Human-centered Cybersecurity

«Designing cybersecurity and data protection requires an integrated approach that takes people, technology, and organization into account. Only a holistic perspective can lead to effective solutions.»
Nico Ebert, Head of Human-centered Cybersecurity
A holistic approach to cybersecurity and data protection
How can an organisation better prepare for a cyberattack? How can staff awareness be improved and their behaviour made more secure? How can individuals better protect their personal data? And how can technology be designed to help people navigate the digital space more safely?
We view cybersecurity and data protection as an interplay between people, technology and processes. To this end, we combine different disciplines: psychology, to understand and change behaviour; management, to design effective structures and processes; and technology, to develop secure and usable systems. As part of an interdisciplinary team, we develop practical approaches, for example to measure cybersecurity awareness or to further develop IT security management frameworks. In doing so, we draw on established concepts from behaviour change, organisational learning and safety. We work closely with other experts, for example within the Cyber Resilience Network Zurich or at the ZHAW Cybersecurity Lab.
Project example – Measuring IT security behaviour in organisations
The information security culture within organisations is largely shaped by the day-to-day behaviour of employees. In collaboration with researchers from ETH Zurich and the University of Zurich, as well as cybersecurity practitioners, we have developed a multilingual questionnaire to measure the IT security behaviour of employees in organisations. Unlike previous questionnaires, this one deliberately avoids measuring other behavioural factors (e.g. knowledge or attitudes) and instead focuses on 34 specific behaviours across six categories. The questionnaire is also deliberately designed to be technology-neutral, making it resilient to new technological trends. It thus forms the basis for a comprehensive behavioural assessment and for the development of behaviour change measures. Instead of broad awareness campaigns, this allows for the targeted addressing of behaviour that is particularly relevant to security (e.g. training to encourage phishing reporting). The questionnaire can be flexibly expanded to include further behaviours depending on the organisation and has already been tested by several public and private organisations with several thousand employees.
Project example – Developing a zero-trust framework for today’s SMEs
Small and medium-sized enterprises are increasingly affected by cyber risks, whilst their security resources remain limited. Cloud services, hybrid IT, external service providers and distributed identities are undermining perimeter-based security models. Existing zero-trust frameworks are not tailored to national requirements. We have therefore developed a framework that can be used as a basis for decision-making when selecting and prioritising appropriate security measures.