Reflections
Weekly reflections of the individual units:
Unit 1
At the beginning of the module The Human Factor, an overview of human behaviour was created, which has an influence on the design of computing systems in the context of cyber security. People's abilities and limitations and their impact on usable security were highlighted, as was the potential danger of insider threats. On the one hand, the overview that was conveyed in the first unit was linked to topics that had already been dealt with in other modules. The threat of insider misconduct was analyzed in the Secure Software Development module and it was determined that this threat represents one of the greatest dangers in terms of cyber security. On the other hand, the existing knowledge was expanded, since, for example, the misconduct of insiders was separated into malicious and unwanted and the socio-psychological aspects were analyzed and characteristics of malicious insiders were discussed based on behaviour. In addition, psychological aspects of human behaviour in the context of cyber security were discussed for the first time. Cyber security operates in a sphere of human interactions, so a central aspect of security concerns must be examined and shaped in the context of human behaviour, cognitive abilities, learning processes and human boundaries. The Security, Functionality and Usability Triangle is an interesting approach here, which makes it clear that security mechanisms are subject to various requirements, which must be considered in order to guarantee security while also being accepted and applied by the users. It is therefore important for me to emphasize that a system or an application can only achieve the best possible security if there is acceptance for the security implementations.
This first unit therefore provides a good basis for me to undertake in-depth considerations of the human factor in cyber security in the next units and, in addition to the technical skills acquired in the previous modules, to develop in-depth knowledge of social, psychological and socio-economic aspects of cyber security and to network this with my already developed skills in this subject area.
Unit 2
The subject of this unit was the study of human behaviour and its influence on cyber security. A focus was placed on the psychological and cognitive properties of human thinking and behaviour and it was identified which design considerations can be applied to support human behaviour in terms of safety aspects in order to reduce risks. During the seminar, the influence of passwords in the context of cognitive behaviour was discussed. The in-depth discussion of psychological aspects that influence the design of applications was extremely revealing, as the focus was on the user and his usage behaviour. Johnson (2021) has illustrated that small changes in the design of applications can have a large impact on usability and can thus lead to a more secure application. Viewing this in the context of human abilities and limitations is of great value, since a projection of the usage behaviour of the user of the finished product can already take place in the design phase and fundamental wrong decisions can be prevented. The discussion about secure passwords during the seminar picked up on a central aspect in relation to cyber security and human behaviour in this context. It was interesting to note that when it comes to passwords, there are a variety of policies being put in place by different companies, some of which counteract the psychological aspects of having secure yet easy-to-use passwords. It can therefore be concluded that although passwords are the most common authentication method and have been used and improved for decades, there is still great scope for development in order to provide users with practical yet secure password generation. Furthermore, an interesting debate was the use of password managers, which, due to the need for diverse passwords by users, represent a solution to create a large number of different passwords and at the same time not be cognitively overwhelmed.
The counter-argument to these services, which is based on security threats in the event of a data leak, is a valid one and shows that there is often no absolute security and that security and usability must always be weighed up. This has also been shown by considering other authentication methods such as fingerprint scanners, iris scanners and graphic passwords. While the security of biometric authentication methods can be rated as comparatively high, they have disadvantages in terms of costs and sources of interference. The idea of graphic passwords is quite an interesting approach, but it shows great dangers when considering human behaviour and optical-visual processing mechanisms, since these are easy to guess due to psychological behaviour. Although two-factor authentication can be considered one of the best approaches, it has disadvantages in terms of usability, since an additional end device is required to use it. It can therefore be stated that there is no solution for all situations and this can be confirmed especially when considering passwords and authentication methods.
References:
- Johnson, J. (2021) Designing with the Mind in Mind: Simple Guide to Understanding User Interface Design Guidelines. 3rd ed. Waltham, MA: Morgan Kaufmann.
Unit 3
In this unit, mental models were examined in the context of user perceptions and approaches to designing usable security. Furthermore, the concept of accessibility and its implications were reflected on, whereby the core aspects of the last seminar were taken up. In order to be able to plan how an application or digital function is used in practice, you have to put yourself in the shoes of the potential behaviour of the users. This is a difficult process as people act on the basis of different mental models that influence how they act in certain circumstances. The consideration and reflection of mental models was revealing to see the multitude of aspects that have to be taken into account in order to create suitable designs for user-friendly and secure applications. It was particularly important to emphasize that special attention must be paid to usability and user-friendliness for people with disabilities. This poses a challenge for most people, as it is difficult to put oneself in the individual situation of persons with disabilities and to consider the critical points of an application's design in this context. In my opinion, studies and surveys offer the best insights for programmers and cyber security specialists, since for people with disabilities not only the respective disability but also the mental model that may accompany it influences usage preferences and behaviour. Another focus was on the design and thus the usability of applications in the context of the user, but also on security aspects. The UX books offer many insights and recommendations that should be considered in order to make the application as easy and clear as possible for the user (Hartson & Pyla, 2012; Hartson & Pyla, 2018). When reflecting on the aspects mentioned in the two books, it is noticeable that they coincide with Johnson's (2021) psychological arguments and supplement them in their recommendations.
It is interesting to see how diverse the design of an application has to be considered in order to maximize user-friendliness and thus also have a positive influence on cyber security.
