What influences people’s view of cyber security culture in higher education institutions? An empirical study

A lack of understanding of cyber security culture, an unclear definition of the concept, and unclear guidance on how to measure and foster it are challenges that higher education institutions (HEIs) face. To address this lack of knowledge and understanding, we explore the factors that influence people’s view of cyber security culture in UK HEIs. We interviewed senior HEI leaders, academics, professional services staff, and students (19 participants in total) at three UK universities with similar characteristics. We find that the communication necessary to influence security culture in HEIs is lacking. There is a lack of policies and frameworks to guide user behaviour. We also observe that IT expectations are not well defined, and that phishing exercises create problems between the IT team and users. There is no onboarding security training or awareness programme for students, who make up the largest percentage of the HEI populace.