Summary of the reading materials for the final exam (2024) for Behavioural Change Approaches to
Cybersecurity. INCLUDES notes from (Total: 73 pages):
● See * Summary List * on page 1.
Behavioural Change Approaches to Cybersecurity Notes on Readings
* Summary List *
“Applying Social Psychology: From Problems to Solutions (3rd Edition)”
1. Applying Social Psychology
2. The Problem Phase: From a Problem to a Problem Definition
3. The Analysis Phase: Finding Theory-Based Explanations for Problems
4. The Test Phase: Developing & Testing the Process Model
5. The Help Phase: Developing the Intervention
6. The Success Phase: Evaluating the Intervention
“Toward Sustainable Behaviour Change: An Approach for Cyber Security Education Training and Awareness”
“The Science and Practice of Persuasion”
“When enough is enough: Investigating the antecedents and consequences of information security fatigue”
“Employees Attitude towards Cyber Security and Risky Online Behaviours: An Empirical Assessment in the United Kingdom”
“Leveraging behavioral science to mitigate cybersecurity risk”
“Risk perceptions of cyber-security and precautionary behaviour”
“User preference of cyber security awareness delivery methods”
“Handling User-Oriented Cyber-Attacks: STRIM, a User-Based Security Training Model”
“Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory”
“A systematic review of current cybersecurity training methods”
“The Theory of Planned Behavior and Information Security Policy Compliance”
“An application and empirical test of the Capability Opportunity Motivation-Behaviour model to data leakage prevention in financial organizations”
“Your Location has been Shared 5,398 Times! A Field Study on Mobile App Privacy Nudging”
“Nudging People Away from Privacy-Invasive Mobile Apps through Visual Framing”
“SCENE: A Structured Means for Creating and Evaluating Behavioral Nudges in a Cyber Security Environment”
“Nudging users towards better security decisions in password creation using whitebox-based multidimensional visualisations”
“Nudge me right: Personalizing online security nudges to people’s decision-making styles”
“Is cybersecurity research missing a trick? Integrating insights from the psychology of habit into research and practice”
* Summary List *
These notes include a summary of each of the following readings:
● Abraham P. Buunk & Mark van Vugt’s book (2021) “Applying Social Psychology: From Problems to
Solutions (3rd Edition)”.
● Moneer Alshaikh, Humza Naseer, Atif Ahmad & Sean B. Maynard’s article (2019) “Toward Sustainable
Behaviour Change: An Approach for Cyber Security Education Training and Awareness”.
● Robert B. Cialdini & Noah J. Goldstein’s article (2002) “The Science and Practice of Persuasion”.
● W. Alec Cram, Jeffrey G. Proudfoot & John D’Arcy’s article (2019) “When enough is enough:
Investigating the antecedents and consequences of information security fatigue”.
● Lee Hadlington’s article (2018) “Employees Attitude towards Cyber Security and Risky Online
Behaviours: An Empirical Assessment in the United Kingdom”.
● Shari Lawrence Pfleeger and Deanna D. Caputo’s article (2011) “Leveraging behavioral science to
mitigate cybersecurity risk”.
● Paul van Schaik et al.’s article (2017) “Risk perceptions of cyber-security and precautionary behaviour”.
● Jemal Abawajy’s article (2014) “User preference of cyber security awareness delivery methods”.
● Aymen Hamoud and Esma Aïmeur’s article (2020) “Handling User-Oriented Cyber-Attacks: STRIM, a
User-Based Security Training Model”.
● Princely Ifinedo’s article (2011) “Understanding information systems security policy compliance: An
integration of the theory of planned behavior and the protection motivation theory”.
● Julia Prümmer, Tommy van Steen and Bibi van den Berg’s article (2024) “A systematic review of current
cybersecurity training methods”.
● Teodor Sommestad, Henrik Karlzén and Jonas Hallberg’s article (2019) “The Theory of Planned
Behavior and Information Security Policy Compliance”.
● Rick van der Kleij, Remco Wijn and Tineke Hof’s article (2020) “An application and empirical test of the
Capability Opportunity Motivation-Behaviour model to data leakage prevention in financial
organizations”.
● Hazim Almuhimedi, Florian Schaub, Norman Sadeh, Idris Adjerid, Alessandro Acquisti, Joshua Gluck,
Lorrie Cranor & Yuvraj Agarwal’s article (2015) “Your Location has been Shared 5,398 Times! A Field
Study on Mobile App Privacy Nudging”.
