100% tevredenheidsgarantie Direct beschikbaar na betaling Zowel online als in PDF Je zit nergens aan vast
logo-home
Behavioural Change Approaches to Cybersecurity Lecture Notes (Lectures 1-14) €6,99   In winkelwagen

College aantekeningen

Behavioural Change Approaches to Cybersecurity Lecture Notes (Lectures 1-14)

 5 keer bekeken  1 keer verkocht

Notes on the lectures from the course (2024) Behavioural Change Approaches to Cybersecurity. INCLUDES notes from lectures 1-14 (Total: 31 pages).

Laatste update van het document: 3 weken geleden

Voorbeeld 4 van de 31  pagina's

  • 23 oktober 2024
  • 25 oktober 2024
  • 31
  • 2024/2025
  • College aantekeningen
  • Dr. t. van steen
  • Alle colleges
Alle documenten voor dit vak (3)
avatar-seller
giacomoef
Notes on the lectures from the course (2024) Behavioural Change Approaches to Cybersecurity.
INCLUDES notes from lectures 1-14 (Total: 31 pages).


Behavioural Change Approaches to Cybersecurity Lecture Notes
(Lectures 1-14)


Behavioural Change Approaches to Cybersecurity Lecture Notes (Lectures 1-14) 0

Lecture 1: Introduction 1

Lecture 2: The PATHS Model 3

Lecture 3: Problems in Cybersecurity 6

Lecture 5: Behavioural Change Models & Theories 10

Lecture 6: Cybersecurity Training 16

Lecture 7: Intervention Design & Behavioural Change Techniques 18

Lecture 8: Nudging & Techno Regulation 20

Lecture 9: Effectivity Testing & Measuring Cybersecurity 22

Lecture 10: Survey Design 26

Lecture 11: Statistics 28

Lecture 13: Reporting & Executive Summary 29

Lecture 14: Ethics 30

, 1


Lecture 1: Introduction
I. Introduction to Cybersecurity
Why do we care?
● Protection of Critical National Infrastructure
➔ CIA-triad of information security:
◆ Confidentiality (e.g., email content).
◆ Integrity (i.e., data is properly adjusted, deleted or managed).
◆ Availability (i.e., actual access to the data).
● Financial reasons
● Privacy & sensitive data

Different perspectives in cybersecurity:
● Technical
● Socio-technical (how people interact with technology).
● Governance

Humans are the weakest link in data protection (major cause of computer security failures).

II. Introduction to Behavioural Change
If people were rational, security could be improved by providing information, providing arguments &
“increasing awareness”:
● No one would use the same password twice.
● Never a successful phishing scam.
● No ransomware attacks.

HOWEVER, giving the public information on cybersecurity awareness does NOT work satisfactorily.

Principles of psychology = trying to make sense of human behaviour:
● Why we do what we do
● Why we think what we think
● Why we feel what we feel

“Black swan approach” in philosophy & psychology = events that are surprising from the observer’s
perspective (BUT NOT necessarily from that of the originator), have major impact & are often
rationalised after they occurred, as if they could be well predicted.
➔ All swans are white, until a black one gets discovered.

Behavioural change mostly focuses on ‘doing’ & ‘thinking’.
➔ Took flight after WWII.
◆ Attempted to answer questions such as what made the Holocaust possible?
◆ Initial studies on authority as a way to influence behaviour.
➔ Milgram’s Obedience to Authority Study (1960s): 1960s set of experiments which explored
the effects of authority on obedience. In the experiments, an authority figure ordered
participants to deliver what they believed were dangerous electrical shocks to another

, 2


person. These results suggested that people are highly influenced by authority & highly
obedient.
➔ The Asch Experiment (1950s): Revealed the degree to
which a person’s own opinions are influenced by those
of a group. Asch found that people were willing to
ignore reality & give an incorrect answer in order to
conform to the rest of the group (group pressure).




III. Social Influence
Behaviour does NOT occur in a vacuum. People are affected by their social situations (others,
situation & physical environment).
➔ Fundamental attribution error = who cares about the situation?

