Responsibilisation, rules and rule-following concerning cyber security: findings from small business case studies in the UK
Responsibilisation, rules and rule-following concerning cyber security: findings from small business case studies in the UK
This thesis is the result of an investigation into the challenges that lie within the governance of small business employees’ behaviour towards cyber security. That investigation comprised three stages. The first was an exploration of the political context in which the matter of cyber security sits within the UK. This sought to determine whether cyber security is a policy area where the State continues to push responsibility away from itself and onto non-State actors, as a means of extending and enhancing the governance of situations and environments which have a tendency to produce criminal behaviour (Garland, 1997). More specifically, the research questions explored during this stage were: In the UK, is government discourse responsibilising small businesses, and the people who work within them, for cyber security? If so, how? And with what implications? Answering these questions involved detailed analysis of much government discourse on cybercrime and cyber security. It was found that the UK government continues to employ a responsibilisation strategy in the governance of cybercrime and cyber security. Yet, it has become increasingly frustrated with what it sees as poor risk management by those so responsibilised, such as small businesses. This has caused the government to speak in more judgemental and less tolerant terms on this matter, and thereby also continue to shape victim status in ways that make it increasingly difficult to attain. In turn, this brings consequences which include the danger of victim blaming.
The second and third stages of research sought to evaluate that continuing governmental strategy of responsibilisation ‘on the ground.’ In particular, to learn how small businesses are coping with the ‘responsibilisation conundrum’ passed on to them by the government: that of getting each of their employees to behave in cyber-secure ways, all of the time. The specific research questions explored during these stages were: Within their everyday working lives, do employees within small businesses practise what their government and their employers preach to them about cyber security? And if not, why not? Answering these questions involved the conduct of case studies within three small businesses. These comprised a five-day Diary Study, followed up by semi-structured Interviewing. Collectively, the findings from these case studies indicated strongly that the government has underestimated the difficulty of that ‘responsibilisation conundrum.’ Specifically, by showing that the governance of employees’ behaviour around cyber security within small businesses, in and beyond the workplace, can be far from straightforward, in a number of ways and for a number of reasons.
However, this research has also gone on to demonstrate that this ‘responsibilisation conundrum’ is even more difficult than has been recognised before, by the government or anyone else. Specifically, because the matter of rules and rule following behaviour brings greater complexity to it. Two aspects of this research have combined to shed new light on that ‘responsibilisation conundrum’: Firstly, further findings from those case studies have provided much evidence of the real influences on people’s rule-following behaviour around cyber security, the most potent of which were found to be pragmatism (‘just getting things done’) and consensus (‘that’s how we all do it here’). And secondly, the first application of Meaning Finitism and Rule Scepticism within the subject of cyber security has challenged strongly some assumptions being made by government and businesses about the efficacy of rules and their use in the governance of cyber security.
All of these findings have led to two main recommendations: Firstly, that in future any strategies for governing the human aspects of cyber security should be grounded in people’s lived experiences of cyber security within their everyday working lives. And secondly, as part of a solution to the ‘responsibilisation conundrum,’ a Finitist approach should now be taken to training and otherwise guiding people towards cyber-secure behaviours. Combining a true understanding of the relation between rules and conduct, and a recognition of the multiplicity of cyber security threats, this is an approach that will help shape the behaviour of employees in ways sought but seldom achieved by rule-setting.
University of Southampton
MacEwan, Neil Finlay
281d9970-fb0c-4087-a0d4-544cbc556030
September 2017
MacEwan, Neil Finlay
281d9970-fb0c-4087-a0d4-544cbc556030
O'hara, Kieron
0a64a4b1-efb5-45d1-a4c2-77783f18f0c4
Webber, Craig
35851bbe-83e6-4c9b-9dd2-cdf1f60c245d
MacEwan, Neil Finlay
(2017)
Responsibilisation, rules and rule-following concerning cyber security: findings from small business case studies in the UK.
