Cyber Security and Cyberpsychology
This piece looks at how cyber security can be related to the discipline of cyberpsychology.
What is Cyberpsychology?
Cyberpsychology is a diverse area of research aiming to formalise the psychological and scientific understanding of the impact, processes and outcomes that digital technologies have facilitated in individuals, social groups and society. The cyberpsychology discipline involves research surrounding gaming, social media, virtual reality, online learning and virtual interest groups and the impact of such technologies on people. However, another growing research area is the application of psychology to cyber security (also referred to as information security).
How does cyber security fit in?
If we are looking to understand the impact that digital technologies have facilitated in individuals, groups and society, we also need to understand how, why and where security comes into play. How are individuals, groups and society, as well as their privacy and information, protected online? Why, and by what means, are adversaries attempting to gain unauthorised access to this information? Research in this area has largely centred on technological solutions to cyber security. However, in more recent years, researchers in the field have realised that the human factor cannot be ignored. People interact with technologies, design technologies and are the targets of attacks, and likely always will; people are also the adversaries. This is where the application of psychology to cyber security is not only useful, but necessary. Psychology can help to answer these questions, and there is existing research that can easily be applied. Cyber security therefore provides other avenues for the cyberpsychology discipline.
One of these avenues looks at how we might encourage ‘better’ cyber security behaviours in individuals (Al-Daeef, Basir & Saudi, 2017). This involves designing cyber security awareness campaigns and training and engaging individuals in the cyber security area, as well as understanding why certain methods may be effective while others may fail (Bada, Sasse & Nurse, 2019). These awareness and training techniques often use psychological theories, such as Protection Motivation Theory (Rogers, 1975), to understand how individuals respond to different behaviour change techniques. However, this area is still heavily under-researched, owing to a lack of psychologists in the area, and of course new training methods are needed all the time. This area also involves using psychological research on perceptions, biases and attitudes to better understand how individuals perceive cyber security, so that training methods can be better designed.
Another avenue looks at the usability of cyber security technologies (Smetters, 2008). This is the process of understanding the impact of cyber security technology and policy design on individuals. For example, some previous research has found that the reason many people use poorly formulated and insecure passwords is that password policies are often overly complicated. If an organisation requires each individual to have ten passwords, all with numbers, letters and different cases, it is no surprise that people share passwords or write them down. This area of research aims to bridge security and usability.
Overall, these are two examples from a very diverse area of research. Other psychologists in cyber security have also researched the psychology of ‘hackers’ (Gold, 2014) and cybercrime, cross-cultural understandings of cyber security (Chen, Chen, Lo & Yang, 2008), and individual differences in cyber security behaviours (Whitty, Doodson, Creese & Hodges, 2015). This research area is still heavily under-researched; hopefully, the application of psychology can help to begin filling such research gaps.
References
Al-Daeef, M. M., Basir, N., & Saudi, M. M. (2017, July). Security awareness training: A review. In Proceedings of the World Congress on Engineering (Vol. 1, pp. 5-7).
Bada, M., Sasse, A. M., & Nurse, J. R. (2019). Cyber security awareness campaigns: Why do they fail to change behaviour? arXiv preprint arXiv:1901.02672.
Chen, H. G., Chen, C. C., Lo, L., & Yang, S. C. (2008). Online privacy control via anonymity and pseudonym: Cross-cultural implications. Behaviour & Information Technology, 27(3), 229-242.
Gold, S. (2014). Get your head around hacker psychology [Information Technology Cyber-Security]. Engineering & Technology, 9(1), 76-80.
Rogers, R. W. (1975). A protection motivation theory of fear appeals and attitude change. The Journal of Psychology, 91(1), 93-114.
Smetters, D. K. (2008). Cyber security technology usability and management. Wiley Handbook of Science and Technology for Homeland Security, 1-1.
Whitty, M., Doodson, J., Creese, S., & Hodges, D. (2015). Individual differences in cyber security behaviors: an examination of who is sharing passwords. Cyberpsychology, Behavior, and Social Networking, 18(1), 3-7.