Exploring Workers' Subjective Experiences of Habit Formation in Cybersecurity: A Qualitative Survey

Emily I.M. Collins, Joanne Hinds

Research output: Contribution to journalReview articlepeer-review

5 Citations (SciVal)
33 Downloads (Pure)


Employee behaviors remain at the center of the cybersecurity of workplaces, despite the challenges they face in doing so. Time pressures and competing demands mean that users tend to rely on habitual behaviors that often run counter to good cybersecurity practice. One possible solution may be to encourage positive habit formation. Designing such interventions, however, relies on knowledge of the perception and experience of habit formation in the context of cybersecurity. To this end, a qualitative survey containing open-ended questions was completed by 195 participants (mean age = 35.51, 53 percent female) recruited via an online participant panel. Participants were asked what cybersecurity behaviors they perform at work and how they believe any habits were prompted, formed, and maintained. Thematic analysis identified three over-arching themes: (a) forming habits unavoidably or unconsciously (some were mandated, or formed without conscious awareness), (b) consciously cultivating habits (including the roles of intrinsic motivation and external prompts), and (c) social and organizational influences (including the influence of occupational culture, social modeling, previous experiences, and information gathering practices). Based on these findings, we present guidelines for supporting workplace cybersecurity habit formation reflecting these subjective experiences, namely introducing automatic solutions, facilitating external cues, fostering interest in cybersecurity issues among employees, creating a positive cybersecurity occupational culture and highlighting positive behavior, and providing access to accessible cybersecurity information to employees. These results constitute a first step in identifying how habits can be exploited for positive cybersecurity behavior change in a way that accounts for the reliance on habitual behaviors in busy, time-pressured workplaces.

Original languageEnglish
Pages (from-to)599-604
Number of pages6
JournalCyberpsychology, Behavior, and Social Networking
Issue number9
Early online date17 Aug 2021
Publication statusPublished - 15 Sept 2021


  • cybersecurity
  • habit formation
  • habits

ASJC Scopus subject areas

  • Social Psychology
  • Communication
  • Applied Psychology
  • Human-Computer Interaction
  • Computer Science Applications


Dive into the research topics of 'Exploring Workers' Subjective Experiences of Habit Formation in Cybersecurity: A Qualitative Survey'. Together they form a unique fingerprint.

Cite this