Measuring Behavioural Cybersecurity: An Overview of Options

As the field of cybersecurity is maturing, there is more attention to the behaviour of end-users in securing data and systems. Awareness campaigns are gaining popularity and behavioural change initiatives are deployed. However, many organisations do not know where to start when attempting to effectively measure the maturity of the behavioural component in their cybersecurity strategy. While some measures, such as knowledge, attitudes and skills are assessed, (objective) measurements of behaviour, and the interplay between these factors are less commonly measured. This paper discusses the importance of measuring behavioural cybersecurity and presents an overview of possible measurements and relevant factors. First, the paper outlines why measuring behavioural cybersecurity is vital in understanding behaviour related problems and coming up with evidence-based solutions. Then, the various measurement levels and current practices are discussed before turning to options regarding these levels. These include both self-reported as well as objective behavioural measurements in addition to attitudes, knowledge and skills. Lastly, some issues surrounding these measurements are discussed including spill-over effects and ethical considerations.