Title: Measuring and understanding security behaviours
Author: Becker, Ingolf
ISNI: 0000 0004 7965 0427
Awarding Body: UCL (University College London)
Current Institution: University College London (University of London)
Date of Award: 2019
Availability of Full Text:
Access from EThOS:
Full text unavailable from EThOS. Please try the link below.
Access from Institution:
Information security embodies the complex interaction between security policies, user perceptions of these policies, productive activity and the security culture in general. The vast majority of organisations consist not solely of data and technology, but have human actors involved in the productive activity, and are thus socio-technical systems. The aim of this thesis is to understand how individuals perceive, understand and react to information security policies, and how they fit into productive tasks, while investigating the viability of measuring each of these aspects. An analytical evaluation and empirical user study in three countries of banking policies evidences difficulties in understanding policies. A second study quantifies actual user characteristics and shows that the assumptions on user behaviour in the policies are unrealistic. Advice attempting to explain security aspects to the general public fails to improve user understanding, and security awareness is promoted without measuring the impact of the interventions. Better understanding and measurements of security culture are needed. This demand is pursued in the remainder of the thesis: in two companies, the results of context-aware surveys that elicit responses to typical scenarios of non-compliant behaviours are evaluated. The responses are used to define the security culture of the company, and to re-frame the notion of Security Champions based on the observed security cultures. Finally, the impact of a change in password policy in a university with over 100,000 users for 17 months is studied. Virtually all users respond positively to the policy change, adopting a more secure password over time in response to a longer password lifetime. This work gives evidence for the benefit of involving users in security decisions. The metrics developed in this thesis allow security to be grounded in the actual circumstances of the organisation and its human actors and security to be evaluated objectively.
By involving and empowering individuals, security can become workable and sustainable.
Supervisor: Not available
Sponsor: Not available
Qualification Name: Thesis (Ph.D.)
Qualification Level: Doctoral
EThOS ID:
DOI: Not available