Research Update

In this Research Update, we present two articles:

  • Article 1 highlights how we can learn from established safety disciplines such as aviation and healthcare to develop better reporting systems for cyber incidents.
  • Article 2 shows how risk research can make a decisive contribution to cybersecurity with its findings on perception, communication, and behavior.

Article 1: Learning from safety – What cybersecurity can learn from reporting systems

This article is a review article published in the Journal of Cybersecurity (2025). It summarizes the current state of research, critically evaluates existing knowledge, and develops new perspectives. The research team – including members from ZHAW, the University of Zurich, and ETH Zurich – takes an interdisciplinary approach. Instead of conducting their own experiments, the authors analyze decades of experience in safety research and examine what lessons can be learned for cybersecurity.

The focus is on the question: How can better reporting systems for cyber incidents be developed? Although companies today use many technical monitoring systems, manual reporting by humans remains crucial – whether it’s forwarding a phishing email or reporting a vulnerability. But in practice, there are major problems: many incidents go unreported, the channels are unclear, and there is often uncertainty about what is relevant.

The authors therefore suggest taking a cue from “safety science.” Reporting systems have been established for decades in aviation and healthcare, where they have contributed significantly to improving safety.

Methodology

The research team conducted a systematic literature review. Thirty-seven review articles from safety research, primarily in aviation and medicine, were analyzed. These results were evaluated thematically and transferred to cybersecurity. This resulted in a new framework model that combines the different forms of incident reporting into a uniform concept.

Results

The authors present four key findings:

  1. Uniform framework: Different reporting phenomena – from phishing reports and vulnerabilities to legal requirements – can be viewed under a common system.
  2. Expansion of the reporting spectrum: In addition to serious incidents, near misses and latent factors such as security culture or process gaps should also be recorded.
  3. New reporting channels: In addition to internal IT departments and authorities, independent, trustworthy bodies could be created to which employees can report without fear of sanctions.
  4. Design criteria: Successful systems are characterized by voluntariness, confidentiality, protection from penalties, independence, user-friendliness, feedback to reporters, and management support.

Implications

The lesson is clear: cybersecurity can only be strengthened if not only technology but also human and organizational factors are taken into account.

  • More learning instead of just reporting: Systems must enable real knowledge gain, even from minor incidents.
  • Psychological safety: Employees should be able to report without fear.
  • New institutions: Independent bodies can build trust.
  • Raise awareness among legislators: Reporting requirements alone are not enough if trust and protection are lacking.
  • Promote interdisciplinarity: Psychology, organizational research, and security sciences must be equally involved.

Conclusion

Anyone who wants to improve cybersecurity must think beyond purely technical solutions. Effective reporting systems can only be created if they are based on trust, take human behavior into account, and are embedded in management. Safety research has shown for decades that this works; now it is time to transfer this experience to the digital world.

Authors: Ebert, N., Schaltegger, T., Ambuehl, B., Geppert, T., Trammell, A., Knieps, M., & Zimmermann, V. (2025). Learning from safety science: designing incident reporting systems in cybersecurity. Journal of Cybersecurity, 11(1), tyaf019.

Article 2: Human behavior in cybersecurity – An opportunity for risk research

This article is a commentary piece published in the Journal of Risk Research (2025). It does not present any new data, but rather aims to spark debate. The authors – a team from ZHAW and ETH Zurich – argue that risk research, with its findings on perception, communication, and uncertainty, can make a decisive contribution to cybersecurity.

The focus is on integrating human behavior into cybersecurity. Many cyberattacks – such as phishing or ransomware – depend on human decisions. Nevertheless, risk research has largely been left out of the picture so far. The authors see this as a major missed opportunity and call for the systematic inclusion of key concepts such as types of uncertainty, risk perception, risk compensation, and mental models.

Methodology

The article is a theoretical analysis. The authors build a bridge between risk research and cybersecurity. They show that many proven concepts from risk science can provide valuable insights and use this to derive a research agenda that should inspire future projects.

Results

The focus is on five areas:

  1. Individual risk perception: People often underestimate cyber risks. Target group-specific research can help make training and interventions more effective.
  2. Cognitive, affective, and social perspectives: Emotions, trust, and social contexts influence whether security measures are adhered to.
  3. Decision-making under uncertainty: In the face of dynamic threats, simple, robust heuristics can be more valuable than complex models.
  4. Risk communication: Instead of general warnings, tailored messages that address the mental models of the target groups are needed.
  5. Risk management and governance: Resources must be used in a targeted manner. Policies and rules are only effective if they are compatible with human behavior.

Implications

The message is clear: cybersecurity must take human factors seriously.

  • Research: Interdisciplinary projects should examine how established concepts of risk research can be applied to cyber issues.
  • Practice: Companies should design realistic security strategies that focus on behavior rather than just technology.
  • Policy: Legislators can learn from risk research how to communicate uncertainties and design effective guidelines.
  • Society: Citizens benefit from understandable information that takes their everyday reality into account.

Conclusion

The commentary makes it clear that the major challenges of cybersecurity cannot be solved by technology alone. Human behavior is the decisive factor of uncertainty. Risk research has proven concepts that should be urgently integrated into cybersecurity. This will create a new research agenda that paves the way for human-centered and more effective digital security.

Authors: Schaltegger, T., Ambuehl, B., Bosshart, N., Bearth, A., & Ebert, N. (2025). Human behavior in cybersecurity: an opportunity for risk research. Journal of Risk Research, 1–12.