● Eun Kyoung Choe, Jaeyeon Jung, Bongshin Lee & Kristie Fisher’s article (2014) “Nudging People Away
from Privacy-Invasive Mobile Apps through Visual Framing”.
● Lynne Coventry, Pam Briggs, Debora Jeske and Aad van Moorsel’s article (2014) “SCENE: A Structured
Means for Creating and Evaluating Behavioral Nudges in a Cyber Security Environment”.
● Katrin Hartwig and Christian Reuter’s article (2022) “Nudging users towards better security decisions in
password creation using whitebox-based multidimensional visualisations”.
● Eyal Peer, Serge Egelman, Marian Harbach, Nathan Malkin, Arunesh Mathur and Alisa Frik’s article
(2020) “Nudge me right: Personalizing online security nudges to people’s decision-making styles”.
● Tobias D. Weickert, Adam Joinson and Barnaby Craggs’s article (2023) “Is cybersecurity research missing
a trick? Integrating insights from the psychology of habit into research and practice”.
“Applying Social Psychology: From Problems to Solutions (3rd Edition)”
1. Applying Social Psychology
Example of the Application of Social Psychological Theories
Social Psychology: Basic science which tries to build knowledge primarily through experiments &
surveys.
Steps (PATH):
1. Problem = from a problem to a problem definition.
➔ Identifying & defining the problem (requires consideration & deliberation).
➔ Specify:
◆ Precisely what the problem is (concrete > a general scientific question).
◆ The main problem’s causes.
◆ The population we aim to target with the intervention (target group).
● Who do we need to convince that this problem has to be solved?
● Who must help solve this problem?
➔ The problem’s key aspects need to be considered.
◆ A good problem definition = makes clear that the problem has an applied
rather than a basic nature, & is formulated in concrete terms.
◆ There must be a feeling that the problem has social psychological aspects &
that it is potentially solvable or relievable.
2. Analysis = from a problem definition to analysis & explanation.
➔ Formulating appropriate concepts & developing theory-based explanations.
1. Decide what the outcome variable is (i.e., which variable eventually needs
changing).
2. After generating many different explanations, reduce the explanations based
on their:
○ Relevance
○ (external) Validity = assess the extent to which the typical
experiments on which the theory is based represent the real world.
○ Plausibility
3. Test = from explanations to a process model.
➔ Developing & testing an explanatory process model. It should:
◆ Contain the outcome variable that must be influenced.
◆ Primarily contain variables that can be influenced, at least to some extent.
◆ Describe the relationship between the variables in the form of a process
model.
◆ Specify just a few possible relationships between its variables (any given
variable should not affect more than 2-3 other variables).
➔ Ultimately, a model is only complete if there is sufficient evidence from research for
the relationships between the variables.
➔ Frequently, one can only find empirical evidence that validates parts of the process
model (NOT the entire model).
4. Help = from a process model to interventions.
➔ Developing & evaluating a programme of interventions.
➔ Important that the model contains primarily factors that can be influenced through
intervention.
➔ First come up with as many interventions as possible, aimed at the most promising
& important factors in the model.
5. Success = from implementing the intervention to evaluating its success.
➔ It is of vital importance to evaluate the intervention in terms of effects & process:
➔ Parts of the evaluation have to be executed even before &/or during the
implementation of the intervention.
➔ The process evaluation (intended to evaluate the implementation process) starts as
the implementation of the intervention begins.
◆ What problems occur(red)?
◆ How can they be dealt with/how effectively were they dealt with?
The PATH method helps social scientists to develop a theoretically based intervention programme
relatively quickly & smoothly. HOWEVER, some obstacles do exist:
1. Problems may seem too complex.
2. Gathering the relevant social psychological literature might take time.
3. There may be little relevant research on the topic OR there may be too many relevant social
psychological theories (difficult to choose between them).
4. Difficult to determine an intervention’s success rate.
HIV/AIDS Example: Many people in Africa suffer from HIV/AIDS, & there is insufficient funding to provide
adequate forms of medical & psychosocial help & support for these people.
● Which factors determine potential donors’ willingness to donate money for this cause?
● How can we set up a campaign that would raise money to help people with HIV/AIDS in Africa?
Problem:
1. When are people most inclined to help others?
2. What attributes of victims elicit the most helping responses?
Analysis:
Literature:
● Helping, altruism, cooperation & prosocial behaviour.
● Social influence.
Schwartz’s model = various steps that affect people’s prosocial behaviour (awareness,
opportunities to help, personal norms, responsibility).
The campaign would have to emphasise the unfairness of the plight of people with HIV/AIDS in
Africa.