Security Behaviours and Risk Quantification (available)

Starting Date: July 2020
Duration: 20 weeks (5 full-time in summer & 15 part-time in Autumn Term)
Time commitment: Full-time / Part-time
Prerequisites: Statistics, behavioural studies

Project background

Cybersecurity is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. Apart from improving the infrastructure and hardware through better technology, one of the most important security aspects is the risk assessment of potential breaches, in an ever increasingly complex threat landscape.

Most current risk assessment methods do not follow a quantitative approaches, but rather rely on extremely subjective qualitative approaches, which have been proven suboptimal and counterproductive for the decision-making process. D. Hubbard and R. Seiersen suggested a different direction towards cybersecurity, based on quantification of risk in their book “How to measure anything in Cybersecurity Risk”. Their approach makes use of mathematical methods while incorporating the security expert’s judgement, and has been shown to provide substantially better results.

The subjective element of the human factor, however, can still negatively affect the risk management process due to, for example, overconfidence of experts in assessing threats. Research results, e.g. by D. Kahneman and A. Tversky, suggest that a “calibration” process can significantly improve the decision-making skills of trained individuals. This is based around the concept of the dual process theory, which suggests that any thought can be attributed to one of two systems: the impulsive and low effort System 1, and the reflecting, computationally expensive System 2. The aim of the aforementioned calibration procedure is to minimise potential exposure to behavioural biases.


The goal of this project is to review the existing risk management methodologies used, as well as to seek further utilising mathematical tools to aid the decision-making process. Furthermore, considering the results of behavioural theories, we aim to propose further research experiments to improve or formalise existing models (e.g. the Hubbard or the Fogg model), focusing on points in the model’s architecture that include the human component. The results will inform the exponentially expanding field of cyber risk management and cyber behaviour.

Who is eligible?

Ideally, the student should have some understanding of mathematical and statistical analysis, although specific knowledge of specialised software is not vital. Furthermore, the student should have willingness to study some relevant literature on risk management / experimental & behavioural economics / psychology and related topics.

Note: it is most important that you – as an applicant – are eager to learn new  theories, tools or methods needed, than having this specialised knowledge beforehand. That is, you are not expected to know specific tools for the analysis or a specific programming language, but it is important to have a curiosity and eagerness to learn.