The cyber security design principles emphasize psychology over technology. Here is a collection of scientific studies, research papers, design books, and related resources.
This is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
Paths They Take
Number of steps; Familiarity of each step; Friction at each step.
Shosuke Suzuki, Victoria M. Lawlor, Jessica A. Cooper, Amanda R. Arulpragasam, Michael T. Treadway. Distinct regions of the striatum underlying effort, movement initiation and effort discounting. Nature Human Behaviour, 2020; DOI: 10.1038/s41562-020-00972-y
G. Suri, G. Sheppes, C. Schwartz, J. J. Gross. Patient Inertia and the Status Quo Bias: When an Inferior Option Is Preferred. Psychological Science, 2013; DOI: 10.1177/0956797613479976
Julia Watzek, Sarah F. Brosnan. Capuchin and rhesus monkeys show sunk cost effects in a psychomotor task. Scientific Reports, 2020; 10 (1) DOI: 10.1038/s41598-020-77301-wBongiorno,
Basu, R., Gebauer, R., Herfurth, T. et al. The orbitofrontal cortex maps future navigational goals. Nature, 2021 // How do goal maps guide the brain toward a destination?
C., Zhou, Y., Kryven, M. et al. Vector-based pedestrian navigation in cities. Nat Comput Sci, 2021 DOI: 10.1038/s43588-021-00130-y. // People don’t follow the shortest path. They follow the easiest path to recall and follow. That is, the pointiest path.
Li Zheng, Zhiyao Gao, Andrew S. McAvan, Eve A. Isham, Arne D. Ekstrom. Partially overlapping spatial environments trigger reinstatement in hippocampus and schema representations in prefrontal cortex. Nature Communications, 2021 // Navigating an environment that’s sort of similar but not, is harder than navigating an entirely new environment.
Choices They Make
Number of choices; Predictability of the choice; Cognitive load of each choice.
Choosing Not to Choose, by Cass Sunstein
How to Decide: Simple Tools for Making Better Choices, by Annie Duke
Being Wrong: Adventures in the Margin of Error, by Kathryn Schulz
Think Again: The Power of Knowing What You Don’t Know, by Adam Grant
Sunstein, C. (2020). Sludge Audits. Behavioural Public Policy, 1-20. doi:10.1017/bpp.2019.32
Soman, Dilip and Cowen, Daniel and Kannan, Niketana and Feng, Bing, Seeing Sludge: Towards a Dashboard to Help Organizations Recognize Impedance to End-User Decisions and Action (September 27, 2019). Research Report Series Behaviourally Informed Organizations Partnership; Behavioural Economics in Action at Rotman, September 2019
Chadd, I., Filiz-Ozbay, E. & Ozbay, E.Y. The relevance of irrelevant information. Exp Econ (2020). // Unavailable options and irrelevant information often cause people to make bad choices. The likelihood of poor decisions is even greater when people are presented with both.
Thomas L. Saltsman, Mark D. Seery, Deborah E. Ward, Veronica M. Lamarche, Cheryl L. Kondrak. Is satisficing really satisfying? Satisficers exhibit greater threat than maximizers during choice overload. Psychophysiology (2020). // To get past frustration, satisficers make a speedy choice instead of thinking too deeply about the choices being presented.
Stuart Mills. Personalized Nudging. Cambridge University Press (2020). // Choice architects can personalize both the choices being nudged towards (choice personalization) and the method of nudging itself (delivery personalization).
Stephanie Mertens, Mario Herberz, Ulf J. J. Hahnel, Tobias Brosch. The effectiveness of nudging: A meta-analysis of choice architecture interventions across behavioral domains. Proceedings of the National Academy of Sciences, 2022. // Over 450 strategies analyzed, with nudges across three groups: “information,” “structure” and “assistance.” Strong proof of nudging over mandates for leading to behavior change.
Gabrielle S. Adams, Benjamin A. Converse, Andrew H. Hales, Leidy E. Klotz. People systematically overlook subtractive changes. Nature, 2021. // People approaching a problem rarely think removing something as a solution. People almost always add something whether it helps or not.
Cary Frydman, Ian Krajbich. Using Response Times to Infer Others’ Private Information: An Application to Information Cascades. Management Science, 2021. // If people in a group pause when making a decision, other people are twice as likely to break from the group to make their own choice.
Narayan Ramasubbu and Indranil R. Bardhan. Reconfiguring for Agility: Examining the Performance Implications for Project Team Autonomy Through an Organizational Policy Experiment. MIS Quarterly, 2021. // More freedom means greater productivity and better customer satisfaction. By contrast, more top-down governance results in lower productivity and customer satisfaction.
The behavior we want people to perform.
Hall, Jonathan D. and Madsen, Joshua, Can Behavioral Interventions Be Too Salient? Evidence From Traffic Safety Messages (September 16, 2020).
Robison, M. K., Unsworth, N., & Brewer, G. A. Examining the effects of goal-setting, feedback, and incentives on sustained attention. (August 7, 2021). // Providing feedback on performance is a strong motivator and sustains attention over a longer-term than goal-setting alone.
Barriers preventing people from completing the behavior.
