The cyber security design principles emphasize psychology over technology. Here is a collection of scientific studies, research papers, design books, and related resources.
This is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
Paths They Take
Number of steps; Familiarity of each step; Friction at each step.
Shosuke Suzuki, Victoria M. Lawlor, Jessica A. Cooper, Amanda R. Arulpragasam, Michael T. Treadway. Distinct regions of the striatum underlying effort, movement initiation and effort discounting. Nature Human Behaviour, 2020; DOI: 10.1038/s41562-020-00972-y
G. Suri, G. Sheppes, C. Schwartz, J. J. Gross. Patient Inertia and the Status Quo Bias: When an Inferior Option Is Preferred. Psychological Science, 2013; DOI: 10.1177/0956797613479976
ulia Watzek, Sarah F. Brosnan. Capuchin and rhesus monkeys show sunk cost effects in a psychomotor task. Scientific Reports, 2020; 10 (1) DOI: 10.1038/s41598-020-77301-w
Choices They Make
Number of choices; Predictability of the choice; Cognitive load of each choice.
Choosing Not to Choose, by Cass Sunstein
How to Decide: Simple Tools for Making Better Choices, by Annie Duke
Being Wrong: Adventures in the Margin of Error, by Kathryn Schulz
Think Again: The Power of Knowing What You Don’t Know, by Adam Grant
Sunstein, C. (2020). Sludge Audits. Behavioural Public Policy, 1-20. doi:10.1017/bpp.2019.32
Soman, Dilip and Cowen, Daniel and Kannan, Niketana and Feng, Bing, Seeing Sludge: Towards a Dashboard to Help Organizations Recognize Impedance to End-User Decisions and Action (September 27, 2019). Research Report Series Behaviourally Informed Organizations Partnership; Behavioural Economics in Action at Rotman, September 2019
Chadd, I., Filiz-Ozbay, E. & Ozbay, E.Y. The relevance of irrelevant information. Exp Econ (2020). // Unavailable options and irrelevant information often cause people to make bad choices. The likelihood of poor decisions is even greater when people are presented with both.
Thomas L. Saltsman, Mark D. Seery, Deborah E. Ward, Veronica M. Lamarche, Cheryl L. Kondrak. Is satisficing really satisfying? Satisficers exhibit greater threat than maximizers during choice overload. Psychophysiology (2020). // To get past frustration, satisficers make a speedy choice instead of thinking too deeply about the choices being presented.
Stuart Mills. Personalized Nudging. Cambridge University Press (2020). // Choice architects can personalize both the choices being nudged towards (choice personalization) and the method of nudging itself (delivery personalization).
Gabrielle S. Adams, Benjamin A. Converse, Andrew H. Hales, Leidy E. Klotz. People systematically overlook subtractive changes. Nature, 2021; 592 (7853). // People approaching a problem rarely think removing something as a solution. People almost always add something whether it helps or not.
The behavior we want people to perform.
Hall, Jonathan D. and Madsen, Joshua, Can Behavioral Interventions Be Too Salient? Evidence From Traffic Safety Messages (September 16, 2020).
Barriers preventing people from completing the behavior.
Helen Demetriou, Bill Nicholl. Empathy is the mother of invention: Emotion and cognition for creativity in the classroom. Improving Schools (2021).
Rachel C. Forbes and Jennifer E. Stellar. When the Ones We Love Misbehave: Exploring Moral Processes Within Intimate Bonds. Journal of Personality and Social Psychology, 2021 // This applies to security champion and security advocate programs. Tighter relationships mean more forgiveness, which in turn provides more room for the security team to maneuver.
Benefits of completing the behavior.
Vadiveloo, M. K., Dixon, L. B., & Elbel, B. (2011). Consumer purchasing patterns in response to calorie labeling legislation in New York City. The International Journal of Behavioral Nutrition and Physical Activity, 8(1), 51-51.
Fernandes, D., Lynch, J. G., & Netemeyer, R. G. (2014). Financial literacy, financial education, and downstream financial behaviors. Management Science, 60(8), 1861-1883.
Beisswingert, B. M., Zhang, K., Goetz, T., Fang, P., & Fischbacher, U. (2015). The effects of subjective loss of control on risk-taking behavior: the mediating role of anger. Frontiers in psychology, 6, 774.
Yana Fandakova, Elliott G Johnson, Simona Ghetti. Distinct neural mechanisms underlie subjective and objective recollection and guide memory-based decision making. eLife, 2021. // Memory involves both recall of specific details (who, where, when) and feelings of remembering and reliving past events. New research shows that these objective and subjective memories function independently, involve different parts of the brain, and that we make decisions based on subjective memory.
Elizabeth A. Minton, T. Bettina Cornwell, Hong Yuan. I know what you are thinking: How theory of mind is employed in product evaluations. Journal of Business Research, 2021
Adrian R. Walker, Danielle J. Navarro, Ben R. Newell, Tom Beesley. Protection from uncertainty in the exploration/exploitation trade-off. Journal of Experimental Psychology: Learning, Memory, and Cognition, 2021.
More people, better technology.
Drive: The Surprising Truth About What Motivates Us, by Daniel H. Pink
Gneezy, U., & Rustichini, A. (2000). A Fine is a Price. The Journal of Legal Studies, 29(1), 1–17. doi: 10.1086/468061
Rey-Biel, Pedro & Gneezy, Uri & Meier, Stephan. (2011). When and Why Incentives (Don’t) Work to Modify Behavior. Journal of Economic Perspectives. 25. 191-210. 10.2307/41337236.
University of Pennsylvania. (2021, January 19). Money matters to happiness–perhaps more than previously thought.
Johnny Långstedt. How will our Values Fit Future Work? An Empirical Exploration of Basic Values and Susceptibility to Automation. Labour & Industry: a journal of the social and economic relations of work, 202. // A look at the intrinsic value people feel from doing the work.
How to Measure Anything in Cybersecurity Risk, by Douglas W. Hubbard, Richard Seiersen
Adam Beautement, Ingolf Becker, Simon Parkin, Kat Krol, and M. Angela Sasse. 2016. Productive security: a scalable methodology for analysing employee security behaviours. In Proceedings of the Twelfth USENIX Conference on Usable Privacy and Security (SOUPS ’16). USENIX Association, USA, 253–270.
- The design of everyday things, by Don Norman
- Designing for the digital age: How to create human-centered products and services, by Kim Goodwin
- Design research: Methods and perspectives, by Brenda Laurel
- User experience revolution, by Paul Boag
Does security have a design problem? Designing Security for Systems that are Bigger on the Inside.
How does design apply to securing application development and DevOps? Securing without Slowing.
How does design apply to BYOD and Cloud apps? Security Design Strategies for the Age of BYO.
How does design apply to blue teaming? Design Thinking for Blue Teams.Posted by