The cyber security design principles emphasize psychology over technology. Here is a collection of scientific studies, research papers, design books, and related resources.
This is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
Paths They Take
Number of steps; Familiarity of each step; Friction at each step.
Introduction to Customer Journey Mapping (ebook)
Flow Design Processes – Focusing on the Users’ Needs
Shosuke Suzuki, Victoria M. Lawlor, Jessica A. Cooper, Amanda R. Arulpragasam, Michael T. Treadway. Distinct regions of the striatum underlying effort, movement initiation and effort discounting. Nature Human Behaviour, 2020; DOI: 10.1038/s41562-020-00972-y
G. Suri, G. Sheppes, C. Schwartz, J. J. Gross. Patient Inertia and the Status Quo Bias: When an Inferior Option Is Preferred. Psychological Science, 2013; DOI: 10.1177/0956797613479976
ulia Watzek, Sarah F. Brosnan. Capuchin and rhesus monkeys show sunk cost effects in a psychomotor task. Scientific Reports, 2020; 10 (1) DOI: 10.1038/s41598-020-77301-w
Choices They Make
Number of choices; Predictability of the choice; Cognitive load of each choice.
Nudge to Health: Harnessing Decision Research to Promote Health Behavior
Sludge: “activities that are essentially nudging for evil”
Intentional and Unintentional Sludge
Choosing Not to Choose, by Cass Sunstein
How to Decide: Simple Tools for Making Better Choices, by Annie Duke
Being Wrong: Adventures in the Margin of Error, by Kathryn Schulz
Think Again: The Power of Knowing What You Don’t Know, by Adam Grant
Sunstein, C. (2020). Sludge Audits. Behavioural Public Policy, 1-20. doi:10.1017/bpp.2019.32
Soman, Dilip and Cowen, Daniel and Kannan, Niketana and Feng, Bing, Seeing Sludge: Towards a Dashboard to Help Organizations Recognize Impedance to End-User Decisions and Action (September 27, 2019). Research Report Series Behaviourally Informed Organizations Partnership; Behavioural Economics in Action at Rotman, September 2019
Chadd, I., Filiz-Ozbay, E. & Ozbay, E.Y. The relevance of irrelevant information. Exp Econ (2020). // Unavailable options and irrelevant information often cause people to make bad choices. The likelihood of poor decisions is even greater when people are presented with both.
Thomas L. Saltsman, Mark D. Seery, Deborah E. Ward, Veronica M. Lamarche, Cheryl L. Kondrak. Is satisficing really satisfying? Satisficers exhibit greater threat than maximizers during choice overload. Psychophysiology (2020). // To get past frustration, satisficers make a speedy choice instead of thinking too deeply about the choices being presented.
Stuart Mills. Personalized Nudging. Cambridge University Press (2020). // Choice architects can personalize both the choices being nudged towards (choice personalization) and the method of nudging itself (delivery personalization).
Gabrielle S. Adams, Benjamin A. Converse, Andrew H. Hales, Leidy E. Klotz. People systematically overlook subtractive changes. Nature, 2021; 592 (7853). // People approaching a problem rarely think removing something as a solution. People almost always add something whether it helps or not.
The behavior we want people to perform.
Hall, Jonathan D. and Madsen, Joshua, Can Behavioral Interventions Be Too Salient? Evidence From Traffic Safety Messages (September 16, 2020).
Barriers preventing people from completing the behavior.
Helen Demetriou, Bill Nicholl. Empathy is the mother of invention: Emotion and cognition for creativity in the classroom. Improving Schools (2021).
Benefits of completing the behavior.
40 Clever and Creative Bus Stop Advertisements
Vadiveloo, M. K., Dixon, L. B., & Elbel, B. (2011). Consumer purchasing patterns in response to calorie labeling legislation in New York City. The International Journal of Behavioral Nutrition and Physical Activity, 8(1), 51-51.
Fernandes, D., Lynch, J. G., & Netemeyer, R. G. (2014). Financial literacy, financial education, and downstream financial behaviors. Management Science, 60(8), 1861-1883.
Yana Fandakova, Elliott G Johnson, Simona Ghetti. Distinct neural mechanisms underlie subjective and objective recollection and guide memory-based decision making. eLife, 2021. // Memory involves both recall of specific details (who, where, when) and feelings of remembering and reliving past events. New research shows that these objective and subjective memories function independently, involve different parts of the brain, and that we make decisions based on subjective memory.
More people, better technology.
Drive: The Surprising Truth About What Motivates Us, by Daniel H. Pink
Gneezy, U., & Rustichini, A. (2000). A Fine is a Price. The Journal of Legal Studies, 29(1), 1–17. doi: 10.1086/468061
Rey-Biel, Pedro & Gneezy, Uri & Meier, Stephan. (2011). When and Why Incentives (Don’t) Work to Modify Behavior. Journal of Economic Perspectives. 25. 191-210. 10.2307/41337236.
University of Pennsylvania. (2021, January 19). Money matters to happiness–perhaps more than previously thought.
Johnny Långstedt. How will our Values Fit Future Work? An Empirical Exploration of Basic Values and Susceptibility to Automation. Labour & Industry: a journal of the social and economic relations of work, 202. // A look at the intrinsic value people feel from doing the work.
How to Measure Anything in Cybersecurity Risk, by Douglas W. Hubbard, Richard Seiersen
Adam Beautement, Ingolf Becker, Simon Parkin, Kat Krol, and M. Angela Sasse. 2016. Productive security: a scalable methodology for analysing employee security behaviours. In Proceedings of the Twelfth USENIX Conference on Usable Privacy and Security (SOUPS ’16). USENIX Association, USA, 253–270.
From “Economic Man” to Behavioral Economics
- The design of everyday things, by Don Norman
- Designing for the digital age: How to create human-centered products and services, by Kim Goodwin
- Design research: Methods and perspectives, by Brenda Laurel
- User experience revolution, by Paul Boag
Does security have a design problem? Designing Security for Systems that are Bigger on the Inside.
How does design apply to securing application development and DevOps? Securing without Slowing.
How does design apply to BYOD and Cloud apps? Security Design Strategies for the Age of BYO.
How does design apply to blue teaming? Design Thinking for Blue Teams.