Human Factors and Cybersecurity - The Psychology of Online Safety and Security

Read more

Human Factors in Cybersecurity examines the intricate interplay between human behaviour and digital security, offering a comprehensive exploration of how psychological, dispositional, and situational factors influence cybersecurity practices.

List of contents

Preface. 7
1 Chapter 1: The Foundations of Cybersecurity. 11
1.0 Abstract 11
1.1 Misplacing information is not something new! 11
1.2 The Development of modern Information Security. 12
1.3 What is this thing you humans call 'Information Security?' 13
1.3.2 Is the CIA model still relevant?. 15
1.4 The Origins of Cybersecurity. 16
1.4.1 Defining Cybersecurity. 16
1.5 Cyber-harm.. 19
1.6 Consolidating Cyber and Information Security. 21
1.7 Summary. 23
2 The Insider Threat: Understanding the Risks Within. 24
Abstract 24
2.1 Introduction. 24
2.2 What is an Insider Threat?. 25
2.3 The Accidental or Unintentional Insider Threat 26
2.4 Taxonomical approaches to The Malicious Insider Threat 27
2.5 Psychological Precursors for Malicious Insider Threat 31
2.6 Mitigating the Insider Threat 41
2.7 Summary. 43
3 3. A Human-Centred Approach. 45
Abstract 45
3.1 Examples from the Past 45
3.2 Why Work on Human Factors in Cybersecurity?. 46
3.3 Introducing the Human Factors Approach. 47
3.4 Cybersecurity as a Complex System.. 48
3.5 Applying the Human Factors Approach. 49
3.6 Previous work on Human Factors and Cybersecurity. 52
3.7 Summary. 57
4 The Role of Context and Individual Differences. 59
4.1 Abstract 59
4.2 Introduction. 59
4.3 Psychological Factors. 59
4.3.1 Human Attention. 60
4.3.2 Limits on Attentional Capacity. 61
4.3.3 Memory. 61
4.3.4 Decision Making. 63
4.3.5 Emotion. 65
4.4 Dispositional Factors. 66
4.4.1 Personality. 66
4.4.2 Risk Perception and Risk Taking. 67
4.4.3 Locus of Control 68
4.5 Demographic Factors. 68
4.5.1 Age. 68
4.5.2 Gender 69
4.5.3 Culture. 70
4.6 Fatigue. 71
4.7 Summary. 72
5 When Mistakes Happen. 74
Abstract 74
5.1 Introduction. 74
5.2 What is an Error?. 75
5.3 Understanding the types of Human Error. 76
5.4 The Role of Prior Intent in Errors; Did we really mean to do that?! 77
5.5 Non-Intentional Voluntary Actions. 78
5.6 The Types of Errors that can emerge. 79
5.6.1 Slips. 79
5.6.2 Lapses. 79
5.6.3 Mistakes. 79
5.7 Active versus Latent errors. 81
5.8 Situational Awareness. 82
5.8.1 Endsley's Three Tier Model for SA. 82
5.8.2 Application to Cybersecurity. 84
5.9 Enhancing SA for Cybersecurity Awareness. 85
5.10 Summary. 87
6 Cognitive Pitfalls and Cybersecurity. 90
Abstract 90
6.1 Introduction. 90
6.2 Type 1: Heuristic or Inductive Processing. 91
6.3 Type 2: Systematic, Deductive Processing. 92
6.4 Heuristics and Biases. 93
6.4.1 Representativeness. 93
6.4.2 Availability Heuristic. 95
6.4.3 Anchoring and Adjustment 96
6.4.4 Recognition. 97
6.4.5 Affect Heuristic. 97
6.5 Cognitive Biases. 98
6.5.1 Optimism Bias. 98
6.5.2 Confirmation Bias. 99
6.5.3 Framing Effect 100
6.5.4 Status Quo Bias. 101
6.5.5 Illusion of Control 102
6.6 How do we deal with Cognitive Biases?. 103
6.7 Summary. 104
7 Decision Making Under Pressure. 106
Abstract 106
7.1 Introduction. 106
7.2 The Theory of Planned Behaviour (TPB, Ajzen, 1985; 1991) 107
7.2.1 Theory of Planned Behaviour and Cybersecurity. 108
7.3 Protection Motivation Theory (PMT) 109
7.3.1 Threat Appraisal 110
7.3.2 Coping Appraisals. 110
7.3.3 PMT and Cybersecurity. 110
7.4 Technology Theat Avoidance Theory (TTAT) 112
7.4.1 TTAT and Cybersecurity. 113
7.5 General Deterrence Theory. 113
7.5.1 GDT and Cybersecurity Awareness. 114
7.6 Neutralisation Theory. 115
7.6.1 Neutralisation theory and Cybersecurity. 117
7.7 Which theory is best?. 118
7.8 Summary. 122
8 Assessing Cybersecurity Awareness. 123
Abstract 123
8.1 Introduction. 123
8.2 Self-report measures. 124
8.2.1 The Security Behaviour Intentions Scale (SeBIS) 126
