The behaviour of people is known to be critical to the security of organizations across all sectors of the economy. The action, or inaction, of users of IT systems can create cyber security vulnerabilities. For example, users can be tempted to give away their authentication credentials (by phishing), to install malign software (malware), choose weak or inadequate passwords, or they may fail to install security patches, to scan computers for viruses, or to make secure backups of critical data. Organizations design security policies which users are supposed to follow, for example, instructing them not to give away their authentication (login) credentials, or not to open certain kinds of attachments sent in unsolicited emails. However, in practice managers often find it very difficult to encourage users to follow policy.

This project will investigate effective ways to improve security communications with users, to enable them to understand security risks, and to persuade them to comply with policy. Our hypothesis is that to be most effective, communications and policy implementations must take into account individual personalities and motivations. Technological support is therefore required to support security communications and security persuasion so that it can scale up to large organizations. We propose to transfer ideas and knowledge from the existing academic field of persuasive technologies and digital behaviour interventions, and apply them to the user security compliance problem.

We will build and trial real technologies that implement persuasive strategies in real user security scenarios. These scenarios will be selected in partnership with industrial security practitioners. The project takes a broad interdisciplinary view of the roots of the user compliance challenge, and draws additionally on expert knowledge from the fields of psychology, behavioural decision, security, sentiment analysis and argumentation in search of solutions. This project (EP/P011829/1) is funded under the UK Engineering and Physical Sciences Council Human Dimensions of Cyber Security call (2016).