Helen Demetriou, Bill Nicholl. Empathy is the mother of invention: Emotion and cognition for creativity in the classroom. Improving Schools (2021).
Rachel C. Forbes and Jennifer E. Stellar. When the Ones We Love Misbehave: Exploring Moral Processes Within Intimate Bonds. Journal of Personality and Social Psychology, 2021 // This applies to security champion and security advocate programs. Tighter relationships mean more forgiveness, which in turn provides more room for the security team to maneuver.
Benefits of completing the behavior.
Benefits of completing the behavior.
loria Mark, Mary Czerwinski, and Shamsi T. Iqbal. Effects of Individual Differences in Blocking Workplace Distractions. Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems, 2018. // Security needs to be extremely careful not to overload people’s already overloaded attention. Check this for strategies people use to manage (ignore?) notifications.
Richard Huskey, Justin Robert Keene, Shelby Wilcox, Xuanjun (Jason) Gong, Robyn Adams, Christina J Najera, Flexible and Modular Brain Network Dynamics Characterize Flow Experiences During Media Use: A Functional Magnetic Resonance Imaging Study, Journal of Communication, 2021. // The sweet spot is when “activities are engaging enough to fully involve someone to the point of barely being distracted, but not so difficult that the activity becomes frustrating.”
Nesra Yannier, Scott E. Hudson, Kenneth R. Koedinger, Kathy Hirsh-Pasek, Roberta Michnick Golinkoff, Yuko Munakata, Sabine Doebel, Daniel L. Schwartz, Louis Deslauriers, Logan McCarty, Kristina Callaghan, Elli J. Theobald, Scott Freeman, Katelyn M. Cooper, Sara E. Brownell. Active learning: “Hands-on” meets “minds-on”. Science, 2020 // It’s no surprise that hands-on training exceeds lecture. But who does that in security? These researchers evaluate and share ways to make learning active.
Vadiveloo, M. K., Dixon, L. B., & Elbel, B. (2011). Consumer purchasing patterns in response to calorie labeling legislation in New York City. The International Journal of Behavioral Nutrition and Physical Activity, 8(1), 51-51.
Fernandes, D., Lynch, J. G., & Netemeyer, R. G. (2014). Financial literacy, financial education, and downstream financial behaviors. Management Science, 60(8), 1861-1883.
Beisswingert, B. M., Zhang, K., Goetz, T., Fang, P., & Fischbacher, U. (2015). The effects of subjective loss of control on risk-taking behavior: the mediating role of anger. Frontiers in psychology, 6, 774.
Yana Fandakova, Elliott G Johnson, Simona Ghetti. Distinct neural mechanisms underlie subjective and objective recollection and guide memory-based decision making. eLife, 2021. // Memory involves both recall of specific details (who, where, when) and feelings of remembering and reliving past events. New research shows that these objective and subjective memories function independently, involve different parts of the brain, and that we make decisions based on subjective memory.
Elizabeth A. Minton, T. Bettina Cornwell, Hong Yuan. I know what you are thinking: How theory of mind is employed in product evaluations. Journal of Business Research, 2021
Adrian R. Walker, Danielle J. Navarro, Ben R. Newell, Tom Beesley. Protection from uncertainty in the exploration/exploitation trade-off. Journal of Experimental Psychology: Learning, Memory, and Cognition, 2021.
More people, better technology.
Drive: The Surprising Truth About What Motivates Us, by Daniel H. Pink
Gneezy, U., & Rustichini, A. (2000). A Fine is a Price. The Journal of Legal Studies, 29(1), 1–17. doi: 10.1086/468061
Rey-Biel, Pedro & Gneezy, Uri & Meier, Stephan. (2011). When and Why Incentives (Don’t) Work to Modify Behavior. Journal of Economic Perspectives. 25. 191-210. 10.2307/41337236.
University of Pennsylvania. (2021, January 19). Money matters to happiness–perhaps more than previously thought.
Johnny Långstedt. How will our Values Fit Future Work? An Empirical Exploration of Basic Values and Susceptibility to Automation. Labour & Industry: a journal of the social and economic relations of work, 202. // A look at the intrinsic value people feel from doing the work.
How to Measure Anything in Cybersecurity Risk, by Douglas W. Hubbard, Richard Seiersen
Adam Beautement, Ingolf Becker, Simon Parkin, Kat Krol, and M. Angela Sasse. 2016. Productive security: a scalable methodology for analysing employee security behaviours. In Proceedings of the Twelfth USENIX Conference on Usable Privacy and Security (SOUPS ’16). USENIX Association, USA, 253–270.
- The design of everyday things, by Don Norman
- Designing for the digital age: How to create human-centered products and services, by Kim Goodwin
- Design research: Methods and perspectives, by Brenda Laurel
- User experience revolution, by Paul Boag
Does security have a design problem? Designing Security for Systems that are Bigger on the Inside.
How does design apply to securing application development and DevOps? Securing without Slowing.
How does design apply to BYOD and Cloud apps? Security Design Strategies for the Age of BYO.
How does design apply to blue teaming? Design Thinking for Blue Teams.Posted by