Evripidou, Stefanos;
(2025)
Exploring the Development of
Security Culture in Companies that
Use Operational Technology.
Doctoral thesis (Ph.D), UCL (University College London).
![[thumbnail of Evripidou_10216982_Thesis.pdf]](https://discovery.ucl.ac.uk/style/images/fileicons/text.png) |
Text
Evripidou_10216982_Thesis.pdf Access restricted to UCL open access staff until 1 June 2026. Download (3MB) |
Abstract
Operational Technology (OT) refers to software and hardware used to control physical processes in industrial, automation, and transport settings, often forming the backbone of critical infrastructure. The increased cybersecurity risk faced by OT due to its increased connectivity and digitalisation, along with various institutional pressures such as regulation, have driven companies that use OT to improve their cybersecurity practices. One socio-technical approach to address the cybersecurity risk is to develop a culture of security. However, the development of a security culture in OT environments remains underexplored, despite the criticality and risk associated with OT cybersecurity. Therefore, this work aims to understand how companies that use OT develop their security culture, addressing this research gap. To explore this, we conducted 72 interviews with practitioners in OT cybersecurity-related roles and analysed the collected data using reflexive thematic analysis. Our findings highlight multiple factors that affect OT cybersecurity practices and the development of security culture at three different levels: institutional, organisational, and operational. At the institutional level, we underline how the threat landscape, the regulatory landscape, and the security industry shape OT cybersecurity beliefs and practices. At the organisational level, we demonstrate the role of senior management and the security function in mediating various external and internal pressures and fostering cybersecurity change. Notably, we also identify three common challenges that hamper OT cybersecurity practices at the intersection of OT and IT-based functions. Finally, at the operational level, we explore how factors such as the prioritisation of values such as safety, operational realities, and the occupational pathways of OT personnel affect the mindsets of OT personnel. As a result, we identify several cybersecurity misperceptions reinforced by these factors. Overall, this research provides a comprehensive analysis of the cybersecurity challenges faced by companies that use OT in the development of their security culture, contributing to both academic research and industry practice. We conclude this thesis with recommendations on how OT security practices and culture can be improved and provide avenues for future research.
| Type: | Thesis (Doctoral) |
|---|---|
| Qualification: | Ph.D |
| Title: | Exploring the Development of Security Culture in Companies that Use Operational Technology |
| Language: | English |
| Additional information: | Copyright © The Author 2025. Original content in this thesis is licensed under the terms of the Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) Licence (https://creativecommons.org/licenses/by-nc/4.0/). Any third-party copyright material present remains the property of its respective owner(s) and is licensed under its existing terms. Access may initially be restricted at the author’s request. |
| UCL classification: | UCL UCL > Provost and Vice Provost Offices > UCL BEAMS UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science |
| URI: | https://discovery.ucl.ac.uk/id/eprint/10216982 |
Archive Staff Only
 |
View Item |
