An assessment of cybersecurity performance in the Saudi universities: A Total Quality Management approach

Abstract Cybersecurity systems are crucial for safeguarding information assets across various sectors, including government, military, and commercial domains. In Saudi Arabia, cybersecurity has gained significant importance within the national security strategy, resulting in substantial investments in technologies to protect information assets, combat cyber threats, and preserve privacy. In light of Protection Motivation Theory, it is assumed that evaluating the performance of cybersecurity policies and measures (threat appraisal) is vital for their effective implementation (coping appraisal). This study focuses on evaluating the cybersecurity performance of Saudi universities. Employing a mixed-methods design, the study utilizes questionnaires and interviews to collect data. The participants include representatives from 10 Saudi universities, with 107 respondents for the questionnaire phase and 20 participants for the interviews. Diverse job categories and levels within the universities are represented to gather valuable insights from individuals with expertise in cybersecurity and Total Quality Management (TQM) processes. Findings showed that there is room for improvement in the cybersecurity practices of Saudi universities. Only a minority of participants reported regular risk assessments and timely addressing of identified risks. Additionally, participants expressed concerns about the lack of well-defined policies and procedures, insufficient training and awareness programs, and non-compliance with cybersecurity regulations and standards. A significant percentage of participants rated their organization’s cybersecurity performance as average or poor. However, the majority of participants affirmed the importance of cybersecurity in relation to strategic objectives and Total Quality Management. The study stressed the need for comprehensive approaches to cybersecurity, including risk assessment, policy development, training, compliance, and continuous monitoring.


Introduction
With significant advancements in technology, institutions and organizations of all sizes have become increasingly reliant on computers and technology for their operations.However, such an increased reliance also brings a higher risk of being targeted by hackers and cybercriminals seeking to exploit vulnerabilities and hack valuable information.Over the past five years, there has been an unprecedented surge in cyberattacks and cybercrimes (Pellegrino, 2022).The main objective of these attacks is mainly to gain unauthorized access to sensitive information, manipulate data, or cause damage to systems.This malicious intent often involves fraudulent activities like stealing funds, disrupting regular business operations, and pursuing other deceitful motives (Amoroso, 2012).In response to such increasing threats, there has been a significant increase in the demand for robust cybersecurity measures (Green & Green, 2015).As technology continues to play a crucial role in the functioning of government agencies, military forces, and businesses, the importance of cybersecurity systems has become increasingly evident.The widespread reliance on smart technologies and solutions in society has created a high demand for cybersecurity professionals (Flaus, 2019).
Cybersecurity, also known as information security, is a multidisciplinary field within computer science that encompasses various subfields, including software engineering, data science, computer information systems, artificial intelligence (AI), the Internet of Things (IoT), information security, and robotics (Sandhu & Sandhu, 2021).Geers (2011) defines cybersecurity as a discipline within information technology that focuses on protecting individuals, institutions, and systems from digital breaches, unauthorized access, and significant security threats to private data and sensitive information.It is closely associated with concepts such as cybercrime and electronic attacks, which involve using digital technology for illicit activities to gain control over individuals' or organizations' devices or systems, often exploiting vulnerabilities or employing advanced tools (Tehranipoor & Wang, 2011).
The primary objective of cybersecurity is to safeguard digital assets, including data, networks, and information systems, from unauthorized access, manipulation, or destruction.This encompasses protecting against various forms of cyber threats, such as hacking, malware, phishing, ransomware, and social engineering attacks.Implementing robust cybersecurity measures enables individuals and organizations to mitigate risks, maintain system integrity, and protect the confidentiality and availability of their data.Therefore, to achieve effective cybersecurity, several key components and practices must be employed, such as implementing firewalls and intrusion detection systems to monitor and control network traffic, using encryption techniques to secure data during transmission and storage, enforcing strong access controls and authentication mechanisms, regularly updating and patching software and systems, conducting security audits and assessments, and educating users about safe computing practices.
As technology evolves and cyber threats become more sophisticated, the field of cybersecurity continues to advance.Cybersecurity professionals and experts play a vital role in staying ahead of cybercriminals by developing and implementing innovative security solutions, conducting vulnerability assessments, and promptly responding to security incidents.This holistic vision of the severity of cybercrimes and the diverse methods for coping with them is in tune with Protection Motivation Theory (henceforth, PMT) (Rogers, 1975(Rogers, , 1983)).Put simply, PMT proposes that people can protect themselves from any source of danger or threat based on two factors: threat appraisal and coping appraisal.Threat appraisal is mainly concerned with assessing the vulnerability, severity, and seriousness of the current situation.Meanwhile, coping appraisal seeks to identify the most effective methods and techniques to deal with it as well as its cost.
In Saudi Arabia, cybersecurity has emerged as a critical component of the country's national security strategy (Alqurashi et al., 2020).This is primarily due to the rapid development of digital infrastructure and the country's transition towards a digital world.Such a transformation is evident in the global advancements in digital services, robust global networks, information technology systems, and operational technology systems, all of which have been driven by the growth of computer processing capabilities, extensive data storage, communication capabilities, and artificial intelligence (Almomani et al., 2021).Consequently, Saudi Arabia has invested significantly in cybersecurity, utilizing modern technologies to protect information assets, combat cybercriminals, and safeguard the privacy of its citizens, infrastructure, and critical facilities (Dawson et al., 2022).As Saudi Arabia aims to become a smart city with minimal paper usage, the role of cybersecurity professionals in developing appropriate measures to ensure citizen safety from cyber threats and theft becomes even more crucial.
Despite the advancements in cybersecurity systems in recent years, the challenge of protecting computer systems, networks, applications, and software programs from digital attacks persists.In terms of PMT, we assume that the threat-appraisal process would start with the identification and analysis of concurrent threats to information security policies in order to help motivating cybersecurity protection behaviors in the workplace in Saudi Universities (cf.Boss et al., 2015;Posey et al., 2015).Furthermore, to achieve effective cybersecurity in line with the coping-appraisal process, Saudi universities must integrate it into their overall management approach, adopting Total Quality Management (TQM) principles (see Figure 1) to ensure its seamless incorporation into all processes and functions.The underlying premise is that by integrating cybersecurity into TQM, Saudi organizations, namely universities, can continuously monitor and improve their cybersecurity practices to adapt to evolving threats and challenges, ultimately enhancing the overall quality of their products and services.

