{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,5]],"date-time":"2026-05-05T17:55:18Z","timestamp":1778003718388,"version":"3.51.4"},"publisher-location":"Cham","reference-count":31,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783031254598","type":"print"},{"value":"9783031254604","type":"electronic"}],"license":[{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2023,2,18]],"date-time":"2023-02-18T00:00:00Z","timestamp":1676678400000},"content-version":"vor","delay-in-days":48,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Most organisations are using online security awareness training and simulated phishing attacks to encourage their employees to behave securely. Buying off-the-shelf training packages and making it mandatory for all employees to complete them is easy, and satisfies most regulatory and audit requirements, but does not lead to secure behaviour becoming a routine. In this paper, we identify the additional steps employees must go through to develop secure routines, and the blockers that stop a new behaviour from becoming a routine. Our key message is: security awareness as we know it is only the first step; organisations who want employees have to do more to smooth the path: they have to ensure that secure behaviour is feasible, and support their staff through the stages of the <jats:italic>Security Behaviour Curve<\/jats:italic> \u2013 concordance, self-efficacy, and embedding \u2013 for secure behaviour to become a routine. We provide examples of those organisational activities, and specific recommendations to different organisational stakeholders.<\/jats:p>","DOI":"10.1007\/978-3-031-25460-4_14","type":"book-chapter","created":{"date-parts":[[2023,2,17]],"date-time":"2023-02-17T09:12:22Z","timestamp":1676625142000},"page":"248-265","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":16,"title":["Rebooting IT Security Awareness \u2013 How Organisations Can Encourage and\u00a0Sustain Secure Behaviours"],"prefix":"10.1007","author":[{"given":"M. Angela","family":"Sasse","sequence":"first","affiliation":[]},{"given":"Jonas","family":"Hielscher","sequence":"additional","affiliation":[]},{"given":"Jennifer","family":"Friedauer","sequence":"additional","affiliation":[]},{"given":"Annalina","family":"Buckmann","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2023,2,18]]},"reference":[{"issue":"12","key":"14_CR1","doi-asserted-by":"publisher","first-page":"40","DOI":"10.1145\/322796.322806","volume":"42","author":"A Adams","year":"1999","unstructured":"Adams, A., Sasse, M.A.: Users are not the enemy. Commun. ACM 42(12), 40\u201346 (1999). https:\/\/doi.org\/10.1145\/322796.322806","journal-title":"Commun. ACM"},{"key":"14_CR2","doi-asserted-by":"crossref","unstructured":"Alshaikh, M.: Developing cybersecurity culture to influence employee behavior: a practice perspective. Comput. Secur. 98(November 2020) (2020)","DOI":"10.1016\/j.cose.2020.102003"},{"key":"14_CR3","unstructured":"Alshaikh, M., Naseer, H., Ahmad, A., Maynard, S.B.: Toward sustainable behaviour change: an approach for cyber security education training and awareness. In: Proceedings of the 27th European Conference on Information Systems (ECIS). ECIS, Stockholm & Uppsala, Sweden (2019)"},{"issue":"3","key":"14_CR4","doi-asserted-by":"publisher","first-page":"82","DOI":"10.1109\/MSP.2016.57","volume":"14","author":"D Ashenden","year":"2016","unstructured":"Ashenden, D., Lawrence, D.: Security dialogues: building better relationships between security and business. IEEE Secur. Privacy 14(3), 82\u201387 (2016). https:\/\/doi.org\/10.1109\/MSP.2016.57","journal-title":"IEEE Secur. Privacy"},{"issue":"4","key":"14_CR5","doi-asserted-by":"publisher","first-page":"287","DOI":"10.1007\/BF01663995","volume":"1","author":"A Bandura","year":"1977","unstructured":"Bandura, A., Adams, N.E.: Analysis of self-efficacy theory of behavioral change. Cogn. Ther. Res. 1(4), 287\u2013310 (1977)","journal-title":"Cogn. Ther. Res."