Behavioral Cybersecurity

More than ever before in history, the tasks that compose everyday life crisscross digital spaces. On the one hand, this modern reality has led individuals and organizations to celebrate the innovation and sophistication of computer networks and information systems that drive their digital lives. This innovation and sophistication have enabled quicker and more efficient manufacturing, production, critical infrastructure, and supply chain management, as well as access to things such as online shopping, education, and banking. On the other hand, this new digital landscape has opened up a world of tremendous vulnerability for the cybersecurity of both individuals and organizations.

With the explosion of cyberattacks in recent years, the importance of cybersecurity has grown almost without bound. In order to gain an understanding of how to combat these threats, it is necessary to understand cybersecurity from a number of reference points. First, it is imperative to understand the approaches available to design a healthy defense strategy. Second, a necessary component of understanding the role of defense is being able to identify the possible attack strategies. Finally, what is often omitted in cybersecurity research on the technological approaches and strategies is how they can be compromised by human behavior. Thus, we have developed a behavioral cybersecurity model for research, development of higher education curricula, and the pursuit of safer digital lives for individuals and organizations.

This book builds upon our first, as well as the more recent, work we have conducted with our colleagues to explore both the technological and human behavioral issues that are integral to understanding cybersecurity. Within the past 6 years, we have led and worked with our colleagues to introduce a new scientific field, behavioral cybersecurity. As we have done so, we have developed the following technical definition of the field: Behavioral cybersecurity integrates behavioral science theories, methods, and research findings to answer questions about behavior involved in the identification, management (i.e., defenses, collateral damage control), and analysis of cybersecurity events faced by individuals, as well as within organizations (Patterson et al., 2016a,b; Patterson & Sone, 2017, 2018; Patterson et al., 2017; Patterson & Winston-Proctor, 2019; Patterson, Murray, et al., 2020; Patterson & Gergely, 2020; Patterson, Orgah, et al., 2020). The purpose of this chapter is to introduce the reader to the new field of behavioral cybersecurity.

Cybersecurity Without the Human: Is it Only a Matter of Time?

Can you imagine the nature and consequences of one of the recent cybersecurity events that we described in Chapter 1, where the human actor is removed? One might argue that the time will come when the human is out of the loop.

Understanding human behavior is integral to cybersecurity. Without a human actor, virtually all cybersecurity issues would be nonexistent. Within computer science and engineering, human factor psychology is the most common psychological subfield used to solve problems. Human factor psychology is a scientific discipline that studies how people interact with machines and technology to guide the design of products, systems, and devices that are used every day, most often focusing on performance and safety (Bannon, 1991; Bannon & Bodker, 1991; Salvendy, 2012). Sometimes, human factor psychology is referred to as ergonomics or human engineering. Within our initial formulation of our behavioral cybersecurity model, we extend this human factor psychology focus to include personality psychology.

Cybersecurity and Personality Psychology: Why this Field of Psychological Science?

Personality psychologists study the whole person with respect to the following three dimensions of personality that develop within the complex sociocultural context in which individuals’ lives develop: personality traits, personality characteristic adaptations, and narrative identity. We will explore each of these dimensions of personhood and how personality psychologists assess each within Chapter 3. We started the development of our behavioral cybersecurity model with personality psychology because it provides a robust framework to describe human nature (i.e., how all individuals are alike), individual differences (i.e., how some individuals are alike), and human uniqueness (i.e., how an individual in some ways is like no other person). Personality psychology is also the only subfield of psychological science that at its founding in the 1930s had as its distinctive mission to understand human uniqueness, which is integral to gaining a full understanding of behavioral cybersecurity approaches, strategies, and behaviors.

In sum, with the interest in and rapid acceleration of cyberattacks worldwide, it has become clear to us that exploring only mathematics- and engineering-related approaches within cybersecurity research, education, and public information dissemination is insufficient to gain a comprehensive understanding of the overall landscape of cybersecurity. The expertise of personality psychologists, along with their colleagues from the sister disciplines of cognitive, developmental, neuro, and health psychology, is imperative. Thus, behavioral cybersecurity is a necessary new discipline with the potential to transform the way in which individuals and organizations conceive of cybersecurity and respond within the new normal of modern digital life.


Bannon, L. J. 1991. From human factors to human actors: The role of psychology and human-computer interaction studies in system design. In J. Greenbaum & M. Kyng (Eds.), Design at Work: Cooperative Design of Computer Systems. L. Erlbaum Associates, Hillsdale, NJ, pp. 25-44.