8.2.2 Summary of self-report methods. 130
8.3 Qualitative methods. 131
8.3.1 Interviews and focus groups. 132
8.4 Other methods - simulations and games. 134
8.5 Summary. 137
9 Personality and Workplace Cybersecurity. 138
Abstract 138
9.1 Introduction. 138
9.2 Personality Traits. 139
9.2.1 Openness to Experience. 139
9.2.2 Neuroticism.. 140
9.2.3 Agreeableness. 141
9.2.4 Conscientiousness. 141
9.2.5 Extraversion. 141
9.3 Personality and Counterproductive work behaviours. 142
9.4 Dark Triad and Cybersecurity. 143
9.4.1 Machiavellianism.. 143
9.4.2 Narcissism.. 144
9.4.3 Psychopathy. 144
9.5 The Dark Triad and Counterproductive Work Behaviours. 145
9.6 How Relevant are Personality factors in Cybersecurity?. 145
9.6.1 Additional Considerations. 146
9.7 Summary. 147
10 Cultural Influences on Cybersecurity Practices. 148
Abstract 148
10.1 Introduction. 148
10.2 National Culture. 148
10.3 National Culture and Trust 152
10.4 National Culture and Risk Perception. 153
10.5 Culture and Information Security Awareness. 157
10.6 Organisational Culture. 159
10.7 Defining Cybersecurity Culture. 161
10.8 Summary. 165
11 Counterproductive Work Behaviour and Cybersecurity. 167
11.1 Introduction. 167
11.2 Counterproductive Work Behaviours. 167
11.3 Cyber-Counterproductive Work Behaviours (C-CWB). 168
11.4 Predictors for Counterproductive Work Behaviours. 170
11.4.1 Boredom.. 170
11.4.2 Workplace stress. 172
11.4.3 Job Attitudes. 174
11.4.4 Social Norms. 174
11.4.5 Moral Disengagement 175
11.5 Work Locus of Control 178
11.6 Strategies for Dealing with Counterproductive Work Behaviours. 179
11.7 Summary. 180
12 The Dark Side of Technology in the Workplace: Implications for Cybersecurity. 181
Abstract 181
12.1 Introduction. 181
12.2 Technostress. 182
12.2.1 Technostress and Cybersecurity Fatigue. 184
12.2.2 Mitigating Technostress and Cybersecurity Fatigue. 186
12.3 Multitasking. 187
12.3.1 Multitasking and Cybersecurity. 188
12.4 Interruptions. 189
12.4.1 Interruptions and Cybersecurity. 190
12.5 Internet Addiction. 191
12.6 The Social Media Paradox and the Fear of Missing Out (FoMO) 192
12.7 Cyberloafing. 193
12.7.1 Cyberloafing - Surely it does not impact Cybersecurity. 194
12.7.2 Mitigation strategies for Cyberloafing. 195
12.8 Summary. 196
13 The Psychology of Cybercrime. 198
13.1 Abstract 198
13.2 Introduction. 198
13.3 The Psychological Foundations of Cybercrime. 198
13.4 Cognitive Biases and Heuristics in Cybercrime. 199
13.5 Influence and Persuasion. 200
13.5.1 Authority. 200
13.5.2 Social proof. 202
13.5.3 Conformity and Social Proof. 203
13.5.4 Liking/similarity. 204
13.5.5 Commitment and consistency. 205
13.5.6 Scarcity. 206
13.5.7 Reciprocation. 207
13.6 Social Engineering. 207
13.7 Marking your Target 208
13.8 Mitigation Strategies. 209
13.9 Summary. 210
14 The Final Frontier. 212
Abstract 212
14.1 Introduction. 212
14.2 Training. 213
14.3 Gamification. 214
14.3.1 Gamification Mechanics. 215
14.3.2 Gamification and Cybersecurity. 215
14.3.3 Barriers to implementation of Gamification. 216
14.4 Behavioural Nudges. 216
14.5 On the Effectiveness of Nudges. 219
14.6 Social and Peer Led learning. 220
14.7 Cybersecurity Awareness Campaigns. 222
14.8 Cybersecurity Judgement and Decision Making. 224
14.9 Summary. 224
15 Index. 226

About the author

Lee Hadlington is Senior Lecturer in Cyberpsychology at Nottingham Trent University. His research focuses directly on aspects of risk and resilience in Cyberspace, with a particular emphasis on susceptibility to cybercrime, fake news and misinformation, cybersecurity, and information security.
Chloe Ryding has a PhD in Psychology from Nottingham Trent University. Her research interests focus in the area of Cyberpsychology, particularly online behaviours and well-being outcomes regarding social networking sites and digital technologies, and fake news and misinformation.