
Assignment 01

Uploaded by

bhattibaba118
Copyright © All Rights Reserved

UNDERSTANDING USER SECURITY BEHAVIOUR: FACTORS, CHALLENGES, AND STRATEGIES TO IMPROVE CYBERSECURITY

MUHAMMAD HAMMAD ANWAR

STUDENT NO # 34548635

ICT615 IT RESEARCH METHODS


CONTENTS
1. INTRODUCTION
2. FACTORS INFLUENCING USER SECURITY BEHAVIOUR
2.1. Psychological Factors
2.2. Organizational Factors
2.3 Technological Factors
3. CHALLENGES IN USER SECURITY BEHAVIOUR
3.1 Non-compliance and human error
3.2 Change Resistance and New Security Practices
4. STRATEGIES FOR ENHANCING USER SECURITY BEHAVIOUR
4.1 Enhancing Security Awareness and Training Programs
4.2 Implementing User-Centered Security Design
4.3 Fostering a Strong Organizational Security Culture
4.4 Utilizing Technology to Enhance Security
5. CONCLUSION
7. REFERENCES
1. INTRODUCTION
In today's increasingly connected world, cybersecurity has become a critical concern for
individuals, organizations, and governments. Technology plays an important role in securing
digital assets, but human behaviour plays a significant role in determining the effectiveness
of information security measures. It is therefore crucial to understand the factors that
motivate individuals to adopt or neglect security practices and to identify strategies to
improve their security behaviour. This literature review examines the factors that influence
user security behaviour, highlights key challenges, and discusses strategies to enhance
cybersecurity. As technology
continues to evolve, users are expected to interact with an increasing number of digital
devices, applications, and services. The growing reliance on technology for various aspects
of daily life, work, and communication has resulted in an expanding attack surface for
cybercriminals. Simultaneously, the number of cyber threats, such as malware, phishing,
and data breaches, has also risen. Although advanced security measures can provide
protection against many threats, the human factor remains a potential weak link in the
security chain. For instance, a user may inadvertently disclose sensitive information or fall
victim to social engineering attacks, compromising the security of personal or organizational
assets.
Researchers have studied users' security decisions and activities since human behaviour is
so important to information security. Risk perception, motivation, and beliefs influence user
security behaviour. Security-related decision-making is explained by Protection Motivation
Theory and Planned Behaviour Theory. Security rules, training, and awareness campaigns
can also influence user security behaviour. The usability and accessibility of security
solutions can also affect users' security practices. Despite growing understanding of user
security behaviour, creating a secure digital environment is challenging. Weakened security
can be caused by noncompliance with security policies, human errors, and resistance to new
security practices. Organizations struggle to reconcile security with user convenience and
productivity. Researchers and practitioners have suggested ways to improve user security
behaviour. Security awareness and training can help users recognize and manage cyber
dangers. User-centred security design and organizational security culture can promote
secure behaviour. Understanding what motivates or discourages people from following
security measures can help improve rules and initiatives.
In conclusion, understanding user security behaviour is crucial for developing effective
strategies to improve cybersecurity. This literature review will synthesize the current state
of knowledge on factors influencing user security behaviour, challenges associated with it,
and strategies to enhance security practices. By examining the existing literature, this review
will contribute to the broader understanding of user security behaviour and provide insights
for future research and practical applications.
2. FACTORS INFLUENCING USER SECURITY BEHAVIOUR
2.1. Psychological Factors
There is a strong influence of psychological factors on security behaviour. Protection
Motivation Theory (PMT) asserts that motivation to adopt a certain behaviour, such as
adopting security practices, is determined by two factors: perceived threat and perceived
effectiveness (Grobler, 2021). According to studies (Ali & Sohail, 2021), users' security
behaviour is influenced by factors such as perceived vulnerability, perceived severity, and
response efficacy (Ameen et al., 2020; Haag & Liu, 2021).
The Theory of Planned Behaviour (TPB) has also been used to study psychological factors
that influence security behaviour. A person's attitude, subjective norms, and perceived
control determine their behavioural intentions, according to TPB (Ajzen, 1991). TPB can help
explain how attitudes, social influence, and perceived control affect security-related
decisions (Ali et al., 2021; Shahbaznezhad et al., 2021). Risk perception, trust, and fear also
affect user security behaviour, according to research. According to the fear appeals theory,
inducing fear can encourage protective behaviour (Ou et al., 2022). Fear appeals can
increase users' security policy compliance, especially when combined with easy-to-adopt
behaviours (Ou et al., 2022).

2.2. Organizational Factors


Organizational factors, such as security policies and awareness programs, can significantly
influence user security behaviour. To ensure the security of organizational assets, security
policies and procedures define the rules and regulations users must follow. Compliance with
security policies is critical to maintaining a secure computing environment. According to
studies (Ali et al., 2021; Hadlington et al., 2021), perceived effectiveness of security policies
and procedures may influence users' adherence to security practices.
Educating users and training them on security can also have a significant impact on their
behaviour. A security education program aims to educate users about the importance of
security, the risks associated with insecure behaviour, and how to stay secure. Security
awareness and training programs can significantly improve users' security behaviour and
reduce the likelihood of security breaches, according to research (Koohang et al., 2020).

