Security by behavioural design
In 2021, the National Cyber Security Centre (NCSC) asked Leiden University to conduct a rapid review of best practices and of possibilities for follow-up research on integrating the behavioural sciences into security by design methodologies and projects. This academic field is called security by behavioural design. Its purpose is to design systems in such a way that users behave more securely almost automatically.
- Dr. Els de Busser & Dr. Tommy van Steen
- 20 September 2021
- NCSC 'Security by behavioural design'
The rapid review is a literature study, supplemented by a sense check in which the overall findings are presented to experts in order to investigate the potential of a security by behavioural design solution for cybersecurity problems. The research focuses mainly on nudging, also known as choice architecture, and on techno-regulation. The latter is an area of law that holds that security can be enforced by taking away the freedom not to choose it.
Nudging examines how choices can be presented so that people are steered in a predetermined direction, such as towards better cybersecurity behaviour. The results of the study show that security by behavioural design is a good method for improving cybersecurity behaviour. For a long-term improvement, a nudge has to be applied repeatedly at the moments when users must choose between security and usability.
When using nudging, ethical aspects must be taken into account; in addition, nudges must be extensively tested for effectiveness. Developers and behavioural scientists can work well together, especially where complex decisions and user behaviour are involved.
The experts consulted see the added value of including secure cybersecurity behaviour in design processes. The combination of techno-regulation and nudging is particularly relevant here: techno-regulation can be used for high-risk behaviour and nudging for cases where there is little to no risk.