Total Quality Management
TQM is a management approach that prioritizes the continuous improvement of organizational processes and products or services by involving all members of an organization in a collective effort to meet or exceed customer expectations (Kaynak & Rogers, 2013).In the context of universities, TQM entails applying this approach to enhance the quality of education and services provided to students, faculty, staff, and other stakeholders (Lewis & Smith, 1994).That is why in this paper, we assume that the vitality of the TQM processes relies upon the accurate appraisal of possible threats and offering solutions to cope with such threats.This philosophy represents the core of PMT which operates through seven subconstructs as shown in Figure 2.
To develop protection motivation, we assume that if Saudi universities feel vulnerable to cybercrimes and cyberattacks, they would be easily motivated to adopt protective and preventive behaviors.All measures taken in this regard would add to the total quality of these universities.Yet, implementing TQM in universities necessitates a commitment to quality at all levels of the institution, encompassing teaching, research, administrative processes, and student services (Begum et al., 2020).It involves a relentless pursuit of continuous improvement, aiming to achieve excellence across all aspects of the university's operations.This includes initiatives such as identifying and addressing the needs of students, faculty, staff, and stakeholders, utilizing datadriven decision-making to identify areas for improvement and measure progress toward quality goals, and fostering a culture of continuous improvement (Ross, 2017).
In light of such conceptual integrity, cybersecurity and TQM are interconnected in several ways, as both share a common focus on ensuring the safety, security, and integrity of organizational systems and processes.Firstly, both disciplines require a proactive, preventive approach to risk management.In cybersecurity, this preventive approach involves identifying and mitigating potential vulnerabilities and threats before they can be exploited by attackers.Similarly, in TQM, organizations must identify areas for improvement and implement preventive measures to prevent problems before they arise.Secondly, both cybersecurity and TQM rely on data-driven decisionmaking.In cybersecurity, data is utilized to identify potential threats, monitor system performance, and evaluate the effectiveness of security controls (cf.Taylor et al., 2019).In TQM, data is employed to identify improvement opportunities, measure progress, and make informed decisions regarding resource allocation.Finally, both disciplines emphasize a culture of continuous improvement.In cybersecurity, organizations must continuously adapt their security practices to keep pace with evolving threats and vulnerabilities.Similarly, in TQM, organizations must consistently

Intrinsic reward Extrinsic reward
Coping Appraisal

Response cost
Behavior intention strive to enhance the quality of their products and services to meet the evolving needs of customers and stakeholders.

