Measuring Behavioural Cybersecurity: An Overview of Options

  • Conference paper
Augmented Cognition (HCII 2023)

Part of the book series: Lecture Notes in Computer Science (LNAI, volume 14019)

Abstract

As the field of cybersecurity matures, more attention is being paid to the behaviour of end-users in securing data and systems. Awareness campaigns are gaining popularity and behavioural change initiatives are being deployed. However, many organisations do not know where to start when attempting to effectively measure the maturity of the behavioural component in their cybersecurity strategy. While some measures, such as knowledge, attitudes and skills, are assessed, (objective) measurements of behaviour and the interplay between these factors are less commonly measured. This paper discusses the importance of measuring behavioural cybersecurity and presents an overview of possible measurements and relevant factors. First, the paper outlines why measuring behavioural cybersecurity is vital in understanding behaviour-related problems and coming up with evidence-based solutions. Then, the various measurement levels and current practices are discussed before turning to options regarding these levels. These include both self-reported and objective behavioural measurements, in addition to attitudes, knowledge and skills. Lastly, some issues surrounding these measurements are discussed, including spill-over effects and ethical considerations.

Author information

Correspondence to Tommy van Steen.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

van Steen, T. (2023). Measuring Behavioural Cybersecurity: An Overview of Options. In: Schmorrow, D.D., Fidopiastis, C.M. (eds) Augmented Cognition. HCII 2023. Lecture Notes in Computer Science, vol 14019. Springer, Cham. https://doi.org/10.1007/978-3-031-35017-7_29

  • DOI: https://doi.org/10.1007/978-3-031-35017-7_29

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-35016-0

  • Online ISBN: 978-3-031-35017-7

  • eBook Packages: Computer Science, Computer Science (R0)
