Lecture 1: Introduction
I. Introduction to Cybersecurity
Why do we care?
● Protection of Critical National Infrastructure
➔ CIA-triad of information security:
◆ Confidentiality (e.g., email content).
◆ Integrity (i.e., data is properly adjusted, deleted or managed).
◆ Availability (i.e., actual access to the data).
● Financial reasons
● Privacy & sensitive data
Different perspectives in cybersecurity:
● Technical
● Socio-technical (how people interact with technology).
● Governance
Humans are the weakest link in data protection (major cause of computer security failures).
II. Introduction to Behavioural Change
If people were rational, security could be improved by providing information, providing arguments &
“increasing awareness”:
● No one would use the same password twice.
● Never a successful phishing scam.
● No ransomware attacks.
HOWEVER, giving the public information on cybersecurity awareness does NOT work satisfactorily.
Principles of psychology = trying to make sense of human behaviour:
● Why we do what we do
● Why we think what we think
● Why we feel what we feel
“Black swan approach” in philosophy & psychology = events that are surprising from the observer’s
perspective (BUT NOT necessarily from that of the originator), have major impact & are often
rationalised after they occurred, as if they could be well predicted.
➔ All swans are white, until a black one gets discovered.
Behavioural change mostly focuses on ‘doing’ & ‘thinking’.
➔ Took flight after WWII.
◆ Attempted to answer questions such as what made the Holocaust possible?
◆ Initial studies on authority as a way to influence behaviour.
➔ Milgram’s Obedience to Authority Study (1960s): A set of experiments which explored
the effects of authority on obedience. In the experiments, an authority figure ordered
participants to deliver what they believed were dangerous electrical shocks to another
person. These results suggested that people are highly influenced by authority & highly
obedient.
➔ The Asch Experiment (1950s): Revealed the degree to
which a person’s own opinions are influenced by those
of a group. Asch found that people were willing to
ignore reality & give an incorrect answer in order to
conform to the rest of the group (group pressure).
III. Social Influence
Behaviour does NOT occur in a vacuum. People are affected by their social situations (others,
situation & physical environment).
➔ Fundamental attribution error = who cares about the situation?
Cialdini’s Six Weapons of Influence
● Data driven approach.
● How do companies persuade consumers? (telemarketing, car salesmen, restaurants).
● 6 weapons of influence:
1. Authority (formal/informal) = mostly a matter of perception.
➔ In cybersecurity, bring in the experts.
2. Social proof/validation = behaviour/following the majority (e.g., “edition X is the
most popular among customers,” empty vs. full tip jars).
➔ In cybersecurity, 37% more explorers of security options when presented
with social proof.
3. Liking = the more we like someone the more ‘likely’ we are to act.
➔ Ways of influencing:
I. Be friendly
II. Similarity
III. Mimicry (e.g., posture, verbal).
➔ In cybersecurity, stories from people who are similar to you. Ability to
identify yourself with others.
4. Scarcity = restricting access increases wanting (FOMO, time/stock limits).
➔ In cybersecurity, companies can limit resources (at first). Often used in
scams.
5. Commitment/consistency = people dislike being inconsistent. Once people commit,
they are more likely to act (e.g., public commitment, foot in the door technique).
➔ In cybersecurity, do NOT expect people to do everything at once. Let them
first (publicly) commit to it. This makes it easier to be consistent.
➔ 1. sign up to something, then 2. commit to broader policy.
6. Reciprocity = tit for tat. We reciprocate favours & gifts (e.g., waiters in restaurants
giving chocolates increases tipping behaviour).
➔ “That’s not all” Technique: Additional effort is reciprocated in increased
likelihood of sale.
➔ In cybersecurity, better services, CIA-triad & other rewards can be given to
people in return for good cyber behaviour (e.g., message framing).
Lecture 2: The PATHS Model
Behavioural Change
E.g., how to influence people to install a VPN:
1. Scarcity = limited time offers.
2. Reciprocation = free trial period, provide courses/information.
3. Authority = experts, government recommendations.
Behavioural change:
● Largely solution-based
● Client requirements for interventions:
1. Solutions work for everyone all the time
2. Cheap
3. Limited time frame
● HOWEVER, need for a transition from solution → understanding.
PATHS model (completed on a small scale first, before doing a big rollout):
1. Problem = problem to a problem definition.
➔ What is the problem exactly? 6 questions:
1. What is the problem?
2. Why is it a problem?
3. For whom is it a problem?
4. What causes the problem?
5. What is the target group?
6. What are key aspects of the problem?
◆ Companies often struggle with specificity (e.g., phishing: does the company want people not to click on the email or just report it directly).
➔ Based on the 6 questions = what behaviour should you focus on changing?
◆ Usually focused on developing a clear, simple, concise behaviour that can be
measured.
2. Analysis = problem definition to analysis & explanation.
➔ Link the findings of the Problem-stage to the scientific literature.
◆ What has been written about your problem?
◆ What are the relevant theories?
◆ Which concepts are related to the problem?
➔ Which human factors OR situational factors need to be taken into consideration?
◆ Why does this happen?
3. Testing = explanations to a process model.
➔ Is there research on the possible causes?
➔ How are the relevant concepts/causes related?
➔ Can you find interventions that were effective (different target groups/related
behaviours)?