Knowledge experience
Given such affinities between cybersecurity and TQM, the current study seeks to address three main questions: (1) In light of Protection Motivation Theory (PMT), how can the cybersecurity performance of Saudi universities be evaluated?(2) Why and how can cybersecurity policies and measures be integrated in Total Quality Management (TQM) in Saudi universities?And (3) In light of Protection Motivation Theory (PMT), how can the cybersecurity performance of Saudi universities be enhanced?By answering these questions, we aim at: (1) appraising the Saudi universities' performance with regard to cybersecurity measures and processes, (2) mapping the way cybersecurity practices and measures can be integrated through a TQM approach, and (3) offering recommendations regarding the implementation of effective techniques and strategies for promoting the current cybersecurity practices.To collected relative, and representative data to achieve this three-fold objective, both quantitative and qualitative methods are used in the form of a questionnaire survey and interviews to examine users' perceptions regarding the policies and procedures implemented by Saudi universities in the area of cybersecurity.
The rest of this paper is structured as follows.Part 2 provides a brief overview of the approaches substantially implemented to evaluate cybersecurity measures and policies in organizations and institutions in general, with a specific focus on universities.Part 3 outlines the research methods in terms of data collection techniques and the procedures of analysis.Part 4 presents the findings derived from the study.Lastly, Part 5 comprises the discussion and conclusion sections.

Literature review
In recent years, there has been a remarkable advancement in technology and information, necessitating the need for digital solutions to ensure the security of individuals, organizations, and even countries.Consequently, cybersecurity has emerged as a discipline within information and computer sciences to address the outbreak of digital attacks, immune viruses, and cybercrimes.Such attacks and crimes are mainly launched to manipulate the digital systems of individuals and organizations, leading to data control, extortion, theft, and deliberate information sabotage (Middleton, 2017).Cybercrimes encompass organized attacks where victims' digital systems are fully controlled, known as cyberattacks.To protect individuals and institutions against such attacks, a set of crucial cybersecurity measures are often implemented.This process is referred to as "cyber shield" whose mechanism relies on an integrative system for protecting users' privacy, securing communication channels, detecting threats, and securing data recovery.
Indeed, cyberattacks pose a serious threat to individuals, entities, institutions, and even states as they aim to disrupt, destroy, or gain unauthorized access to valuable or sensitive data.In some cases, attacks may target individuals who act as links to other valuable parties or possess difficult-to-penetrate devices or technologies.For example, in 2020, as reported by many news corporations, a university clinic in Germany fell victim to a complete system hack due to a technological vulnerability in one of its devices.
The emergence of cybersecurity not only aims to defend against malicious computer attacks but also involves proactive measures to discover and address system vulnerabilities as soon as they are identified (Taylor et al., 2019).Consequently, there has been increasing interest in cybersecurity within the research and academic communities (Kokaji & Goto, 2022).Cybersecurity systems have played a crucial role in protecting individuals, organizations, and businesses from illegal activities, especially those occurring on the dark web.Such activities not only endanger lives but also expose individuals to legal and ethical repercussions (Daimi & Peoples, 2021).Additionally, cybersecurity systems help countries safeguard the confidentiality of their information, protecting them from penetration by hostile nations and electronic attacks that could lead to economic losses or paralysis, effectively becoming a modern form of warfare (Williams & Fiddner, 2016).
Since its inception, cybersecurity research has focused on creating reliable cybersecurity and cyber deterrence mechanisms, such as firewalls, to counter cybercrime and cyberattacks.Firewalls act as electronic filters within a cybersecurity system, allowing trusted programs and technologies to operate while preventing the infiltration of malicious programs or the exploitation of vulnerabilities (Togay et al., 2022).The underlying principle of firewalls is based on treating all programs as potentially untrustworthy in the cybersecurity realm until their safety is verified through reputable electronic stores.Only programs that have been confirmed as safe are allowed to pass through, while unknown sources are not integrated in the system (Mihalos et al., 2019).
In a similar context, there is a continuous interest in identifying cyber threats that can pose serious problems for organizations and institutions, including universities.The most common types of cyber threats can be summarized as follows:

Malware
Malware refers to complex viruses designed to bypass existing security measures in a system, weakening them and gaining control or modifying sensitive data by exploiting vulnerabilities (Ngo et al., 2020;Usman et al., 2021).

Ransomware virus
Ransomware is a highly dangerous form of electronic attack that occurs frequently in today's digital world.Recent statistics indicate that at least one instance of this type of attack occurs every 10 seconds worldwide (Farhat, 2021).In a ransomware attack, the victim's entire data set is blocked and encrypted, with access only granted after paying a ransom.The perpetrators of these viruses exploit the situation by imposing crippling demands on the victim, especially if the data is sensitive and personal (Shammugam et al., 2021).

