Elsevier

Computers & Security

Volume 98, November 2020, 102003
Developing cybersecurity culture to influence employee behavior: A practice perspective

https://doi.org/10.1016/j.cose.2020.102003

Abstract

This paper identifies and explains five key initiatives that three Australian organizations have implemented to improve their respective cyber security cultures. The five key initiatives are: identifying key cyber security behaviors, establishing a 'cyber security champion' network, developing a brand for the cyber team, building a cyber security hub, and aligning security awareness activities with internal and external campaigns. These key initiatives have helped organizations exceed minimal standards-compliance to create functional cyber security cultures. This paper discusses why these initiatives have been effective and provides practical guidance on their integration into organizational security program

Introduction

Due to the ever-increasing reliance on information and information systems in modern business processes, the strategic interests of organizations have never been more vulnerable to cybersecurity attacks, which can result in catastrophic consequences such as the leakage of trade secrets and intellectual property, or the disruption of mission-critical systems (Bada et al., 2019; Willison et al., 2018). Recent security reports show that a significant proportion of cybersecurity breaches are caused by employee noncompliance with organizational information security policies (NTT Security, 2019; SANS, 2018). Security researchers have consistently argued that building a cybersecurity culture is essential to change attitudes and perceptions and to instil good security behaviors (Da Veiga et al., 2020; Wiley et al., 2020).

Cybersecurity culture is “contextualized to the behavior of humans in an organizational context to protect information processed by the organization through compliance with the information security policy and an understanding of how to implement requirements in a cautious and attentive manner as embedded through regular communication, awareness, training and education initiatives.” (Da Veiga et al., 2020). This recent and comprehensive description of security culture highlights the importance of regular communication and security education, training and awareness (SETA) initiatives in developing a cybersecurity culture.

Our review of the literature revealed that there is consensus amongst professionals and academics that in order to develop a cybersecurity culture, organizations should exceed the minimal compliance approach to SETA (AlHogail, 2015; ENISA, 2017, 2018). To go beyond the traditional SETA offered by many organizations in the form of annual computer-based training, organizations need to put considerable investments into implementing transformative changes in order to develop a cybersecurity culture (Alshaikh et al., 2018, 2019; Carpenter, 2019; OECD, 2015).

Although considerable progress has been made in defining cybersecurity culture, proposing frameworks, and identifying the factors that influence cybersecurity culture in organizations (AlHogail and Mirza, 2014; Da Veiga et al., 2020; Nel and Drevin, 2019), it remains unclear how organizations can in fact implement practices to develop their cybersecurity culture (Carpenter, 2019; Park and Chai, 2018). We argue that there is still a need to further investigate practices and initiatives that organizations can implement to develop a cybersecurity culture.

Therefore, this paper aims to contribute to the existing literature by identifying key initiatives that three Australian organizations have implemented to develop cybersecurity culture and by explaining why these key initiatives can be effective in building cybersecurity culture. This paper provides practical guidance on how organizations can develop a cybersecurity culture.

This paper presents an exploratory study of the practices of three Australian organizations that have taken the initiative to transform their SETA from a compliance-based approach to developing a security culture that influences employee security behavior. These three organizations were chosen because they collaborated closely with one another during the development of their cybersecurity culture and thus have a similar shared experience. Further, all three organizations operate in the financial sector, which faces greater challenges and more sophisticated attacks on information infrastructure than those faced by organizations in other sectors; between April and June 2019 the financial sector was ranked second amongst the top five sectors for data breaches (Office of the Australian Information Commissioner, 2019).

The remainder of the paper is structured as follows: first, the background section presents a brief overview of information security culture. Second, the research methodology is explained, and a description of the three case studies is provided. Third, the results and analysis of the case studies, including the key initiatives to develop cybersecurity culture, are presented, followed by a framework of the key initiatives and a discussion of why these initiatives can be effective. Finally, we conclude with a discussion of the theoretical and practical implications for the development of cybersecurity culture and a direction for future work.

