
Dr Tommy van Steen
Associate Professor Cybersecurity Governance, Leiden University
PRESENTATION
From awareness to structured solutions
Helping organisations develop successful behavioural cyber security solutions.
Presentation overview
With cybercriminals’ increased attention on human error as an attack vector, organisations need to develop strategies to address behavioural risks if they want to keep their systems secure. The traditional focus on awareness campaigns is not suitable for this goal, and other avenues of applying the behavioural sciences to this field need to be explored. The aim is not only to offer solutions that are likely to work, but also to help organisations determine whether the implemented solutions have any effect on the behaviour of end-users. This talk outlines the various options that organisations have to address behavioural risks, from nudging and other technical solutions to training and targeted behavioural change campaigns, and discusses potential methods of measuring success.
This talk contributes to this space through two frameworks for practitioners. The first systematically points to the entity in a position to alter security outcomes. We do so through a game-theoretic evaluation of the antecedent question: what if individuals were different? Would that change security outcomes? The second framework provides a shift in the way humans and their needs are captured by systems designers. We bring the two frameworks together to introduce you to an Ethical Responsibilization paradigm. Though we use data breaches as an exemplar for the paradigm, we believe that the frameworks we present in this talk will enable the community to optimally direct their efforts towards entities that can actually make a difference when it comes to security.
Biography
Tommy van Steen is associate professor of cyber security governance in the Institute of Security and Global Affairs of Leiden University. Tommy focuses on organisational and behavioural cyber security. In his research, he works on establishing evidence-based solutions for end-user behaviour change, as well as broader organisational solutions which are developed based on what goes well in organisations.