What is the goal that you have pursued with CySec4Psych?
The general idea of the project is to make the field of cybersecurity more interesting for psychologists, also as a career path. Our intention was not only to highlight opportunities, but also to advertise the fact that there are jobs for psychologists in cybersecurity.
How did you come up with the idea for the project?
The project was started at Saarland University, in the Department of Industrial and Organizational Psychology. It has long been a topic for them that technology is having an ever greater influence on work routines and structures. You can also see that computer scientists are quite happy to deal with psychological topics. For example, they use artificial intelligence to try and predict the rating of certain people in assessment centers. They are really very skilled in these things. But you notice that, in some places, they lack the methodological or theoretical background knowledge. That's where it would be helpful to have a greater exchange between the disciplines. That was the basic idea behind our project. This is why Dr. Nida Bajwa at the chair of Professor Dr. Cornelius König submitted the project proposal, which was accepted by the EU.
What was the approach that you chose in CySec4Psych?
On the one hand, we examined how many psychologists are involved in cybersecurity research and what psychological topics are addressed in the field. On the other, we created training materials that university teachers and lecturers can use to introduce the field of cybersecurity and to establish it in psychology. There were also two summer schools that served for networking. They were mainly attended by students, both from computer science and psychology.
Will there be a publication containing the project’s results?
In the project, we produced two publications. First, we conducted a scientometric analysis. This analysis examines how strongly psychological topics or psychologists are represented in cybersecurity. Scientometric analysis means that you look at the scientific articles in a certain field on a quantitative level: which authors have contributed and who of them has a background in psychology. Our second publication was a review, that is, a qualitative paper. There, we took a closer look at the psychological theories that are employed more frequently in cybersecurity.
Are there any psychological theories in cybersecurity?
Yes, quite a few. Password security, for example, or social engineering are two areas of research in which psychology is naturally more prominent than in network security, for example. There are a number of theories that are applied there. One example is the Theory of Planned Behavior. This is a classic in psychology that tries to explain what guidelines or what preconditions it takes for people to carry out a certain action or behavior. This theory is also used in cybersecurity.
Would this theory be used, for example, if you wanted to get people to use strong passwords?
Exactly. The challenge with passwords is of course that they are difficult to remember. This means that you either write them down on a piece of paper or else you forget them. Of course, it is best to use a password manager. The question is how do you get people to use the password manager. You have to do the groundwork: that there are certain advantages to a password manager, because you don't have to remember the passwords anymore; that the input fields are filled in automatically; that the usability is more attractive than constantly having to create a new password because you've forgotten the old one. But of course, first people have to get to know this new tool and overcome some hurdles. In this case, you would try to make the preconditions in the study particularly positive and then hope that people will continue to use the password manager beyond the study and that the knowledge will spread.
Were there any project results that you found particularly surprising?
It was quite surprising that, in our scientometric analysis, we only found four people with psychological training who had also published articles in cybersecurity. I figured that there would only be a few, but the fact that there were so very few did surprise me. It is also interesting that you often hear people say, "the human factor is important in security", but that is not reflected so much in the number of articles. The area of human security takes up a relatively small proportion of the articles - only around 5 percent. In other words, more often than not it is computer scientists with an interest in psychology who address these topics.
At CISPA you work in the department of Empirical Research Support. Is this department unique in the field of cybersecurity research?
The main goal of our department is to consult with the researchers at CISPA and not to conduct research ourselves. With our background, that’s rather unique I think. The idea is that we primarily support studies in which people play a role or which are conducted with people. As psychologists, that is our expertise.
What research questions do you support the researchers with?
The projects we are involved in are very diverse. Sometimes we are involved from the very beginning, sometimes we only join in during the experimental planning, study design or data analysis. But it is always the case that the researchers approach us with their research questions and we then consider whether something small might need to be adjusted or made more concise. Sometimes we also have tips on supporting literature.
Is your expertise made good use of?
Yes, we are all quite busy. In the first step, the researchers come to us, so there is this fundamental openness. I think that's actually the beauty of the work, that the researchers are willing to exchange ideas right from the start. That makes for a nice collaboration.