Security by Behavioural Design: A Rapid Review

In 2021, NCSC-NL commissioned Leiden University to carry out a rapid review to gain insight into best practices and potential future research avenues, so that behavioural science can be integrated into broader security by design methodologies and projects. This academic field is referred to as security by behavioural design. The aim of security by behavioural design is to design systems in such a way that the user of these systems is more likely to behave in a secure manner. The goal of this rapid review was to cover the research that empirically tests the effectiveness of various methods. The methods covered are nudging (also called choice architecture) and techno-regulation[1].

When using nudging to influence cybersecurity behaviour, there are some considerations to take into account. Nudges need to be implemented in an ethical manner and developers must thoroughly test the effectiveness of the proposed nudges to avoid unwanted side-effects. Collaboration between developers and behavioural scientists is recommended to cover more complex decisions or user behaviours, or to apply effective nudges in complex environments.

To test the findings, a sense check with some experts in the field was carried out to examine their views of the viability of behavioural solutions. Some experts explicitly stated that they incorporate security by design principles in their software design. The way in which they consider the potential for end-users to behave in an insecure manner varies. The behavioural components of the software are sometimes tested for effectiveness, but a structured, regular, systematic test of these components is often lacking. Nudging could be a useful tool in improving cybersecurity (behaviours), according to the experts. Furthermore, the experts see potential in using techno-regulation and nudging alongside each other. Techno-regulation can be used for high-risk behaviours where removing options is justified, whereas nudging can be implemented in cases where the risk is low, or when systems are used for a variety of tasks, each with their own risk level.
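The distinction the experts draw between the two approaches can be made concrete in a settings model: a low-risk setting is nudged (secure default, opt-out only after a confirmation step, opt-outs logged so the nudge's effectiveness can actually be measured), while a high-risk setting is techno-regulated (the insecure option does not exist). The code below is an added illustration written for this summary, not code from the review or from NCSC-NL; the setting names, the `Risk`/`Mode` enums and the confirmation step are constructed assumptions.

```python
"""Toy model of nudging versus techno-regulation for security settings.

Constructed example: a boolean setting where True is the secure state.
The approach applied to a setting follows from its risk level, as the
review's experts suggest: remove the option for high-risk behaviour,
nudge for low-risk behaviour.
"""
from dataclasses import dataclass, field
from enum import Enum


class Risk(Enum):
    LOW = "low"
    HIGH = "high"


class Mode(Enum):
    NUDGE = "nudge"      # secure default, user may opt out after confirming
    ENFORCE = "enforce"  # techno-regulation: opt-out is not available


class OptOutRejected(Exception):
    """Raised when a user tries to disable an enforced (high-risk) setting."""


@dataclass
class SecuritySetting:
    name: str
    risk: Risk
    mode: Mode = field(init=False)
    audit_log: list = field(default_factory=list)

    def __post_init__(self) -> None:
        # Assumed policy rule: high risk -> enforce, otherwise -> nudge.
        self.mode = Mode.ENFORCE if self.risk is Risk.HIGH else Mode.NUDGE

    def default(self) -> bool:
        # Both approaches preselect the secure state.
        return True

    def apply_user_choice(self, keep_secure: bool, confirmed: bool = False) -> bool:
        """Return the effective state after the user's choice.

        NUDGE: opting out is allowed, but only after an explicit confirmation
        (friction), and every opt-out is logged for later evaluation.
        ENFORCE: the insecure choice is rejected outright.
        """
        if keep_secure:
            return True
        if self.mode is Mode.ENFORCE:
            raise OptOutRejected(f"{self.name}: this option cannot be disabled")
        if not confirmed:
            # Friction step: keep the secure default until the user confirms.
            self.audit_log.append(f"{self.name}: opt-out requested, not confirmed")
            return True
        self.audit_log.append(f"{self.name}: user opted out")
        return False


def opt_out_rate(setting: SecuritySetting, choices: list) -> float:
    """Fraction of confirmed opt-outs over a list of (keep_secure, confirmed)
    pairs; the kind of measurement the review says is often missing."""
    insecure = sum(
        1 for keep, conf in choices
        if setting.apply_user_choice(keep, conf) is False
    )
    return insecure / len(choices) if choices else 0.0


if __name__ == "__main__":
    updates = SecuritySetting("automatic_updates", Risk.LOW)
    print(updates.mode, updates.apply_user_choice(False))                 # stays True
    print(updates.apply_user_choice(False, confirmed=True))                # False
    tls = SecuritySetting("certificate_validation", Risk.HIGH)
    try:
        tls.apply_user_choice(False, confirmed=True)
    except OptOutRejected as exc:
        print(exc)
    print(opt_out_rate(updates, [(True, False), (False, False), (False, True)]))
```

The audit log and `opt_out_rate` are there because the review's main caveat is that nudges must be tested for effectiveness and side effects: a nudge that most users override is not doing its job, and without the measurement nobody finds out.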

If you want to know more about this research, please read the attached document or come and listen to Dr. Tommy van Steen and Dr. Els De Busser’s presentation at NCSC-NL’s upcoming research symposium ‘Let’s do Cybersecurity Research Together’ on the 26th and 27th of October. More information on this event will be available shortly on our website.

[1] Techno-regulation is a subfield of law which holds that security can be enforced by taking away the freedom to act differently.