},{"key":"14_CR6","unstructured":"Beautement, A., Becker, I., Parkin, S., Krol, K., Sasse, A.: Productive security: a scalable methodology for analysing employee security behaviours. In: Proceedings of SOUPS 2016, Twelfth Symposium on Usable Privacy and Security, pp. 253\u2013270. USENIX Association, Berkeley (2016). https:\/\/www.usenix.org\/system\/files\/conference\/soups2016\/soups2016-paper-beautement.pdf"},{"key":"14_CR7","doi-asserted-by":"crossref","unstructured":"Beautement, A., Sasse, M.A., Wonham, M.: The compliance budget: managing security behaviour in organisations. In: Proceedings of the 2008 New Security Paradigms Workshop, pp. 47\u201358 (2008)","DOI":"10.1145\/1595676.1595684"},{"key":"14_CR8","doi-asserted-by":"publisher","unstructured":"Becker, I., Parkin, S., Sasse, M.A.: Finding security champions in blends of organisational culture. In: Acar, Y., Fahl, S. (eds.) Proceedings 2nd European Workshop on Usable Security. Internet Society, Reston (2017). https:\/\/doi.org\/10.14722\/eurousec.2017.23007","DOI":"10.14722\/eurousec.2017.23007"},{"key":"14_CR9","unstructured":"Beyer, M., et al.: HP enterprise - awareness is only the first step: a framework for progressive engagement of staff in cyber security (2015). https:\/\/www.riscs.org.uk\/wp-content\/uploads\/2015\/12\/Awareness-is-Only-the-First-Step.pdf"},{"key":"14_CR10","unstructured":"Fogg, B.J.: Tiny Habits: The Small Changes that Change Everything. Houghton Mifflin Harcourt (2019)"},{"key":"14_CR11","doi-asserted-by":"crossref","unstructured":"Chater, N., Loewenstein, G.: The i-Frame and the s-Frame: how focusing on individual-level solutions has led behavioral public policy astray (2022). https:\/\/ssrn.com\/abstract=4046264","DOI":"10.2139\/ssrn.4046264"},{"key":"14_CR12","unstructured":"ENISA-European Union Agency for Network and Information Security: Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity (2019). https:\/\/www.enisa.europa.eu\/publications\/cybersecurity-culture-guidelines-behavioural-aspects-of-cybersecurity"},{"key":"14_CR13","unstructured":"Heath, C., Heath, D.: Switch: How to Change Things When Change is Hard, 1st. edn. Broadway Books, New York (2010)"},{"issue":"2","key":"14_CR14","first-page":"65","volume":"11","author":"CP Heath","year":"2018","unstructured":"Heath, C.P., Hall, P.A., Coles-Kemp, L.: Holding on to dissensus: participatory interactions in security design. Strateg. Des. Res. J. 11(2), 65\u201378 (2018)","journal-title":"Strateg. Des. Res. J."},{"key":"14_CR15","unstructured":"Hewlett Packard: Awareness is only the first step: new white paper from RISCs, HPE and NCSC urges organisations to engage employees in order to improve cyber security"},{"key":"14_CR16","doi-asserted-by":"publisher","unstructured":"Hielscher, J., Kluge, A., Menges, U., Sasse, M.A.: \u201cTaking out the Trash\u201d: why security behavior change requires intentional forgetting. In: New Security Paradigms Workshop, pp. 108\u2013122. ACM, New York (2021). https:\/\/doi.org\/10.1145\/3498891.3498902","DOI":"10.1145\/3498891.3498902"},{"key":"14_CR17","unstructured":"Kahneman, D.: Thinking, Fast and Slow. Macmillan, New York (2011)"},{"key":"14_CR18","unstructured":"KasperskyDaily: The Human Factor in IT Security: How Employees are Making Businesses Vulnerable from Within (2017). https:\/\/www.kaspersky.com\/blog\/the-human-factor-in-it-security\/"},{"key":"14_CR19","doi-asserted-by":"crossref","unstructured":"Kirlappos, I., Parkin, S., Sasse, M.A.: \u201cshadow security\u201d as a tool for the learning organization. ACM SIGCAS Comput. Soc. 45(1), 29\u201337 (2015)","DOI":"10.1145\/2738210.2738216"},{"key":"14_CR20","doi-asserted-by":"publisher","DOI":"10.15358\/9783800646159","volume-title":"Leading Change: Wie Sie Ihr Unternehmen in acht Schritten erfolgreich ver\u00e4ndern","author":"JP Kotter","year":"2011","unstructured":"Kotter, J.P.: Leading Change: Wie Sie Ihr Unternehmen in acht Schritten erfolgreich ver\u00e4ndern. Verlag Franz Vahlen, M\u00fcnchen (2011)"},{"key":"14_CR21","unstructured":"Marinker, M., et al.: From compliance to concordance: achieving shared goals in medicine taking. Royal Pharmaceutical Society, in partnership with Merck Sharp & Dohme (1997)"},{"key":"14_CR22","doi-asserted-by":"publisher","unstructured":"Menges, U., Hielscher, J., Buckmann, A., Kluge, A., Sasse, M.A., Verret, I.: Why IT security needs therapy. In: Computer Security. ESORICS 2021 International Workshops (2022). https:\/\/doi.org\/10.1007\/978-3-030-95484-0","DOI":"10.1007\/978-3-030-95484-0"},{"key":"14_CR23","doi-asserted-by":"crossref","unstructured":"Michie, S., van Stralen, M., West, R.: The behaviour change wheel: a new method for characterising and designing behaviour change interventions. Implement. Sci. 6(42) (2011)","DOI":"10.1186\/1748-5908-6-42"},{"key":"14_CR24","unstructured":"National Cyber Security Center: Password administration for system