) policy, which allows employees to use their personal smartphones for work-related purposes. Access to proprietary company data and information from an employee's smartphone raises serious privacy and security concerns. Companies are vulnerable to data breaches if employees are unable to discern which applications are safe to install. Situating privacy requirements ought to encourage safer application install decisions and decrease risker ones. This study examines the use of context-relevant warning messages, which alert employees to be cautious when the company's BYOD policy may be violated. We also explore the impact of presenting permission requirements before and after making the install decision. We provide evidence that the presence of warnings, despite the timing of when they were presented, facilitated a lower number of risky installations. In situations when it was safe to install an application, warning messages presented before the install decision drastically encouraged installations compared to when there were no warnings. Interestingly, the opposite pattern was found when warning messages were presented after the decision. Overall, better privacy and security decisions will be made if permission requirements are displayed with relevant warning messages. In addition, safe installations will be encouraged through the placement of these meaningful warnings on the description page of a mobile application before a user has decided to install it.

show abstract

“…Poor security communication makes it difficult for users to respond to a real security threat since they may underestimate the likelihood of the threat. Often users are motivated to respond to a security threat when the risk is evident and personal (Pfleeger & Caputo, 2011). Furthermore, little is known about the circumstances in which individuals feel fearful and the characteristics of the individuals that may serve to accentuate or diminish the emotion of fear in security compliance situations (Crossler et al, 2013).…”

Section: Severity and Vulnerability Of Security Threatsmentioning

confidence: 99%

“…Furnell and Rajendran (2012) identified a mix of job characteristics, and organisational and non-work factors that all play a role in affecting employees' security compliance. To complicate the issue fur-ther, individuals' personality attributes can also act as a filter of the environmental impact and affect individual attitudes and behaviour toward security behaviour (Furnell Rajendran, 2012;Pfleeger & Caputo, 2011).…”

Section: Research Challenges For Improving Security Behaviourmentioning

confidence: 99%

Review of Behavioural Theories in Security Compliance and Research Challenge

2017

View full text Add to dashboard Cite

Aim/PurposeInconsistent findings on the effect of various determinants of cyber security behaviour emphasise the need for further understanding of the applicability of compliance theories. The paper provides a critical review of determinants of users' cyber security behaviour and establishes directions for future research. Background Cyber security behaviour has been studied using a range of behavioural theories. Factors from these theories help organisations to develop suitable initiatives to encourage positive compliance from the employees. ContributionThe paper integrates factors that can impact cyber security behaviour from Theory of Planned Behaviour, Protection Motivation Theory, Rational Choice Theory and General Deterrence Theory into an overarching framework for better connection of the theories. Previous studies' findings were analysed to establish research challenges in the field. Future Research Future research should investigate the complex interaction between organizational and personal characteristics so that a security program can be developed that can effectively engage employees with security tasks even in demanding work environment.

show abstract

Leveraging behavioral science to mitigate cyber security risk

Cited by 196 publications

References 21 publications

Nudging for Quantitative Access Control Systems

Nudging for Quantitative Access Control Systems

Re-designing Permission Requirements to Encourage BYOD Policy Adherence

Review of Behavioural Theories in Security Compliance and Research Challenge

Contact Info

Product

Resources

About