100% satisfaction guarantee Immediately available after payment Both online and in PDF No strings attached
logo-home
Previously searched by you
Previously searched by you
logo
Behavioural Change Approaches to Cybersecurity Lecture Notes (Lectures 1-14) CA$10.66   Add to cart
Quickly navigate to
Preview
  2.  
  3. Universiteit Leiden (UL)
  4.  
  5. Behavioural Change Approaches to Cybersecurity (8921CS001)

Class notes

Behavioural Change Approaches to Cybersecurity Lecture Notes (Lectures 1-14)
 4 views  1 purchase
  • Course
  • Behavioural Change Approaches to Cybersecurity (8921CS001)
  • Institution
  • Universiteit Leiden (UL)

Notes on the lectures from the course (2024) Behavioural Change Approaches to Cybersecurity. INCLUDES notes from lectures 1-14 (Total: 31 pages).

Last document update: 2 weeks ago

Preview 4 out of 31  pages

Document information

  • October 23, 2024
  • October 25, 2024
  • 31
  • 2024/2025
  • Class notes
  • Dr. t. van steen
  • All classes

Subjects

  • behaviour
  • paths model
  • cybersecurity
  • intervention
  • surveys
  • statistics
  • behavioural change
  • models
  • theories
  • nudging
  • techno regulation
  • ethics

Written for

  • Universiteit Leiden (UL)
  • Crisis and Security Management
  • Behavioural Change Approaches to Cybersecurity (8921CS001)
All documents for this subject (3)

Seller

avatar-seller
giacomoef

Reviews received

Content preview

Notes on the lectures from the course (2024) Behavioural Change Approaches to Cybersecurity.
INCLUDES notes from lectures 1-14 (Total: 31 pages).


Behavioural Change Approaches to Cybersecurity Lecture Notes
(Lectures 1-14)


Behavioural Change Approaches to Cybersecurity Lecture Notes (Lectures 1-14) 0

Lecture 1: Introduction 1

Lecture 2: The PATHS Model 3

Lecture 3: Problems in Cybersecurity 6

Lecture 5: Behavioural Change Models & Theories 10

Lecture 6: Cybersecurity Training 16

Lecture 7: Intervention Design & Behavioural Change Techniques 18

Lecture 8: Nudging & Techno Regulation 20

Lecture 9: Effectivity Testing & Measuring Cybersecurity 22

Lecture 10: Survey Design 26

Lecture 11: Statistics 28

Lecture 13: Reporting & Executive Summary 29

Lecture 14: Ethics 30

, 1


Lecture 1: Introduction
I. Introduction to Cybersecurity
Why do we care?
● Protection of Critical National Infrastructure
➔ CIA-triad of information security:
◆ Confidentiality (e.g., email content).
◆ Integrity (i.e., data is properly adjusted, deleted or managed).
◆ Availability (i.e., actual access to the data).
● Financial reasons
● Privacy & sensitive data

Different perspectives in cybersecurity:
● Technical
● Socio-technical (how people interact with technology).
● Governance

Humans are the weakest link in data protection (major cause of computer security failures).

II. Introduction to Behavioural Change
If people were rational, security could be improved by providing information, providing arguments &
“increasing awareness”:
● No one would use the same password twice.
● Never a successful phishing scam.
● No ransomware attacks.

HOWEVER, giving the public information on cybersecurity awareness does NOT work satisfactorily.

Principles of psychology = trying to make sense of human behaviour:
● Why we do what we do
● Why we think what we think
● Why we feel what we feel

“Black swan approach” in philosophy & psychology = events that are surprising from the observer’s
perspective (BUT NOT necessarily from that of the originator), have major impact & are often
rationalised after they occurred, as if they could be well predicted.
➔ All swans are white, until a black one gets discovered.

Behavioural change mostly focuses on ‘doing’ & ‘thinking’.
➔ Took flight after WWII.
◆ Attempted to answer questions such as what made the Holocaust possible?
◆ Initial studies on authority as a way to influence behaviour.
➔ Milgram’s Obedience to Authority Study (1960s): 1960s set of experiments which explored
the effects of authority on obedience. In the experiments, an authority figure ordered
participants to deliver what they believed were dangerous electrical shocks to another

, 2


person. These results suggested that people are highly influenced by authority & highly
obedient.
➔ The Asch Experiment (1950s): Revealed the degree to
which a person’s own opinions are influenced by those
of a group. Asch found that people were willing to
ignore reality & give an incorrect answer in order to
conform to the rest of the group (group pressure).