2.3 Technological Factors


Technological factors, such as the usability of security tools and system vulnerabilities, can
also impact user security behaviour. Security tools and technologies, such as firewalls and
antivirus software, are designed to protect systems from various threats. The effectiveness
of such tools depends, however, on their usability and accessibility. If security tools are
difficult to use or require significant effort to maintain, users may be less likely to adopt
them (Moustafa & Maurushat, 2021). On the other hand, tools that are easy to use and
integrate seamlessly into users' workflows can encourage adoption and compliance with
security practices.
System vulnerabilities, such as software bugs and configuration errors, can also pose a
significant risk to information security. Users may inadvertently expose systems to threats
by not following secure practices, such as regularly updating software or avoiding risky
behaviours like clicking on suspicious links. Research has shown that the presence of system
vulnerabilities can significantly impact users' security behaviour, and efforts to reduce
vulnerabilities can improve compliance with security practices (Shahbaznezhad et al., 2021;
Gwebu et al., 2020).
Recent research has also explored the role of emerging technologies, such as artificial
intelligence and blockchain, in improving user security behaviour. For example, AI-based
tools can analyse users' behaviour patterns to identify potential security threats and provide
real-time feedback and recommendations (Giwah et al., 2021). On the other hand,
blockchain-based solutions can enhance the security of information sharing and
collaboration through transparent and secure access control mechanisms (Gwebu et al.,
2020). There is, however, a need for further research into the effectiveness and adoption of
these technologies within the context of user security behaviours.

3. CHALLENGES IN USER SECURITY BEHAVIOUR


Despite efforts to improve user security behaviour, several challenges hinder security
measures. This section discusses user security behaviour's main challenges.

3.1 Non-compliance and human error


Non-compliance with security policies and procedures is a major security issue. Users may
unknowingly violate security policies, which weakens security. Non-compliance can result
from misunderstanding security policies, inconvenient security practices, or a lack of
consequences (Ameen et al., 2020). Human error can also compromise user security. Users
may accidentally disclose sensitive information or fall prey to social engineering attacks,
compromising personal or organizational assets. Lack of security awareness, training, or
understanding can cause such errors (Chaudhary et al., 2022). Regular security training and
awareness programs are needed to prevent non-compliance and human errors. Security
programs can teach users how to stay safe. To ensure users follow security policies,
organizations must impose penalties for noncompliance.

3.2 Change Resistance and New Security Practices


Resistance to change and new security practices can also hinder user security behaviour. If
security changes disrupt workflows, users may resist them (Hong & Furnell, 2021). If they
find new security tools difficult to use or incompatible with their workflows, users may not
adopt them. Security policies and practices must be user-friendly to overcome resistance to
change and adoption. To encourage secure behaviour, security measures must balance
convenience and security. User-centred security design ensures that security tools and technologies meet
user needs.
4. STRATEGIES FOR ENHANCING USER SECURITY BEHAVIOUR
To enhance user security behaviour, organizations must adopt a holistic approach that
addresses the psychological, organizational, and technological factors that influence security
behaviour. In this section, we will discuss some strategies that have been proposed to
improve user security behaviour.

[Figure: four strategies: Training and awareness programs for security; Implementing User-Centred Security Design; Fostering a Strong Organizational Security Culture; Utilizing Technology to Enhance Security]

Figure 1 Implications for user security enhancements

4.1 Training and awareness programs for security


User security behaviour can be significantly improved by effective security awareness and
training programs. In such programs, users are taught the importance of security, the risks
associated with insecure behaviour, and the best practices for staying secure (Mou et al.,
2022). Research shows that security awareness and training programs can improve user
knowledge, attitudes, and behaviours regarding security (Koohang et al., 2020).
Training programs should be tailored to individual user needs and delivered through
different channels, including classroom training, e-learning modules, and newsletters.
Additionally, such programs should be ongoing and regularly updated to reflect changes in
the security landscape and new threats.

4.2 Implementing User-Centred Security Design


In security tools and technologies, user-centred security design focuses on the needs and
preferences of users. User-centred security design aims to create user-friendly security
solutions that are easy to use and adopt. By designing security tools and technologies with
user needs in mind, organizations can increase the likelihood of user adoption and
compliance with security practices (Moustafa & Maurushat, 2021).
Effective user-centred security design requires collaboration between security experts and
users to ensure that security tools and technologies are designed with user needs and
preferences in mind. Additionally, user-centred security design should incorporate user
feedback and testing throughout the design process to ensure that the resulting solutions
meet user needs.

4.3 Fostering a Strong Organizational Security Culture


A company's security culture consists of the values, attitudes, and behaviours that support a
secure computing environment. A strong organizational security culture can significantly
impact user security behaviour by promoting security as a priority and providing a
supportive environment for secure behaviour (Ali & Sohail, 2021).
To foster a strong organizational security culture, organizations must establish clear security
policies and procedures, provide regular security training and awareness programs, and
enforce consequences for non-compliance. Additionally, organizations can incorporate
security into their hiring and performance evaluation processes to ensure that employees
who exhibit strong security behaviour are recognized and rewarded.

