Purpose: This paper aims to provide an outline and description of cognitive dissonance theory (CDT); an overview of cognitive dissonance interventions; a high-level view of CDT research; a review of existing mentions of cognitive dissonance and studies meaningfully applying CDT to cybersecurity; and suggestions for future research.

Design/methodology/approach: The authors conducted a general review of cognitive dissonance research and three literature reviews of cognitive dissonance at a high level, cognitive-dissonance interventions and cognitive dissonance in cybersecurity.

Findings: Cognitive-dissonance theory is compact and widely applicable. Cognitive-dissonance theory paradigms provide a basis for interventions across domains. Awareness of cognitive dissonance is relatively widespread in the cybersecurity literature. Many publications mentioned cognitive dissonance in passing. However, less than 13% of publications meaningfully focused on cognitive dissonance.

Research limitations/implications: CDT provides concepts and techniques to develop further insight into the cybersecurity attitude–behaviour gap. These have the potential to help bridge the gap and thereby increase cybersecure behaviour. Such interventions should be designed and evaluated in future research.

Originality/value: This paper makes an original contribution to cybersecurity research by identifying: cognitive-dissonance paradigms that form the potential basis for interventions to increase cybersecure behaviour; cybersecurity areas that potentially benefit from such interventions and other areas in which cognitive-dissonance theory has been meaningfully applied; and directions for future research, most notably focusing on how to apply cognitive-dissonance-based interventions.
Schaik et al. (Thu,) studied this question.