Demjaha, Albesë;
(2023)
Co-design and modelling of security policy for cultural and behavioural aspects of security in organisations.
Doctoral thesis (Ph.D), UCL (University College London).
Preview |
Text
Final_Post-viva changes_PhD Thesis_Albese Demjaha_UCL.pdf - Accepted Version Download (4MB) | Preview |
Abstract
Organisations have historically applied a technology-oriented approach to information security. However, organisations are increasingly acknowledging the importance of human factors in managing secure workplaces. Having an effective security culture is seen as preferable to enforced compliance with policy. Yet, the study of security culture has not been addressed consistently, either in terms of its conceptual meaning or its practical implementation. Consequently, practitioners lack guidance on cultural elements of security provisioning and on engaging employees in identifying security solutions. To address existing problems relating to security policy in respect of organisational culture, this thesis explores behavioural and cultural aspects of organisational security. We address gaps in human-centred research, focusing on the lack of work representing real-world environments and insufficient collaboration between researchers and practitioners in the study of security culture. We address these gaps through analytical work, a novel co-design methodology, and two user studies. We demonstrate that current approaches to security interventions mirror rational-agent economics, even where behavioural economics is embodied in promoting security behaviours. We present two case studies exploring the dynamics between security provisioning and organisational culture in real-world environments, focusing on distinct groups of users — employees, security managers, and IT/security support — whose interactions are understudied. Our co-design methodology surfaces the complex, interconnected nature of supporting workable security practices by engaging modellers and stakeholders in a collaborative process producing mutually understood and beneficial models. We find employees prefer local support and assurances of secure behaviour rather than guidance without local context. Trust-based relationships with support teams improve engagement. Policy is perceived through interactions with support staff and by observing everyday workplace security behaviours. We find value in engaging with decision-makers and understanding their decision-making processes. We encourage researchers and practitioners to engage in a co-design process producing multi-stakeholder views of the complexities of security in organisations.
| Type: | Thesis (Doctoral) |
|---|---|
| Qualification: | Ph.D |
| Title: | Co-design and modelling of security policy for cultural and behavioural aspects of security in organisations |
| Open access status: | An open access version is available from UCL Discovery |
| Language: | English |
| Additional information: | © The Author(s). This is an open access article distributed in accordance with the Creative Commons Attribution Non Commercial (CC BY-NC 4.0) license, which permits others to distribute, remix, adapt, build upon this work non-commercially, and license their derivative works on different terms, provided the original work is properly cited, appropriate credit is given, any changes made indicated, and the use is non-commercial. See: http://creativecommons.org/licenses/by-nc/4.0/. |
| UCL classification: | UCL UCL > Provost and Vice Provost Offices > UCL BEAMS UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science |
| URI: | https://discovery-pp.ucl.ac.uk/id/eprint/10173397 |
Archive Staff Only
 |
View Item |
