Date posted: 14-Apr-2017
Stream Two People: The Strongest Link
#CYBERUK17
Behaviour Change, Cyber-Security and lessons from other domains
Professor Adam Joinson, University of Bath
Lesson 1: Identify a behaviour to change
• Fifteen campaigns analysed
• Majority awareness raising
• nature of cyber security
• raising fear of consequences
• One presented evidence of effectiveness
• Only one seemed to be based on behaviour change principles
• Password management
• Up-to-date anti-virus/OS
• Logout/shutdown
• Trusted/secure connections and sites
• Stay informed
• Minimize personal identity
• Be aware of physical surrounding
• Reporting
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/309652/14-835-cyber-security-behavioural-insights.pdf
The ‘who and what?’ of security behaviour
“…the styles, approaches and values that the organisation wishes to adopt towards security. It can range from whether employees adhere to a clear desk policy to whether they share sensitive information on social networking sites.”
http://www.cpni.gov.uk/Documents/Publications/2016/03.08.2016%20SeCuRE%20Tool.pdf
COM-B system for analysing behaviour in context (Michie et al., 2011)
Lesson 2: Know what success (and failure) looks like
Intervention mapping
Define ‘Cyber’
Take Training
Measure Compliance
Lesson 3: Look to understand the causes of the behaviour
The Behaviour Change Wheel: hub
Michie et al., 2011
Common terms for methods for inducing behaviour change
Educate, Train, Help
Expose to, Inform, Discuss, Suggest, Encourage, Incentivise, Ask, Order, Plead, Coerce, Force
Provide, Prompt, Constrain
Michie et al., 2011
Common terms for methods for inducing behaviour change
Capability: Educate, Train, Help
Motivation: Expose to, Inform, Discuss, Suggest, Encourage, Incentivise, Ask, Order, Plead, Coerce, Force
Opportunity: Provide, Prompt, Constrain
Michie et al., 2011
self-monitoring in cycling
Piwek, L., Joinson, A., & Morvan, J. (2015). The use of self-monitoring solutions amongst cyclists: An online survey and empirical study. Transportation Research Part A: Policy and Practice, 77, 126-136.
is self-monitoring mainly relevant for performance-oriented cyclists?
[Figure: study design. 13 non-trackers, 12 trackers; 5 weeks; initial survey; debriefing interview; pedometer only; pedometer + calendar; + cycling computer; experience sampling calendar.]
[Figure: total number of days cycled to campus in 5 weeks, and total distance cycled across 5 weeks (km). Groups: non-trackers; trackers, high engagement with self-monitoring; trackers, low engagement with self-monitoring.]
self-monitoring is mainly relevant for performance-oriented cyclists
Spear Phishing Simulations
Working with organisations in the CNI (gov, defence industry, finance)
Studying their results from internal spear phishing exercises
>120,000 spear phish emails sent to staff
Coded by researchers on influence technique
Some individual data also collected
In one case, clicking led to survey
Common phishing techniques
• Exploit social norms and decision-making processes
Sense of Urgency
• Use of deadlines
• Time pressure
Invoking Emotions
• Can be negative or positive
• Excitement, desire, hope or curiosity
• Fear, panic or anxiety
• Anger
Social Influence Processes
• Authority
• Liking & similarity
• Reciprocity
• Conformity
Decision Biases
• Truth bias
• Confirmation bias
• Expectations
Legitimacy Cues
• Mimic trusted entities
• Exploit authenticity cues
Click rates vary hugely
Average ~ 15% in largest data set (63,000)
Authority, Urgency, Curiosity worked best
Few demographic differences, subsets of vulnerable users.
Follow-up focus groups
Example: The role of familiarity and expectations
• “it’s a company she deals with, we’ve currently got problems with accounts payable… and actually why would she not believe that it was true.”
• “when I first came here, I was, because I wasn’t familiar with what the companies were that were going to email me necessarily I was just sort of clicking on anything… but it was just because I wasn’t familiar with the companies that we were dealing with”.
• “I mean there are some places, you do get, you get some emails from America and they write in a different way and it does make it difficult sometimes to sort of spot the difference”.
Williams, Hinds & Joinson (under review) ‘Employee susceptibility to phishing’
E-A-S-T framework
Joinson, A., & Piwek, L. (2016). Technology and the formation of socially positive behaviours. Beyond Behaviour Change: Key Issues, Interdisciplinary Approaches and Future Directions, 157.
Lesson 4: Accept complexity and difficulty
[Figure: diagram with areas labelled Societal Influences; Individual Psychology; Individual Activity; Activity Environment; Food production industry; Consumption and practices; Biological Factors.]
Type of trigger
Lesson 5: Work with the flow, not against it
Kairos – the moment
• The opportune moment to aim an intervention towards users.
• B. J. Fogg: Persuasive Technology, p. 41
Make it easier to do the right thing
Lesson 6: Evaluate, repeat