Cybersecurity behavior change: A conceptualization of ethical principles for behavioral interventions

Cited by: 0
Authors
Mersinas, Konstantinos [1]
Bada, Maria [2]
Furnell, Steven [3]
Affiliations
[1] Royal Holloway Univ London, Sch Engn Phys & Math Sci, Dept Informat Secur, London, England
[2] Queen Mary Univ London, Sch Biol & Behav Sci, Dept Psychol, London, England
[3] Univ Nottingham, Fac Sci, Sch Comp Sci, Nottingham, England
Keywords
Cybersecurity behavior change; Behavioral interventions; Ethics; Autonomy; Justice; Nonmaleficence; Beneficence; Transparency; Privacy; RESPECT
DOI
10.1016/j.cose.2024.104025
Chinese Library Classification number
TP [Automation technology, computer technology];
Discipline classification code
0812;
Abstract
The importance of changing behaviors is gradually being acknowledged in cybersecurity, and the reason is the realization that a notable portion of security incidents have a human-related component. Thus, enhancing behaviors at the individual level can bring a significant reduction in security breaches overall. Behavior change refers to any modification of human behavior through some type of intervention. Interventions from behavioral economics and psychology are being increasingly introduced in the field; however, the ethics surrounding such interventions are largely neglected. In this paper, we raise the ethical issues associated with behavioral intervention approaches. We draw on the traditionally more mature field of biomedical ethics and propose six clusters of ethical principles suitable for cybersecurity behavior change. We conducted a survey (N = 141) to identify individuals' perceptions of the proposed ethical principles and validate their perceived usefulness. We analyze an existing intervention in the light of our six-principle conceptualization to showcase how it can be used as a practical apparatus. Our set of ethical principles is aimed at cybersecurity professionals, policy makers, and behavioral intervention designers, and can serve as a starting point for best-practice development in cybersecurity behavior change ethics.
Pages: 9