Keywords
Cybersecurity, Work-from-home, User behavior, Micro-segmentation, Usability digital fatigue
This article is included in the Cybersecurity collection.
The rapid adoption of work-from-home (WFH) arrangements in higher education has increased dependence on personal devices and home networks, exposing universities to cybersecurity risks influenced by user behavior, usability challenges, and environmental constraints. This study aimed to develop a User-Behavior Micro-Segmentation Framework (UBMSF) tailored to the contextual and operational realities of remote work in Ugandan universities.
A quantitative descriptive research design grounded in the Theory of Planned Behavior (TPB) and Design Science Research (DSR) principles was employed. Data were collected using structured questionnaires administered to academic, administrative, and information technology staff from selected Ugandan universities. Descriptive statistics, correlation analysis, multiple regression, and k-means clustering were used to analyse cybersecurity behavior, usability difficulty, digital fatigue, and behavioral patterns.
The findings revealed that perceived behavioral control, usability difficulty, and digital fatigue were significant predictors of cybersecurity behavior. Regression analysis showed that usability difficulty and fatigue negatively affected secure practices, while clustering analysis identified distinct user segments with varying levels of risk exposure, capability, and behavioral consistency. These findings informed the development of the UBMSF, which integrates behavioral, technological, and contextual dimensions to support adaptive cybersecurity interventions.
The study demonstrates that cybersecurity behavior in remote work environments is shaped by both psychological and contextual factors. The proposed framework provides a structured approach for identifying user behavior patterns and aligning cybersecurity interventions with user capability, usability conditions, and environmental realities in higher education institutions.
Work-from-home (WFH) refers to the arrangement where university students and staff perform academic and administrative duties from home using digital technologies. In recent years, particularly after the COVID-19 pandemic, WFH has become a critical component of university operations. It allows continuity of teaching, research, and administration but also transfers institutional data security responsibilities to individual users operating from domestic networks (Leal Filho et al., 2025; Wong et al., 2021).
The rise of WFH has brought flexibility and innovation but also heightened cybersecurity risks. Staff now routinely access institutional systems through personal or shared devices and unmonitored home networks, increasing exposure to phishing, ransomware, and unauthorised data access. In resource-constrained university environments, these risks are amplified by limited technical infrastructure, weak enforcement of security policies, and insufficient cybersecurity awareness and support (Asyrofi & Nugraha, 2025; Radha et al., 2024).
Global studies have consistently identified end-user behavior as the weakest link in cybersecurity management. Despite growing investment in awareness programs, compliance and secure behavior remain inconsistent (Alsabri & Al-Hadi, 2025; Moustafa et al., 2021). Regional research in African higher education institutions highlights additional challenges, including poor usability of security systems, high digital fatigue, and limited institutional oversight. Locally, in Uganda, studies have revealed that work from home conditions exacerbate behavioral and contextual weaknesses, as university students and staff rely on unsecured home networks and under-supported devices to perform critical tasks (Ndaba & Gedala, 2024; Yidana et al., 2023).
While previous research has deepened understanding of cybersecurity behavior, little has been done to systematically classify users based on behavioral and contextual realities. A one-size-fits-all approach to cybersecurity awareness fails to account for differences in capability, fatigue, and system usability (Baltuttis et al., 2024; Kannelønning & Katsikas, 2023). Therefore, there is a pressing need for a framework that segments users according to their behavioral and environmental profiles. Such an approach can enable universities to design interventions that reflect actual user experiences rather than uniform compliance expectations (Donekal Chandrashekar et al., 2024).
To address this need, the present study designed a User-Behavior Micro-Segmentation Framework (UBMSF) tailored to the remote work environments of Ugandan higher education institutions. Drawing upon behavioral science and segmentation logic, the framework integrates findings from user behavior analysis with design-science principles to guide context-sensitive cybersecurity management. Specifically, the study sought to design a user-behavior micro-segmentation framework and addressed the following guiding research question:
How can a user-behavior micro-segmentation framework be designed to align with the contextual and operational realities of work from home in Ugandan universities?
This study employed a quantitative descriptive research design to investigate cybersecurity behavior and design a user-behavior micro-segmentation framework. The quantitative approach enabled the systematic analysis of behavioral, contextual, and usability-related factors influencing cybersecurity outcomes. The design was appropriate for identifying measurable relationships and deriving behavioral profiles from large-scale user data. To ensure theoretical grounding, the research was guided by the Theory of Planned Behavior (TPB) (Ajzen, 1991) and integrated Design Science Research (DSR) principles (Peffers et al., 2007) to translate empirical findings into a validated framework artefact.
The study population comprised students, academic staff, and administrative staff from selected Ugandan universities that had formally implemented remote or hybrid work frameworks. These institutions were chosen to reflect varying levels of digital maturity and resource availability. A stratified random sampling technique was adopted to ensure adequate representation across job categories, age groups, and levels of digital engagement. Stratification enabled the capture of behavioral variation among users performing different institutional roles. Out of the targeted respondents, 216 valid responses were obtained, which provided a statistically meaningful basis for quantitative analysis.
Data were collected through a structured questionnaire that captured both behavioral and contextual indicators of cybersecurity practice. The instrument consisted of five major sections:
1. Demographic Information
2. Cybersecurity Behavioral Practices (password management, safe browsing, device configuration, file handling, and network use)
3. Usability Difficulty and Digital Fatigue
4. Behavioral Constructs from the Theory of Planned Behavior (TPB) – including attitude, subjective norms, perceived behavioral control, and behavioral intention
5. Perceived Environmental Constraints and Institutional Support
All items were measured using a five-point Likert scale ranging from 1 (strongly disagree) to 5 (strongly agree). The questionnaire underwent a pilot test to assess reliability and internal consistency. The resulting Cronbach’s alpha of 0.901 indicated excellent reliability, suggesting that the instrument consistently measured the intended constructs.
Data analysis followed a multi-stage process to identify behavioral patterns and inform framework development. Descriptive statistics were first computed to evaluate respondents’ cybersecurity performance across key domains such as password hygiene, browser safety, device management, and network practices.
Subsequently, inferential analyses were conducted using correlation and multiple regression to identify significant predictors of cybersecurity behavior, including usability difficulty and digital fatigue. Clustering analysis (k-means) was then applied to segment users into groups exhibiting similar behavioral tendencies. This segmentation provided empirical evidence for the framework’s structural logic, highlighting user heterogeneity and vulnerability patterns within the remote work environment. All analyses were performed using SPSS v25, with statistical significance evaluated at p < 0.05.
Ethical integrity guided every stage of this study. The study was conducted in accordance with the principles of the Declaration of Helsinki for research involving human participants. Participation was voluntary, and written informed consent was obtained from all respondents prior to data collection. To safeguard anonymity, no personal identifiers were collected, and all responses were securely stored in encrypted formats accessible only to the research team. Ethical clearance was obtained from the Mbarara University of Science and Technology Research Ethics Committee (MUST-REC), approval number MUST-2025-400.
The methodological foundation of this study combined behavioral theory and human-centred design logic. The Theory of Planned Behavior (TPB) provided a predictive lens for understanding user intention and action, focusing on attitude, subjective norms, and perceived behavioral control as determinants of secure behavior. However, the study extended TPB by introducing contextual moderators, namely, usability and digital fatigue, that condition how perceived control translates into action.
The design orientation of the research was guided by principles of Human-Centred Design (HCD) and User-Centred Security Design (UCSD). These paradigms emphasise that effective cybersecurity systems must be developed around human capabilities, cognitive limits, and contextual realities rather than purely technical efficiency. HCD guided the interpretation of human factors, such as usability, fatigue, and perceived behavioral control, while UCSD informed the design implications and development of the User-Behavior Micro-Segmentation Framework (UBMSF). Together, these frameworks grounded the study in both behavioral theory and user-oriented security practice, ensuring that the resulting framework is not only evidence-based but also responsive to the lived realities of remote respondents in Ugandan universities.
Descriptive statistics were computed to evaluate cybersecurity behavior across six domains: password management, safe browsing, device configuration, file handling, network usage, and incident response. Respondents demonstrated moderate adherence to secure practices, with mean scores ranging between 3.21 and 3.78 on a five-point scale, reflecting generally positive yet inconsistent behavior patterns. Instrument reliability testing yielded Cronbach’s α = 0.901, confirming internal consistency across behavioral and contextual scales and supporting the validity of the aggregated results.
Password management achieved the highest mean score (M = 3.78, SD = 0.82), as shown in Table 1, suggesting greater personal discipline, whereas incident response (M = 3.21, SD = 0.85) was weakest, indicating limited readiness to detect or report security events, which also aligns with Maalem Lahcen et al. (2020). This pattern aligns with prior research showing that awareness alone rarely translates into consistent action. These associations provided the statistical foundation for subsequent regression and clustering frameworks.
Pearson’s correlation analysis explored associations between usability difficulty, digital fatigue, and cybersecurity behavior, as shown in Table 2.
| Variables | 1 | 2 | 3 |
|---|---|---|---|
| 1. Usability difficulty | — | | |
| 2. Digital fatigue | 0.54** | — | |
| 3. Cybersecurity behavior | −0.46** | −0.41** | — |
Together, the two frameworks explained nearly 56% of the variance, demonstrating that psychological and contextual dimensions jointly determine secure conduct. Both usability difficulty (r = −0.46, p < .01) and digital fatigue (r = −0.41, p < .01) were significantly and negatively associated with cybersecurity behavior. These relationships suggest that as users face greater interface complexity or prolonged screen exposure, their compliance with secure practices declines. This trend reinforces the contextual dimension of cybersecurity—highlighting that performance is affected not only by knowledge but also by workload and cognitive strain.
Two regression frameworks were estimated to determine predictors of cybersecurity behavior. The first framework examined contextual predictors, while the second applied behavioral constructs from the TPB, as shown in Table 3.
| Predictor | B | SE B | β | t | p |
|---|---|---|---|---|---|
| Constant | 4.11 | 0.18 | — | 22.83 | < .001 |
| Usability difficulty | −0.32 | 0.07 | −0.39 | −4.57 | < .001 |
| Digital fatigue | −0.27 | 0.06 | −0.34 | −4.18 | < .001 |
The contextual framework explained 37% of the variance in cybersecurity behavior, confirming that both usability and fatigue independently shape secure conduct. As systems become harder to use or staff experience digital exhaustion, adherence to security practices diminishes, a finding consistent with human–computer interaction studies emphasizing usability as a determinant of cybersecurity outcomes and with the study by Ifinedo (2020).
The behavioral framework explained 55.4% of variance, with perceived behavioral control (PBC) emerging as the most influential determinant, as shown in Table 4. The significance of PBC supports TPB’s assertion that perceived capability strongly predicts behavioral compliance. However, when contextual factors are considered, it becomes evident that usability and fatigue moderate how PBC translates into secure action.
K-means clustering yielded three behavioral clusters (Resilient, Overextended, and At-Risk Users). These statistical clusters were subsequently translated into four operational behavioral segments by incorporating usability and digital fatigue indicators to support framework intervention design, as shown in Table 5.
These clusters reveal significant heterogeneity in user capability and risk exposure. “Resilient” users maintain consistent behavior despite contextual strain, while “Overextended” users exhibit fluctuating compliance under high fatigue. The “At-Risk” segment demonstrates persistent usability barriers and weak incident response. The emergence of the Compliant-and-Cautious cluster highlights a proactive user group that could serve as peer champions.
Such segmentation provides empirical justification for the differentiated intervention framework proposed in Section 4. It confirms that cybersecurity management must move beyond general awareness programs to targeted, behavior-specific support mechanisms aligned with each user profile.
Table 6 presents the regression results examining the influence of usability difficulty and cognitive load on cybersecurity behavior.
| Predictor | β | SE | t | p |
|---|---|---|---|---|
| Usability Difficulty | 0.421 | 0.069 | 5.10 | < 0.001 |
| Cognitive Load | −0.357 | 0.084 | −4.25 | < 0.001 |
The results demonstrated that usability difficulty was significantly associated with cybersecurity behaviors, while increased cognitive load negatively affected cybersecurity practices. These findings align with research emphasising the role of human–computer interaction in security compliance (Ifinedo, 2020).
Table 7 presents the correlations between digital fatigue, risky behavior, usability difficulty, and cognitive load.
| Variable | r | p |
|---|---|---|
| Digital Fatigue – Risky Behavior | 0.62 | < 0.001 |
| Digital Fatigue – Usability Difficulty | 0.48 | < 0.001 |
| Digital Fatigue – Cognitive Load | 0.52 | < 0.001 |
Fatigue correlated strongly with risky behavior, usability difficulty, and cognitive overload. This pattern supports the argument that prolonged digital engagement diminishes vigilance and contributes to security lapses. Respondents’ qualitative feedback reinforced this relationship; many acknowledged ignoring warnings or reusing passwords when tired, mirroring similar observations by Nilupú-Moreno and Salas-Riega (2024).
Cluster analysis identified four distinct user segments that informed framework development:
1. Weak-Across-All-Domains – low capability, high usability difficulty; require intensive support.
2. Careless-but-Confident – overconfident users with poor browser safety and minimal adherence to protocol.
3. Fatigued-and-Overloaded – moderate awareness but performance declines under high workload or fatigue.
4. Compliant-and-Cautious – consistently secure users who could serve as peer mentors.
This segmentation validated the heterogeneity of cybersecurity behavior and demonstrated the inadequacy of uniform awareness campaigns. Each segment corresponded to unique intervention needs, providing the empirical basis for the User-Behavior Micro-Segmentation Framework (UBMSF).
To operationalise the proposed user-behavior micro-segmentation framework, classification rules were developed by combining four axis scores: behavioral domain average (BDavg), perceived behavioral control (PBC), usability difficulty (US), and digital fatigue (FD). The thresholds were defined using sample-derived percentile cut-offs from the empirical results and validated against qualitative respondent profiles. The rules enable consistent and repeatable segment assignment while allowing temporal movement between segments as fatigue levels and contextual risks change, as shown in Table 8.
The collective evidence underscores that cybersecurity behavior is the outcome of an intricate interaction between psychological, technological, and contextual dimensions. Perceived behavioral control remains central, but its efficacy is shaped by usability and fatigue conditions. The findings also demonstrate that users’ behavioral diversity, rooted in differences in confidence, cognitive load, and work context, translates directly into varying risk profiles.
From a theoretical standpoint, these findings extend the Theory of Planned Behavior by incorporating contextual moderators that alter the strength of behavioral determinants. Practically, they validate the principle that behavioral segmentation enhances understanding of user heterogeneity, offering a basis for adaptive, context-sensitive interventions.
Building on these empirical findings, the next section integrates behavioral and contextual patterns into a coherent analytical structure. The relationships identified among usability difficulty, digital fatigue, and perceived behavioral control provided the foundation for constructing the User-Behavior Micro-Segmentation Framework (UBMSF). This framework translates statistical relationships into an operational framework capable of differentiating user groups according to behavioral tendencies, contextual constraints, and capability levels. In doing so, it bridges quantitative evidence with design-science artefact development, establishing a foundation for sustainable, user-centred cybersecurity management in higher education.
The development of the framework followed a storyline logic that emerged directly from the data, reflecting the lived experiences of staff working from home rather than treating cybersecurity as a purely technical issue. The results revealed that user capability, confidence, and fatigue interact dynamically with usability and environmental constraints. These insights informed the conceptual foundation of the User-Behavior Micro-Segmentation Framework, which integrates behavioral theory (Ajzen, 1991) with design-science principles (Peffers et al., 2007) to create an adaptive, evidence-based framework for cybersecurity management in higher education.
The framework builds upon the Theory of Planned Behavior (TPB) by incorporating contextual and design-oriented factors relevant to cybersecurity in remote academic environments. In TPB, behavior is driven by attitude, subjective norms, and perceived behavioral control; however, in work-from-home settings, these determinants are shaped by usability and environmental constraints that affect how intention translates into secure action.
Accordingly, this framework introduces two contextual moderators, usability difficulty and digital fatigue, that condition perceived behavioral control and influence behavioral outcomes. Users facing complex systems or cognitive exhaustion may struggle to perform secure actions consistently, even when aware of risks (Ifinedo, 2020; Nilupú-Moreno & Salas-Riega, 2024). Thus, intention alone cannot fully explain cybersecurity behavior in technology-mediated environments. The framework conceptualises cybersecurity behavior as the outcome of interactions among three interdependent dimensions:
1. Psychological Dimension – Attitude toward security, subjective norms, and perceived behavioral control, representing individual motivation and confidence.
2. Technological Dimension – System usability, interface design, and accessibility of institutional platforms influencing user experience and performance.
3. Contextual Dimension – Environmental factors such as digital fatigue, workload, and home network reliability that shape user focus and decision-making.
This integrated framework guided both the measurement of constructs and the interpretation of findings. The framework thus bridges behavioral theory and design practice, forming the theoretical basis for empirical validation in subsequent sections. Figure 1 presents the proposed User-Behavior Micro-Segmentation Framework (UBMSF) illustrating the relationships among behavioral assessment, segmentation, intervention, and adaptive feedback mechanisms.
The proposed user-behavior micro-segmentation framework was derived from the integration of quantitative results (behavioral domain performance, regression predictors, and correlation patterns) and qualitative thematic insights. The empirical findings were translated into concrete design requirements to ensure that the framework is evidence-driven, operational, and responsive to usability constraints, fatigue dynamics, and environmental limitations in WFH settings. Table 9 presents the mapping between empirical findings and the corresponding framework design requirements.
| Evidence source | Empirical finding/justification | Design requirement | Framework feature/implementation |
|---|---|---|---|
| Behavior domain means (Table 1) | Domain performance varies | Profiling must be multi-dimensional | Segmentation uses BDavg + domain-specific triggers |
| TPB regression (Table 4) | PBC strongest predictor | Integrate user confidence/control into segmentation | Include PBC in rule set |
| Usability regression (Table 3) | Usability predicts behavior | Reduce cognitive friction | Simplified security flows |
| Cognitive load regression | Cognitive load reduces behavior | Lower security burden | Reduce prompts/authentication steps |
| Fatigue correlations (Table 7) | Fatigue linked to risky behavior | Implement fatigue-aware controls | Scheduling rules |
| Qualitative Theme 1 | Authentication overload | Improve usability | Simplified login flows |
| Qualitative Theme 2 | Vigilance drops late | Reduce non-urgent prompts | Dynamic segmentation |
| Qualitative Theme 3 | Overconfidence despite risky browsing | Address optimistic bias | Simulated phishing/nudges |
| Qualitative Theme 4 | Training quickly forgotten | Continuous practical training | Segment-tailored training |
| Qualitative Theme 5 | Shared devices/unstable environments | Default-safe options | Device hardening policies |
| Qualitative Theme 6 | Segmentation acceptable if privacy respected | Transparency/governance | Privacy safeguards |
The framework connects the behavioral patterns identified in the analysis with targeted intervention strategies, allowing universities to differentiate cybersecurity responses according to user capability, motivation, and contextual constraints. The framework also provides actionable guidance for system design. Enhancing usability—through streamlined authentication, harmonized digital platforms, and context-sensitive prompts—emerges as a critical strategy for supporting secure behavior. Similarly, recognizing fatigue dynamics enables institutions to schedule security updates, prompts, or training activities at optimal times, reducing cognitive overload and prompt fatigue.
Table 10 presents the logical flow of the Average Behavioral Score (ABS) process within the segmentation engine of the User-Behavior Micro-Segmentation Framework (UBMSF).
The User Behavior Micro-Segmentation Framework (UBMSF) is a dynamic, user-centred model developed to enhance cybersecurity management in remote and hybrid higher-education environments. It continuously evaluates user behavior, classifies individuals into behavioral micro-segments, and applies targeted interventions to promote sustained secure practices. The framework integrates behavioral science, contextual analysis, and adaptive feedback loops to address the human dimension of cybersecurity in a systematic and evidence-based manner.
At its analytical core lies the Average Behavior Score (ABS), a composite metric that quantifies each user’s cybersecurity posture. The ABS aggregates performance across multiple behavioral domains, including password management, file handling, browser safety, and network use, to generate a standardized indicator of behavioral consistency and risk exposure. By combining this behavioral measure with contextual factors such as usability difficulty and digital fatigue, the ABS enables the Segmentation Engine to produce precise user profiles. These profiles capture how users behave, why they behave that way, and how their behavior changes over time, forming the foundation for adaptive, data-driven cybersecurity management.
The framework operates through four interlinked modules:
1. Assessment Module – Collects user behavior data across digital hygiene dimensions such as password practices, device management, and browser safety. These observations are synthesized into the ABS, creating a behavioral fingerprint for each user.
2. Segmentation Engine – Uses the ABS and contextual modifiers to classify users into four micro-segments based on their behavioral tendencies:
a) Weak Across All Domains – limited capability and inconsistent secure practices.
b) Careless but Confident – high self-perceived competence but frequent risky shortcuts.
c) Fatigued and Overloaded – motivated users whose secure behavior declines under workload or fatigue.
d) Compliant and Cautious – consistently secure users who maintain high compliance and serve as peer models.
3. Intervention and Guidance Module – Aligns each segment with tailored interventions:
a) Weak users receive Guidance and Simple GUIs to simplify secure behavior.
b) Careless users are supported through Nudges and Simulations that reveal risk consequences.
c) Fatigued users benefit from Fatigue-Aware Automation, which reduces cognitive burden.
d) Compliant users are reinforced through Light Mentorship to sustain engagement.
These interventions collectively reduce friction, correct unsafe habits, and reinforce positive cybersecurity behavior.
4. Monitoring and Feedback Module – Tracks behavioral improvements over time through usability metrics, fatigue reduction, and incident trends. Users who demonstrate steady improvement move through the YES-loop toward Sustained Secure Behavior, while those showing persistent risk are re-segmented for renewed support. This cyclical process ensures continuous learning and behavioral adaptation.
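The classification rules built from BDavg, PBC, US and FD, and the assessment, segmentation, intervention and re-segmentation loop of the four modules above, can be sketched as one small rule engine. This is an added example, not the study's own code: the percentile levels, the rule ordering, the fallback rule and the sample scores are assumptions constructed for illustration, and the study's actual thresholds are not reproduced here.

```python
from dataclasses import dataclass, replace
from statistics import mean

# Domain order follows the six behavioral domains named in the results.
DOMAINS = ("password", "browsing", "device", "files", "network", "incident")

# Segment -> intervention, as listed in the Intervention and Guidance Module.
INTERVENTIONS = {
    "Weak-Across-All-Domains": "Guidance and simple GUIs",
    "Careless-but-Confident": "Nudges and simulations",
    "Fatigued-and-Overloaded": "Fatigue-aware automation",
    "Compliant-and-Cautious": "Light mentorship",
}


@dataclass(frozen=True)
class Profile:
    uid: str        # pseudonymous ID only; no personal identifiers
    domains: tuple  # 1-5 Likert scores, one per entry in DOMAINS
    pbc: float      # perceived behavioral control
    us: float       # usability difficulty
    fd: float       # digital fatigue

    @property
    def bd_avg(self):
        return mean(self.domains)

    @property
    def browsing(self):
        return self.domains[DOMAINS.index("browsing")]


def percentile(values, p):
    """Linear-interpolated percentile (0 <= p <= 100) of a non-empty sample."""
    s = sorted(values)
    if not s:
        raise ValueError("cannot derive a cut-off from an empty sample")
    rank = (p / 100) * (len(s) - 1)
    lo = int(rank)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (rank - lo) * (s[hi] - s[lo])


def derive_cutoffs(sample):
    """Sample-derived cut-offs. The percentile levels are assumptions."""
    return {
        "bd": percentile([u.bd_avg for u in sample], 50),
        "pbc": percentile([u.pbc for u in sample], 75),
        "us": percentile([u.us for u in sample], 75),
        "fd": percentile([u.fd for u in sample], 75),
        "browsing": percentile([u.browsing for u in sample], 25),
    }


def assign_segment(u, cuts):
    """Ordered rules (assumed): first match wins, every user gets a segment."""
    low_behavior = u.bd_avg < cuts["bd"]
    if low_behavior and u.us >= cuts["us"]:
        return "Weak-Across-All-Domains"
    # Domain-specific trigger: high confidence despite poor browser safety.
    if u.pbc >= cuts["pbc"] and u.browsing <= cuts["browsing"]:
        return "Careless-but-Confident"
    if u.fd >= cuts["fd"]:
        return "Fatigued-and-Overloaded"
    if not low_behavior:
        return "Compliant-and-Cautious"
    # Low behavior with no contextual explanation: default to most support.
    return "Weak-Across-All-Domains"


def resegment(u, cuts, **new_scores):
    """Re-score a user at a later assessment against the frozen baseline
    cut-offs, so movement reflects the user and not cohort drift."""
    later = replace(u, **new_scores)
    return assign_segment(u, cuts), assign_segment(later, cuts)


# Constructed sample (not study data): uid, domain scores, PBC, US, FD.
SAMPLE = [
    Profile("u01", (5, 5, 4, 4, 5, 4), 4.5, 1.5, 2.0),
    Profile("u02", (4, 4, 4, 5, 4, 3), 4.0, 2.0, 2.5),
    Profile("u03", (4, 2, 4, 3, 3, 3), 4.8, 2.0, 2.0),
    Profile("u04", (4, 3, 4, 4, 3, 3), 3.5, 3.0, 4.5),
    Profile("u05", (2, 2, 2, 3, 2, 1), 2.0, 4.5, 3.0),
    Profile("u06", (3, 3, 2, 2, 3, 2), 2.5, 4.0, 3.5),
    Profile("u07", (4, 4, 3, 4, 4, 3), 3.8, 2.5, 4.2),
    Profile("u08", (3, 2, 3, 3, 3, 2), 4.6, 2.5, 2.8),
]

if __name__ == "__main__":
    cuts = derive_cutoffs(SAMPLE)
    for u in SAMPLE:
        seg = assign_segment(u, cuts)
        print(u.uid, round(u.bd_avg, 2), seg, "->", INTERVENTIONS[seg])
    print("u07 after fatigue drops:", resegment(SAMPLE[6], cuts, fd=2.5))
```

Freezing the cut-offs at the baseline assessment is a design choice of this sketch: recomputing percentiles at every reassessment would move users between segments whenever the cohort shifts, even if their own scores did not change.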
By integrating quantitative behavior scoring (ABS) with qualitative segmentation and adaptive feedback, the UBMSF transforms cybersecurity management from a uniform awareness model into a personalized, evidence-driven process. It provides universities and organizations with a scalable mechanism to understand user heterogeneity, anticipate risk, and foster sustainable secure conduct across diverse user populations.
Based on the empirical results, four principal behavioral segments were derived, as indicated in Table 11:
These segments reflect the empirical observation that motivation, social norms, and habitual patterns drive behavior more strongly than technical proficiency alone.
The framework moves beyond generic awareness programs by embedding behavioral and contextual insight into cybersecurity management. It provides institutions with an evidence-based mechanism for allocating resources and designing interventions that reflect actual user realities. Regular reassessment ensures adaptability as technologies and work conditions evolve, supporting a continuous-improvement cycle rather than static compliance.
The framework operationalises TPB by integrating environmental moderators, usability and fatigue, into its predictive structure and by applying Design Science Research logic to transform behavioral evidence into an artefact for real-world use. It thereby bridges the gap between behavioral theory and applied cybersecurity design, offering a scalable, context-aware framework suitable for higher-education environments.
The User-Behavior Micro-Segmentation Framework described above was empirically validated using the behavioral dataset collected from university staff working in remote and hybrid environments. This validation sought to determine whether the relationships identified in the conceptual framework, particularly those involving usability difficulty, digital fatigue, and perceived behavioral control, were statistically significant and consistent across user segments. The following section presents the quantitative results and statistical analyses that informed the development of the framework’s segmentation logic and intervention strategies.
The framework therefore unites theoretical reasoning and empirical observation into a single interpretive structure. Having outlined how behavioral segments and contextual moderators interact, the next section interprets these results in light of existing cybersecurity behavior theory. The Discussion elaborates on how these findings extend the Theory of Planned Behavior and what they imply for both institutional practice and user-centred security design.
This study examined cybersecurity behavior among university staff working from home in resource-constrained higher education environments, with the goal of developing a User-Behavior Micro-Segmentation Framework (UBMSF) to guide context-aware cybersecurity management. The findings demonstrated that cybersecurity behavior is neither uniform nor solely dependent on awareness or intention. Instead, it is shaped by a combination of behavioral, cognitive, and contextual factors, most notably perceived behavioral control, usability difficulty, and digital fatigue.
Regression analyses revealed that perceived behavioral control (PBC) was the strongest predictor of secure behavior, confirming that confidence and capability are central to effective cybersecurity practices. However, the influence of PBC was moderated by usability and fatigue—factors that constrained users’ ability to act securely even when they understood security requirements. Clustering analysis identified four behavioral segments—Weak-Across-All-Domains, Careless-but-Confident, Fatigued-and-Overloaded, and Compliant-and-Cautious—which collectively illustrated the diversity of behavioral vulnerabilities within the university workforce.
These results confirmed that generic, one-size-fits-all interventions are ineffective in remote academic contexts. Instead, differentiated strategies based on user segmentation can better align security measures with users’ operational realities and psychological states. The resulting UBMSF provides a structured approach for implementing this principle.
Theoretically, this study extends the TPB by embedding contextual moderators, specifically usability difficulty and digital fatigue, within its predictive framework. Traditional TPB applications assume that behavioral intention directly predicts action; however, the present findings demonstrate that intention alone is insufficient in digitally intensive work environments. Secure behavior is contingent on situational conditions that either enable or constrain perceived behavioral control.
This expanded framework contributes to the emerging field of context-aware cybersecurity behavior research, providing an empirical basis for integrating environmental and usability factors into behavioral theory. The framework also bridges behavioral theory and Design Science Research (DSR) by transforming empirical data into an actionable design artefact. Through this integration, the study advances theoretical understanding of how behavioral constructs can inform the design of adaptive cybersecurity interventions in real-world institutional contexts.
Practically, the UBMSF offers a systematic method for identifying, categorizing, and supporting users based on their behavioral and contextual profiles. The segmentation logic enables institutions to tailor interventions to specific user groups rather than applying uniform awareness campaigns. For example:
a) Weak-Across-All-Domains users should receive simplified tools, remote assistance, and step-by-step training focused on essential security tasks.
b) Careless-but-Confident users benefit from behavioral nudges, phishing simulations, and targeted feedback designed to correct overconfidence biases.
c) Fatigued-and-Overloaded users require adaptive security prompts, reduced non-critical notifications, and flexible verification workflows during high workload periods.
d) Compliant-and-Cautious users can serve as peer mentors and departmental security champions, fostering a culture of secure practice.
By implementing such differentiated interventions, universities can optimize resource use while improving behavioral compliance and overall institutional resilience.
From a policy perspective, this research supports a shift from compliance-oriented cybersecurity management to a capability-driven framework that prioritizes user empowerment. Universities should embed behavioral segmentation and adaptive support mechanisms into institutional cybersecurity policy frameworks. Decision-makers can use segmentation data to allocate training, monitoring, and technical support resources where they are most needed, improving both efficiency and inclusiveness.
Furthermore, the study highlights the necessity of integrating ethical governance into user monitoring and intervention systems. The UBMSF includes a governance and privacy layer to ensure transparency, consent, and accountability in data-driven cybersecurity initiatives. Institutions adopting this framework should establish clear communication protocols explaining how segmentation data are collected, stored, and used, thereby maintaining trust between staff and administrators.
The evidence also underscores the importance of capacity building in cybersecurity. Policymakers should invest in developing human and technical capacity to sustain adaptive frameworks, ensuring that interventions remain responsive to evolving user behaviors and technological trends.
While the study achieved its objective, several limitations merit consideration. The findings are based on self-reported data, which may be affected by social desirability bias. Although psychometric testing confirmed internal consistency (α = 0.90), future studies should complement survey results with behavioral telemetry data, where ethically permissible, to triangulate findings.
Additionally, the segmentation thresholds were derived from a Ugandan higher education sample and may require contextual recalibration when applied elsewhere. Future research should test the UBMSF in diverse institutional and cultural contexts to validate its generalizability. Longitudinal studies could also examine how behavioral segments evolve over time, providing insights into the dynamics of fatigue, motivation, and capability in cybersecurity behavior.
Finally, further research should explore how artificial intelligence and predictive analytics can be integrated into the framework’s Monitoring and Analytics component to enable real-time adaptation and precision support for users.
In conclusion, this study developed and validated a User-Behavior Micro-Segmentation Framework (UBMSF) tailored to the cybersecurity management needs of universities operating in remote and resource-constrained environments. The framework addresses the critical gap between user diversity and institutional cybersecurity strategy by translating empirical behavioral evidence into a structured, adaptive management framework.
The research demonstrates that effective cybersecurity extends beyond technical solutions; it depends on human capability, usability, and contextual alignment. By adopting micro-segmentation and context-aware design, universities can transform cybersecurity from a compliance challenge into a participatory process that builds user confidence, sustains secure behavior, and strengthens institutional resilience.
The datasets generated and analysed during the current study contain sensitive behavioral and cybersecurity-related information collected from participants within higher education institutions. The anonymized data are available for academic and non-commercial research purposes in the Zenodo online repository: https://doi.org/10.5281/zenodo.20523809 (Atuhe, A. mike., 2026).
Data are available under the terms of the Creative Commons Attribution 4.0 International license (CC-BY 4.0).