Becker, Ingolf;
(2019)
Measuring and Understanding Security Behaviours.
Doctoral thesis (Ph.D), UCL (University College London).
Text: thesis-final-online.pdf - Accepted Version (3MB)
Abstract
Information security embodies the complex interaction between security policies, user perceptions of these policies, productive activity and the security culture in general. The vast majority of organisations consist not solely of data and technology, but have human actors involved in the productive activity, and are thus socio-technical systems. The aim of this thesis is to understand how individuals perceive, understand and react to information security policies, and how they fit into productive tasks, while investigating the viability of measuring each of these aspects. An analytical evaluation and empirical user study in three countries of banking policies evidences difficulties in understanding policies. A second study quantifies actual user characteristics and shows that the assumptions on user behaviour in the policies are unrealistic. Advice attempting to explain security aspects to the general public fails to improve user understanding, and security awareness is promoted without measuring the impact of the interventions. Better understanding and measurements of security culture are needed. This demand is pursued in the remainder of the thesis: in two companies, the results of context-aware surveys that elicit responses to typical scenarios of non-compliant behaviours are evaluated. The responses are used to define the security culture of the company, and to re-frame the notion of Security Champions based on the observed security cultures. Finally, the impact of a change in password policy in a university with over 100,000 users for 17 months is studied. Virtually all users respond positively to the policy change, adopting a more secure password over time in response to a longer password lifetime. This work gives evidence for the benefit of involving users in security decisions. The metrics developed in this thesis allow security to be grounded in the actual circumstances of the organisation and its human actors and security to be evaluated objectively. By involving and empowering individuals, security can become workable and sustainable.
| Type: | Thesis (Doctoral) |
|---|---|
| Qualification: | Ph.D |
| Title: | Measuring and Understanding Security Behaviours |
| Event: | UCL (University College London) |
| Open access status: | An open access version is available from UCL Discovery |
| Language: | English |
| Additional information: | Copyright © The Author 2019. Original content in this thesis is licensed under the terms of the Creative Commons Attribution 4.0 International (CC BY 4.0) Licence (https://creativecommons.org/licenses/by/4.0/). Any third-party copyright material present remains the property of its respective owner(s) and is licensed under its existing terms. Access may initially be restricted at the author’s request. |
| UCL classification: | UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Security and Crime Science |
| URI: | https://discovery.ucl.ac.uk/id/eprint/10072657 |