Lecture 1: Introduction
I. Introduction to Cybersecurity
Why do we care?
● Protection of Critical National Infrastructure
➔ CIA-triad of information security:
◆ Confidentiality (e.g., email content).
◆ Integrity (i.e., data is properly adjusted, deleted or managed).
◆ Availability (i.e., actual access to the data).
● Financial reasons
● Privacy & sensitive data
Different perspectives in cybersecurity:
● Technical
● Socio-technical (how people interact with technology).
● Governance
Humans are the weakest link in data protection (major cause of computer security failures).
II. Introduction to Behavioural Change
If people were rational, security could be improved by providing information, providing arguments &
“increasing awareness”:
● No one would use the same password twice.
● Never a successful phishing scam.
● No ransomware attacks.
HOWEVER, giving the public information on cybersecurity awareness does NOT work satisfactorily.
Principles of psychology = trying to make sense of human behaviour:
● Why we do what we do
● Why we think what we think
● Why we feel what we feel
“Black swan approach” in philosophy & psychology = events that are surprising from the observer’s
perspective (BUT NOT necessarily from that of the originator), have major impact & are often
rationalised after they occurred, as if they could be well predicted.
➔ All swans are white, until a black one gets discovered.
Behavioural change mostly focuses on ‘doing’ & ‘thinking’.
➔ Took flight after WWII.
◆ Attempted to answer questions such as what made the Holocaust possible?
◆ Initial studies on authority as a way to influence behaviour.
➔ Milgram’s Obedience to Authority Study (1960s): 1960s set of experiments which explored
the effects of authority on obedience. In the experiments, an authority figure ordered
participants to deliver what they believed were dangerous electrical shocks to another
, 2
person. These results suggested that people are highly influenced by authority & highly
obedient.
➔ The Asch Experiment (1950s): Revealed the degree to
which a person’s own opinions are influenced by those
of a group. Asch found that people were willing to
ignore reality & give an incorrect answer in order to
conform to the rest of the group (group pressure).
III. Social Influence
Behaviour does NOT occur in a vacuum. People are affected by their social situations (others,
situation & physical environment).
➔ Fundamental attribution error = who cares about the situation?
Cialdini’s Six Weapons of Influence
● Data driven approach.
● How do companies persuade consumers? (telemarketing, car salesmen, restaurants).
● 6 weapons of influence:
1. Authority (formal/informal) = mostly a matter of perception.
➔ In cybersecurity, bring in the experts.
2. Social proof/validation = behaviour/following the majority (e.g., “edition X is the
most popular among customers,” empty vs. full tip jars).
➔ In cybersecurity, 37% more explorers of security options when presented
with social proof.
3. Liking = the more we like someone the more ‘likely’ we are to act.
➔ Ways of influencing:
I. Be friendly
II. Similarity
III. Mimicry (e.g., posture, verbal).
➔ In cybersecurity, stories from people who are similar to you. Ability to
identify yourself with others.
4. Scarcity = restricting access increases wanting (FOMO, time/stock limits).
➔ In cybersecurity, companies can limit resources (at first). Often used in
scams.
5. Commitment/consistency = people dislike being inconsistent. Once people commit,
they are more likely to act (e.g., public commitment, foot in the door technique).
➔ In cybersecurity, do NOT expect people to do everything at once. Let them
first (publicly) commit to it. This makes it easier to be consistent.
➔ 1. sign up to something, then 2. commit to broader policy.
6. Reciprocity = tit for tat. We reciprocate favours & gifts (e.g., waiters in restaurants
giving chocolates increases tipping behaviour).
➔ “That’s not all” Technique: Additional effort is reciprocated in increased
likelihood of sale.
, 3
➔ In cybersecurity, better services, CIA-triad & other rewards can be given to
people in return for good cyber behaviour (e.g., message framing).
Lecture 2: The PATHS Model
Behavioural Change
E.g., how to influence people to install a VPN:
1. Scarcity = limited time offers.
2. Reciprocation = free trial period, provide courses/information.
3. Authority = experts government recommendations.
Behavioural change:
● Largely solution-based
● Client requirements for interventions:
1. Solutions work for everyone all the time
2. Cheap
3. Limited time frame
● HOWEVER, need for a transition from solution → understanding.
PATHS model (completed on a small scale first, before doing a big rollout):
1. Problem = problem to a problem definition.
➔ What is the problem exactly? 6 questions:
◆ Companies often struggle 1. What is the problem?
with specificity (e.g., 2. Why is it a problem?
3. For whom is it a problem?
phishing does the company
4. What causes the problem?
want people not to click on
5. What is the target group?
the email or just report it
6. What are key aspects of the problem?
directly).
➔ Based on the 6 questions = what behaviour should you focus on changing?
◆ Usually focused on developing a clear, simple, concise behaviour that can be
measured.
2. Analysis = problem definition to analysis & explanation.
➔ Link the findings of the Problem-stage to the scientific literature.
◆ What has been written about your problem?
◆ What are the relevant theories?
◆ Which concepts are related to the problem?
➔ Which human factors OR situational factors need to be taken into consideration?
◆ Why does this happen?
3. Testing = explanations to a process model.
➔ Is there research on the possible causes?
➔ How are the relevant concepts/causes related?
➔ Can you find interventions that were effective (different target groups/related
behaviours)?
Les avantages d'acheter des résumés chez Stuvia:
Qualité garantie par les avis des clients
Les clients de Stuvia ont évalués plus de 700 000 résumés. C'est comme ça que vous savez que vous achetez les meilleurs documents.
L’achat facile et rapide
Vous pouvez payer rapidement avec iDeal, carte de crédit ou Stuvia-crédit pour les résumés. Il n'y a pas d'adhésion nécessaire.
Focus sur l’essentiel
Vos camarades écrivent eux-mêmes les notes d’étude, c’est pourquoi les documents sont toujours fiables et à jour. Cela garantit que vous arrivez rapidement au coeur du matériel.
Foire aux questions
Qu'est-ce que j'obtiens en achetant ce document ?
Vous obtenez un PDF, disponible immédiatement après votre achat. Le document acheté est accessible à tout moment, n'importe où et indéfiniment via votre profil.
Garantie de remboursement : comment ça marche ?
Notre garantie de satisfaction garantit que vous trouverez toujours un document d'étude qui vous convient. Vous remplissez un formulaire et notre équipe du service client s'occupe du reste.
Auprès de qui est-ce que j'achète ce résumé ?
Stuvia est une place de marché. Alors, vous n'achetez donc pas ce document chez nous, mais auprès du vendeur giacomoef. Stuvia facilite les paiements au vendeur.
Est-ce que j'aurai un abonnement?
Non, vous n'achetez ce résumé que pour €6,99. Vous n'êtes lié à rien après votre achat.
