Security habits: designing an at-scale intervention for security fatigue.

The concept of habit is widely studied in the psychological sciences - especially in social psychology. Verplanken (2018, p.4) defines habits as "memory-based propensities to respond automatically to specific cues, which are acquired by the repetition of cue-specific behaviours in stable contexts." This definition casts a habit as a cognitive structure involving a cued response, rather than the act itself. Consequently, this definition sets formal use of the term apart from colloquial use: informally, any act that tends to be repeated can be discussed under that label.

The concept of habit has thus far been insufficiently investigated in the field of cybersecurity. Although - here too - the term is used in casual conversation and research, its exact usage is generally left unspecified. As the wealth of research findings from the psychological sciences only apply to phenomena that can formally be conceptualised in the above terms, the potential implications of these findings for the field of cybersecurity are unclear. The herewith-proposed research consequently aims to explicate differences between prevalent folk models of habit in cybersecurity and formal models of habit in psychology through a qualitative, semi-structured interview-based study. The findings from this initial study will inform further research.