PhD defence: Volitional Cybersecurity

In this dissertation, we introduce the ‘Volitional Cybersecurity Theory’ (VCS) as a systematic way to think about the adoption of cybersecurity approaches, its management and long-term adherence to it. The theory has been tested in the context of small- and medium-sized enterprises and businesses (SMEs/SMBs). The focus on volitional activities promotes theoretical viewpoints. Also, it explains certain aspects of cybersecurity behaviour, such as behaviour in heterogeneous contexts that has neither been systematically elaborated in prior studies nor been embedded in cybersecurity solutions.

VCS is a cybersecurity-focused theory structured around the core concept of volitional cybersecurity behaviour. It suggests that a context can be classified based on the cybersecurity competence of target groups and their distinct requirements. This classification diminishes the complexity of the context, and is predictive of improvement needs for each class.

In addition, the theory explicates that supporting personalisation, competence, and connectedness to cybersecurity expertise affect the adoption of cybersecurity measures. Also, they lead to more engagement across all classes of the context. Therefore, approaches that ignore these three aspects may lead to poorer acceptance of the value or utility of solutions. Subsequently, it can cause a lack of motivation for adopting cybersecurity solutions and adherence to best practices.