When was the last time you changed your computer password? Cyberattacks and privacy breaches are regularly in the news, but as individuals we often fail to take positive action to protect ourselves. In this piece, Emily Collins and Joanne Hinds of the University of Bath School of Management describe their new project to prompt people into action.
Over the last five years the cost of cyberattacks is reported to have risen by 67%, with the majority of these data breaches being traced back to human error. It is anticipated that 75% of UK companies plan to address human factors in cyberattacks in the next three years in an attempt to mitigate this.
Despite this, people routinely put off, ignore or forget cyber security measures such as changing passwords, updating privacy settings and locking computer screens. We suffer from “privacy fatigue”, feeling exhausted and turned off by seemingly endless reports of data breaches in the news, and we’ve become weary of installing software updates, updating privacy settings and changing passwords. Work-based training on cybersecurity is generally very conventional, often just delivered as a one-off when people join an organisation. It doesn’t seem to galvanise people to act and is quickly forgotten.
Using technology to change behaviour
In recent years we’ve seen how the technology used in exercise and fitness apps can successfully nudge people to make behavioural changes. We’ve taken inspiration from this to investigate whether we could make a difference to people’s behaviour using a simple device that plugs in to a PC and signals when action is needed.
The project, entitled Encouraging cyber security behaviour through gentle interventions: Can ambient displays support users in making more secure decisions?, will use Adafruit Circuit Playgrounds, a small electronic piece of kit which can be programmed to display coloured lights in different configurations or patterns, vibrate or emit various sounds.
The device can be connected to a variety of sensors that detect a person’s movement. It will sit next to someone’s computer and uses a sequence of these lights, sounds and vibrations to subtly nudge the user to lock their computer screen (if they forget to) as they leave their desk.
Using devices external to the computer (but on the desk) can allow reminders to stay in someone’s periphery, hopefully increasing the chance that they will act on them. Using soft lights and sounds provides an opportunity to try to change people’s behaviour in ways that are less “aggressive” or annoying than constant pop-up windows or screen based alerts which cause irritation and can easily be dismissed and forgotten.
Developing good habits
Over time, the prompts should help to encourage the person to develop a new habit, such as locking a screen, changing a password, or updating their privacy settings. Our aim is to create a working prototype with open-source code that will be available to businesses later in the year. It could also be tailored for home use in the future. We hope that by exploring new approaches to “nudging” people’s behaviour, we can help to reduce our vulnerability to security threats – creating safer work and home environments for everyone.
The research team (which includes researchers from the University of Bath and Goldsmiths University of London), is inviting people to take part in a creative element of the study by drawing their cybersecurity concerns and solutions. The findings will help the team to develop more innovative, creative ways to tackle cybersecurity problems. For more information, or to take part, visit https://tinyurl.com/yxluc6lf.
Header image of Adafruit device by Nic Delves-Broughton, University of Bath