References:
- Hartson, R. & Pyla, P. S. (2012) The UX Book. Available from: https://0-www-sciencedirect-com.serlib0.essex.ac.uk/book/9780123852410/the-ux-book?via=ihub= [Accessed 01 July 2022].
- Hartson, R. & Pyla, P. S. (2018) The UX Book Second Edition. Available from: https://0-www-sciencedirect-com.serlib0.essex.ac.uk/book/9780128053423/the-ux-book?via=ihub= [Accessed 01 July 2022].
- Johnson, J. (2021) Designing with the Mind in Mind Simple Guide to Understanding User Interface Design Guidelines. 3rd ed. Waltham, MA: Morgan Kaufmann.
Unit 4
This week's focus was on essays by fellow students, which talk about the human factors and associated threats in the context of implementing an ASMIS (see individual essay). The essays of two other participants of the module were reflected on (see peer reviews). The task of this unit was particularly interesting, as it was possible to create an insight into the variety of aspects and lines of argument that can be chosen to illuminate the human factor and psychological theories in the context of cyber security. The individual focal points that were chosen showed the diversity that the area of the human factor in cyber security occupies. It was particularly noticeable that passwords and authentication methods were a central aspect for a large number of the students. On the one hand, I can fully confirm the importance of authentication methods and understand that multidimensional considerations must be made in order to sufficiently illuminate the intertwining of advantages and disadvantages in this context. On the other hand, I was surprised at how clear the assessment of my fellow students was in this regard. In most cases, a multi-factor authentication method has emerged as the best, and often the only, solution option. In my opinion, however, it must be noted that in addition to the multitude of advantages in terms of security that MFA offers, there are also some negative aspects in terms of usability and practicability. Therefore, I am of the opinion that the arguments mentioned in this context are correct, but have not been considered critically enough, since the associated disadvantages could also have been weighed up. This shows me that in some cases it can be difficult to take a neutral and unbiased position in order to critically weigh up the advantages and disadvantages.
Unit 5
The aim of the unit was to provide an overview of aspects of cyber security interventions and to highlight ethical concerns in the design of applications. A focus was placed on the usability of applications by people with disabilities. Cyber Security Aware Training (CSAT) is one of the most important interventions to educate users on how to use cyberspace safely (Kamerer et al., 2020). However, some thoughts have to be considered in order to be able to achieve effective and sustainable success through the training programs. The reflection on aspects that have to be considered for this was interesting and helpful in order to include the human factor, which is at the centre of the training, and to be able to design measures that are perceived as motivating and helpful. The focus here is on the realization that purely content-related considerations in the development of CSAT do not meet the needs of those to be trained and therefore great potential is not used. The same results were obtained when looking at user behaviour and the challenges of using applications and the Internet in relation to the disabled. When designing applications, the usability for those with a disability is often not sufficiently considered. In my opinion, one reason for this can be found in the fact that the developers of applications are often not familiar with the living conditions of disabled people. Since they themselves do not have a disability, it can be difficult to understand and predict the influence of the disability on usability. The consequences of disabilities on the usability of applications are simply not taken into account, since this is not in the developer's horizon of experience. However, it is of fundamental importance to take these into account in order to create inclusive applications that can be used easily and safely by all users.
References:
- Kamerer, J. L. & McDermott, D. (2020) Cybersecurity: Nurses on the front line of prevention and education. Journal of Nursing Regulation, 10(4), 48-53. Available from: https://reader.elsevier.com/reader/sd/pii/S2155825620300144?token=948A746154B22584D708E1334E5917543D9391C80DCD09C3B89C2B1CC3EC4DEAD419B8974923349BE7ADD530DBF38005&originRegion=eu-west-1&originCreation=20220713083113 [Accessed 13 July 2022].
Unit 6
The conclusion of the module was an examination of mental models in the context of user behavior. Techniques that contribute to risk communication were highlighted. Furthermore, a presentation was created, which analyzes reduction approaches to the threats from human factors listed at the beginning of the module. The development of mental models and personas can make a significant contribution to considering the security aspects of an application during the development process in order to be able to create a better end product. The focus here is on taking into account the usability, functionality and security triangle. It was interesting to see the large number of aspects that had to be taken into account in order to be able to respond to the central application requirements of the respective application. In my opinion, such considerations relating to humans in dealing with technical functions are of great importance, since technology and software are developed so that humans can use them. A purely theoretical approach to how an application will work and how it should be used is not sufficient, since people do not generally aim to use an application as the developer intended. People want things to be able to be used easily and quickly with as little previous knowledge as possible, since any additional effort means work for the user that is potentially bypassed. This assumption leads to the conclusion that, on the one hand, the design of the application must take this into account. On the other hand, there is also the consequence that users must be taught how to use it safely and this should be done on a basis that conveys the personal benefits of using it safely to the users. I think that intrinsic motivation and positively oriented communication promise greater success than can be achieved through reprisals. These assumptions could be confirmed by my investigations and elaborations in the presentation.
Through exemplary investigations of influencing factors, which should be taken into account in the context of the ASMIS, some topics could be developed and discussed. However, it must be noted that the factors mentioned in the presentation are only a sample selection, since a large number of other aspects could have been listed.