University of Southampton, Doctoral Thesis, 290pp.
Record type:
Thesis
(Doctoral)
Abstract
This thesis is the result of an investigation into the challenges that lie within the governance of small business employees’ behaviour towards cyber security. That investigation comprised three stages. The first was an exploration of the political context in which the matter of cyber security sits within the UK. This sought to determine whether cyber security is a policy area where the State continues to push responsibility away from itself and onto non-State actors, as a means of extending and enhancing the governance of situations and environments which have a tendency to produce criminal behaviour (Garland, 1997). More specifically, the research questions explored during this stage were: In the UK, is government discourse responsibilising small businesses, and the people who work within them, for cyber security? If so, how? And with what implications? Answering these questions involved detailed analysis of much government discourse on cybercrime and cyber security. It was found that the UK government continues to employ a responsibilisation strategy in the governance of cybercrime and cyber security. Yet, it has become increasingly frustrated with what it sees as poor risk management by those so responsibilised, such as small businesses. This has caused the government to speak in more judgemental and less tolerant terms on this matter, and thereby also continue to shape victim status in ways that make it increasingly difficult to attain. In turn, this brings consequences which include the danger of victim blaming.
The second and third stages of research sought to evaluate that continuing governmental strategy of responsibilisation ‘on the ground.’ In particular, to learn how small businesses are coping with the ‘responsibilisation conundrum’ passed on to them by the government: that of getting each of their employees to behave in cyber-secure ways, all of the time. The specific research questions explored during these stages were: Within their everyday working lives, do employees within small businesses practise what their government and their employers preach to them about cyber security? And if not, why not? Answering these questions involved the conduct of case studies within three small businesses. These comprised a five-day Diary Study, followed up by semi-structured Interviewing. Collectively, the findings from these case studies indicated strongly that the government has underestimated the difficulty of that ‘responsibilisation conundrum.’ Specifically, by showing that the governance of employees’ behaviour around cyber security within small businesses, in and beyond the workplace, can be far from straightforward, in a number of ways and for a number of reasons.
However, this research has also gone on to demonstrate that this ‘responsibilisation conundrum’ is even more difficult than has been recognised before, by the government or anyone else. Specifically, because the matter of rules and rule following behaviour brings greater complexity to it. Two aspects of this research have combined to shed new light on that ‘responsibilisation conundrum’: Firstly, further findings from those case studies have provided much evidence of the real influences on people’s rule-following behaviour around cyber security, the most potent of which were found to be pragmatism (‘just getting things done’) and consensus (‘that’s how we all do it here’). And secondly, the first application of Meaning Finitism and Rule Scepticism within the subject of cyber security has challenged strongly some assumptions being made by government and businesses about the efficacy of rules and their use in the governance of cyber security.
All of these findings have led to two main recommendations: Firstly, that in future any strategies for governing the human aspects of cyber security should be grounded in people’s lived experiences of cyber security within their everyday working lives. And secondly, as part of a solution to the ‘responsibilisation conundrum,’ a Finitist approach should now be taken to training and otherwise guiding people towards cyber-secure behaviours. Combining a true understanding of the relation between rules and conduct, and a recognition of the multiplicity of cyber security threats, this is an approach that will help shape the behaviour of employees in ways sought but seldom achieved by rule-setting.
Text
Responsibilisation, rules and rule-following concerning Cyber Security: Findings from Small Business Case Studies in the UK
- Version of Record
More information
Published date: September 2017
Identifiers
Local EPrints ID: 417156
URI: http://eprints.soton.ac.uk/id/eprint/417156
PURE UUID: 810aff29-55e3-4248-96e6-9242787ab502
Catalogue record
Date deposited: 22 Jan 2018 17:30
Last modified: 16 Mar 2024 03:20
Export record
Contributors
Author:
Neil Finlay MacEwan
Download statistics
Downloads from ePrints over the past year. Other digital versions may also be available to download e.g. from the publisher's website.
View more statistics