Behavioural Change Approaches to Cybersecurity


Admission requirements

  • Only students of the MSc Crisis and Security Management, enrolled in the specialisation ‘Cybersecurity Governance’, can take this course.


In cyber security, end-users are often blamed for data leaks, successful attacks and other incidents. This approach of humans as the ‘weakest link’ suggests that cyber threats can be mitigated by focusing on the behaviour of end-users rather than the way information systems are designed. While basic solutions are easily available in the field, their effectiveness is usually not tested. The importance of collecting meaningful data on the effectiveness of cyber security solutions is felt, but the field lacks experts who are able to provide this much sought-after data. In this course, we will focus on the research skill of how to collect meaningful data that provides insights into the effectiveness of behavioural cyber security solutions, to prepare students for the labour market.

This skill of collecting meaningful data will be embedded in the broader angle of solving cyber security issues that relate to human behaviour. We will draw on theories from various behavioural change fields, including social influence, behavioural economics and nudging theory. Broadly speaking, three themes will be covered:
1. behavioural change techniques; how can we influence people to change their behaviour in both conscious and unconscious ways?
2. assessing cyber security threats from a behavioural change perspective; where can we intervene to reduce the risk and/or possible consequences of a cyber security threat?
3. intervention design for behavioural change solutions regarding cyber security issues; what is the process by which we can determine the best course of action, and how do we measure the effectiveness of any behavioural change intervention in cyber security?

Course Objectives

After finalizing this course, students will be able to:

  1. Based on advanced knowledge and understanding of the principles of academic research, collect meaningful data using common methodologies to measure the effectiveness of cyber security solutions.
  2. Understand, based on advanced knowledge, behavioural change theories from various subfields (e.g. social influence, nudging, behavioural economics).
  3. Identify and apply relevant theoretical frameworks and methodologies, in order to systematically work towards behavioural solutions for cyber security problems using the latest scientific insights.
  4. Devise methods that assess the effectiveness of behavioural change interventions in the cyber security domain.
  5. Provide strategic analysis and advice to decision-makers by making (policy) recommendations based on meaningful collected data on cyber security solutions.
  6. Self-evaluate and reflect after interactive in-class work and individual assignments.


On the right side of the programme front page of the E-guide you will find links to the website and timetables, uSis and Brightspace.

Mode of Instruction

A combination of interactive lectures and activating workgroups (two sessions per week). In the lectures, students will learn the key principles of research, and the relevant concepts and methodologies. In the workgroups, students will practise research design and methods by applying the concepts, testing theories, and analysing empirical material. The workgroups will, amongst others, consist of in-class assignments, team performances, peer review and exercises and feature several compulsory formative (non-graded) assignments that will help the student prepare for the summative (graded) assignments.

Attendance is not mandatory, but highly recommended in order to pass the course. Active participation during the sessions is therefore strongly recommended to pass this course.

Study load:
42 contact hours (lectures and SPOC) and 238 hours of self-study and preparation of assessments.

In this 10 ECTS course, 4 ECTS are specifically reserved for the assignment that is going to be part of the portfolio of students, including working on their interim reflection paper as preparation for the final reflection paper. Specific information on the portfolio assignment and the intended learning outcomes that are being acquired will be published in the syllabus of this course.

Assessment method

Students are not obliged to hand in an assignment at the first opportunity in order to make use of the re-sit opportunity. The re-sit assignment will test the same course objectives, but will be different in terms of topics, cases or substance.

SPOC, Pass/Fail
Passing the SPOC is required to pass the course

Group paper, 30% of final grade
Course can be compensated in case of a fail (grade < 5.50), resit not possible.

Individual paper, 30% of final grade
Course can be compensated in case of a fail (grade < 5.50), resit not possible.

Final assignment (exam), 40% of final grade
Grade cannot be compensated, a 5.50 is required to pass the course

Additional, formative (non-graded) assignments are an obligatory part of the course.

The calculated grade of the assignments must be at least 5.50 in order to pass the course.
If a student passed an assignment, it is not possible to participate in a re-sit in order to obtain a higher grade. Students are only permitted to resit the 40% assignment if they have a calculated overall course grade lower than 5.50.

Reading list

A selection of books and articles, to be announced on Brightspace.


Register for every course and workgroup via uSis.
Registration in uSis is possible from four weeks before the start of the course. Some courses and workgroups have a limited number of participants, so register on time (before the course starts). In uSis you can access your personal schedule and view your results.

Leiden University uses Brightspace as its online learning management system. Important information about the course is posted here.
After enrolment for the course in uSis you are also enrolled in the Brightspace environment of this course.


Dr. Tommy van Steen