A Holistic Approach Towards Human Factors in Information Security and Risk

  • Omolola Fagbule
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 385)


Businesses take various precautions and measures to protect their assets, and at the centre of their computer systems are users. Many data breaches originate from accidental human error, which causes lasting and damaging financial or reputational loss. Although companies intend to change behaviour, one of the biggest problems with this approach is the lack of psychology-informed theories to understand why and how users are targeted. To understand why users defy compliance procedures and policy, despite warnings and training, we need to understand every internal and external factor that contributes to such behaviour. The literature proposes that users are the main cause of system dysfunction, and this is accentuated by media headlines that portray users as the source of the problem. One of the biggest problems is that research continues to evaluate surface-level problems rather than explore or acknowledge more systemic factors that can have damaging results. In this paper, we discuss factors that could impact the way information is processed and how this is translated into action or no action. We also identify how an environment can encourage or discourage desired behaviour.


Keywords: Human factors, Psychology, Cyber security



Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. Bournemouth University, Poole, UK
