Psychology and Security Resource Page

Ross Anderson

A fascinating dialogue is developing between psychologists and security engineers. At the macro scale, societal overreactions to terrorism are founded on the misperception of risk and uncertainty, which has deep psychological roots. At the micro scale, more and more crimes involve deception; as security engineering gets better, it's easier to mislead people than to hack computers or hack through walls. Many systems also fail because of usability problems: the designers have different mental models of threats and protection mechanisms from users. Wrong assumptions about users can lead systems to discriminate against women, the less educated and the elderly. And misperceptions cause security markets to fail: many users buy snake oil, while others distrust quite serviceable mechanisms. Security is both a feeling and a reality, and they're different. The gap gets ever wider, and ever more important.

At a deeper level, the psychology of security touches on fundamental scientific and philosophical problems. The `Machiavellian Brain' hypothesis states that we evolved high intelligence not to make better tools, but to use other monkeys better as tools: primates who were better at deception, or at detecting deception in others, left more descendants. Conflict is also deeply tied up with social psychology and anthropology, while evolutionary explanations for the human religious impulse involve both trust and conflict. The dialogue between researchers in security and in psychology has thus been widening, bringing in people from usability engineering, protocol design, privacy, and policy on the one hand, and from social psychology, evolutionary biology, and behavioral economics on the other. We believe that this new discipline will increasingly become one of the active contact points between computing and psychology – an exchange that has hugely benefited both disciplines for over a generation.

This page provides links to a number of key papers, workshops, the home pages of active researchers, relevant books, and other resources. Complementary pages include my security economics resource page and Alessandro Acquisti's privacy economics page.

The most relevant regular event is the Security and Human Behaviour workshop – see

See also Decepticon, a new conference on deception; the Symposium On Usable Privacy and Security which has been established since 2005 and is the focus for security usability work; and the Workshop on Socio-Technical Aspects of Security and Trust which has some relevant papers.

Introductory Papers


Security and Usability

See also Alma Whitten's HCISec bibliography and the HCISEC mailing list.

Social Attitudes to Risk

Behavioral Economics of Security

See also Alessandro Acquisti's privacy economics page.

Miscellaneous Papers


The Security and Human Behaviour workshop brings security engineers together with psychologists, behavioral economists and others. See the liveblog for SHB 2015; the papers and the liveblog for SHB 2014; the papers and the liveblog for SHB 2013; the papers and the liveblog for SHB 2012; the papers and the liveblog for SHB 2011; the papers, liveblog and audio recordings of SHB 2010; the papers, my liveblog (and Bruce's) and audio for 2009; and the papers, liveblog and audio for the first meeting in 2008. SHB 2016 will be held in Harvard.

Decepticon is a new conference on deception that we're organising in August 2015. It will bring together people interested in deception, whose publications are currently scattered the APLS, iIIRG, SARMAC, and EAPL conferences, as well as some technical and multidisciplinary events. (See also the forthcoming special issue of Cognitive Science.)

The Symposium On Usable Privacy and Security (SOUPS) is the workshop for research on the usability of security systems. It has been running since 2005; here are the programs (with links to the papers) for 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013 and 2014.

The Workshop on the Economics of Information Security (WEIS) has some relevant papers; its focus is the interface between security and economics. Here are the programs (with links to the papers) for 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013 and 2014. WEIS 2015 will be held in Delft.

Some relevant papers appear at other conferences including SafeConfig (here are the papers from 2009).

Community – Home Pages of People Interested in Security Psychology


Other Resources

Here are some suggestions for further reading: