publications
2026
- T1GER: An Instructional Re-Design of a Cyber Range Exercise in a Commercial Security Operations Center. Magdalena Glas, Leon Kersten, Tom Mulders, and 2 more authors. In Proceedings of the 2026 CHI Conference on Human Factors in Computing Systems, Barcelona, Spain, 2026.
- Moving Beyond Passwords: Investigating the Effect of Digital Nudges on Passkey Adoption. Tobias Reittinger, Magdalena Glas, and Günther Pernul. In Proceedings of the 2026 CHI Conference on Human Factors in Computing Systems, 2026.
Passwords suffer from major usability hurdles that foster insecure practices and undermine cybersecurity. Passkeys were introduced to address these issues, however, adoption remains low. Digital nudges offer a promising way to accelerate passkey adoption, yet research lacks empirical insight about when to nudge and which nudge types and designs are most effective. We therefore employed a mixed-methods approach to examine the impact of nudges on passkey adoption across five touchpoints in the digital user journey: During registration, login, account recovery, while in the settings menu, and during user activity. First, we conducted 15 expert interviews to identify candidate nudges and their design principles. We evaluate these nudges in a randomized controlled trial (RCT) with 3,680 participants on a commercial healthcare platform. Our results indicate that digital nudges can significantly increase passkey adoption when applied at the right touchpoints, encouraging users to move beyond passwords.
- Insecure by design? A human-centric security perspective on AI-assisted software development. Magdalena Glas, Christoph Nirschl, Bar Lanyado, and 1 more author. Computers & Security, 2026.
Generative artificial intelligence (AI) tools are increasingly used in software development, improving the efficiency of software developers. However, this adoption introduces notable security challenges. AI-generated code is not secure by default, as it is often based on large-scale training data that includes open-source code of varying quality and trustworthiness. Developers using these tools may be unaware of the associated risks or may place excessive trust in the security of the output. This briefing paper outlines the key security risks associated with generative AI and offers human-centered strategies for mitigation. Since these risks arise not only from how generative AI models are built but also from how humans interact with them, we adopt a human-centric perspective. To this end, we provide recommendations for individuals, organizations, and educators to help harness the potential of generative AI in software development while effectively managing the associated security risks.
2025
- Motivational factors in cybersecurity: linking theory to organizational practice. Tobias Reittinger, Magdalena Glas, Sarah Aminzada, and 1 more author. Information and Computer Security, Jun 2025.
This study investigates the application of motivational strategies to encourage security-compliant behavior among employees in organizational cybersecurity, exploring how organizations motivate security-compliant behavior among employees in Germany. This study aims to bridge the gap between theoretical motivational models and practical implementation within organizations. This research uses a qualitative approach, conducting semi-structured interviews with 18 participants from organizations of different sizes and sectors in Germany, illuminating the topic from three perspectives: executive managers, security specialists and regular employees. A deductive analysis is applied to coding the interviews along intrinsic motivators (competence, relatedness and autonomy) and external motivators (incentives and nudges). This study found that some motivational factors, such as positive incentives like vouchers, and a healthy error culture effectively lead to employees being motivated to follow security guidelines. Conversely, the authors found several aspects that employees perceive as frustrating and ineffective, such as compulsory e-learnings or overcomplex security policies, hindering their intrinsic motivation to contribute to organizational cybersecurity. While existing literature offers insights into specific motivational methods applied within organizations, to the best of the authors’ knowledge, this paper is the first to adopt a broader perspective by analyzing how organizations’ cybersecurity strategies integrate both intrinsic and extrinsic motivational approaches.
- Securing the Road Ahead: Supporting Decision Making in Automotive Cybersecurity Risk Treatment. Manfred Vielberth, Robin Siepmann, Magdalena Glas, and 1 more author. In Availability, Reliability and Security, Jun 2025.
In the automotive industry, as in most other sectors, risk management is essential for maintaining a balanced security posture while ensuring reasonable cybersecurity spending. ISO 21434 clearly defines the process for automotive Threat Analysis and Risk Assessment (TARA) for identifying cybersecurity risks. However, it lacks detailed guidance on subsequent risk treatment decision-making, leading to a lack of reproducibility and transparency in automotive projects. To address this issue, we propose a framework that defines a structured decision-making process and provides guidance for experts on suitable cybersecurity control sets. Our framework evaluates all potential control options based on their cost-effectiveness, aiming to mitigate high risks to an acceptable level. Through a case study and interviews with six industry experts, we assessed its feasibility and iteratively refined the framework based on the experts’ feedback.
- Authentic Learning in Organizational Cybersecurity. Magdalena Glas. Sep 2025.
Cyberattacks against information systems, leading to data breaches, financial losses, and damage to critical infrastructure, pose significant threats to organizations and society. The global shortage of cybersecurity professionals intensifies these challenges, necessitating innovative methods to enhance skill development within organizations. This dissertation examines how authentic learning in cyber range exercises can strengthen the organizational cybersecurity workforce. It identifies use cases, instructional design approaches, simulation methods, and evaluation strategies providing resource-efficient solutions to enhance training effectiveness and improve resilience in digital infrastructures.
- A model-based framework for developing security-safety incident response plans. Vahiny Gnanasekaran, Urooj Fatima, Magdalena Glas, and 1 more author. Int. J. Inf. Secur., Dec 2025.
Cyberattacks are increasingly affecting the safe operation of critical infrastructure (e.g., energy, manufacturing) and potentially endangering production, people, equipment, and the environment. A cyber-incident with physical consequences requires personnel responsible for aggregating log information, analyzing root cause (i.e., cybersecurity), and ensuring the production and safe operation of safety-critical systems (i.e., safety) to collaborate. For this, they must understand their own and each other’s roles in the incident response process, as well as when and how to interact with different roles. To address this problem, this paper proposes a framework that utilizes a model-based approach to illustrate the critical roles and their interactions within a security-safety incident response plan. To demonstrate its applicability, the framework was applied in a qualitative study within the Norwegian oil and gas industry, involving two companies. This research sheds light on the relevance of applying a model-based approach to developing security and safety incident response plans for organizations. It investigates the relevance of using two modeling languages: a general-purpose software systems modeling language, the Unified Modeling Language (UML), and an enterprise process workflow modeling language, the Business Process Modeling Notation (BPMN), for visualizing the security-safety incident response plan. The findings indicate that the modeling languages are suitable and relevant for understanding and discussing the collaboration and coordination of different personnel’s roles during security-safety incident response. The distinct diagrams highlight various aspects, including roles, transmitted information, tasks, and the sequence of tasks. Future work should consider how the diagrams can be applied during the training and learning of the incident response plans.
- Cyber Ranges: Five Use Cases for Improving Cybersecurity Skills Development in Organizations. Magdalena Glas, Clara Hilmer, and Günther Pernul. IEEE Security & Privacy, Dec 2025.
2024
- Complex yet attainable? An interdisciplinary approach to designing better cyber range exercises. Magdalena Glas, Gerhard Messmann, and Günther Pernul. Computers & Security, Dec 2024.
The global shortage of cybersecurity professionals poses a daunting challenge for organizations seeking to protect their assets and data. To counteract this workforce shortage, cyber range exercises (CRXs) can equip individuals with the necessary knowledge and skills to become security professionals. However, the complexity of CRXs tends to overwhelm trainees with little prior cybersecurity experience, resulting in ineffective learning experiences. To address this issue, we take an interdisciplinary approach, leveraging established models on learning and motivation for cybersecurity. In this pursuit, we propose a literature-based framework of six design principles that aim to facilitate CRX designers in creating more effective CRXs. To illustrate the framework’s utility, we introduce a CRX for incident response built upon these principles. To evaluate the effectiveness of this principle-driven CRX design, we conducted a user study with N=89 participants. The results of this study showed that the design provided an engaging learning experience that enabled participants to effectively acquire incident response knowledge and skills.
- Employee Motivation in Organizational Cybersecurity: Matching Theory and Reality. Tobias Reittinger, Magdalena Glas, Sarah Aminzada, and 1 more author. In IFIP International Symposium on Human Aspects of Information Security & Assurance (HAISA 2024), Dec 2024.
Cyberattacks pose a persistent threat to organizations worldwide. These attacks often target employees as entry points to organizational systems through tactics like phishing and credential theft. Recognizing employees as an organization’s "last line of defense", motivating employees toward security-compliant behavior becomes paramount. While existing literature investigates theoretical frameworks for enhancing individuals’ motivation, studies regarding their practical implementation within organizational contexts remain scarce. This paper seeks to address this research gap by exploring how organizations motivate and incentivize security-compliant behavior among employees in Germany. We conducted semi-structured interviews with 18 participants from diverse organizational backgrounds, illuminating the topic from three perspectives: executive managers, security specialists, and regular employees. Utilizing a classification derived from existing literature, we examine our findings to identify which motivational strategies are currently implemented effectively within organizational contexts. On this basis, we offer a set of actionable recommendations on how organizations can enhance and complement existing motivational strategies.
- Elevating TARA: A Maturity Model for Automotive Threat Analysis and Risk Assessment. Manfred Vielberth, Kristina Raab, Magdalena Glas, and 2 more authors. In Proceedings of the 19th International Conference on Availability, Reliability and Security, Vienna, Austria, Dec 2024.
The importance of automotive cybersecurity is increasing in tandem with the evolution of more complex vehicles, fueled by trends like V2X or over-the-air updates. Regulatory bodies are trying to cope with this problem with the introduction of ISO 21434, which standardizes automotive cybersecurity engineering. One piece of the puzzle for compliant cybersecurity engineering is the creation of a TARA (Threat Analysis and Risk Assessment) for identifying and managing cybersecurity risks. The more time security experts invest in creating a TARA, the more detailed and mature it becomes. Thus, organizations must balance the benefits of a more mature TARA against the costs and resources required to achieve it. However, there is a lack of guidance on determining the appropriate level of effort. In this paper, we propose a data-driven maturity model as a management utility facilitating the decision on the maturity-cost trade-off for creating TARAs. To evaluate the model, we conducted interviews with seven automotive cybersecurity experts from the industry.
- Security and Privacy Perspectives on Using ChatGPT at the Workplace: An Interview Study. Angelika Kimbel, Magdalena Glas, and Günther Pernul. In IFIP International Symposium on Human Aspects of Information Security & Assurance (HAISA 2024), Dec 2024.
The emergence of the artificial intelligence (AI) tool ChatGPT has created great excitement and unprecedented potential in various fields. Users are increasingly recognizing its benefits in aiding with work-related tasks and are incorporating it into their work routines. However, unconscious use of ChatGPT poses a risk to an organization if employees inadvertently disclose sensitive information. To date, there is a lack of research examining individuals’ perceptions of the security and privacy implications of ChatGPT use in organizational contexts. To bridge this gap, this study examines employees’ perceptions of security and privacy-related risks of using ChatGPT for work-related tasks and their strategies to mitigate these risks. Employing grounded theory, we conducted semi-structured interviews with 17 participants from 15 organizations across a range of professions and industries. Our findings indicate that employees have a general awareness of security and privacy-related risks, albeit with some uncertainties and misconceptions. While organizational guidelines for managing these risks are largely absent, participants describe that they employ self-determined strategies to avoid sharing sensitive data.
2023
- Train as you Fight: Evaluating Authentic Cybersecurity Training in Cyber Ranges. Magdalena Glas, Manfred Vielberth, and Guenther Pernul. In Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems, Hamburg, Germany, Dec 2023.
Humans can play a decisive role in detecting and mitigating cyber attacks if they possess sufficient cybersecurity skills and knowledge. Realizing this potential requires effective cybersecurity training. Cyber range exercises (CRXs) represent a novel form of cybersecurity training in which trainees can experience realistic cyber attacks in authentic environments. Although evaluation is undeniably essential for any learning environment, it has been widely neglected in CRX research. Addressing this issue, we propose a taxonomy-based framework to facilitate a comprehensive and structured evaluation of CRXs. To demonstrate the applicability and potential of the framework, we instantiate it to evaluate Iceberg CRX, a training we recently developed to improve cybersecurity education at our university. For this matter, we conducted a user study with 50 students to identify both strengths and weaknesses of the CRX.
- Cyber Range Exercises: Potentials and Open Challenges for Organizations. Magdalena Glas, Fabian Böhm, Falko Schönteich, and 1 more author. In Human Aspects of Information Security and Assurance, Dec 2023.
