More Than a Feeling: Towards a Holistic Understanding of Emotions and Attitudes in Organizational Cybersecurity

Abstract

As digital transformation accelerates, cyber threats are becoming more sophisticated and frequent, resulting in significant financial consequences. While humans have traditionally been viewed as the weakest link in cybersecurity, they are increasingly recognized as an integral part of the solution in organizational security. Emotions and attitudes significantly influence human behavior - therefore, understanding these factors in the context of cybersecurity is essential for protecting organizations. This doctoral thesis explores emotions and attitudes in cybersecurity holistically by (1) identifying the emotions and attitudes related to organizational cybersecurity, (2) understanding the factors that contribute to emotions and attitudes in organizational cybersecurity, (3) investigating factors that can improve cybersecurity-related emotions and attitudes, and (4) applying reflections on emotions as a method to reshape how employees are viewed and how they are engaged within organizational cybersecurity contexts. To meet these goals, four studies were conducted. In the first study, we examine the diverse range of emotions employees experience regarding organizational cybersecurity, expanding beyond the traditional focus on fear. Through a qualitative survey of 112 participants and in-depth interviews with 26 employees, we identify (partially conflicting) emotions and their causes in individual, interpersonal, and organizational factors. Our findings highlight behavioral, social, and cognitive consequences of these emotions on security perceptions and actions, leading us to propose a framework for understanding cybersecurity-related emotions and recommendations for promoting secure behavior through a human-centered approach that enhances employee well-being. The second study explores how social and emotional dynamics affect users’ engagement with security behaviors using an online survey of 496 participants. We find that social support and emotionally resonant interventions encourage greater adoption of security practices. Engagement is influenced not only by knowledge but also by emotions and social interactions, leading us to advocate for interventions that address these dimensions. In the third study, we examine employees’ attitudes toward cybersecurity through interviews and focus groups with 17 participants. The results show which components contribute to cybersecurity attitudes and which factors, particularly (social) experiences and individual factors, shape attitudes toward cybersecurity. In addition, we highlight the needs users have in order to develop positive attitudes toward cybersecurity. The fourth study looks at how employees interact with cybersecurity in daily organizational life. Through interviews with 20 participants, we identified key points of contact, such as policy awareness and training. Mapping our insights onto the NIST Cybersecurity Framework (NIST-CSF) reveals gaps in employee communication and emotional considerations. We offer recommendations for a holistic, employee-focused approach to organizational cybersecurity strategy. Central findings of this doctoral thesis encompass (1) a framework mapping security-related emotion, their causes and consequences, (2) a framework displaying influencing factors of security attitudes alongside their components, (3) a taxonomy of factors fostering positive attitudes and positive high-arousal emotions, and (4) insights for security practitioners, management, and researchers are provided, along with a discussion of the study’s limitations. The doctoral thesis concludes by suggesting research avenues, such as exploring specific stakeholders within cybersecurity, like the emotional experiences of security practitioners, to promote favorable workplace conditions and improve mental health in this domain.