Section snippets

Background: cybersecurity culture

There is consensus in the literature on the need for organizations to develop cybersecurity culture to protect their information assets (Shedden et al., 2016; Chia et al., 2002; Da Veiga and Eloff, 2010; Ruighaver et al., 2007). The process of establishing cybersecurity culture has gained significant focus in cybersecurity literature with early work in the area aimed at establishing and understanding the concept (e.g., Furnell and Thomson, 2009; Schlienger and Teufel, 2002; Van Niekerk and Von

Research methods

An interpretive case-study approach was adopted to conduct the research. The choice of organizations for this multiple case study was based on four key criteria: (1) they had similar practices and approaches to the development of SETA; (2) their experience of transforming their SETA programs was fresh and they had started the process at around the same time; (3) there was a strong collaboration and knowledge-sharing culture amongst the three SETA managers in the three organizations; and (4) SETA

Case study results

A qualitative data analysis approach was adopted in this study as per (Neuman, 2006). The interviews were transcribed, and detailed analysis was undertaken to gain an understanding of what managerial activities the participants undertake to transform their SETA programs and develop cybersecurity culture. The collected data was coded sentence-by-sentence to identify themes and subthemes. The grounded theory analysis technique was employed to analyse the data. A coding process was used to

Discussion: from compliance to building culture

The findings of this study revealed how three organizations have implemented five key initiatives to improve their cybersecurity cultures. The identification of these five initiatives (see Fig. 3) provides useful guidance to organizations for transforming their SETA program from those which are merely compliance focused to those which genuinely build cybersecurity culture by influencing and changing employees’ behaviors. This section discusses the five key initiatives and the underlying reasons

Conclusion

This study has reported the transformation of SETA programs in three Australian organizations from compliance to building a cybersecurity culture. The study has identified five key initiatives that organizations have implemented to improve their security culture in order to influence and change employees' behaviors. The five key initiatives include: identifying key cybersecurity behaviors; establishing a cybersecurity champion network; developing a brand for the cybersecurity team; building a

CRediT authorship contribution statement

Moneer Alshaikh: Conceptualization, Methodology, Writing - original draft, Writing - review & editing, Data curation, Formal analysis.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgements

I would like to thank Dr. Jeb Webb and A/Prof Atif Ahmad for their assistance in editing and proofreading this work and for their valuable comments and feedback. Special thanks to the three cybersecurity awareness managers for sharing their knowledge, experiences and journey to build cybersecurity culture in their organizations.


References (48)

  • A. Wiley et al. More than the individual: examining the relationship between culture and information security awareness. Comput. Secur. (2020)
  • A. AlHogail et al. Information security culture: a definition and a literature review
  • M. Alshaikh et al. An exploratory study of current information security training and awareness practices in organizations
  • M. Alshaikh et al. Toward sustainable behaviour change: an approach for cyber security education training and awareness
  • Bada, M., Sasse, A.M., and Nurse, J.R. 2019. "Cyber Security Awareness Campaigns: Why Do They Fail to Change...
  • P. Carpenter. Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (2019)
  • P. Chia et al. Understanding organizational security culture
  • M. Colobran et al. Knowledge based concept analysis method using concept maps and Uml: security notion case. Int. Sch. Sci. Res. Innov. (2013)
  • W.A. Cram et al. Seeing the forest and the trees: a meta-analysis of the antecedents to information security policy compliance. MIS Q. (2019)
  • S. Dojkovski et al. Enabling information security culture: influences and challenges for Australian Smes
  • ENISA. 2017. "Cyber Security Culture in Organisations." Retrieved from...
  • ENISA. 2018. "Cyber Security Culture in Organisations. European Union Agency for Network and Information Systems.."...
  • T. Fertig et al. Current issues of metrics for information security awareness
  • K.H. Guo et al. Understanding nonmalicious security violations in the workplace: a composite behavior model. J. Manag. Inf. Syst. (2011)
Dr. Moneer Alshaikh is an Assistant Professor at the College of Computer Science and Engineering, Department of Cybersecurity, University of Jeddah, Saudi Arabia. He is also an Honorary Fellow at the School of Computing and Information Systems, the University of Melbourne. Moneer worked as a research fellow in cyber security at the Academic Centre of Cyber Security Excellence, School of Computing and Information Systems, the University of Melbourne. Dr Moneer is a Certified Information Security Manager and ISO/IEC 27001 Implementer. His research interests include information security management, security awareness, and security behavior change.