The shortage of skilled cybersecurity professionals poses a significant challenge for organizations seeking to protect their assets and data. To address this shortage, onboarding and reskilling employees for cybersecurity positions becomes a daunting task for organizations. Cyber ranges mirror digital infrastructures to provide a realistic yet safe environment for cybersecurity training. To date, the potential of cyber ranges has been leveraged primarily in academic education. This paper investigates how cyber range exercises (CRX) can enhance the onboarding and reskilling of cybersecurity professionals in organizations. To this end, we conducted semi-structured interviews with seven cybersecurity professionals from organizations in different industry sectors in Germany and India. Our findings indicate that the main potential of CRXs lies in conveying universal cybersecurity concepts that are transferable to the particular systems, technologies and tools of an organization. Thereby, CRXs represent a promising complement to existing organizational training strategies. Challenges to overcome were identified in establishing an organizational CRX infrastructure, building the necessary competencies to conduct the exercises, and ensuring the comparability of CRXs to validate personal competence development.
- Improving cybersecurity skill development through visual programming. Magdalena Glas, Manfred Vielberth, Tobias Reittinger, and 2 more authors. Information & Computer Security, Feb 2023.
2022
- Visual Programming in Cyber Range Training to Improve Skill Development. Magdalena Glas, Manfred Vielberth, Tobias Reittinger, and 2 more authors. In Human Aspects of Information Security and Assurance, Feb 2022.
Cyber range training is a promising approach to address the shortage of skilled cybersecurity experts in organizations worldwide. Seeking to make the training of those experts as efficacious and efficient as possible, we investigate the potential of visual programming languages (VPLs) for training in cyber ranges. For this matter, we integrate the VPL Blockly into an existing cyber range concept. To evaluate its effect on the learning process of the trainees we conducted a user study with an experimental group using the VPL and a control group using textual programming. The evaluation results demonstrated a positive impact of the VPL on the trainees’ learning experience. The trainees in the VPL group achieved equally good learning outcomes as those in the control group but rated the subjective workload as lower and perceived the training as more interesting.
- ForCyRange: An Educational IoT Cyber Range for Live Digital Forensics. Sabrina Friedl, Magdalena Glas, Ludwig Englbrecht, and 2 more authors. In Information Security Education - Adapting to the Fourth Industrial Revolution, Feb 2022.
The Internet of Things (IoT) is finding increasing application in different areas, whether for private users or in industrial plants. The IoT increases the attack surface for Advanced Persistent Threats (APTs) due to insufficiently secured IoT devices and networks. The heterogeneous structure of the IoT poses several new challenges for the application of IoT forensics (IoTF). Due to limited resources and storage capacity on the devices, the application of traditional forensics is not possible. Therefore, the nature of these IoT devices urges forensic experts to extract and analyze possibly relevant data in a real-time manner from running devices by applying Live Digital Forensics (LDF). Although LDF investigations are not commonly applied in the IoT context yet, IoTF could benefit largely from a combined arms approach with LDF. Thus, security experts with sufficient skills and knowledge will be required to perform such procedures. Addressing the challenge to equip future forensic experts with these skills and knowledge, we propose a concept for an educational IoT Cyber Range for LDF for postgraduate cybersecurity learners. For a realistic learning experience, we outline the simulation of a simplistic, underlying IoT system. In order to create an environment that is as realistic as possible, we describe an illustrative scenario that serves as a motivational story. Following the scenario, learners carry out several tasks of an IoTF investigation for solving the scenario.
2021
- A Digital Twin-Based Cyber Range for SOC Analysts. Manfred Vielberth, Magdalena Glas, Marietheres Dietz, and 3 more authors. In Data and Applications Security and Privacy XXXV, Feb 2021.
Security Operations Centers (SOCs) provide a holistic view of a company’s security operations. While aiming to harness this potential, companies are lacking sufficiently skilled cybersecurity analysts. One approach to meet this demand is to create a cyber range to equip potential analysts with the skills required. The digital twin paradigm offers great benefit by providing a realistic virtual environment to create a cyber range. However, to the best of our knowledge, tapping this potential to train SOC analysts has not been attempted yet. To address this research gap, a concept of a digital twin-based cyber range for SOC analysts is proposed and implemented. As part of the virtual training environment, several attacks against an industrial system are simulated. Being provided with a SIEM system that displays the real-time log data, the trainees solve increasingly complex tasks in which they have to detect the attacks performed against the system. Thereby, they learn how to interact with a SIEM system and create rules that correlate events aiming to detect security incidents. To evaluate the implemented cyber range, a comprehensive user study demonstrates a significant increase of knowledge within SIEM-related topics among the participants. Additionally, it indicates that the cyber range was subjectively perceived as a positive learning experience by the participants.