        Framework for Assessing Secure Information Behavior in Organizational Context

        MBI Thesis___6449077___Framework for Assessing Secure Information Behavior in Organizational Context.pdf (1.473Mb)
        Publication date
        2025
        Author
        Haan, Tjerk de
        Summary
        In the context of increasing cyberthreats and the widespread use of shadow IT, organisations increasingly recognise the need to address the human dimension of cybersecurity. Despite the growing investment in Security Education Training and Awareness (SETA) programmes, many initiatives do not achieve meaningful behavioural change among employees. This study investigates how organisations can assess and categorise prevalent employee Mental Models (MMs) toward Shadow IT usage, to enhance cybersecurity culture and tailor awareness efforts more effectively. Drawing on the concept of MMs, internal representations that shape an individual’s reasoning and decisions, this research develops a novel framework that combines theoretical taxonomies with practical assessment strategies. A narrative literature review and semi-structured interviews with cybersecurity experts and researchers informed the framework. The study focuses mainly on extending traditional security taxonomies by obtaining metrics related to employee Knowledge, Attitudes, and Behaviour (KAB) dimensions through various elicitation approaches. The findings highlight that inaccurate or incomplete MMs can lead to risky behaviour, such as the unintentional use of unauthorised technologies. However, when identified and categorised, these models offer valuable insight into how and why individuals perceive security threats. The proposed framework enables organisations to systematically measure subjective and objective proxy indicators, providing a more holistic and data-informed approach to cybersecurity awareness.
        URI
        https://studenttheses.uu.nl/handle/20.500.12932/49358
        Collections
        • Theses