Behavior change approaches for cyber security and the need for ethics

Research output: Contribution to conference › Paper › peer-review



Humans are reportedly exploited as the main attack vector for security breaches. In order to minimize the susceptibility of humans to security attacks, it is not sufficient for individuals to just be aware, but they need to change their behavior as well. Such behavior change, that is, the modification of user behavior, can occur via targeted interventions, which are gradually being introduced in cyber security. In this paper, we identify and categorize the main approaches used to change user behavior and portray the main limitations of these approaches. Other fields, like health sciences, psychology and economics, have been traditionally more mature in ethics-related considerations. We suggest that although individual behavior change is increasingly being embraced by security practitioners and professionals, ethical aspects of the accompanying interventions are by and large neglected in the field. We explore the ethical traditions of utilitarian, deontological and virtue ethics and their relations with security. We posit that ethical frameworks are needed for cyber behavior change interventions as a means to enhance security hygiene on both an individual and an organizational level.
Original language: English
Publication status: Published - 4 Jul 2023
Event: Cyber Science: Centre for Multidisciplinary Research, Innovation and Collaboration (C-MRiC) - Aalborg University Copenhagen, Copenhagen, Denmark
Duration: 3 Jul 2023 to 4 Jul 2023


Conference: Cyber Science


  • cyber security
  • behavior change
  • behavioral interventions
  • ethics
