Human Factors Excellence (HuFEx), School of Psychology, Cardiff University, Cardiff, United Kingdom.
Information, Decisions and Operations (IDO), School of Management, University of Bath, Bath, Somerset, United Kingdom.
Cyberpsychol Behav Soc Netw. 2021 Sep;24(9):599-604. doi: 10.1089/cyber.2020.0631. Epub 2021 Aug 17.
Employee behaviors remain at the center of the cybersecurity of workplaces, despite the challenges they face in doing so. Time pressures and competing demands mean that users tend to rely on habitual behaviors that often run counter to good cybersecurity practice. One possible solution may be to encourage positive habit formation. Designing such interventions, however, relies on knowledge of the perception and experience of habit formation in the context of cybersecurity. To this end, a qualitative survey containing open-ended questions was completed by 195 participants (mean age = 35.51, 53 percent female) recruited via an online participant panel. Participants were asked what cybersecurity behaviors they perform at work and how they believe any habits were prompted, formed, and maintained. Thematic analysis identified three over-arching themes: (a) (some were mandated, or formed without conscious awareness), (b) (including the roles of intrinsic motivation and external prompts), and (c) (including the influence of occupational culture, social modeling, previous experiences, and information gathering practices). Based on these findings, we present guidelines for supporting workplace cybersecurity habit formation reflecting these subjective experiences, namely introducing automatic solutions, facilitating external cues, fostering interest in cybersecurity issues among employees, creating a positive cybersecurity occupational culture and highlighting positive behavior, and providing access to accessible cybersecurity information to employees. These results constitute a first step in identifying how habits can be exploited for positive cybersecurity behavior change in a way that accounts for the reliance on habitual behaviors in busy, time-pressured workplaces.
员工行为仍然是工作场所网络安全的核心,尽管他们在这样做时面临挑战。时间压力和竞争需求意味着用户往往依赖于习惯性行为,而这些行为往往与良好的网络安全实践背道而驰。一种可能的解决方案是鼓励积极的习惯养成。然而,设计此类干预措施依赖于对网络安全背景下习惯形成的感知和经验的了解。为此,通过在线参与者小组招募了 195 名参与者(平均年龄为 35.51 岁,女性占 53%),完成了一份包含开放式问题的定性调查。参与者被要求描述他们在工作中执行的网络安全行为,以及他们认为哪些习惯是如何被提示、形成和维持的。主题分析确定了三个总体主题:(a)一些是强制性的,或者是在无意识的情况下形成的),(b)(包括内在动机和外部提示的作用),和(c)(包括职业文化、社会模仿、以前的经验和信息收集实践的影响)。基于这些发现,我们提出了支持工作场所网络安全习惯形成的指导方针,反映了这些主观经验,即引入自动解决方案、为员工提供外部提示、激发对网络安全问题的兴趣、营造积极的网络安全职业文化并强调积极行为,并为员工提供易于访问的网络安全信息。这些结果是确定如何利用习惯来实现积极的网络安全行为改变的第一步,这种方法考虑到了在忙碌、时间紧迫的工作场所中对习惯性行为的依赖。
