UCL logo

UCL Discovery

UCL home » Library Services » Electronic resources » UCL Discovery

Risk Understanding is not enough: Identifying and leveraging emotional drivers of security behaviour via the 'Behavioural Security Grid'

Beris, ON; (2017) Risk Understanding is not enough: Identifying and leveraging emotional drivers of security behaviour via the 'Behavioural Security Grid'. Doctoral thesis , UCL (University College London).

Full text not available from this repository.

Abstract

In recent years, organisations have been exposed to unprecedented levels of security breaches leading to significant data losses in many cases. In order to mitigate the risks associated with these threats, standards such as ISO 27001 have been devised to ensure organisations have adequate risk management processes in place. Employee non-compliance render these measures ineffective. The results of this research suggest that focusing on improving employee perception of security risks in order to increase security compliance within organisations is not sufficient to improve security behaviour. Identifying and leveraging positive affective drivers may also be relevance in improving employee security compliance behaviour. The three case studies use a novel methodological approach referred to as the Behavioural Security Grid (BSG) to classify employee security behaviour in relation to four quadrants. The BSG is a revised version of the Johari Window originally developed by Luft and Ingham, using the dimensions of Affective Security and Risk Understanding to better understand security behaviour. The findings demonstrate that positive affective responses towards security coupled with positive understanding of security risks imply improved security behaviour. Case Study 1 compares two organisations Company A and B, where Company B demonstrated significantly positive levels of both Affective Security and Risk Understanding, indicating positive organisational security behaviours. Case Study 2, conducted within Organisation C, a Government department, suggests that Positive Risk Understanding is not sufficient to improve security compliance and that Negative Affective Security indicates dissatisfaction with the security provision within the organisation and may signal possible circumvention. Case Study 3 conducted within Organisation D, across Government departments, suggests that employees demonstrating Positive Risk Understanding and Positive Affective Security imply improved levels of security compliance. The validation survey (Study 4) used as a method to triangulate the results for Case Study 3, supports the findings that Organisation D demonstrates a predominantly positive security culture. Overall, the findings indicate that creating cultures demonstrating Positive Affective Security as well as Positive Risk Understanding may be the missing link to increasing employee participation in improving organisational security behaviours.

Type: Thesis (Doctoral)
Title: Risk Understanding is not enough: Identifying and leveraging emotional drivers of security behaviour via the 'Behavioural Security Grid'
Event: UCL (University College London)
Language: English
UCL classification: UCL > Provost and Vice Provost Offices > UCL BEAMS
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science
URI: http://discovery.ucl.ac.uk/id/eprint/1559593
Downloads since deposit
0Downloads
Download activity - last month
Download activity - last 12 months
Downloads by country - last 12 months

Archive Staff Only

View Item View Item