behaviour change and cyber-security
Stream Two
People: The Strongest Link
#CYBERUK17
Behaviour Change, Cyber-Security and lessons from other domains
Professor Adam Joinson, University of Bath
Lesson 1: Identify a behaviour to change
• Fifteen campaigns analysed
• Majority awareness raising
  • nature of cyber security
  • raising fear of consequences
• One presented evidence of effectiveness
• Only one seemed to be based on behaviour change principles
• Password management
• Up-to-date anti-virus/OS
• Logout/shutdown
• Trusted/secure connections and sites
• Stay informed
• Minimize personal identity
• Be aware of physical surrounding
• Reporting
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/309652/14-835-cyber-security-behavioural-insights.pdf
The ‘who and what?’ of security behaviour
“…the styles, approaches and values that the organisation wishes to adopt towards security. It can range from whether employees adhere to a clear desk policy to whether they share sensitive information on social networking sites.”
http://www.cpni.gov.uk/Documents/Publications/2016/03.08.2016%20SeCuRE%20Tool.pdf
COM-B system for analysing behaviour in context (Michie et al., 2011)
Lesson 2: Know what success (and failure) looks like
Intervention mapping
Define ‘Cyber’
Take Training
Measure Compliance
Lesson 3: Look to understand the causes of the behaviour
The Behaviour Change Wheel: hub
Michie et al., 2011
Common terms for methods for inducing behaviour change
• Educate, Train, Help
• Expose to, Inform, Discuss, Suggest, Encourage, Incentivise, Ask, Order, Plead, Coerce, Force
• Provide, Prompt, Constrain
Michie et al., 2011
Common terms for methods for inducing behaviour change
• Capability: Educate, Train, Help
• Motivation: Expose to, Inform, Discuss, Suggest, Encourage, Incentivise, Ask, Order, Plead, Coerce, Force
• Opportunity: Provide, Prompt, Constrain
Michie et al., 2011
self-monitoring in cycling
Piwek, L., Joinson, A., & Morvan, J. (2015). The use of self-monitoring solutions amongst cyclists: An online survey and empirical study. Transportation Research Part A: Policy and Practice, 77, 126-136.
is self-monitoring mainly relevant for performance-oriented cyclists?
[Figure: study design. Groups: 13 non-trackers, 12 trackers. Duration: 5 weeks, plus initial survey and debriefing interview. Equipment labels: pedometer only; pedometer + calendar; + cycling computer.]
experience sampling calendar
[Figure: total number of days cycled to campus in 5 weeks, and total distance cycled across 5 weeks (km). Groups: non-trackers; trackers, high engagement with self-monitoring; trackers, low engagement with self-monitoring.]
self-monitoring is mainly relevant for performance-oriented cyclists>
Spear Phishing Simulations
Working with organisations in the CNI (gov, defence industry, finance)
Studying their results from internal spear phishing exercises
>120,000 spear phish emails sent to staff
Coded by researchers on influence technique
Some individual data also collected
In one case, clicking led to survey
Common phishing techniques
• Exploit social norms and decision-making processes
• Social Influence Processes
  • Authority
  • Liking & similarity
  • Reciprocity
  • Conformity
• Sense of Urgency
  • Use of deadlines
  • Time pressure
• Invoking Emotions
  • Can be negative or positive
  • Excitement, desire, hope or curiosity
  • Fear, panic or anxiety
  • Anger
• Decision Biases
  • Truth bias
  • Confirmation bias
  • Expectations
• Legitimacy Cues
  • Mimic trusted entities
  • Exploit authenticity cues
• Click rates vary hugely
• Average ~ 15% in largest data set (63,000)
• Authority, Urgency, Curiosity worked best
• Few demographic differences, subsets of vulnerable users.
Follow up focus groups
Example: The role of familiarity and expectations
• “it’s a company she deals with, we’ve currently got problems with accounts payable… and actually why would she not believe that it was true.”
• “when I first came here, I was, because I wasn’t familiar with what the companies were that were going to email me necessarily I was just sort of clicking on anything… but it was just because I wasn’t familiar with the companies that we were dealing with”.
• “I mean there are some places, you do get, you get some emails from America and they write in a different way and it does make it difficult sometimes to sort of spot the difference”.
Williams, Hinds & Joinson (under review) ‘Employee susceptibility to phishing’
E-A-S-T framework
Joinson, A., & Piwek, L. (2016). Technology and the formation of socially positive behaviours. Beyond Behaviour Change: Key Issues, Interdisciplinary Approaches and Future Directions, 157.
Lesson 4: Accept complexity and difficulty
[Figure: system map with labelled clusters: Societal Influences; Individual Psychology; Individual Activity; Activity Environment; Food production industry; Consumption and practices; Biological Factors.]
Type of trigger
Lesson 5: Work with the flow, not against it
Kairos – the moment
• The opportune moment to aim an intervention towards users.
• B.J. Fogg: Persuasive Technology, p. 41
Make it easier to do the right thing
Lesson 6: Evaluate, repeat