Is cybersecurity research missing a trick? Integrating insights from the psychology of habit into research and practice

Tobias D. Weickert*, Adam Joinson, Barnaby Craggs

*Corresponding author for this work

Research output: Contribution to journalArticle (Academic Journal)peer-review

4 Citations (Scopus)

Abstract

The idea that people should form positive security habits is gaining increasing attention amongst security practitioners. Habit is a well-studied concept in psychology, but the extent to which the richness of that literature has been fully utilised for security is currently unclear. In order to address this gap, we compared usage of the term “habit”—and connected constructs —in the cybersecurity and habit fields using a co-occurrence networks-based analysis. We aimed to answer three research questions: 1. What is the context within which habit has been discussed in the habit literature and the cybersecurity literature; 2. How does the discussion in these two fields compare; and 3. What are the implications of the outcomes of this analysis for the future research agenda for cybersecurity behaviour? The analysis showed that the habit construct tended to be discussed primarily in the context of other models, rather than on its own. The depth of discussion was therefore limited; resulting gaps in knowledge have important implications for security, like the idea that habits moderate the relationship between intention and behaviour. Given the popularity of the theory of planned behaviour in security research, this represents a key omission. Furthermore, the cybersecurity literature we surveyed contained very little discussion surrounding methods for formation and changing of habits, nor of the role of cues in triggering habitual behaviours. Habits require a different behaviour change approach than intentional behaviours, and many day-to-day security behaviours may in fact be habits. For that reason, these topics represents a potentially productive avenue of research for both security and privacy behaviour.
Original languageEnglish
Article number103130
JournalComputers and Security
Volume128
DOIs
Publication statusPublished - 1 Feb 2023

Bibliographical note

Funding Information:
This research is funded through the EPSRC Centre for Doctoral Training (EP/S022465/1 ). We would like to thank Dr. Lukasz Piwek for his help with the analysis and comments on a draft of this paper.

Publisher Copyright:
© 2023

Structured keywords

  • Cyber Security

Keywords

  • Security habits
  • Habit
  • Habit theory
  • Co-occurence
  • Cybersecurity

Fingerprint

Dive into the research topics of 'Is cybersecurity research missing a trick? Integrating insights from the psychology of habit into research and practice'. Together they form a unique fingerprint.

Cite this