Phishing
Phishing exploits the victim's lack of knowledge about technology or inattention to presented information.Attackers aim to obtain sensitive information, such as credit card details or login passwords for various digital platforms, by tricking victims into sharing such information.Phishing attacks are common in the electronic space and require victims to divulge private information that should not be shared publicly (Bax et al., 2021).In 2020, it was expected that more than 2.1 million websites would solely focus on phishing, accounting for 80% of attacks against people and businesses (Frauenstein & Flowerday, 2020).

Middleman attacks
Middleman attacks are frequently used in cyberattacks where attackers exploit a vulnerable second source on which the victim relies to gain access to the system.Such attacks might include taking advantage of weakly protected Wi-Fi networks and targeting the devices connected to them.Attackers may install harmful software to gain control over the system (Kondracki et al., 2020).

Spear phishing
Spear phishing is a targeted form of cyberattack that focuses on individuals or businesses.Attackers conduct a thorough analysis of the target's security measures, identifying weaknesses that can be exploited to gain access to sensitive information.They then devise a plan to exploit these vulnerabilities and take control of the system (Burns et al., 2019;Shakela & Jazri, 2019).

Advanced long-term sequence
Advanced long-term sequences attack security systems covertly and gradually, remaining unnoticed until significant harm has already been done, thereby taking full control of the system (Saharkhizan et al., 2020).

Denial-of-service attacks
Denial-of-Service Attacks occur when the system is overwhelmed with traffic, messages, and fake users (Shen et al., 2019).This pressure on the servers disables or slows them down, resulting in heavy losses, especially if the attack coincides with peak periods when the company expects high visitor turnout, such as during seasonal sales or after advertising strong competitive offers (Ibtissam et al., 2022).
In parallel with cybersecurity research, various assessment approaches for cybersecurity systems have been developed.Most of the available publications on the cybersecurity policies and measures in Saudi universities focus mainly on exploring students' perceptions and views.For instance, Mohamemd and Bamasoud (2022) explored some techniques to enhance students' cybersecurity awareness to alleviate the threats of cybercrimes, and to develop cybersecurity culture as a part of the Saudi Vision 2030.Findings affirmed that cybercrimes in Saudi Arabia cause three main threats: loss of confidentiality, loss of integrity, and loss of availability.Also, findings showed that Saudi university students lack the appropriate awareness of cybersecurity.Such lack of awareness is attributed to many factors as argued by Alqahtani (2022).Based on data reported from 450 respondents, these factors included the browser security, the password security, and social media activities.
Likewise, Alharbi and Tassaddiq (2021) reported that Saudi university students suffered from diverse cybersecurity issues, including computer viruses, popup windows, forged advertisements, and phishing.Yet, students lacked the essential knowledge about cybersecurity.However, Aljohni et al. (2021) affirmed that students in informatics and computer science have a higher level of cybersecurity awareness.Furthermore, urban students showed better awareness.In response to such lack of cybersecurity awareness, Dawson (2022), based on his assessment of the cyberattacks against Saudi institutions such as Aramco, called for a shift to cyber readiness based on the use of new technologies, the enactment of new laws, and developing a cybersecurity culture through the educational institutions.
Similarly, there is abundant literature on evaluating cybersecurity systems in sectors such as banking (e.g.,), e-commerce (e.g.,), and healthcare (e.g.,).However, there is a notable dearth of research on evaluating cybersecurity systems in universities and educational institutions, as well as their significance in Total Quality Management (TQM) processes.Therefore, the present study aims to bridge this existing gap in the literature by conducting an evaluation of cybersecurity systems in the context of higher education and investigating their integration into TQM processes within Saudi universities.

Methodology
This section discusses the study methodology in terms of the participants, data collection methods, and procedure of analysis.

Participants
The current study targeted participants in 10 Saudi universities with the main objective of exploring diverse insights and perspectives from a wide range of educational institutions in Saudi Arabia, thereby allowing for a robust analysis of the data.By targeting participants from various universities, we sought to capture a representative sample that could provide valuable configuration of the current state of cybersecurity practices and their alignment with TQM principles in the Saudi higher education context.To ensure the representativeness of the study participants, we invited male and female participants from different colleges, administrative departments, levels, and work experiences, living in urban and rural regions.Also, the participants included individuals from the Deanships of Quality and IT, who possess valuable insights and expertise related to cybersecurity and Total Quality Management (TQM) processes.
The selection of participants from different job categories and levels within the universities was intended to capture a broad range of perspectives and experiences.This approach allows for a comprehensive exploration of the topics under investigation and provides a deeper understanding of the challenges and potentials associated with cybersecurity in the higher education context.The analysis process of the collected responses was geared towards identifying patterns, themes, and correlations within the data to gain a comprehensive understanding of the participants' perceptions and experiences.The responses received from the participants were carefully examined and analyzed to derive meaningful conclusions regarding the evaluation of cybersecurity systems and their integration into Total Quality Management (TQM) processes.Such analysis serves as the foundation for drawing conclusions and making recommendations regarding the evaluation and enhancement of cybersecurity systems within Saudi universities.

Design
Given the objectives of the current study and to increase the validity and reliability of findings, we employ a mixed-methods research design, i.e., both quantitative and qualitative methods.Therefore, the study incorporates both questionnaires and interviews to collect data.While questionnaires and interviews are commonly used methods in social research, they possess distinct characteristics and offer unique insights.By combining these two methods, a more comprehensive understanding of cybersecurity performance and its relationship to TQM processes in Saudi universities can be achieved.

The questionnaire
The questionnaire is mainly designed and assessed to explore users' perceptions regarding the policies and procedures adopted by Saudi universities.Based on available literature, the questionnaire is formulated with regard to six key performance indicators (KPIs): Risk assessment, policies and procedures, training and threat awareness, compliance and auditing, incident response, and continuous monitoring.The rationale beyond the selection of these KPIs can be illustrated as follows: • Risk Assessment: In relation to the PMT-based process of threat appraisal, evaluating cybersecurity performance necessitates a thorough risk assessment process, identifying potential threats and vulnerabilities that pose risks to the institution's cybersecurity.This assessment helps prioritize areas for improvement and determine appropriate actions to mitigate risks.
• Policies and Procedures: Effective cybersecurity management in government institutions relies on well-established policies and procedures.Such policies should clearly define roles and responsibilities related to cybersecurity, such as incident response plans, access control, and data protection.Regular communication and updates on these policies are essential to addressing changes in the threat landscape.Having clear and timely decisions would ease all the processes of TQM.
• Training and Threat Awareness: Enhancing cybersecurity performance requires training and awareness programs for employees, as they often represent the weakest link in the system.Regular programs help employees identify potential threats, avoid common mistakes, and adhere to established policies and procedures.In so doing, the PMT-based process of coping appraisal would be more effective.
• Compliance and Auditing: Government institutions, including universities, must comply with relevant regulations and standards to maintain cybersecurity performance.Conducting regular audits of cybersecurity controls helps identify non-compliance areas and opportunities for improvement.Additionally, cybersecurity professionals must adhere to legislations and policies related to information security to prevent unauthorized access and misuse.Such legislations and laws vary depending on the specific field or area of cybersecurity protection implementation.
• Incident Response: An efficient incident response plan is crucial for evaluating cybersecurity performance.Government institutions need a well-defined plan outlining the necessary steps to take during a cybersecurity incident.Regular testing ensures the plan's effectiveness.This indicator would help with improving the cycle of threat appraisal.
• Continuous Monitoring: Continuous monitoring is essential to maintaining effective and up-to-date cybersecurity controls.Regular vulnerability assessments, penetration testing, and security audits help identify new threats and vulnerabilities, offering opportunities for enhancing cybersecurity performance.
In light of these KPIs, the questionnaire comprised five statements, each with four distractors.It was administered online to 150 participants via their official emails.Only one answer is accepted for each statement as answers represented different values, e.g., "agreed", "rarely", "occasionally", etc.The statements covered the following issues: the performance of regular risk assessment, the timely prioritization and treatment of risks, offering regular training to support cybersecurity culture, the interrelation between cybersecurity and the institution's strategic objectives, and rating the institution's overall cybersecurity performance.

The interviews
Since all the data elicited through the questionnaire is quantitative and sometimes lacks in-depth, detailed answers, interviews would fill in this lacuna.Interviews in the current study aim at offering a thematic content analysis of the aspects characteristic of the universities' cybersecurity performance.These interviews were conducted with a total of 20 participants through online meetings including at 2 representatives for each university.During the interviews, the participants were asked a series of questions offering a thematic analysis of the various aspects of cybersecurity.These thematic foci included internal and external threats, the importance of a comprehensive vision, diversity in cybersecurity approaches, different types of threats, the potentials and challenges of cybersecurity, the relationship between cybersecurity and strategic objectives, the integration of cybersecurity into Total Quality Management (TQM) processes, and ways of improving cybersecurity performance.Furthermore, the interview questions were designed to elicit indepth responses from the participants, providing valuable insights into their perspectives, experiences, and recommendations regarding cybersecurity practices in Saudi universities.
Such a methodological triangulation based on the incorporation of questionnaires (quantitative) and interviews (qualitative) helped to gather comprehensive insights into cybersecurity performance and its integration into TQM processes within Saudi universities.Triangulation "gives a more detailed and balanced picture of the situation" (Feldman et al., 2018, p. 14).That is, the questionnaire allows for a broader perspective, while interviews provide in-depth understanding and contextual information.In other words, the quantitative data obtained from the questionnaire survey provides a broader understanding of users' perceptions, while the qualitative data from the interviews offers richer and more nuanced insights from experts in the field.The combination of these methods enhances the overall validity and reliability of the study's findings.

The questionnaire
The questionnaire was administered to 150 persons in the 10 universities, but only 107 participated.Table 1 below summarizes participants' responses to the five statements.
In response to statement (1), [My university performs risk assessments to identify potential cybersecurity threats and vulnerabilities], only 37% of the participants agreed that their university performs regular risk assessments to identify potential cybersecurity threats and vulnerabilities.The majority of the participants, around 38%, indicated that risk assessments are rarely conducted, possibly indicating a lack of emphasis on proactive cybersecurity measures.Approximately 4% of the participants stated that risk assessments are conducted occasionally, such as once or twice a year, indicating a low level of attention to cybersecurity risks.Also, 4% of the participants mentioned that risk assessments are conducted semi-regularly, possibly on a quarterly or biannual basis, showing weak commitment to monitoring and addressing potential risks.Around 11% of the participants reported that risk assessments are conducted frequently, such as monthly or every few months, demonstrating a proactive approach to cybersecurity management.Finally, approximately 6% of the participants confirmed that risk assessments are conducted regularly and consistently, indicating a strong focus on proactive risk identification and mitigation.
In response to the statement (2), [My university prioritizes and addresses the identified risks in a timely manner], only 43% of the participants strongly agreed that their universities prioritize and address identified risks in a timely manner.Similarly, 41% of the participants agreed that their university has well-defined policies and procedures for managing cybersecurity.Regarding statement (3), [My university provides training and awareness programs on cybersecurity to employees …………], only 36% of the participants agreed that their organization offers regular training and awareness programs on cybersecurity to employees.Furthermore, 40% of the participants agreed that their organization complies with relevant regulations and standards for cybersecurity regularly and consistently.
With regard to statement (4), [There is a strong relationship between cybersecurity and the strategic objectives of my university], only 48% of the participants stressed that cybersecurity is strongly related to the strategic objectives of their universities.Similarly, only 44 % of the participants agreed.This means that the majority of the participants believe that cybersecurity is among the KPIs of Total Quality Management.
Finally, in response to statement ( 5), [I would rate the overall cybersecurity performance of my university as ……….], participants provided varied responses indicating their perceptions of their university's overall cybersecurity performance.The breakdown of the responses is as follows: Only 16% of the participants rated their university's cybersecurity performance as excellent.They highlighted that their university implements robust measures, policies, and procedures, regularly conducts risk assessments, effectively addresses identified risks, provides comprehensive training and awareness programs, and complies with relevant regulations and standards.
12% of the participants rated their universities' cybersecurity performance as good.They believe that their organization has implemented adequate cybersecurity measures, although there may be some areas for improvement.They perceive that their universities prioritize risk management, conduct regular assessments, and demonstrate a commitment to cybersecurity.24% of the participants rated their university's cybersecurity performance as average.They expressed that their universities implement basic cybersecurity measures, but they feel that there is room for improvement in terms of comprehensive policies, regular risk assessments, and proactive measures.30% of the participants rated their university's cybersecurity performance as poor.They believe that their organization neglects risk assessments, lacks clear policies and procedures, provides inadequate training and awareness programs, and fails to comply with relevant regulations and standards.Finally, 18% of the participants reported that they are uncertain about rating their universities' cybersecurity performance.This could indicate a lack of knowledge or information regarding the university's cybersecurity practices.
The findings of this quantitative analysis suggest that there is a need for improvement in the areas of risk prioritization and timely response to identified risks within the universities where participants are affiliated.The relatively low agreement percentage (43%) regarding the prioritization and timely addressing of identified risks indicates that a significant portion of the participants feel that their universities may not be effectively managing and mitigating cybersecurity risks in a timely manner.This finding is crucial since delays in addressing risks can leave organizations vulnerable to potential threats and vulnerabilities.Furthermore, the low agreement percentage (41%) regarding well-defined policies and procedures for managing cybersecurity highlights a potential gap in the implementation and communication of cybersecurity measures within the participants' universities.This finding implies that there might be a need for universities to strengthen their policies and procedures to enhance cybersecurity management practices.Well-defined policies and procedures are essential for providing clear guidelines and instructions to employees, thereby ensuring consistency in cybersecurity practices, and mitigating potential security gaps.Relatedly, improving risk prioritization and timely response requires organizations to establish effective incident response plans, allocate appropriate resources, and foster a culture of proactive risk management.It is crucial for Saudi universities to regularly assess and update their policies and procedures to align with industry best practices, emerging threats, and regulatory requirements.Enhancing communication and training initiatives can also contribute to raising awareness among employees about the importance of cybersecurity and their roles in maintaining a secure environment.
These findings imply that Saudi universities are entitled to recognize the critical role of cybersecurity in achieving their strategic objectives and quality management goals.By incorporating cybersecurity as an integral part of the strategic planning process and including it as a measurable KPI in the TQM system, organizations can ensure that cybersecurity receives the necessary attention, resources, and focus for effective implementation.Equally important, enhancing the relationship between cybersecurity and strategic objectives involves integrating cybersecurity considerations into organizational decision-making processes, resource allocation, and risk management practices.It requires raising awareness among stakeholders about the significance of cybersecurity and its alignment with the university's mission and goals.In so doing, organizations can enhance their cybersecurity resilience, protect critical assets, and contribute to the overall success and sustainability of their universities.

The interview
By means of thematic content analysis, findings showed that the data set collected from the interviews is based on six thematic foci that can be explained as follows:

Internal and external threats
This theme focuses on the challenges posed by both internal and external threats to cybersecurity in Saudi universities.It explores the participants' perceptions of the risks associated with their behavior and actions within the institution, as well as the external risks originating from the digital world.Furthermore, the interviewees emphasized the importance of protecting devices from internal threats in cybersecurity.However, the majority of participants highlighted that internal threats still pose significant challenges to IT departments at their universities.This can be attributed to users' lack of awareness or knowledge in the field of information security.Users may unintentionally activate programs of unknown origin or use tools that compromise their personal security and sensitive information.Additionally, the use of tools containing malicious viruses can jeopardize system integrity.In such cases, cybersecurity measures promptly alert individuals or organizations of potential dangers and prevent harmful actions from occurring.
Equally important, the interviewees widely agreed that safeguarding against external threats is a critical aspect of cybersecurity performance in their institutions.However, most participants expressed concerns about the absence of robust firewalls in their universities to filter external risks arising from digital interactions such risks include dangerous electronic messages, malicious links, viruses, and exploitable system weaknesses or vulnerabilities.Many universities rely on traditional cybersecurity systems for website and email protection, which may not be sufficient to address the evolving threat landscape.

Comprehensive vision
A significant number of interviewees raised concerns that users in their universities lack a comprehensive understanding of the strengths and weaknesses within their IT systems.This lack of awareness hinders the identification of technological gaps and timely problem-solving.In response, interviewees suggested the need for institutions to provide users with insights into the ideal prevention measures and ensure that recurring issues are effectively addressed.

Diversity
Interviewees stressed the importance of cybersecurity systems to effectively address various types of cyber threats and attacks to offer comprehensive solutions.They also emphasized the need for a holistic approach that analyzes, detects, addresses, and prevents all possible types of attacks that could compromise the security and integrity of information.

Types of threats
The interviewees identified several prominent types of threats that significantly impact Saudi universities, causing substantial losses.These threats include, but are not limited to, malware, ransomware viruses, phishing attacks, middleman attacks, spear phishing, and advanced longterm sequence attacks.

Potentials and challenges of cybersecurity
Saudi universities are currently facing a shortage of qualified professionals in the fields of information security and cybersecurity.Despite the growing reliance on information technology, the availability of skilled experts remains a challenge.This shortage poses obstacles to effectively addressing cyber threats and protecting universities portal.

