What Influences People's View of Cyber Security Culture in Higher Education Institutions? An Empirical Study

Tai Durojaiye
Information Security Group, Royal Holloway University of London, Egham, Surrey, United Kingdom
Email: Tai.Durojaiye.2019@live.rhul.ac.uk

Konstantinos Mersinas
Information Security Group, Royal Holloway University of London, Egham, Surrey, United Kingdom
Email: Konstantinos.Mersinas@rhul.ac.uk

Dawn Watling
Department of Psychology, Royal Holloway University of London, Egham, Surrey, United Kingdom
Email: Dawn.Watling@rhul.ac.uk

Abstract

The education sector is considered to have the poorest security culture score amongst many sectors. Human aspects of cyber security, including cyber security culture, have often been overlooked in the study of cyber security and have not been fully explored in Higher Education Institutions (HEIs). The lack of understanding of cyber security culture, the unclear definition of the concept, and the absence of guidance on how to measure and foster it are challenges HEIs face. To address this lack of knowledge and understanding, we explore the factors that influence people's view of cyber security culture in UK HEIs. We interviewed senior HEI leaders, academics, professional services staff, and students (19 participants in total) in three UK universities of similar characteristics. We find that the communication necessary to influence security culture in HEIs is lacking. There is a lack of policies and frameworks in place to guide user behaviour. We also observe that IT expectations are not well defined, and that phishing exercises create problems between the IT team and users. There is no onboarding security training and awareness for students, who make up the largest percentage of the HEI populace. We recommend that senior HEI leaders invest in training and awareness programmes for IT staff and other users, focusing on communication, engagement, collaboration, and social engineering. We also recommend that senior HEI leaders prioritise the creation and implementation of a cyber security strategy on which policies and other security efforts can be based. The adoption of these recommendations could influence the mindsets of users towards engaging in safe cyber security behaviours and, by doing so, improve the culture of security in HEIs.

Keywords: cyber security culture; Higher Education Institutions (HEIs); security behaviour; communication; phishing; training.

I. INTRODUCTION

The increasing use of technology in the twenty-first century continues to yield huge benefits to nations, organisations, and individuals in their day-to-day activities. Modern technological advancements such as Artificial Intelligence (AI), the Internet of Things (IoT), big data, 5G, cloud computing and blockchain have affected different areas of society [1][2]. The application of these technologies has brought improvements to different industry sectors, ranging from medicine to education. However, the reliance on technology also has its challenges. The application of these technological advancements in different domains translates into more data being generated. With the increase in the attack surface (that is, the total of all exposures of an information system) [3] due to the abundance of data generated, organisations become easy targets for cyber attacks. Huge volumes of data have made organisations and users prime targets for cyber attacks and hackers [4]. Cyber attacks use innovative approaches: attackers use different methods and, in some instances, advanced technology to prevent staff and students from gaining access to the data and networks they need. This is a major threat in HEIs, where the availability of information could be denied by cyber attacks [5]. According to [5], most UK HEIs are not well prepared to defend their human and information assets from breaches, phishing attacks, and other security vulnerabilities.

Users continue to pose a threat to the information assets of HEIs. As the PwC Information Security Breaches Survey [6] reports, three quarters of large organisations suffered staff-related security breaches, while for small businesses the figure was one third, a respective rise of 17% and 9% from 2014 to 2015. When organisations were questioned about the single worst breach they suffered, 50% attributed the cause to inadvertent human error, an increase of 19% from 2014 to 2015. Human error can be attributed to accidents or negligence. The importance of paying attention to human error is further corroborated by the IBM survey, which states that nine out of ten information security incidents are caused by some sort of human error [7]. Thus, it is reasonable to hypothesise that human factors constitute a challenge for HEI leaders too.

The approach many organisational leaders have taken to reduce the risk posed by cyber threats is to focus on and increase their investment in technical controls [8]. Traditionally, the focus of risk mitigation in information security has been on technical solutions. Despite this approach to defending the organisational ecosystem, cyber security breaches have not declined [9]. While technical solutions offer some protection, they are not a panacea for all cyber security breaches. Hence, additional defences need to be employed [10]. Over the years the approach to information security has evolved and gone through many stages. As study [11] shows, the information security evolution moved from the