Psychology and Security Resource Page

Ross Anderson


A fascinating dialogue is developing between psychologists and security engineers. At the macro scale, societal overreactions to terrorism are founded on the misperception of risk and uncertainty, which has deep psychological roots. At the micro scale, more and more crimes involve deception; as security engineering gets better, it's easier to mislead people than to hack computers or hack through walls. Many systems also fail because of usability problems: the designers have different mental models of threats and protection mechanisms from users. Wrong assumptions about users can lead systems to discriminate against women, the less educated and the elderly. And misperceptions cause security markets to fail: many users buy snake oil, while others distrust quite serviceable mechanisms. Security is both a feeling and a reality, and they're different. The gap gets ever wider, and ever more important.

At a deeper level, the psychology of security touches on fundamental scientific and philosophical problems. The `Machiavellian Brain' hypothesis states that we evolved high intelligence not to make better tools, but to use other monkeys better as tools: primates who were better at deception, or at detecting deception in others, left more descendants. Conflict is also deeply tied up with social psychology and anthropology, while evolutionary explanations for the human religious impulse involve both trust and conflict. The dialogue between researchers in security and in psychology has thus been widening, bringing in people from usability engineering, protocol design, privacy, and policy on the one hand, and from social psychology, evolutionary biology, and behavioral economics on the other. We believe that this new discipline will increasingly become one of the active contact points between computing and psychology – an exchange that has hugely benefited both disciplines for over a generation.

This page provides links to a number of key papers, workshops, the home pages of active researchers, relevant books, and other resources. Complementary pages include my security economics resource page and Alessandro Acquisti's privacy economics page.

The most relevant regular event is the Security and Human Behaviour workshop – see

See also the Symposium On Usable Privacy and Security which has been established since 2005 and is the focus for security usability work; and the Workshop on Socio-Technical Aspects of Security and Trust which has some relevant papers.

Introductory Papers

Deception

Security and Usability

See also Alma Whitten's HCISec bibliography and the HCISEC mailing list.

Social Attitudes to Risk

Behavioral Economics of Security

See also Alessandro Acquisti's privacy economics page.

Miscellaneous Papers

Conferences

The Security and Human Behaviour workshop brings security engineers together with psychologists, behavioral economists and others. See the papers and the liveblog for SHB 2014; the papers and the liveblog for SHB 2013; the papers and the liveblog for SHB 2012; the papers and the liveblog for SHB 2011; the papers, liveblog and audio recordings of SHB 2010; the papers, my liveblog (and Bruce's) and audio for 2009; and the papers, liveblog and audio for the first meeting in 2008. SHB 2015 will be held in Washington DC.

The Symposium On Usable Privacy and Security (SOUPS) is the workshop for research on the usability of security systems. It has been running since 2005; here are the programs (with links to the papers) for 2005, 2006, 2007, 2008, 2009, 2010 and 2011.

The Workshop on the Economics of Information Security (WEIS) has some relevant papers; its focus is the interface between security and economics. Here are the programs (with links to the papers) for 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 and 2011. WEIS 2012 will be held in Berlin.

Some relevant papers appear at other conferences including SafeConfig (here are the papers from 2009).

Community – Home Pages of People Interested in Security Psychology

Books

Other Resources

Here are some suggestions for further reading: