Tobias Weickert

tdw35@bath.ac.uk

Year 4 Student – 2019 Intake – Cohort 1

I’m a behavioural scientist with a background in electronics and psychology. My PhD project centres around the application of habit theory to security. I am currently evaluating the theory in the context of security habits surrounding phishing and in reference to the theory of planned behaviour (TPB)—a frequently-used cognitive model in security research. Furthermore, I’m investigating the extent to which lesser-known extensions of the TPB such as the prototype willingness model can improve the model performance of the TPB in cybersecurity research. Other areas of interest include automated qualitative data analysis.

PhD Project

Habits in Cybersecurity

A habit is a “memory-based propensit[y] to respond automatically to specific cues, which [is] acquired by the repetition of cue-specific behaviours in [a] stable context” (Verplanken 2018, p.4). Despite having been widely studied in psychology, the implications of habit theory for the field of cybersecurity have thus far been insufficiently investigated; consequently, this thesis aims to address this gap.


Study I is a bibliographic analysis of the use of habit theory in the cybersecurity literature compared to the psychology literature, aiming to more clearly specify areas of cybersecurity where habit theory might be fruitfully applied. Study II involved gathering data on the degree to which common security behaviours are habitual for the average user. Study III then expands on these findings by comparing users’ and security practitioners’ perceptions of the effectiveness of these behaviours. Taken together, Studies II and III give an overview of the status quo of security habits with regard to current practices, addressing questions about the prevalence of effective versus ineffective security behaviours, the extent to which these practices are adopted, and the alignment between common habits and optimal security protocols. Study IV explores two important antecedents of security habit formation (perceived response cost and efficacy), providing valuable insights into potential points of leverage for modifying or reinforcing habitual security behaviours. Finally, Study V uses Markov chains to analyse the habits of users interacting with a phishing simulation, with the aim of better understanding the sequences of actions and situational cues that lead to desirable and undesirable behavioural responses to phishing emails.


This thesis, through its systematic exploration of habit theory in the context of cybersecurity, bridges a critical gap in existing research and lays the groundwork for developing more robust and user-centric cybersecurity strategies. The findings from these studies collectively inform a deeper understanding of the role of habits in cybersecurity behaviour, supporting the creation of interventions and policies that are better aligned with natural user tendencies, ultimately contributing to a more secure digital environment.

Supervisors: Professor Adam Joinson (Bath) and Dr Barney Craggs (Bristol)

Events Attended
  • ACM CCS 2019 https://www.sigsac.org/ccs/CCS2019/

  • First Annual UK Cyber Security PhD Winter School https://research.ncl.ac.uk/security/newsevents/firstannualukcybersecurityphdwinterschool.html
  • BPS Cyberpsychology Annual Conference 2022 https://www.bps.org.uk/event/bps-cyberpsychology-annual-conference-2022
  • BASS23 https://crestresearch.ac.uk/bass23/
Publications and Presented Papers

Is cybersecurity research missing a trick? Integrating insights from the psychology of habit into research and practice (https://doi.org/10.1016/j.cose.2023.103130)

Studies completed as part of PhD Thesis
  1. A bibliographic analysis of the usage of habit theory in cybersecurity compared to psychology (see publication).
  2. A survey of the degree to which popular security behaviours are habitual (draft complete).
  3. Expanding on 2., comparing expert and lay perceptions on the effectiveness of popular security behaviours (draft complete).
  4. Expanding on 2. and 3., a study on the role of the perceived efficacy and perceived cost of a security behaviour in habit formation (draft complete).
  5. A Markov-based analysis of the habits and action sequences of users interacting with a phishing simulation (analysis in progress).
Social Media 

https://twitter.com/tobiweickert

https://www.linkedin.com/in/tobias-weickert/
