Exploring workers' subjective experiences of habit formation in cyber-security: A qualitative survey

Emily Collins, Joanne Hinds

Research output: Contribution to journalArticlepeer-review


Employee behaviours remain at the centre of the cyber-security of workplaces, despite the challenges they face in doing so. Time-pressures and competing demands mean users tend to rely on habitual behaviours that often run counter to good cyber-security practice. One possible solution may be to encourage positive habit formation. Designing such interventions, however, relies on knowledge of the perception and experience of habit formation in the context of cyber-security. To this end, a qualitative survey containing open-ended questions was completed by 195 participants (mean age=35.51, 53% female) recruited via an online participant panel. Participants were asked what cyber-security behaviours they perform at work and how they believe any habits were prompted, formed and maintained. Thematic analysis identified three over-arching themes: (1) forming habits unavoidably or unconsciously (some were mandated, or formed without conscious awareness), (2) consciously cultivating habits (including the roles of intrinsic motivation and external
prompts), and (3) social and organisational influences (including the influence of occupational culture, social modelling, previous experiences and information gathering practices). Based on these findings, we present guidelines for supporting workplace cyber-security habit formation reflecting these subjective experiences, namely introducing automatic solutions, facilitating external cues, fostering interest in cyber-security issues amongst employees, creating a positive cyber-security
occupational culture and highlighting positive behaviour, and providing access to accessible cybersecurity information to employees. These results constitute a first step in identifying how habits can be exploited for positive cyber-security behaviour change in a way that accounts for the reliance on habitual behaviours in busy, time-pressured workplaces.
Original languageEnglish
JournalCyberpsychology, Behavior, and Social Networking
Publication statusPublished - 2021

Cite this