owners. https:\/\/www.ncsc.gov.uk\/collection\/passwords\/updating-your-approach"},{"key":"14_CR25","doi-asserted-by":"publisher","unstructured":"Parkin, S., van Moorsel, A., Inglesant, P., Sasse, M.A.: A stealth approach to usable security: helping it security managers to identify workable security solutions. In: Proceedings of the 2010 New Security Paradigms Workshop. NSPW 2010, pp. 33\u201350. Association for Computing Machinery, New York (2010). https:\/\/doi.org\/10.1145\/1900546.1900553","DOI":"10.1145\/1900546.1900553"},{"issue":"4","key":"14_CR26","doi-asserted-by":"publisher","first-page":"489","DOI":"10.1515\/jhsem-2014-0035","volume":"11","author":"SL Pfleeger","year":"2014","unstructured":"Pfleeger, S.L., Sasse, M.A., Furnham, A.: From weakest link to security hero: transforming staff security behavior. J. Homel. Secur. Emerg. Manag. 11(4), 489\u2013510 (2014)","journal-title":"J. Homel. Secur. Emerg. Manag."},{"key":"14_CR27","doi-asserted-by":"crossref","unstructured":"Reeder, R.W., Ion, I., Consolvo, S.: 152 simple steps to stay safe online: security advice for non-tech-savvy users, vol. 15, pp. 55\u201364. IEE (2017)","DOI":"10.1109\/MSP.2017.3681050"},{"key":"14_CR28","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"244","DOI":"10.1007\/978-3-319-08506-7_13","volume-title":"Privacy Enhancing Technologies","author":"K Renaud","year":"2014","unstructured":"Renaud, K., Volkamer, M., Renkema-Padmos, A.: Why doesn\u2019t Jane protect her privacy? In: De Cristofaro, E., Murdoch, S.J. (eds.) PETS 2014. LNCS, vol. 8555, pp. 244\u2013262. Springer, Cham (2014). https:\/\/doi.org\/10.1007\/978-3-319-08506-7_13"},{"key":"14_CR29","doi-asserted-by":"publisher","first-page":"22","DOI":"10.1016\/j.ijhcs.2018.05.011","volume":"120","author":"K Renaud","year":"2018","unstructured":"Renaud, K., Zimmermann, V.: Ethical guidelines for nudging in information security & privacy. Int. J. Hum. Comput. Stud. 120, 22\u201335 (2018). https:\/\/doi.org\/10.1016\/j.ijhcs.2018.05.011","journal-title":"Int. J. Hum. Comput. Stud."},{"key":"14_CR30","unstructured":"Thaler, R.H., Sunstein, C.R.: Nudge. The Final Edition, [Revised edition, 2021] edn. Penguin Books, Yale University Press (2021)"},{"key":"14_CR31","doi-asserted-by":"publisher","unstructured":"Zimmermann, V., Renaud, K.: The nudge puzzle: matching nudge interventions to cybersecurity decisions. ACM Trans. Comput.-Hum. Interact. 28(1), 7:1\u20137:45 (2021). https:\/\/doi.org\/10.1145\/3429888","DOI":"10.1145\/3429888"}],"container-title":["Lecture Notes in Computer Science","Computer Security. ESORICS 2022 International Workshops"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-25460-4_14","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,2,5]],"date-time":"2024-02-05T18:10:51Z","timestamp":1707156651000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-25460-4_14"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023]]},"ISBN":["9783031254598","9783031254604"],"references-count":31,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-25460-4_14","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023]]},"assertion":[{"value":"18 February 2023","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ESORICS","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"European Symposium on Research in Computer Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Copenhagen","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Denmark","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2022","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"26 September 2022","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"30 September 2022","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"27","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"esorics2022","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/esorics2022.compute.dtu.dk\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Single-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"EasyChair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"80","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"38","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"1","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"48% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3.4","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"1.7","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"No","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}