Cultivating Compliance: Building a Robust Information Security Culture in Higher Education Institutions Through Organisational Culture

Student thesis: Doctoral Thesis, Doctor of Philosophy (PhD)

Abstract

Information security threats have been seen to severely impact higher education institutions (HEIs), with over 61 major incidents between 2020 and 2023 in the UK alone and numerous accounts of attacks on the sector globally. These impacts might manifest in adverse effects on the institutions, such as reputational damage and financial loss, or on employees, such as disruptions to workflow, research projects, or mental well-being. HEIs have invested heavily in advanced technology to mitigate or eliminate these security threats. However, it is well known that the primary role in safeguarding organisations from such threats lies with employees in terms of their compliance with information security policies (ISPs). Unfortunately, HEIs worldwide still face an alarming pattern of noncompliance among their employees.

The literature has suggested that cultivating a robust information security culture can improve employees' compliance with ISPs. Despite this, recent data shows that this culture remains relatively weak in HEIs. Further, the literature indicates that there is still uncertainty regarding which factors are essential to build and nurture a desirable security culture at HEIs, possibly exacerbating the problem. Moreover, the role of the broader organisational culture that underlies the security culture has not been investigated in the higher education setting.

To address gaps in the literature, through a mixed-methods approach with participants in the United Kingdom (UK) and Saudi Arabia (SA), the two primary locations of this research, this thesis identifies the key factors of the culture of information security within HEIs, examines the relationships between this culture and the organisational culture, and examines the potential impact of both cultures on employees' compliance behaviours within the HEI setting.

This thesis offers three key contributions to the literature, being:
1- validation of seven key factors, previously attributed in other geographies, that are present in developing an information security culture among HEI employees in the UK and SA,
2- evidence of the true positive impact of organisational culture upon the inherent security culture within HEIs, and
3- a model of compliance behaviour which integrates cultural aspects and explains their effects on shaping HEI employee compliance with security policies.

This thesis, in its conclusion, offers practical guidance to leaders and security professionals on how to implement the seven key factors of information security culture, along with how to approach organisational culture with appropriate strategies, to help foster a robust information security culture within HEIs and promote good compliance with security policies and procedures.

Date of Award: 17 Jun 2025
Original language: English
Awarding Institution: University of Bristol
Supervisor: Marvin Ramokapane (Supervisor) & Barnaby Craggs (Supervisor)