Bannon, L. J., & Bodker, S. 1991. Beyond the interface: Encountering artifacts in use. In J. M. Carroll (Ed.), Designing Interaction: Psychology at the Human Computer Interface. Cambridge University Press, New York, pp. 227-253.

Patterson, W., Boboye, J., Hall, S., & Hornbuckle, H. 2017. The gender Turing test. Proceedings of the 3rd International Conference on Human Factors in Cybersecurity, July 2017, Los Angeles, CA.

Patterson, W., & Gergely, M. 2020. Economic prospect theory applied to cybersecurity. Proceedings of the AHFE 2020 International Conference on Human Factors in Cybersecurity, July 16-20, 2020, San Diego, CA, pp. 113-121.

Patterson, W., Murray, A., & Fleming, L. 2020. Distinguishing a human or machine cyberattacker. Proceedings of the 3rd Annual Conference on Intelligent Human Systems Integration, Modena, Italy, February 2020, pp. 335-340.

Patterson, W., Orgah, A., Chakraborty, S., & Winston-Proctor, C. E. 2020. The impact of Fake News on the African-American community. Proceedings of the AHFE 2020 International Conference on Human Factors in Cybersecurity, July 16-20, 2020, San Diego, CA, pp. 30-37.

Patterson, W., & Sone, M. 2017. Behavioural cybersecurity: A new metric to assess cyberattacks. Proceedings of Contemporary Mathematics and the Real World, University of Ibadan, May 2017, Nigeria.

Patterson, W., & Sone, M. 2018. A metric to assess cyberattacks. Proceedings of the 4th International Conference on Human Factors in Cybersecurity, July 2018, Orlando, FL.

Patterson, W., & Winston-Proctor, C. E. 2019. An international extension of Sweeney’s Data Privacy Research. Advances in Human Factors in Cybersecurity, T. Ahram & W. Karwowski (Eds.), Proceedings of the AHFE 2019 International Conference on Human Factors in Cybersecurity, July 24-28, 2019, Washington, DC, pp. 28-37.

Patterson, W., Winston-Proctor, C. E., & Fleming, L. 2016a. Behavioral cybersecurity: Human factors in the cybersecurity curriculum. Proceedings of the 2nd International Conference on Human Factors in Cybersecurity, July 2016, Orlando, FL.

Patterson, W., Winston-Proctor, C. E., & Fleming, L. 2016b. Behavioral cybersecurity: A needed aspect of the security curriculum. Proceedings of the IEEE SoutheastCon 2016, March 2016, Norfolk, VA.

Salvendy, G. (Ed.). 2012. Handbook of Human Factors and Ergonomics (4th ed.). Wiley and Sons, Hoboken, NJ.

Personality Theory and Methods of Assessment

What do we know when we know a person? There are many ways to answer this question. Personality psychologists’ answer to this question is that to know a person means that you understand the stable dimensions of their social behavior (i.e., personality traits), the adaptive aspects of their needs, wants, motives, and goals (i.e., personality characteristic adaptations), and the person’s internalized, evolving, and integrative inner narrative (i.e., narrative identity). These dimensions of knowing a person constitute a person’s personality. The purpose of this chapter is to briefly describe the dimensions of human personality and the methods personality psychologists use to assess each. We adopt this focus because at the heart of our foundational development of the field of behavioral cybersecurity has been the integration of cybersecurity with a personality psychological approach to behavioral science. From this perspective, we have begun to develop a field of behavioral cybersecurity that centers on understanding the attacker’s personality in terms of how it can inform questions about behavior involved in the identification, analysis, and management of cybersecurity events faced by individuals, as well as within organizations (Patterson & Winston-Proctor, 2019).

In his book entitled The Art and Science of Personality Development, Dan McAdams (2015) presents a heuristic for understanding the personality of a person by thinking of the person as intricately behaving across the life course as a social actor, a motivated agent, and an author. This is his shorthand way to identify and describe each of the three layers of human personality that psychologists have discovered over more than a century of research: personality traits, personality characteristic adaptations, and narrative identity. Each of these dimensions of personality has a differential relation to culture (McAdams & Pals, 2006). To further explain his heuristic for conceptualizing personality, McAdams (2015) described that across the course of a person’s life, we know an actor who first has a style of presentation or temperament that gradually morphs into personality traits; an agent with a dynamic arrangement of evolving motives, goals, values, and personal projects; and an author seeking to understand who they are and how they are to live, love, and work within the social and cultural context of their adult society. Thus, applications of personality psychology to identify, analyze, and manage cybersecurity problems require an understanding of cross-cultural variations in personality traits, motivation, and narrative identity within the social contexts in which cybersecurity problems emerge within and across cultures.
