Cardiff University | Prifysgol Caerdydd ORCA
Online Research @ Cardiff 
WelshClear Cookie - decide language by browser settings

Exploring workers' subjective experiences of habit formation in cyber-security: A qualitative survey

Collins, Emily I. M. ORCID: and Hinds, Joanne 2021. Exploring workers' subjective experiences of habit formation in cyber-security: A qualitative survey. Cyberpsychology, Behavior, and Social Networking 24 (9) , pp. 599-604. 10.1089/cyber.2020.0631

[thumbnail of Collins. Exploring workers' subjective.pdf] PDF - Accepted Post-Print Version
Download (204kB)


Employee behaviors remain at the center of the cybersecurity of workplaces, despite the challenges they face in doing so. Time pressures and competing demands mean that users tend to rely on habitual behaviors that often run counter to good cybersecurity practice. One possible solution may be to encourage positive habit formation. Designing such interventions, however, relies on knowledge of the perception and experience of habit formation in the context of cybersecurity. To this end, a qualitative survey containing open-ended questions was completed by 195 participants (mean age = 35.51, 53 percent female) recruited via an online participant panel. Participants were asked what cybersecurity behaviors they perform at work and how they believe any habits were prompted, formed, and maintained. Thematic analysis identified three over-arching themes: (a) forming habits unavoidably or unconsciously (some were mandated, or formed without conscious awareness), (b) consciously cultivating habits (including the roles of intrinsic motivation and external prompts), and (c) social and organizational influences (including the influence of occupational culture, social modeling, previous experiences, and information gathering practices). Based on these findings, we present guidelines for supporting workplace cybersecurity habit formation reflecting these subjective experiences, namely introducing automatic solutions, facilitating external cues, fostering interest in cybersecurity issues among employees, creating a positive cybersecurity occupational culture and highlighting positive behavior, and providing access to accessible cybersecurity information to employees. These results constitute a first step in identifying how habits can be exploited for positive cybersecurity behavior change in a way that accounts for the reliance on habitual behaviors in busy, time-pressured workplaces.

Item Type: Article
Date Type: Publication
Status: Published
Schools: Psychology
Publisher: Mary Ann Liebert
ISSN: 2152-2715
Date of First Compliant Deposit: 8 June 2021
Date of Acceptance: 26 May 2021
Last Modified: 30 May 2023 20:20

Citation Data

Cited 1 time in Scopus. View in Scopus. Powered By Scopus® Data

Actions (repository staff only)

Edit Item Edit Item


Downloads per month over past year

View more statistics