Cialdini’s Six Weapons of Influence
● Data driven approach.
● How do companies persuade consumers? (telemarketing, car salesmen, restaurants).
● 6 weapons of influence:
1. Authority (formal/informal) = mostly a matter of perception.
➔ In cybersecurity, bring in the experts.
2. Social proof/validation = behaviour/following the majority (e.g., “edition X is the
most popular among customers,” empty vs. full tip jars).
➔ In cybersecurity, 37% more explorers of security options when presented
with social proof.
3. Liking = the more we like someone the more ‘likely’ we are to act.
➔ Ways of influencing:
I. Be friendly
II. Similarity
III. Mimicry (e.g., posture, verbal).
➔ In cybersecurity, stories from people who are similar to you. Ability to
identify yourself with others.
4. Scarcity = restricting access increases wanting (FOMO, time/stock limits).
➔ In cybersecurity, companies can limit resources (at first). Often used in
scams.
5. Commitment/consistency = people dislike being inconsistent. Once people commit,
they are more likely to act (e.g., public commitment, foot in the door technique).
➔ In cybersecurity, do NOT expect people to do everything at once. Let them
first (publicly) commit to it. This makes it easier to be consistent.
➔ 1. sign up to something, then 2. commit to broader policy.
6. Reciprocity = tit for tat. We reciprocate favours & gifts (e.g., waiters in restaurants
giving chocolates increases tipping behaviour).
➔ “That’s not all” Technique: Additional effort is reciprocated in increased
likelihood of sale.

, 3


➔ In cybersecurity, better services, CIA-triad & other rewards can be given to
people in return for good cyber behaviour (e.g., message framing).



Lecture 2: The PATHS Model
Behavioural Change
E.g., how to influence people to install a VPN:
1. Scarcity = limited time offers.
2. Reciprocation = free trial period, provide courses/information.
3. Authority = experts government recommendations.


Behavioural change:
● Largely solution-based
● Client requirements for interventions:
1. Solutions work for everyone all the time
2. Cheap
3. Limited time frame
● HOWEVER, need for a transition from solution → understanding.

PATHS model (completed on a small scale first, before doing a big rollout):
1. Problem = problem to a problem definition.
➔ What is the problem exactly? 6 questions:
◆ Companies often struggle 1. What is the problem?
with specificity (e.g., 2. Why is it a problem?
3. For whom is it a problem?
phishing does the company
4. What causes the problem?
want people not to click on
5. What is the target group?
the email or just report it
6. What are key aspects of the problem?
directly).
➔ Based on the 6 questions = what behaviour should you focus on changing?
◆ Usually focused on developing a clear, simple, concise behaviour that can be
measured.
2. Analysis = problem definition to analysis & explanation.
➔ Link the findings of the Problem-stage to the scientific literature.
◆ What has been written about your problem?
◆ What are the relevant theories?
◆ Which concepts are related to the problem?
➔ Which human factors OR situational factors need to be taken into consideration?
◆ Why does this happen?
3. Testing = explanations to a process model.
➔ Is there research on the possible causes?
➔ How are the relevant concepts/causes related?
➔ Can you find interventions that were effective (different target groups/related
behaviours)?

Voordelen van het kopen van samenvattingen bij Stuvia op een rij:

Verzekerd van kwaliteit door reviews

Verzekerd van kwaliteit door reviews

Stuvia-klanten hebben meer dan 700.000 samenvattingen beoordeeld. Zo weet je zeker dat je de beste documenten koopt!

Snel en makkelijk kopen

Snel en makkelijk kopen

Je betaalt supersnel en eenmalig met iDeal, creditcard of Stuvia-tegoed voor de samenvatting. Zonder lidmaatschap.

Focus op de essentie

Focus op de essentie

Samenvattingen worden geschreven voor en door anderen. Daarom zijn de samenvattingen altijd betrouwbaar en actueel. Zo kom je snel tot de kern!

Veelgestelde vragen

Wat krijg ik als ik dit document koop?

Je krijgt een PDF, die direct beschikbaar is na je aankoop. Het gekochte document is altijd, overal en oneindig toegankelijk via je profiel.

Tevredenheidsgarantie: hoe werkt dat?

Onze tevredenheidsgarantie zorgt ervoor dat je altijd een studiedocument vindt dat goed bij je past. Je vult een formulier in en onze klantenservice regelt de rest.

Van wie koop ik deze samenvatting?

Stuvia is een marktplaats, je koop dit document dus niet van ons, maar van verkoper giacomoef. Stuvia faciliteert de betaling aan de verkoper.

Zit ik meteen vast aan een abonnement?

Nee, je koopt alleen deze samenvatting voor €6,99. Je zit daarna nergens aan vast.

Is Stuvia te vertrouwen?

4,6 sterren op Google & Trustpilot (+1000 reviews)

Afgelopen 30 dagen zijn er 71184 samenvattingen verkocht

Opgericht in 2010, al 14 jaar dé plek om samenvattingen te kopen

Start met verkopen
€6,99  1x  verkocht
  • (0)
  Kopen