Angela Sasse

Ruhr-University Bochum

Bio: Prof. Dr. Angela Sasse studied psychology at the Bergische Universität Wuppertal in the 1980s and continued her studies in Great Britain. She received her Masters in Industrial Psychology from Sheffield University and received her PhD from Birmingham University.

In 1990 she began teaching computer science at University College London. Since 2003 she has been professor for human-centered technology there. From 2012 to 2017 she headed the British Research Institute for Empirical Safety Research and was admitted to the Royal Academy of Engineering in 2015.

On May 1, 2018, she took over the chair of Human-Centered Security at the Horst Görtz Institute for IT Security at the Ruhr University in Bochum.

Behavioural Science Meets Security: Why a Little Knowledge is a Dangerous Thing

Friday, February 11th 2022 at 10:00 a.m.

Abstract: Increasing digitalisation means more activities take place online, and more things that are of value to both their legitimate owners and attackers. Companies hire security experts to protect against the latter, and invest in protection measures. So far, so good? The increasing number of incidents and losses tells us it is not. If we believe security vendors and some security researchers, the single most important reason why IT security measures are not working is because employees are “the weakest link” who do not use security mechanisms and processes correctly – or not at all. And the reason why they don’t is assumed to be lack of knowledge and motivation – which is tackled by a rapidly growing branch of the industry offering security awareness products. There is also an increasing number of security researchers trying to change employee behaviour through mechanisms from behavioural economics and psychology, e.g. nudging or psychometric profiling and targeting. In this talk, I will review some of these efforts, and argue that they are doomed to fail: There are no individual “silver bullet” interventions that can magically transform non-compliant behaviours into secure ones. Behaviour change in organisations is a serious business, which can be achieved through a planned effort to remove triggers and latent failures, and leadership and positive reinforcement. In conclusion, we need to re-consider what are valid research questions for studying security behaviour.