Is cybersecurity research missing a trick? Integrating insights from the psychology of habit into research and practice

The idea that people should form positive security habits is gaining increasing attention amongst security practitioners. Habit is a well-studied concept in psychology, but the extent to which the richness of that literature has been fully utilised for security is currently unclear. In order to address this gap, we com-pared usage of the term habit-and connected constructs -in the cybersecurity and habit fields using a co-occurrence networks-based analysis. We aimed to answer three research questions: 1. What is the context within which habit has been discussed in the habit literature and the cybersecurity literature; 2. How does the discussion in these two fields compare; and 3. What are the implications of the outcomes of this analysis for the future research agenda for cybersecurity behaviour? The analysis showed that the habit construct tended to be discussed primarily in the context of other models, rather than on its own. The depth of discussion was therefore limited; resulting gaps in knowledge have important implications for security, like the idea that habits moderate the relationship between intention and behaviour. Given the popularity of the theory of planned behaviour in security research, this represents a key omission. Furthermore, the cybersecurity literature we surveyed contained very little discussion surrounding meth-ods for formation and changing of habits, nor of the role of cues in triggering habitual behaviours. Habits require a different behaviour change approach than intentional behaviours, and many day-to-day security behaviours may in fact be habits. For that reason, these topics represents a potentially productive avenue of research for both security and privacy behaviour.(c) 2023 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY license ( http://creativecommons.org/licenses/by/4.0/ )

Automated summary

The idea of forming positive security habits is gaining attention among security practitioners. The literature on habits in psychology has not been fully utilized in the context of security. Through analysis, it was found that habit construct is discussed in relation to other models rather than on its own, indicating limited depth of discussion. The lack of discussion on habit formation methods and the role of cues in triggering habitual behaviors in cybersecurity literature suggests a potential research avenue.