4.4 Utilizing Technology to Enhance Security


Users can also enhance their security behaviour with the help of technology. Security
measures can be improved by implementing emerging technologies such as Artificial
Intelligence (AI) and blockchain. For example, AI-based tools can analyse users' behaviour
patterns to identify potential security threats and provide real-time feedback and
recommendations (Giwah et al., 2021). Alternatively, blockchain-based solutions facilitate
secure and transparent access control mechanisms for sharing and collaborating
information (Gwebu et al., 2020).
To effectively utilize technology to enhance security, organizations must carefully evaluate
the benefits and drawbacks of different technologies and ensure that they are compatible
with users' workflows and needs. Additionally, organizations must ensure that such
technologies are implemented in a secure and transparent manner to minimize the risk of
security breaches.

5. CONCLUSION
In this literature review, we have explored the psychological, organizational, and
technological factors that influence user security behaviour. Non-compliance, human error,
and reluctance to change and new security procedures are user security behaviour issues.
We also recommend security awareness and training programs, user-centred security
design, a strong organizational security culture, and security technologies. All these
variables must be considered to establish a secure and user-friendly computer environment.
Protection motivation and planned behaviour theories can explain security behaviour's
cognitive processes. Security rules, training, awareness initiatives, and repercussions for
non-compliance can affect how important security is and how well recommended
behaviours work. Security tool usability and system vulnerabilities can affect security
practice adoption and compliance. This literature analysis revealed various ways to improve
user security behaviour; however, good security practices require continual work and
commitment. Organizations must employ user-centred security design, frequent security
training and awareness campaigns, and developing security technologies. Such tactics can
boost security and lower security breaches.

7. REFERENCES
Mou, J., Cohen, J. F., Bhattacherjee, A., & Kim, J. (2022). A test of protection motivation
theory in the information security literature: A meta-analytic structural equation modeling
approach. Journal of the Association for Information Systems, 23(1), 196-236.
Chaudhary, S., Gkioulos, V., & Katsikas, S. (2022). Developing metrics to assess the
effectiveness of cybersecurity awareness program. Journal of Cybersecurity, 8(1), tyac006.
Ali, R. F., Dominic, P. D. D., Ali, S. E. A., Rehman, M., & Sohail, A. (2021). Information security
behaviour and information security policy compliance: A systematic literature review for
identifying the transformation process from noncompliance to compliance. Applied
Sciences, 11(8), 3383.
Hong, Y., & Furnell, S. (2021). Understanding cybersecurity behavioural habits: Insights from
situational support. Journal of Information Security and Applications, 57, 102710.
Giwah, A. D., Wang, L., Levy, Y., & Hur, I. (2020). Empirical assessment of mobile device
users’ information security behaviour towards data breach: Leveraging protection
motivation theory. Journal of Intellectual Capital, 21(2), 215-233.
Grobler, M., Gaire, R., & Nepal, S. (2021). User, usage and usability: Redefining human
centric cyber security. Frontiers in Big Data, 4, 583723.
Ameen, N., Tarhini, A., Shah, M. H., & Madichie, N. O. (2020). Employees’ behavioural
intention to smartphone security: A gender-based, cross-national study. Computers in
Human Behaviour, 104, 106184.
Haag, S., Siponen, M., & Liu, F. (2021). Protection motivation theory in information systems
security research: A review of the past and a road map for the future. ACM SIGMIS
Database: the DATABASE for Advances in Information Systems, 52(2), 25-67.
Ou, C. X., Zhang, X., Angelopoulos, S., Davison, R. M., & Janse, N. (2022). Security breaches
and organization response strategy: Exploring consumers’ threat and coping appraisals.
International Journal of Information Management, 65, 102498.
Shahbaznezhad, H., Kolini, F., & Rashidirad, M. (2021). Employees’ behaviour in phishing
attacks: what individual, organizational, and technological factors matter? Journal of
Computer Information Systems, 61(6), 539-550.
Moustafa, A. A., Bello, A., & Maurushat, A. (2021). The role of user behaviour in improving
cyber security management. Frontiers in Psychology, 12, 561011.
Koohang, A., Anderson, J., Nord, J. H., & Paliszkiewicz, J. (2020). Building an awareness-
centered information security policy compliance model. Industrial Management & Data
Systems.
Vance, A., Siponen, M. T., & Straub, D. W. (2020). Effects of sanctions, moral beliefs, and
neutralization on information security policy violations across cultures. Information &
Management, 57(4), 103212.
Gwebu, K. L., Wang, J., & Hu, M. Y. (2020). Information security policy noncompliance: An
integrative social influence model. Information Systems Journal, 30(2), 220-269.
Hadlington, L., Binder, J., & Stanulewicz, N. (2021). Exploring role of moral disengagement
and counterproductive work behaviours in information security awareness. Computers in
Human Behaviour, 114, 106557.
