Behavioural Change Approaches to Cyber Security


Admission requirements

  • Only students of the MSc Crisis and Security Management can take this course.

  • Students will participate on a ‘first come, first served’ basis, with a maximum of 30 participants.

  • At least 8 students must enroll for the course to take place.


In cyber security, end-users are often blamed for data leaks, successful attacks and other incidents. This view of humans as the ‘weakest link’ suggests that cyber threats can be mitigated by focusing on the behaviour of end-users rather than on the way information systems are designed. In this course, we will discuss various ways in which we can influence people to behave in a more cyber-secure way. We will draw on theories from various behavioural change fields, including social influence, behavioural economics and nudging theory. Broadly speaking, three themes will be covered: 1) behavioural change techniques: how can we influence people to change their behaviour in both conscious and unconscious ways? 2) assessing cyber security threats from a behavioural change perspective: where can we intervene to reduce the risk and/or possible consequences of a cyber security threat? and 3) intervention design for behavioural change solutions regarding cyber security issues: what is the process by which we can determine the best course of action, and how do we measure the effectiveness of any behavioural change intervention in cyber security?

Course objectives

  1. Students will become knowledgeable regarding behavioural change theories from various subfields (e.g. social influence, nudging, behavioural economics).
  2. Students can structurally work towards a behavioural solution for cyber security problems.
  3. Students will be able to assess and analyse cyber security problems from a behaviour change point of view.
  4. Students are able to apply a range of behavioural change techniques in cyber security situations.
  5. Students will be capable of designing suitable behavioural change interventions aimed at influencing cyber security behaviours and can propose methods to assess the effectiveness of these interventions.


On the right-hand side of the programme front page of the E-guide you will find links to the website and timetables, uSis and Blackboard.

Mode of instruction

This course consists of 7 interactive lectures.

Participation in lectures, discussions and exercises is required in order to obtain a grade. One lecture may be missed.

Course Load

Total study load 140 hours

  • contact hours: 21

  • self-study hours: reading, preparing lectures, assignments, etc.: 119

Assessment method

Students have to hand in:

  • an individual paper (50% of final grade)

  • a written exam (50% of final grade)

Both the individual paper and the written exam need to be passed (grade of at least 5,50 each) in order to pass the course. The resit takes the same form.


The corresponding Blackboard course will be made available one week prior to the start of the course.

Reading list

A selection of articles, to be announced on Blackboard.


Register for every course and workgroup via uSis. Some courses and workgroups have a limited number of participants, so register on time (before the course starts). In uSis you can access your personal schedule and view your results. Registration in uSis is possible from four weeks before the start of the course.

Also register for every course in Blackboard. Important information about the course is posted there.


All communication should be directed by e-mail to