
Behavioural Change Approaches to Cybersecurity


Admission requirements

  • Only students of the MSc Crisis and Security Management, enrolled in the specialisation ‘Cybersecurity Governance’, can take this course.


In cyber security, end-users are often blamed for data leaks, successful attacks and other incidents. This view of humans as the ‘weakest link’ suggests that cyber threats can be mitigated by focusing on the behaviour of end-users rather than the way information systems are designed. While basic solutions are easily available in the field, their effectiveness is usually not tested. The importance of collecting meaningful data on the effectiveness of cyber security solutions is felt, but the field lacks experts who are able to provide this much sought-after data. In this course, we will focus on the research skill of how to collect meaningful data that provides insights into the effectiveness of behavioural cyber security solutions, to prepare students for the labour market.

This skill of collecting meaningful data will be embedded in the broader angle of solving cyber security issues that relate to human behaviour. We will draw on theories from various behavioural change fields, including social influence, behavioural economics and nudge theory. Broadly speaking, three themes will be covered:
1. behavioural change techniques; how can we influence people to change their behaviour in both conscious and unconscious ways?
2. assessing cyber security threats from a behavioural change perspective; where can we intervene to reduce the risk and/or possible consequences of a cyber security threat?
3. intervention design for behavioural change solutions regarding cyber security issues; what is the process by which we can determine the best course of action, and how do we measure the effectiveness of any behavioural change intervention in cyber security?

Course Objectives

After finalising this course, students will be able to:

  1. Based on advanced knowledge and understanding of the principles of academic research, collect meaningful data using common methodologies to measure the effectiveness of cyber security solutions.
  2. Understand, based on advanced knowledge, behavioural change theories from various subfields (e.g. social influence, nudging, behavioural economics).
  3. Identify and apply relevant theoretical frameworks and methodologies, in order to systematically work towards behavioural solutions for cyber security problems using the latest scientific insights.
  4. Devise methods that assess the effectiveness of behavioural change interventions in the cyber security domain.
  5. Provide strategic analysis and advice to decision-makers by making (policy) recommendations based on meaningful collected data on cyber security solutions.
  6. Self-evaluate and reflect after interactive in-class work and individual assignments.


On the right side of the programme front page of the E-guide you will find links to the website and timetables, uSis and Brightspace.

Mode of Instruction

The mode of instruction comprises a series of interactive sessions (two sessions per week). In these sessions, students will learn the key principles of research, and the relevant concepts and methodologies, as they can be applied to the field of behavioural change approaches to cybersecurity. Furthermore, students will practise research design and methods by applying the concepts, testing theories, and analysing empirical material.

Attendance is not mandatory, but highly recommended in order to pass the course. Active participation during the sessions benefits the students in preparing for assessments.

Study load:
42 contact hours (lectures and SPOC) and 238 hours of self-study and preparation of assessments.

In this 10 ECTS course, 4 ECTS are specifically reserved for the assignment that will be part of the students' portfolio, including work on their interim reflection paper as preparation for the final reflection paper. Specific information on the portfolio assignment and the intended learning outcomes to be acquired will be published in the syllabus of this course.

Assessment method

Students are not obliged to hand in an assignment at the first opportunity in order to make use of the re-sit opportunity. The re-sit assignment will test the same course objectives, but will be different in terms of topics, cases or substance.

SPOC, Pass/Fail
Passing the SPOC is required to pass the course

Group paper

  • 30% of final grade

  • Resit not possible

  • Grade must be compensated in case of a fail (grade < 5.50)

Individual paper

  • 30% of final grade

  • Resit not possible

  • Grade must be compensated in case of a fail (grade < 5.50)

Final assignment (exam)

  • 40% of final grade

  • Grade must be 5.50 or higher to pass the course

  • Resit possible

Students will also be permitted to resit the 40% final assignment if they have a calculated overall course grade lower than 5.50 or with permission of the Board of Examiners. The individual paper and the group paper need to be compensated.

Transitional Arrangement
Passed partial grades obtained in year 2021-2022 remain valid during year 2022-2023.

Reading list

A selection of books and articles, to be announced on Brightspace.


Register for every course and workgroup via MyStudymap or uSis. Registration for courses is possible from 12 July, 13.00h. Some courses and workgroups have a limited number of participants, so register on time (before the course starts). In uSis you can access your personal schedule and view your results.

Leiden University uses Brightspace as its online learning management system. After enrolment for the course in uSis you will be automatically enrolled in the Brightspace environment of this course.


Dr. Tommy van Steen