Using Psychological Theories and Usable Security to Understand Cyber-Security Perceptions and Behaviours Within an Organisation; a Case Study of a Law Firm.

Cyber-security practice is dominated by a focus on attempting to remove “the human” from cyber-security processes, with industry often creating policies that constrain and monitor individuals. Moreover, most existing cyber-security research employs quantitative methods of inquiry and analysis, which has resulted in a lack of qualitative cyber-security research within organisations. Positioned in usable security scholarship, this thesis uses psychological theories (PMT, the EPPM and the TPB) to explore cyber-security culture, perceptions, biases and behaviour within the context of a single organisation. This research presents and reports on a case study of a global law firm. Interviews and focus groups were conducted with 40 participants, who were all employees of this firm. Research findings emerged through an interpretative thematic analysis of focus group and interview data. Through this analysis, four distinct themes were constructed and, hence, form the core of the present thesis. More specifically, these themes comprised (1) organisational perceptions of security culture, (2) the individual human element, (3) perceptions of cyber security training and policies, and (4) the COVID-19 pandemic and the move to remote working. Throughout this work, these themes are put into conversation with psychological theories, heuristics and biases, alongside usable security scholarship, to deepen interpretation and understanding of research findings. By discussing these findings with relevance to psychological theories and usable security, this thesis demonstrates the benefits of positioning the research within these domains to understand cyber-security perceptions and behaviours in a qualitative research context. This thesis shows how academia and industry can work together to conduct human-focused cyber-security research within organisations. The theoretical, methodological and empirical contributions of these findings are discussed, together with suggestions for future research.