Cybersecurity in Higher Education Institutions: Awareness, Policy, and Experience on Employee Behaviour

<p>The digital transformation of higher education institutions (HEIs) has introduced unprecedented connectivity and operational efficiency, but it has also heightened their exposure to cyber threats. South African HEIs, in particular, face increasing vulnerability due to their reliance on technology, openness, and diverse user communities. This study examines the influence of the institutional cybersecurity environment on employee cybersecurity-compliant behaviour (CCB), emphasising the critical roles of awareness, policy engagement, and experience. Drawing on Protection Motivation Theory and the Theory of Planned Behaviour, a conceptual model was developed to explore how cybersecurity awareness, policy familiarity, and prior experience shape employees’ attitudes, subjective norms, perceived behavioural control, threat appraisal, and self-efficacy—ultimately driving CCB. Empirical data from 283 HEI employees were analysed using structural equation modelling, ANOVA, and post hoc procedures. Findings reveal that employees with greater awareness of institutional cybersecurity policies demonstrate significantly stronger cybersecurity competencies. The institutional environment has a positive influence on key behavioural constructs, with perceived behavioural control, threat appraisal, and self-efficacy emerging as direct predictors of compliant behaviour. These insights underscore the importance of cultivating a cybersecurity-conscious culture within HEIs. To address these challenges, the study proposes a holistic framework for enhancing employee CCB in South African HEIs. Recommendations include elevating cybersecurity to a strategic management priority, fostering top-level leadership commitment, implementing engaging and inclusive awareness programs, maintaining continuous communication, and nurturing a supportive learning environment. Monitoring and iterative improvement of these initiatives are essential to ensure effectiveness and sustained engagement. This research contributes to the growing body of knowledge on cybersecurity behaviour in educational contexts by offering institution-specific insights and practical strategies. By aligning technological solutions with human-centric approaches, South African HEIs can strengthen their cybersecurity posture and mitigate risks associated with employee vulnerabilities—ultimately safeguarding sensitive data, institutional reputation, and academic continuity.</p>