III. Social Influence
Behaviour does NOT occur in a vacuum. People are affected by their social situations (others,
situation & physical environment).
➔ Fundamental attribution error = who cares about the situation?

Cialdini’s Six Weapons of Influence
● Data driven approach.
● How do companies persuade consumers? (telemarketing, car salesmen, restaurants).
● 6 weapons of influence:
1. Authority (formal/informal) = mostly a matter of perception.
➔ In cybersecurity, bring in the experts.
2. Social proof/validation = behaviour/following the majority (e.g., “edition X is the
most popular among customers,” empty vs. full tip jars).
➔ In cybersecurity, 37% more explorers of security options when presented
with social proof.
3. Liking = the more we like someone the more ‘likely’ we are to act.
➔ Ways of influencing:
I. Be friendly
II. Similarity
III. Mimicry (e.g., posture, verbal).
➔ In cybersecurity, stories from people who are similar to you. Ability to
identify yourself with others.
4. Scarcity = restricting access increases wanting (FOMO, time/stock limits).
➔ In cybersecurity, companies can limit resources (at first). Often used in
scams.
5. Commitment/consistency = people dislike being inconsistent. Once people commit,
they are more likely to act (e.g., public commitment, foot in the door technique).
➔ In cybersecurity, do NOT expect people to do everything at once. Let them
first (publicly) commit to it. This makes it easier to be consistent.
➔ 1. sign up to something, then 2. commit to broader policy.
6. Reciprocity = tit for tat. We reciprocate favours & gifts (e.g., waiters in restaurants
giving chocolates increases tipping behaviour).
➔ “That’s not all” Technique: Additional effort is reciprocated in increased
likelihood of sale.

, 3


➔ In cybersecurity, better services, CIA-triad & other rewards can be given to
people in return for good cyber behaviour (e.g., message framing).



Lecture 2: The PATHS Model
Behavioural Change
E.g., how to influence people to install a VPN:
1. Scarcity = limited time offers.
2. Reciprocation = free trial period, provide courses/information.
3. Authority = experts government recommendations.


Behavioural change:
● Largely solution-based
● Client requirements for interventions:
1. Solutions work for everyone all the time
2. Cheap
3. Limited time frame
● HOWEVER, need for a transition from solution → understanding.

PATHS model (completed on a small scale first, before doing a big rollout):
1. Problem = problem to a problem definition.
➔ What is the problem exactly? 6 questions:
◆ Companies often struggle 1. What is the problem?
with specificity (e.g., 2. Why is it a problem?
3. For whom is it a problem?
phishing does the company
4. What causes the problem?
want people not to click on
5. What is the target group?
the email or just report it
6. What are key aspects of the problem?
directly).
➔ Based on the 6 questions = what behaviour should you focus on changing?
◆ Usually focused on developing a clear, simple, concise behaviour that can be
measured.
2. Analysis = problem definition to analysis & explanation.
➔ Link the findings of the Problem-stage to the scientific literature.
◆ What has been written about your problem?
◆ What are the relevant theories?
◆ Which concepts are related to the problem?
➔ Which human factors OR situational factors need to be taken into consideration?
◆ Why does this happen?
3. Testing = explanations to a process model.
➔ Is there research on the possible causes?
➔ How are the relevant concepts/causes related?
➔ Can you find interventions that were effective (different target groups/related
behaviours)?

The benefits of buying summaries with Stuvia:

Guaranteed quality through customer reviews

Guaranteed quality through customer reviews

Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.

Quick and easy check-out

Quick and easy check-out

You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.

Focus on what matters

Focus on what matters

Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!

Frequently asked questions

What do I get when I buy this document?

You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.

Satisfaction guarantee: how does it work?

Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.

Who am I buying these notes from?

Stuvia is a marketplace, so you are not buying this document from us, but from seller giacomoef. Stuvia facilitates payment to the seller.

Will I be stuck with a subscription?

No, you only buy these notes for CA$10.66. You're not tied to anything after your purchase.

Can Stuvia be trusted?

4.6 stars on Google & Trustpilot (+1000 reviews)

81113 documents were sold in the last 30 days

Founded in 2010, the go-to place to buy study notes for 14 years now

Start selling
CA$10.66  1x  sold
  • (0)
  Add to cart