Psychology and Security Resource Page

Ross Anderson


A fascinating dialogue is developing between psychologists and security engineers. At the macro scale, societal overreactions to terrorism are founded on the misperception of risk and uncertainty, which has deep psychological roots. At the micro scale, more and more crimes involve deception; as security engineering gets better, it's easier to mislead people than to hack computers or hack through walls. Many systems also fail because of usability problems: the designers have different mental models of threats and protection mechanisms from users. Wrong assumptions about users can lead systems to discriminate against women, the less educated and the elderly. And misperceptions cause security markets to fail: many users buy snake oil, while others distrust quite serviceable mechanisms. Security is both a feeling and a reality, and they're different. The gap gets ever wider, and ever more important.

At a deeper level, the psychology of security touches on fundamental scientific and philosophical problems. The `Machiavellian Brain' hypothesis states that we evolved high intelligence not to make better tools, but to use other monkeys better as tools: primates who were better at deception, or at detecting deception in others, left more descendants. Conflict is also deeply tied up with social psychology and anthropology, while evolutionary explanations for the human religious impulse involve both trust and conflict. The dialogue between researchers in security and in psychology has thus been widening, bringing in people from usability engineering, protocol design, privacy, and policy on the one hand, and from social psychology, evolutionary biology, and behavioral economics on the other. We believe that this new discipline will increasingly become one of the active contact points between computing and psychology – an exchange that has hugely benefited both disciplines for over a generation.

This page provides links to a number of key papers, workshops, the home pages of active researchers, relevant books, and other resources. Complementary pages include my security economics resource page and Alessandro Acquisti's privacy economics page.

The most relevant regular event is the Security and Human Behaviour workshop.

Introductory Papers

Deception

Security and Usability

See also Alma Whitten's HCISec bibliography.

Social Attitudes to Risk

Behavioral Economics of Security

See also Alessandro Acquisti's privacy economics page.

Miscellaneous Papers

Conferences

The Security and Human Behaviour workshop brings security engineers together with psychologists, behavioral economists and others. See

Decepticon is a conference on deception we organised in August 2015. It brought together people interested in deception, whose publications used to be scattered between APLS, iIIRG, SARMAC, and EAPL conferences, as well as some technical and multidisciplinary events. (See also the forthcoming special issue of Cognitive Science.) Decepticon followed an earlier workshop on deception at Oxford in 2014. The second edition of Decepticon was in 2017; later events are documented here, and the 2023 Decepticon will take place online on December 7-8.

The Symposium On Usable Privacy and Security (SOUPS) is the workshop for research on the usability of security systems. It has been running since 2005; here are the programs (with links to the papers) for 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022 and 2023.

The Workshop on the Economics of Information Security (WEIS) has some relevant papers; its focus is the interface between security and economics. Here are the programs (with links to the papers) for 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022 and 2023.

Community – People Interested in Security Psychology

Books

Other Resources

Here are some suggestions for further reading: