Understanding human factors in cyber security as a dynamic system

The perspective of human factors is largely missing from the wider cyber security dialogue and its scope is often limited. We propose a framework in which we consider cyber security as a state of a system. System change is brought on by an entity’s behavior. Interventions are ways of changing entities’ behavior to inhibit undesirable behavior and increase desirable behavior. Choosing an intervention should take into account the dynamic nature of how humans use cyberspace. People are not likely to change old behavior at the drop of a hat. The key is to invent new ways to maintain old behavior in new circumstances. Our framework differentiates three basic pathways of actor behavior that influence the cyber security of a system. The distinction between reflex, habit and thoughtful paths to action does facilitate the endeavor to develop successful interventions.