Psychology and Security Resource Page

Ross Anderson

A fascinating dialogue is developing between psychologists and security engineers. At the macro scale, societal overreactions to terrorism are founded on the misperception of risk and uncertainty, which has deep psychological roots. At the micro scale, more and more crimes involve deception; as security engineering gets better, it's easier to mislead people than to hack computers or hack through walls. Many systems also fail because of usability problems: the designers have different mental models of threats and protection mechanisms from users. Wrong assumptions about users can lead systems to discriminate against women, the less educated and the elderly. And misperceptions cause security markets to fail: many users buy snake oil, while others distrust quite serviceable mechanisms. Security is both a feeling and a reality, and they're different. The gap gets ever wider, and ever more important.

At a deeper level, the psychology of security touches on fundamental scientific and philosophical problems. The 'Machiavellian Brain' hypothesis states that we evolved high intelligence not to make better tools, but to use other monkeys better as tools: primates who were better at deception, or at detecting deception in others, left more descendants. Conflict is also deeply tied up with social psychology and anthropology, while evolutionary explanations for the human religious impulse involve both trust and conflict. The dialogue between researchers in security and in psychology has thus been widening, bringing in people from usability engineering, protocol design, privacy, and policy on the one hand, and from social psychology, evolutionary biology, and behavioral economics on the other. We believe that this new discipline will increasingly become one of the active contact points between computing and psychology – an exchange that has hugely benefited both disciplines for over a generation.

This page provides links to a number of key papers, workshops, the home pages of active researchers, relevant books, and other resources. Complementary pages include my security economics resource page and Alessandro Acquisti's privacy economics page.

The most relevant regular event is the Security and Human Behaviour workshop.

Introductory Papers

Deception

Security and Usability

Social Attitudes to Risk

Behavioral Economics of Security

Miscellaneous Papers

Conferences

The Security and Human Behaviour workshop brings security engineers together with psychologists, behavioral economists and others. See

the papers and the liveblog for SHB 2019;

the papers and the liveblog for SHB 2018;

the papers and the liveblog for SHB 2017;

the papers and the liveblog for SHB 2016;

the papers and the liveblog for SHB 2015;

the papers and the liveblog for SHB 2014;

the papers and the liveblog for SHB 2013;

the papers and the liveblog for SHB 2012;

the papers and the liveblog for SHB 2011;

the papers, liveblog and audio for SHB 2010;

the papers, liveblog and audio for 2009; and

the papers, liveblog and audio for the first meeting in 2008.

Decepticon is a conference on deception we organised in August 2015. It brought together people interested in deception, whose publications used to be scattered between APLS, iIIRG, SARMAC, and EAPL conferences, as well as some technical and multidisciplinary events. (See also the forthcoming special issue of Cognitive Science.) Decepticon followed an earlier workshop on deception at Oxford in 2014. The second edition of Decepticon was in 2017.

The Symposium On Usable Privacy and Security (SOUPS) is the workshop for research on the usability of security systems. It has been running since 2005; here are the programs (with links to the papers) for 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018 and 2019.

The Workshop on the Economics of Information Security (WEIS) has some relevant papers; its focus is the interface between security and economics. Here are the programs (with links to the papers) for 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018 and 2019.

Some relevant papers appear at other conferences including the Workshop on Socio-Technical Aspects of Security.

Community – Home Pages of People Interested in Security Psychology

Books