Cybersecurity Behavior Change: A conceptualization of Ethical Principles for Behavioral Interventions

Konstantinos Mersinas, Maria Bada, Steven Furnell

Research output: Contribution to journal / Article / peer-review


The importance of changing behaviors is gradually being acknowledged in cyber security, driven by the realization that the majority of security incidents have a human-related component. Thus, enhancing behaviors at the individual level can bring a significant reduction in security breaches overall. Behavior change refers to any modification of human behavior through some type of intervention. Interventions from behavioral economics and psychology are increasingly being introduced in the field; however, the ethics surrounding such interventions are largely neglected. In this paper, we raise the potential ethical issues associated with behavioral intervention approaches. We draw on the traditionally more mature field of biomedical ethics and propose six clusters of ethical principles suitable for cybersecurity behavior change. We conducted a survey (N=141) to identify individuals’ perceptions of the proposed ethical principles and validate their perceived usefulness. We analyze an existing intervention in the light of our six-principle conceptualization to showcase how it can be used as a practical apparatus. Our set of ethical principles is aimed at cyber security professionals, policy makers, and behavioral intervention designers, and can serve as a starting point for best-practice development in cybersecurity behavior change ethics.
Original language: English
Journal: Computers and Security
Publication status: Submitted - 1 Apr 2024
