Cardiff University | Prifysgol Caerdydd ORCA
Online Research @ Cardiff 

Human cyber risk management by awareness professionals: carrots or sticks to drive behaviour change?

Blythe, John M., Gray, Alan and Collins, Emily 2020. Human cyber risk management by awareness professionals: carrots or sticks to drive behaviour change? Presented at: 22nd International Conference on Human-Computer Interaction (HCII 2020), Virtual, 19-24 July 2020. Published in: Moallem, Abbas ed. HCI for Cybersecurity, Privacy and Trust: Second International Conference, HCI-CPT 2020, Held as Part of the 22nd HCI International Conference, HCII 2020, Copenhagen, Denmark, July 19–24, 2020, Proceedings. Lecture Notes in Computer Science and Information Systems and Applications, incl. Internet/Web, and HCI. Springer, Cham, pp. 76-91. 10.1007/978-3-030-50309-3_6

Full text not available from this repository.


Cyber crime is rising at an unprecedented rate. Organisations are spending more than ever combating the human element through training and other interventions, such as simulated phishing. Organisations employ “carrots” (rewards) and “sticks” (sanctions) to reduce risky behaviour. Sanctions (such as locking computers and informing one’s line manager) are problematic as they lead to unintended consequences towards employee trust and productivity. This study explored how organisations use rewards and sanctions both in their campaigns and specifically following simulated phishing. We also assessed what factors (such as control over rewards, tendency to blame users) influenced security awareness professionals’ use of rewards and sanctions. The findings revealed that organisations use a variety of rewards and sanctions within their campaigns, with sanctions being used across 90% of the organisations. We did not find any factors that influence security awareness professionals’ usage of rewards and sanctions. Our findings suggest the need for a greater consideration of the human element of cyber security. In particular, campaigns should take a more informed approach to use of behaviour change strategies that consider the organisational structure in which they are implemented and the role (and influence) of security awareness professionals within that structure.

Item Type: Conference or Workshop Item (Paper)
Date Type: Published Online
Status: Published
Schools: Psychology
Publisher: Springer, Cham
ISBN: 9783030503086
ISSN: 0302-9743
Date of First Compliant Deposit: 16 October 2020
Date of Acceptance: 11 March 2020
Last Modified: 09 Nov 2022 09:25

Citation Data

Cited 2 times in Scopus.
