Cybersecurity attitudes in higher education institutions: A behavioural analysis of faculty and staff in the United Arab Emirates

Cybersecurity in higher education institutions (HEIs) is increasingly recognized as a behavioral and organizational challenge, not solely a technical one. This study investigates the perceptions, awareness, and attitudes of faculty and staff in UAE HEIs toward cybersecurity policies and practices, with a focus on how institutional communication, policy frameworks, and cultural dynamics shape behaviors. Semi-structured interviews were conducted with academic and administrative staff, generating rich qualitative data that were analyzed thematically. The findings reveal three dominant themes. First, cybersecurity training and communication are often symbolic, generic, and disconnected from daily professional contexts, limiting their ability to enhance coping appraisal. Second, misalignment between policy and practice results in frustration and circumvention, as rigid protocols undermine perceived behavioral control and conflict with academic autonomy. Third, organizational culture and peer dynamics play a decisive role in shaping norms of compliance or non-compliance, with weak cultural embedding leaving security viewed as an IT department responsibility rather than a shared institutional value. These findings were integrated into a conceptual model grounded in Protection Motivation Theory (PMT), the Theory of Planned Behavior (TPB), and the COM-B framework. The model demonstrates how institutional mechanisms and cultural factors converge on employee attitudes, which in turn drive secure or insecure behaviors. The study advances theoretical understanding of cybersecurity as a behavioral phenomenon and offers practical recommendations for HEIs, including role-specific training, participatory policy design, and cultural embedding. By addressing attitudinal drivers, HEIs in the UAE can build more resilient cybersecurity cultures in increasingly complex threat landscapes.