Cybersecurity Behavior Change: A conceptualization of Ethical Principles for Behavioral Interventions

Konstantinos Mersinas, Maria Bada, Steven Furnell

Research output: Contribution to journal › Article › peer-review

Abstract

The importance of changing behaviors is gradually being acknowledged in cybersecurity, and the reason is the realization that a notable portion of security incidents have a human-related component. Thus, enhancing behaviors at the individual level can bring a significant reduction in security breaches overall. Behavior change refers to any modification of human behavior through some type of intervention. Interventions from behavioral economics and psychology are being increasingly introduced in the field; however, the ethics surrounding such interventions are largely neglected. In this paper, we raise the ethical issues associated with behavioral intervention approaches. We draw on the traditionally more mature field of biomedical ethics and propose six clusters of ethical principles suitable for cybersecurity behavior change. We conducted a survey (N=141) to identify individuals’ perceptions of the proposed ethical principles and validate their perceived usefulness. We analyze an existing intervention in the light of our six-principle conceptualization to showcase how it can be used as a practical apparatus. Our set of ethical principles is aimed at cybersecurity professionals, policy makers, and behavioral intervention designers, and can serve as a starting point for best-practice development in cybersecurity behavior change ethics.
Original language: English
Article number: 104025
Number of pages: 9
Journal: Computers and Security
Volume: 148
Early online date: 7 Sept 2024
Publication status: Published - Jan 2025