CrySP Speaker Series on Privacy

This speaker series is made possible by an anonymous charitable donation in memory of cypherpunks and privacy advocates Len Sassaman, Hugh Daniel, Hal Finney, and Caspar Bowden.

View the list of past and upcoming speakers

Digital fitness instead of blame and entrapment: re-framing "security awareness"

Angela Sasse, Ruhr Universität Bochum

[Download (MP4)] [View on Youtube]

July 23, 2021 11:00am, in Zoom


Security awareness, education and training (SAET) is big business - the amount spent globally on anti-phishing training alone was $1bn in 2020. It is the "first resort" of security practitioners seeking to "fix" people who don't follow the rules because they are "weak" and "careless". This talk will explain why most current activities — which largely consist of information on threats and what behaviors to adopt, deployed in fire-and-forget fashion — is not sufficient to make secure behavior a routine. And why attempts to "motivate" secure behavior through "teachable moments" and persuade people to adopt them through "nudges" ignore well-established knowledge on routine behavior, and what is required to change it. I will present a series of steps that people go through when changing behavior, and show how organizations can support them. Finally, I will make the case for re-branding this activity as digital fitness — a set of good habits for the 21st century.


M Angela Sasse is the Professor of Human-Centred Security at Ruhr University Bochum, which run the largest academic programme in IT Security in Europe. She obtained an MSc in Occupational Psychology and a PhD in Computer Science before joining the Computer Science Department at UCL in 1990, where she still retains a part-time position. The paper Users Are Not The Enemy, co-authored with her student Anne Adams, is one of the founding papers of Usable Security Research.