Ways of improving cybersecurity performance
To enhance cybersecurity in Saudi universities, interviewees recommended: • prioritizing cybersecurity as a top priority and implementing measures to block attacks, leveraging global experiences and best practices • fostering partnerships between Saudi universities studying cybersecurity and leading European universities to ensure the adoption of advanced curricula • establishing specialized teaching programs in cybersecurity under the guidance of experienced instructors.These programs should focus on developing students' theoretical and technical skills and provide practical training to align with industry demands.
• encouraging the Ministry of Education to direct universities to form specialized cybersecurity teams in each college to address the rising number of electronic attacks.
• developing cybersecurity programs in Saudi universities that adhere to international standards, meeting the needs of the labor market, and providing global educational resources and practical laboratories.
The results of the current study on evaluating cybersecurity performance in Saudi universities can be related to previous studies in several ways.Firstly, the study contributes to the existing literature by focusing specifically on the evaluation of cybersecurity systems in the context of universities and educational institutions.While there is prolific research on the evaluation of cybersecurity systems in various sectors such as banking, e-commerce, and healthcare, very little has been done in the context of universities.Therefore, this study fills a gap in the literature by shedding light on cybersecurity performance and its integration into Total Quality Management (TQM) processes in Saudi universities.
Secondly, results align with previous research that emphasizes the importance of comprehensive cybersecurity measures.It highlighted the significance of risk assessment, policies and procedures, training and awareness, compliance and auditing, incident response, and continuous monitoring in evaluating cybersecurity performance.These themes are consistent with the broader literature on cybersecurity which underscores the need for a holistic approach to protect sensitive data, mitigate risks, and respond effectively to cyber threats.
Furthermore, the study results corroborate the importance of addressing internal and external threats in cybersecurity.Participants emphasized the challenges posed by internal threats, such as user ignorance or lack of awareness regarding information security, which aligns with previous studies highlighting the role of human factors in cybersecurity vulnerabilities.Similarly, participants highlighted the criticality of protecting against external threats, including the need for capable firewalls and robust cybersecurity systems to filter risks originating from the digital world.These findings are consistent with prior research that emphasizes the significance of safeguarding against both internal and external threats to ensure robust cybersecurity.
Moreover, the study results underscored the need for cybersecurity awareness, training, and infrastructure development in universities.These results are in line with previous studies that emphasize the importance of cybersecurity education and training programs for employees, students, and faculty members.The study also highlighted the need for cybersecurity governance and alignment with strategic objectives, which resonates with research emphasizing the integration of cybersecurity into organizational strategies and objectives.

Conclusions & recommendations
In conclusion, cybersecurity plays a vital role in supporting the development of cloud technology services by creating a protective barrier that instills user confidence in the efficiency and security of data storage.This confidence encourages users to invest in these services with peace of mind, leading to their increased adoption and utilization.Furthermore, prioritizing cybersecurity on websites and services provides service providers with a competitive advantage.Users are more inclined to engage with secure websites, particularly those involving payment gateways or the sharing of sensitive and personal information.By paying attention to cybersecurity, service providers can attract and retain customers by offering a safe and trustworthy online environment.
The evaluation of cybersecurity performance in Saudi universities necessitates a comprehensive approach that encompasses various aspects.These aspects include risk assessment, the establishment of effective policies and procedures, training and awareness programs, compliance and auditing, incident response planning, and continuous monitoring.By adopting this holistic approach, Saudi universities can better safeguard sensitive data, protect critical infrastructure, and enhance their overall cybersecurity performance.Moreover, the relationship between cybersecurity and Total Quality Management (TQM) lies in their shared focus on risk management, datadriven decision-making, and continuous improvement.By incorporating TQM principles into their cybersecurity practices by applying the constructs of PMT, Saudi universities can establish a proactive and comprehensive cybersecurity program that safeguards their assets and meets the expectations of stakeholders.
As Saudi universities strive to excel in cybersecurity, several strategic objectives should be pursued.Cybersecurity awareness needs to be included as a strategic objective in the universities' plans and aligned with their overall strategic vision.It is crucial to provide cybersecurity awareness training to students, employees, and faculty members to enhance their understanding and adherence to cybersecurity best practices.Additionally, the development of robust cybersecurity infrastructure, enforcement of cybersecurity governance, and alignment of cybersecurity initiatives with the Kingdom's Vision 2030 should be key considerations.Further to this, this study emphasized the importance of cybersecurity evaluation, integration with TQM processes, and the implementation of strategic objectives in Saudi universities.By addressing these aspects, Saudi universities can enhance their cybersecurity capabilities, protect valuable data and assets, and contribute to the broader national objectives of cybersecurity advancement.
Figure 1.Principles of Total Quality Management (TQM).