The University of Southampton
University of Southampton Institutional Repository

Responsibilisation, rules and rule-following concerning cyber security: findings from small business case studies in the UK


MacEwan, Neil Finlay (2017) Responsibilisation, rules and rule-following concerning cyber security: findings from small business case studies in the UK. University of Southampton, Doctoral Thesis, 290pp.

Record type: Thesis (Doctoral)

Abstract

This thesis is the result of an investigation into the challenges that lie within the governance of small business employees’ behaviour towards cyber security. That investigation comprised three stages. The first was an exploration of the political context in which the matter of cyber security sits within the UK. This sought to determine whether cyber security is a policy area where the State continues to push responsibility away from itself and onto non-State actors, as a means of extending and enhancing the governance of situations and environments which have a tendency to produce criminal behaviour (Garland, 1997). More specifically, the research questions explored during this stage were: In the UK, is government discourse responsibilising small businesses, and the people who work within them, for cyber security? If so, how? And with what implications? Answering these questions involved detailed analysis of much government discourse on cybercrime and cyber security. It was found that the UK government continues to employ a responsibilisation strategy in the governance of cybercrime and cyber security. Yet, it has become increasingly frustrated with what it sees as poor risk management by those so responsibilised, such as small businesses. This has caused the government to speak in more judgemental and less tolerant terms on this matter, and thereby also continue to shape victim status in ways that make it increasingly difficult to attain. In turn, this brings consequences which include the danger of victim blaming.

The second and third stages of research sought to evaluate that continuing governmental strategy of responsibilisation ‘on the ground’ and, in particular, to learn how small businesses are coping with the ‘responsibilisation conundrum’ passed on to them by the government: that of getting each of their employees to behave in cyber-secure ways, all of the time. The specific research questions explored during these stages were: Within their everyday working lives, do employees within small businesses practise what their government and their employers preach to them about cyber security? And if not, why not? Answering these questions involved the conduct of case studies within three small businesses. These comprised a five-day Diary Study, followed up by semi-structured Interviewing. Collectively, the findings from these case studies indicated strongly that the government has underestimated the difficulty of that ‘responsibilisation conundrum’, by showing that the governance of employees’ behaviour around cyber security within small businesses, in and beyond the workplace, can be far from straightforward, in a number of ways and for a number of reasons.

However, this research has also gone on to demonstrate that this ‘responsibilisation conundrum’ is even more difficult than has been recognised before, by the government or anyone else, because the matter of rules and rule-following behaviour brings greater complexity to it. Two aspects of this research have combined to shed new light on that ‘responsibilisation conundrum’. Firstly, further findings from those case studies have provided much evidence of the real influences on people’s rule-following behaviour around cyber security, the most potent of which were found to be pragmatism (‘just getting things done’) and consensus (‘that’s how we all do it here’). Secondly, the first application of Meaning Finitism and Rule Scepticism within the subject of cyber security has strongly challenged some assumptions being made by government and businesses about the efficacy of rules and their use in the governance of cyber security.

All of these findings have led to two main recommendations: Firstly, that in future any strategies for governing the human aspects of cyber security should be grounded in people’s lived experiences of cyber security within their everyday working lives. And secondly, as part of a solution to the ‘responsibilisation conundrum,’ a Finitist approach should now be taken to training and otherwise guiding people towards cyber-secure behaviours. Combining a true understanding of the relation between rules and conduct, and a recognition of the multiplicity of cyber security threats, this is an approach that will help shape the behaviour of employees in ways sought but seldom achieved by rule-setting.

Text
Responsibilisation, rules and rule-following concerning Cyber Security: Findings from Small Business Case Studies in the UK - Version of Record
Available under License University of Southampton Thesis Licence.

More information

Published date: September 2017

Identifiers

Local EPrints ID: 417156
URI: http://eprints.soton.ac.uk/id/eprint/417156
PURE UUID: 810aff29-55e3-4248-96e6-9242787ab502
ORCID for Kieron O'hara: orcid.org/0000-0002-9051-4456
ORCID for Craig Webber: orcid.org/0000-0003-3900-7579

Catalogue record

Date deposited: 22 Jan 2018 17:30
Last modified: 16 Mar 2024 03:20

Contributors

Author: Neil Finlay MacEwan
Thesis advisor: Kieron O'hara
Thesis advisor: Craig Webber
