Title: Responsibilisation, rules and rule-following concerning cyber security : findings from small business case studies in the UK
Author: MacEwan, Neil Finlay
ISNI: 0000 0004 6500 6403
Awarding Body: University of Southampton
Current Institution: University of Southampton
Date of Award: 2017
This thesis is the result of an investigation into the challenges that lie within the governance of small business employees' behaviour towards cyber security. That investigation comprised three stages. The first was an exploration of the political context in which the matter of cyber security sits within the UK. This sought to determine whether cyber security is a policy area where the State continues to push responsibility away from itself and onto non-State actors, as a means of extending and enhancing the governance of situations and environments which have a tendency to produce criminal behaviour (Garland, 1997). More specifically, the research questions explored during this stage were: In the UK, is government discourse responsibilising small businesses, and the people who work within them, for cyber security? If so, how? And with what implications? Answering these questions involved detailed analysis of much government discourse on cybercrime and cyber security. It was found that the UK government continues to employ a responsibilisation strategy in the governance of cybercrime and cyber security. Yet, it has become increasingly frustrated with what it sees as poor risk management by those so responsibilised, such as small businesses. This has caused the government to speak in more judgemental and less tolerant terms on this matter, and thereby also continue to shape victim status in ways that make it increasingly difficult to attain. In turn, this brings consequences which include the danger of victim blaming. The second and third stages of research sought to evaluate that continuing governmental strategy of responsibilisation 'on the ground.' In particular, to learn how small businesses are coping with the 'responsibilisation conundrum' passed on to them by the government: that of getting each of their employees to behave in cyber-secure ways, all of the time. 
The specific research questions explored during these stages were: Within their everyday working lives, do employees within small businesses practise what their government and their employers preach to them about cyber security? And if not, why not? Answering these questions involved the conduct of case studies within three small businesses. These comprised a five-day Diary Study, followed up by semi-structured Interviewing. Collectively, the findings from these case studies indicated strongly that the government has underestimated the difficulty of that 'responsibilisation conundrum.' Specifically, by showing that the governance of employees' behaviour around cyber security within small businesses, in and beyond the workplace, can be far from straightforward, in a number of ways and for a number of reasons. However, this research has also gone on to demonstrate that this 'responsibilisation conundrum' is even more difficult than has been recognised before, by the government or anyone else. Specifically, because the matter of rules and rule-following behaviour brings greater complexity to it. Two aspects of this research have combined to shed new light on that 'responsibilisation conundrum': Firstly, further findings from those case studies have provided much evidence of the real influences on people's rule-following behaviour around cyber security, the most potent of which were found to be pragmatism ('just getting things done') and consensus ('that's how we all do it here'). And secondly, the first application of Meaning Finitism and Rule Scepticism within the subject of cyber security has challenged strongly some assumptions being made by government and businesses about the efficacy of rules and their use in the governance of cyber security. 
All of these findings have led to two main recommendations: Firstly, that in future any strategies for governing the human aspects of cyber security should be grounded in people's lived experiences of cyber security within their everyday working lives. And secondly, as part of a solution to the 'responsibilisation conundrum,' a Finitist approach should now be taken to training and otherwise guiding people towards cyber-secure behaviours. Combining a true understanding of the relation between rules and conduct, and a recognition of the multiplicity of cyber security threats, this is an approach that will help shape the behaviour of employees in ways sought but seldom achieved by rule-setting.
Supervisor: O'Hara, Kieron ; Webber, Craig
Sponsor: Not available
Qualification Name: Thesis (Ph.D.)
Qualification Level: Doctoral
EThOS ID:
DOI: Not available