Our research

Human Factors in Information Security


SIR Lab Manager and Principal Investigator Dr Marco Cinnirella is leading a psychological arm of research into human factors in information security. Initially this research project was funded by GSK, with whom the Royal Holloway team continues to collaborate. Working with Professor David Denney and Dr Rikke Jensen (Law, Royal Holloway), the team have developed a unique multi-disciplinary approach to understanding information security challenges in large multi-national organizations. Our work has deployed qualitative and quantitative social science methodologies to audit information security beliefs and practices, and our findings have been used to inform information security comms, policy and training. We have also worked with GSK to develop and test comms-based interventions aimed at improving information security awareness and behaviours, and early findings on the efficacy of these interventions are very promising. The Royal Holloway team are looking to publish a range of the findings from this ground-breaking GSK-funded research over the next 18 months. Watch this space!

If you feel that your organization might benefit from our unique social science-based approach to understanding information security behaviours, then please get in touch. We are already in talks with other multi-nationals who wish to address issues such as:

  • How does culture, working at national, company, site and team levels, impact information security beliefs and behaviours?
  • What is the best way to deploy training on information security?
  • How are phishing simulations, ethical hacking and other penetration testing methods perceived by employees, and how do they impact information security behaviours within the organisation?
  • How and why might some employees breach or even actively subvert information security policies and procedures?
  • Why does compliance with information security policies often vary between sites and within teams?


There are two broad kinds of project that we can assist your business with:

  1. The audit model – the aim here is to deploy our unique social science methods throughout your business with as wide a range of employees as possible, in order to develop a detailed understanding of the information security beliefs and behaviours held by your workforce across multiple sites. Armed with this knowledge we can assist your business in identifying weak points that could be exploited by social engineering attacks or that might lead to unintended errors and lapses, thus future-proofing your business against future attacks and mistakes.
  2. The problem-centred model – here, your business has already identified one or more critical problems, such as a vulnerability to phishing attacks or lapses in employee commitment to procedures. Our team can deploy our social science methods in a focused way to help your business understand the psychology behind these problems, leading to us assisting your business in designing, deploying and testing interventions aimed at reducing and ultimately eradicating these problem behaviours and attitudes.

What we can offer differs from what is already offered in the Information Security space because our team are leading, respected academics in behavioural science, working within a top UK university. We deploy a unique behavioural science approach to understanding Information Security challenges that is not offered elsewhere. A reference is available from the CISO of GSK which outlines some of the work we have undertaken for that organisation.

Please get in touch with us if you are interested in hearing more about our work in this area and what we could do for your organisation: m.cinnirella@rhul.ac.uk

In March 2017 I co-presented the Royal Holloway Stevenson Science Lecture with colleagues from the Information Security Group – if you would like an insight into how I believe Psychology has a crucial role to play in understanding Information Security then please take a look at the video of the lecture: https://tv.theiet.org/?videoid=10011

If you would like to read a short piece I have recently written about human factors in Information Security, please look at page 20 of the Information Security Group annual newsletter 2016-17, which can be downloaded here: https://www.royalholloway.ac.uk/isg/aboutus/isgreviewnewsletter.aspx