The cyber security design principles emphasize psychology over technology. Here is a collection of scientific studies, research papers, design books, and related resources.
This is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
Paths They Take
Number of steps; Familiarity of each step; Friction at each step.
Shosuke Suzuki, Victoria M. Lawlor, Jessica A. Cooper, Amanda R. Arulpragasam, Michael T. Treadway. Distinct regions of the striatum underlying effort, movement initiation and effort discounting. Nature Human Behaviour, 2020; DOI: 10.1038/s41562-020-00972-y
G. Suri, G. Sheppes, C. Schwartz, J. J. Gross. Patient Inertia and the Status Quo Bias: When an Inferior Option Is Preferred. Psychological Science, 2013; DOI: 10.1177/0956797613479976
ulia Watzek, Sarah F. Brosnan. Capuchin and rhesus monkeys show sunk cost effects in a psychomotor task. Scientific Reports, 2020; 10 (1) DOI: 10.1038/s41598-020-77301-w
Choices They Make
Number of choices; Predictability of the choice; Cognitive load of each choice.
Choosing Not to Choose, by Cass Sunstein
How to Decide: Simple Tools for Making Better Choices, by Annie Duke
Being Wrong: Adventures in the Margin of Error, by Kathryn Schulz
Sunstein, C. (2020). Sludge Audits. Behavioural Public Policy, 1-20. doi:10.1017/bpp.2019.32
Soman, Dilip and Cowen, Daniel and Kannan, Niketana and Feng, Bing, Seeing Sludge: Towards a Dashboard to Help Organizations Recognize Impedance to End-User Decisions and Action (September 27, 2019). Research Report Series Behaviourally Informed Organizations Partnership; Behavioural Economics in Action at Rotman, September 2019
Chadd, I., Filiz-Ozbay, E. & Ozbay, E.Y. The relevance of irrelevant information. Exp Econ (2020). // Unavailable options and irrelevant information often cause people to make bad choices. The likelihood of poor decisions is even greater when people are presented with both.
The behavior we want people to perform.
Hall, Jonathan D. and Madsen, Joshua, Can Behavioral Interventions Be Too Salient? Evidence From Traffic Safety Messages (September 16, 2020).
Barriers preventing people from completing the behavior.
Benefits of completing the behavior.
Vadiveloo, M. K., Dixon, L. B., & Elbel, B. (2011). Consumer purchasing patterns in response to calorie labeling legislation in New York City. The International Journal of Behavioral Nutrition and Physical Activity, 8(1), 51-51.
Fernandes, D., Lynch, J. G., & Netemeyer, R. G. (2014). Financial literacy, financial education, and downstream financial behaviors. Management Science, 60(8), 1861-1883.
More people, better technology.
Drive: The Surprising Truth About What Motivates Us, by Daniel H. Pink
Gneezy, U., & Rustichini, A. (2000). A Fine is a Price. The Journal of Legal Studies, 29(1), 1–17. doi: 10.1086/468061
Rey-Biel, Pedro & Gneezy, Uri & Meier, Stephan. (2011). When and Why Incentives (Don’t) Work to Modify Behavior. Journal of Economic Perspectives. 25. 191-210. 10.2307/41337236.
- The design of everyday things, by Don Norman
- Designing for the digital age: How to create human-centered products and services, by Kim Goodwin
- Design research: Methods and perspectives, by Brenda Laurel
- User experience revolution, by Paul Boag
Does security have a design problem? Designing Security for Systems that are Bigger on the Inside.
How does design apply to securing application development and DevOps? Securing without Slowing.
How does design apply to BYOD and Cloud apps? Security Design Strategies for the Age of BYO.
How does design apply to blue teaming? Design Thinking for Blue Teams.