Use this URL to cite or link to this record in EThOS:
Title: Risk Understanding is not enough : identifying and leveraging emotional drivers of security behaviour via the 'Behavioural Security Grid'
Author: Beris, O. N.
ISNI:       0000 0004 7224 7694
Awarding Body: UCL (University College London)
Current Institution: University College London (University of London)
Date of Award: 2017
Availability of Full Text:
Access from EThOS:
Full text unavailable from EThOS. Restricted access.
Access from Institution:
In recent years, organisations have been exposed to unprecedented levels of security breaches leading to significant data losses in many cases. In order to mitigate the risks associated with these threats, standards such as ISO 27001 have been devised to ensure organisations have adequate risk management processes in place. Employee non-compliance render these measures ineffective. The results of this research suggest that focusing on improving employee perception of security risks in order to increase security compliance within organisations is not sufficient to improve security behaviour. Identifying and leveraging positive affective drivers may also be relevance in improving employee security compliance behaviour. The three case studies use a novel methodological approach referred to as the Behavioural Security Grid (BSG) to classify employee security behaviour in relation to four quadrants. The BSG is a revised version of the Johari Window originally developed by Luft and Ingham, using the dimensions of Affective Security and Risk Understanding to better understand security behaviour. The findings demonstrate that positive affective responses towards security coupled with positive understanding of security risks imply improved security behaviour. Case Study 1 compares two organisations Company A and B, where Company B demonstrated significantly positive levels of both Affective Security and Risk Understanding, indicating positive organisational security behaviours. Case Study 2, conducted within Organisation C, a Government department, suggests that Positive Risk Understanding is not sufficient to improve security compliance and that Negative Affective Security indicates dissatisfaction with the security provision within the organisation and may signal possible circumvention. Case Study 3 conducted within Organisation D, across Government departments, suggests that employees demonstrating Positive Risk Understanding and Positive Affective Security imply improved levels of security compliance. The validation survey (Study 4) used as a method to triangulate the results for Case Study 3, supports the findings that Organisation D demonstrates a predominantly positive security culture. Overall, the findings indicate that creating cultures demonstrating Positive Affective Security as well as Positive Risk Understanding may be the missing link to increasing employee participation in improving organisational security behaviours.
Supervisor: Not available Sponsor: Not available
Qualification Name: Thesis (Ph.D.) Qualification Level: Doctoral
EThOS ID:  DOI: Not available