Beris, Odette Nicole;
(2017)
Risk Understanding is not enough: Identifying and leveraging emotional drivers of security behaviour via the 'Behavioural Security Grid'.
Doctoral thesis (Ph.D), UCL (University College London).
Abstract
In recent years, organisations have been exposed to unprecedented levels of security breaches, leading to significant data losses in many cases. In order to mitigate the risks associated with these threats, standards such as ISO 27001 have been devised to ensure organisations have adequate risk management processes in place. Employee non-compliance renders these measures ineffective. The results of this research suggest that focusing on improving employee perception of security risks in order to increase security compliance within organisations is not sufficient to improve security behaviour. Identifying and leveraging positive affective drivers may also be relevant in improving employee security compliance behaviour. The three case studies use a novel methodological approach referred to as the Behavioural Security Grid (BSG) to classify employee security behaviour in relation to four quadrants. The BSG is a revised version of the Johari Window originally developed by Luft and Ingham, using the dimensions of Affective Security and Risk Understanding to better understand security behaviour. The findings demonstrate that positive affective responses towards security coupled with positive understanding of security risks imply improved security behaviour. Case Study 1 compares two organisations, Company A and B, where Company B demonstrated significantly positive levels of both Affective Security and Risk Understanding, indicating positive organisational security behaviours. Case Study 2, conducted within Organisation C, a Government department, suggests that Positive Risk Understanding is not sufficient to improve security compliance and that Negative Affective Security indicates dissatisfaction with the security provision within the organisation and may signal possible circumvention.
Case Study 3, conducted within Organisation D, across Government departments, suggests that Positive Risk Understanding and Positive Affective Security among employees imply improved levels of security compliance. The validation survey (Study 4), used as a method to triangulate the results for Case Study 3, supports the findings that Organisation D demonstrates a predominantly positive security culture. Overall, the findings indicate that creating cultures demonstrating Positive Affective Security as well as Positive Risk Understanding may be the missing link to increasing employee participation in improving organisational security behaviours.
Type: | Thesis (Doctoral) |
---|---|
Qualification: | Ph.D |
Title: | Risk Understanding is not enough: Identifying and leveraging emotional drivers of security behaviour via the 'Behavioural Security Grid' |
Event: | UCL (University College London) |
Open access status: | An open access version is available from UCL Discovery |
Language: | English |
UCL classification: | UCL > Provost and Vice Provost Offices; UCL > Provost and Vice Provost Offices > UCL BEAMS; UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science; UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science |
URI: | https://discovery.ucl.ac.uk/id/eprint/1559593 |