Abstract
Habits are “memory-based propensities to respond automatically to specific cues, which are acquired by the repetition of cue-specific behaviours in stable contexts” (Verplanken, 2018, p. 4). Despite having been widely studied in psychology, the implications of habit theory for the field of cybersecurity have thus far been insufficiently investigated; consequently, this thesis aims to address this gap.
Study I is a bibliographic analysis of the use of the key terms ‘habit’ and ‘cue’ in the cybersecurity literature compared to their use in the habit literature. The aim of this work was to understand how these terms are conceptualised in the context of cybersecurity, and thus to identify areas where habit theory might be fruitfully applied. This analysis found that the term ‘habit’ tended to be used in the context of other theories, and that discussions of habits lacked deeper theoretical engagement. As a consequence, many essential insights from habit theory, such as the moderating role of habits in the intention-behaviour link, are not integrated into the cybersecurity discourse, highlighting important gaps in understanding.
Study II focuses on the degree to which common security behaviours are habitual for the average user. The results suggest that many widespread security behaviours, such as using complex passwords and locking screens, are performed with varying degrees of automaticity, indicating a significant presence of habitual behaviour in everyday security practices. Study III then expands on these findings by comparing users’ and security practitioners’ perceptions of the effectiveness of these behaviours. The results showed a wide disconnect between the effectiveness of certain behaviours as perceived by non-experts and by experts. For example, non-experts undervalued the effectiveness of password managers and overvalued the effectiveness of changing passwords regularly. Taken together, Studies II and III give an overview of the status quo of security habits with regard to current practices, addressing questions about the prevalence of effective versus ineffective security behaviours, the extent to which these practices are adopted, and the alignment between common habits and optimal security protocols.
Finally, Study IV uses Markov chains to analyse the habits of users interacting with a phishing simulation, with the aim of better understanding the sequences of actions and situational cues that lead to safe and unsafe responses to phishing emails, and of evaluating whether certain ‘good’ security behaviours (e.g., verifying email senders’ email addresses) might offer a protective effect. This study revealed role-specific differences in the effectiveness of sender checks, suggesting that certain security habits require knowledge to be effective. The study highlights other key challenges of designing habit-based behavioural interventions for complex security problems such as phishing, advocating the design of smarter security indicators to anchor protective habits as part of a multi-pronged behaviour change approach.
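To make the Markov-chain approach of Study IV concrete, the following is an added example (written for this page, not the thesis's own analysis or data): it estimates a first-order transition matrix from constructed action sequences recorded in a phishing simulation, then computes the probability that a user who has reached a given step (e.g. a sender check) ends in an unsafe outcome. The action names, the outcome labels and the sequences are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed example sequences of user actions in a phishing simulation (not thesis data).
# Each sequence ends in an outcome: "click_link" (unsafe) or "report"/"delete" (safe).
SEQUENCES = [
    ["open", "check_sender", "report"],
    ["open", "check_sender", "report"],
    ["open", "check_sender", "click_link"],
    ["open", "hover_link", "click_link"],
    ["open", "hover_link", "report"],
    ["open", "click_link"],
    ["open", "hover_link", "click_link"],
    ["open", "check_sender", "delete"],
]
UNSAFE = {"click_link"}        # absorbing states counted as an unsafe response
SAFE = {"report", "delete"}    # absorbing states counted as a safe response


def transition_matrix(sequences):
    """Estimate first-order transition probabilities P[s][t] from observed action sequences."""
    counts = defaultdict(Counter)
    for seq in sequences:
        for cur, nxt in zip(seq, seq[1:]):
            counts[cur][nxt] += 1
    return {s: {t: n / sum(c.values()) for t, n in c.items()} for s, c in counts.items()}


def unsafe_probability(P, start, tol=1e-12):
    """Probability that a chain started in `start` is eventually absorbed in an UNSAFE state.

    Solved by fixed-point iteration of p[s] = sum_t P[s][t] * p[t], holding the
    absorbing states fixed at p = 1 (unsafe) or p = 0 (safe)."""
    states = set(P) | {t for row in P.values() for t in row}
    p = {s: (1.0 if s in UNSAFE else 0.0) for s in states}
    while True:
        delta = 0.0
        for s in states:
            if s in UNSAFE or s in SAFE:
                continue
            new = sum(prob * p[t] for t, prob in P.get(s, {}).items())
            delta = max(delta, abs(new - p[s]))
            p[s] = new
        if delta < tol:
            return p[start]


if __name__ == "__main__":
    P = transition_matrix(SEQUENCES)
    for state in ("open", "check_sender", "hover_link"):
        print(f"P(unsafe | reached {state}) = {unsafe_probability(P, state):.3f}")
```

Comparing the conditional unsafe probability after a sender check with that after a link hover is the kind of question the study asks about protective habits; grouping the sequences by user role and fitting one chain per group extends it to the role-specific comparison the abstract describes.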
This thesis, through its systematic exploration of habit theory in the context of cybersecurity, begins to bridge a critical gap in existing research and lays the groundwork for developing more robust and user-centric cybersecurity strategies. The findings from these studies collectively inform a deeper understanding of the role of habits in cybersecurity behaviour, supporting the creation of interventions and policies that are better aligned with natural user tendencies, ultimately contributing to a more secure digital environment.
| Date of Award | 19 Feb 2025 |
|---|---|
| Original language | English |
| Awarding Institution | |
| Sponsors | Engineering and Physical Sciences Research Council |
| Supervisor | Adam Joinson (Supervisor) & Barnaby Craggs (Supervisor) |
Keywords
- alternative format