Human-centered Cybersecurity

“Cybersecurity and privacy cannot be ensured by technology and law alone, but are primarily shaped by people. Effective solutions can only be created if the human factor is taken into account.”
Nico Ebert, Head of Human-centered Cybersecurity
The human factor in cybersecurity and privacy
How can an organization better prepare for a cyberattack? How can staff awareness be improved and behaviour made more secure? How can individuals better protect their personal data? And how can technology be designed to support people in navigating the digital space more securely?
In an interdisciplinary team with backgrounds in computer science, organization and psychology, we develop innovative solutions in the field of cybersecurity and privacy (e.g. measuring cybersecurity awareness or developing IT security management frameworks). Our focus is on individuals and organizations alike. We use established methods, for example from the fields of behaviour change, organizational learning and safety, and work closely with other experts, such as through the Cyber Resilience Network for the Canton of Zurich or the Cybersecurity Lab at ZHAW.
Project Example – Measuring IT Security Behavior in Organizations
The information security culture in organizations is largely shaped by the everyday behavior of employees. Together with researchers from ETH Zurich and the University of Zurich, as well as cybersecurity practitioners, we developed a multilingual questionnaire to measure the IT security behavior of employees in organizations. In contrast to previous questionnaires, this one deliberately avoids measuring other behavioral factors (e.g., knowledge or attitudes) and instead focuses on 34 specific behaviors across six categories. The questionnaire is also deliberately technology-neutral and therefore robust against new technological trends. This provides the basis for a comprehensive behavioral diagnosis as well as for the development of behavior-change measures. Instead of broad awareness campaigns, organizations can therefore address particularly security-relevant behaviors in a targeted way (e.g., training to promote phishing reporting). The questionnaire can be flexibly expanded with additional behaviors depending on the organization and has already been tested by several public and private organizations with thousands of employees.