Human aspects of cyber security.
Human aspects are now widely recognised as a key factor in providing a holistic cyber security solution. The nature of what we mean by human aspects can vary considerably, ranging from intuitive areas such as information security awareness and human–computer interaction to less instinctive yet equally important aspects, such as the development of technical solutions that remove or reduce the security burden placed upon individuals. What all these areas have in common is the impact they have on the people involved.
With this in mind, the Human Aspects of Information Security and Assurance symposium series seeks to provide a forum for a community of researchers working in this area. In July 2024, the 18th event in the series was held in Skövde, Sweden. A total of 39 peer-reviewed papers were presented over three days. From these, six authors were invited to submit extended versions of their work for publication in this special issue. The resulting papers span a range of topics, including cyber security awareness, perceptions of cyber security policy and practice within small and medium-sized enterprises (SMEs), and the human factors of incident reporting.
SMEs underpin economic productivity and innovation, yet they remain disproportionately exposed to cyber risk due to limited expertise, constrained resources and fragmented access to actionable guidance. As cyber threats continue to scale in volume and sophistication, improving how SMEs access, interpret and act upon cyber security knowledge has become a critical research and policy priority. The first paper, by Khan et al., examines the fragmented landscape of online cyber security guidance available to UK SMEs, analysing over 30 sources and demonstrating substantial variation in coverage, clarity and completeness, which risks inconsistent decision-making and persistent practitioner confusion. Complementing this, the second paper, by Button et al., explores how SMEs perceive and respond to cyber security awareness messaging, revealing that message framing, psychological heuristics such as self-efficacy and perceived cost, and business context significantly influence behavioural adoption, with no single communication strategy proving universally effective. Together, these contributions highlight that both the quality of information provision and the behavioural design of communication strategies must be addressed to deliver scalable, trusted and impactful cyber resilience interventions for SMEs.
Building on the theme of awareness, the third and fourth papers focus on improving the effectiveness of learning and behavioural change. The third paper, by Jashari et al., develops a conceptual framework linking personality types, learning styles and social influence vulnerabilities to support the tailoring of Information Security Awareness (ISA) interventions. Using directed content analysis across the DISC personality model, Kolb’s learning styles and Cialdini’s persuasion principles, the authors derive a Personality–Learning–Social (PLS) framework that identifies four behavioural relationships for each personality type, establishing a theoretical basis for more personalised and effective security awareness strategies. The framework offers practical value for managers seeking to optimise engagement and behavioural compliance, while also providing a structured foundation for future empirical validation and adaptive awareness system design. The fourth paper, by Charalambous et al., argues that a central limitation of security education, training and awareness (SETA) programmes lies not in the availability of training content, but in the lack of multidisciplinary expertise required to design engaging, targeted and behaviourally effective initiatives. Leveraging the ENISA European Cybersecurity Skills Framework, the study identifies the core knowledge areas and transferable skills required for effective SETA development, maps these capabilities to relevant cybersecurity career roles, and highlights those roles that demonstrate cross-cutting competence. The findings reinforce the value of collaborative, multi-role SETA design teams and the critical importance of lifelong learning in sustaining programme relevance and impact. Collectively, the work provides a practical framework for strengthening SETA capability and advancing a resilient cyber security culture.
As cyber incidents grow in frequency and sophistication, timely employee reporting has become a critical component of organisational cyber resilience. Drawing on survey data from 549 Australian employees using the Cyber Security Incident Reporting Inventory (CSIRI), the fifth study, by Ahola et al., examines the factors influencing individuals’ willingness to report cyber incidents. The findings show that the presence of organisational cyber security policies – formal or informal – and the perceived relevance of cyber security to an employee’s role significantly increase reporting likelihood. The study also identifies important disparities in attitudes and perceived behavioural control among employees with diverse gender identities, highlighting the need for more inclusive policy and training design. Collectively, this work underscores the strategic importance of policy clarity, role relevance, and inclusive training in strengthening the human firewall and improving organisational incident response capability.
The final study, by Reittinger et al., explores the gap between motivational theory and real-world cyber security practice. The research investigates how German organisations incentivise and sustain secure behaviour in everyday operations. Based on semi-structured interviews with 18 participants across executive management, security specialists and frontline employees, the analysis maps current practices against established motivational frameworks. The findings reveal which strategies are effectively embedded in organisational contexts and where gaps persist between intent and implementation. The paper concludes with actionable recommendations to strengthen and complement existing motivational approaches, reinforcing employees’ role as the organisation’s final line of defence.
Collectively, the papers illustrate the breadth and vitality of research within the human aspects of cyber security, and demonstrate that this domain will continue to offer rich opportunities for impactful scholarship in the years to come.
