Research focus

Our research focuses on human-centered cybersecurity and privacy. We acknowledge that security technology is important for cybersecurity and privacy. However, we do have plenty of technology. We also have standards, policies, and regulations for how the technology should be used and security governed. Still, security and privacy breaches are as common as ever. The main reason is the human factor, which seems to be at the root of most of those breaches. Intentionally or unintentionally, humans struggle to adopt security and privacy principles and technologies effectively. In broad terms, that is our research area. Examples of more specific directions include:

  • Accessible and usable security and privacy
    • Design of usable privacy and security by default for different online platforms and services. Focus on the best practices and guidelines for implementing privacy and security features that are easy to use, understand, and manage by a variety of users (e.g., consumers and members of an organization).
    • Usability evaluation and user experience of privacy and security, such as online security indicators, privacy policies, privacy settings, or similar.
  • Cybersecurity culture and awareness
    • Design and assessment of training efforts to find out what is effective in different contexts, the long-term effects of training, and adaptation to the needs of different user groups.
    • Development of metrics and procedures for assessment of organizational culture and awareness
    • Policy compliance through user-centric policy development
  • OT/ICS security
    • Cybersecurity awareness, specifically within production and manufacturing, where little research currently exists. Applicability of existing knowledge needs to be explored.
    • Strategies for handling supply-chain threats in industrial environments
  • Incident response
    • Decision-making under stress and cognitive overload, specifically for cybersecurity analysts
    • Effective communication during and after cyber incidents
    • Gamification as an approach to incident response training
  • Information/cybersecurity risk management
    • Implementation in organisations, tool usage, usage of catalogues, the role and extent of the risk analysis in practice.
    • Information classification - subjective judgement, implicit knowledge and documentation.

Previous projects

ICANP - Identifying Cybersecurity Awareness Needs and Perceptions of user groups. The project ran from 2024 to 2025 and was funded by MSB. The project report can be downloaded here.

VISKA - Verktygsstöd för anpassningsbar InformationSKlAssning. The project ran from 2022 to 2023 and was funded by MSB. The project report can be downloaded here.