Human Factors and Behaviour Change Interventions for Cybersecurity

About the Project

Cyberattacks are increasingly designed to exploit and manipulate users’ behaviour rather than targeting purely technical vulnerabilities. Phishing emails, social engineering phone calls, and fraudulent websites often imitate trusted communication channels or rely on compromised legitimate accounts to encourage users to perform insecure actions. Despite significant investment in technical solutions such as firewalls, intrusion detection, and malware analysis, human behaviour remains a critical and persistent point of vulnerability.

Understanding the underlying causes of users’ susceptibility to cyberattacks is complex. Susceptibility varies between individuals and is influenced by cognitive, social, and contextual factors across their everyday technological environment. Prior research has shown that factors such as trust, stress, cognitive load, and even interface design can contribute to users engaging in behaviours that undermine security. Consequently, there is growing recognition that addressing human factors is central to advancing cybersecurity.

Behaviour Change and Persuasive Technologies

Behaviour change interventions are designed to encourage safer practices without coercion. Persuasive technologies — ranging from nudges, prompts, and reminders to gamified feedback and personalised messages — have been widely adopted in domains such as health, education, and safety. These interventions demonstrate that subtle design changes can lead to measurable and lasting behavioural improvements.

However, their potential within cybersecurity is still underdeveloped. While awareness campaigns and basic training are common, systematic approaches that draw upon behavioural science, human–computer interaction (HCI), and persuasive system design remain limited. This project addresses this gap by exploring how behaviour change techniques and persuasive technologies can be applied to improve users’ awareness, resilience, and responses to cyberattacks.

Aims and Objectives

The overall aim of this project is to investigate the role of behaviour change interventions and persuasive technologies in reducing user susceptibility to cyberattacks. This may include:

1. Mapping susceptibility factors – analysing the behavioural, cognitive, and contextual influences that shape user responses to cyberattacks.
2. Exploring design opportunities – exploring how behaviour change and persuasive design principles can be applied to cybersecurity contexts.
3. Developing candidate interventions – creating prototype approaches informed by behavioural theory and user research.
4. Evaluating effectiveness – conducting empirical studies to assess which interventions demonstrate measurable potential to reduce susceptibility.

Students will have the flexibility to shape the research design, drawing on methods such as user studies, experiments, prototype development and evaluation.

The project is intended to generate new insights into the behavioural factors underlying susceptibility to cyberattacks. It will also provide evidence on the potential of behaviour change interventions to improve cybersecurity resilience and reduce susceptibility.

The project would suit applicants from computing, psychology, human–computer interaction, or related disciplines, with an interest in the human aspects of cybersecurity.

Academic qualifications

Have, or expect to achieve by the time of start of the studentship a first-class honours degree, or a distinction at master level, ideally in Computing Science, Human Computer Interaction, User Experience or equivalent with a good fundamental knowledge of Research methods.

English language requirement

IELTS score must be at least 6.5 (with not less than 6.0 in each of the four components). Other, equivalent qualifications will be accepted. Full details of the University’s policy are available online.

Essential attributes:

• Self motivated, self learning, organisational and time-management skills, persistence and resilience, attention to detail, ability and willingness to collaborate with others
• Only a first-class honours degree, or a distinction at master level in a subject relevant to the PhD project will be considered, or equivalent achievements.

Desirable attributes:

• Knowledge and experience of machine learning, statistical analysis, user research, programming
• Practical experience in research or industry will be considered an advantage.

APPLICATION CHECKLIST

• Completed application form
• CV
• 2 academic references, using the Postgraduate Educational Reference Form (download)
• Research project outline of 2 pages (list of references excluded). The outline may provide details about:
  1. Background and motivation of the project. The motivation, explaining the importance of the project, should be supported also by relevant literature. You can also discuss the applications you expect for the project results.
  2. Research questions or objectives.
  3. Methodology: types of data to be used, approach to data collection, and data analysis methods.
  4. List of references.
• The outline must be created solely by the applicant. Supervisors can only offer general discussions about the project idea without providing any additional support.
• Statement no longer than 1 page describing your motivations and fit with the project.
• Evidence of proficiency in English (if appropriate)

To be considered, the application must use

• the advertised title as project title

For informal enquiries about this PhD project, please contact Dr John Paul Vargheese email j.vargheese@napier.ac.uk