From Weakest Link to Security Hero: Transforming Staff Security Behavior

Abstract: Practitioners, researchers and policy-makers involved with cyber security often talk about “security hygiene”: ways to encourage users of computer technology to use safe and secure behavior online. But how do we persuade workers to follow simple, fundamental processes to protect themselves and others? These issues are raised by behavioral scientists, to encourage worker, passenger and patient compliance. In this paper, we explore and summarize findings in social psychology about moral values and habit formation, and then integrate them into suggestions for transforming staff security behavior online.
