Developing cybersecurity culture to influence employee behavior: A practice perspective
Introduction
Due to the ever-increasing reliance on information and information systems in modern business processes, the strategic interests of organizations have never been more vulnerable to cybersecurity attacks, which can result in catastrophic consequences such as the leakage of trade secrets and intellectual property, or the disruption of mission-critical systems (Bada et al., 2019; Willison et al., 2018). Recent security reports show that a significant proportion of cybersecurity breaches are caused by employee noncompliance with organizational information security policies (NTT Security, 2019; SANS, 2018). Security researchers have consistently argued that building a cybersecurity culture is essential to change attitudes and perceptions and to instil good security behaviors (Da Veiga et al., 2020; Wiley et al., 2020).
Cybersecurity culture is “contextualized to the behavior of humans in an organizational context to protect information processed by the organization through compliance with the information security policy and an understanding of how to implement requirements in a cautious and attentive manner as embedded through regular communication, awareness, training and education initiatives.” (Da Veiga et al., 2020). This recent and comprehensive description of security culture highlights the importance of regular communication and security education, training and awareness (SETA) initiatives in developing a cybersecurity culture.
Our review of the literature revealed that there is consensus amongst professionals and academics that in order to develop a cybersecurity culture, organizations should exceed the minimal compliance approach to SETA (AlHogail, 2015; ENISA, 2017, 2018). To go beyond the traditional SETA offered by many organizations in the form of annual computer-based training, organizations need to put considerable investments into implementing transformative changes in order to develop a cybersecurity culture (Alshaikh et al., 2018, 2019; Carpenter, 2019; OECD, 2015).
Although considerable progress has been made in defining cybersecurity culture, proposing frameworks, and identifying the factors that influence cybersecurity culture in organizations (AlHogail and Mirza, 2014; Da Veiga et al., 2020; Nel and Drevin, 2019), it remains unclear how organizations can in fact implement practices to develop their cybersecurity culture (Carpenter, 2019; Park and Chai, 2018). We argue that there is still a need to further investigate practices and initiatives that organizations can implement to develop a cybersecurity culture.
Therefore, this paper aims to contribute to the existing literature by identifying key initiatives that three Australian organizations have implemented to develop cybersecurity culture and by explaining why these key initiatives can be effective in building cybersecurity culture. This paper provides practical guidance on how organizations can develop a cybersecurity culture.
This paper presents an exploratory study of the practices of three Australian organizations that have taken the initiative to transform their SETA from a compliance-based approach to developing a security culture that influences employee security behavior. These three organizations were chosen because they collaborated closely with one another during the development of their cybersecurity culture and thus have a similar shared experience. Further, all three organizations operate in the financial sector, which faces greater challenges and more sophisticated attacks on information infrastructure than those faced by organizations in other sectors; between April and June 2019 the financial sector was ranked second amongst the top five sectors for data breaches (Office of the Australian Information Commissioner, 2019).
The remainder of the paper is structured as follows: first, the background section presents a brief overview of information security culture. Second, the research methodology is explained, and a description of the three case studies is provided. Third, the results and analysis of the case studies, including key initiatives to develop cybersecurity culture, are presented, followed by a framework of the key initiatives to develop cybersecurity culture and a discussion of why these initiatives can be effective. Finally, we conclude with a discussion of the theoretical and practical implications for the development of cybersecurity culture and a direction for future work.
Background: cybersecurity culture
There is consensus in the literature on the need for organizations to develop cybersecurity culture to protect their information assets (Shedden et al., 2016; Chia et al., 2002; Da Veiga and Eloff, 2010; Ruighaver et al., 2007). The process of establishing cybersecurity culture has gained significant focus in cybersecurity literature with early work in the area aimed at establishing and understanding the concept (e.g., Furnell and Thomson, 2009; Schlienger and Teufel, 2002; Van Niekerk and Von
Research methods
An interpretive case-study approach was adopted to conduct the research. The choice of organizations for this multiple case study was based on four key criteria: (1) they had similar practices and approaches to the development of SETA; (2) their experience of transforming their SETA programs was recent and they had started the process at around the same time; (3) there was a strong collaboration and knowledge-sharing culture amongst the three SETA managers in the three organizations; and (4) SETA
Case study results
A qualitative data analysis approach was adopted in this study, following Neuman (2006). The interviews were transcribed, and detailed analysis was undertaken to gain an understanding of what managerial activities the participants undertake to transform their SETA programs and develop cybersecurity culture. The collected data were coded sentence by sentence to identify themes and subthemes. The grounded theory analysis technique was employed to analyse the data. A coding process was used to
Discussion: from compliance to building culture
The findings of this study revealed how three organizations have implemented five key initiatives to improve their cybersecurity cultures. The identification of these five initiatives (see Fig. 3) provides useful guidance to organizations for transforming their SETA program from those which are merely compliance focused to those which genuinely build cybersecurity culture by influencing and changing employees’ behaviors. This section discusses the five key initiatives and the underlying reasons
Conclusion
This study has reported the transformation of SETA programs in three Australian organizations from compliance to building a cybersecurity culture. The study has identified five key initiatives that organizations have implemented to improve their security culture to influence and change employees’ behaviors. The five key initiatives include: identifying key cybersecurity behaviors; establishing a cybersecurity champion network; developing a brand for the cybersecurity team; building a
CRediT authorship contribution statement
Moneer Alshaikh: Conceptualization, Methodology, Writing - original draft, Writing - review & editing, Data curation, Formal analysis.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgements
I would like to thank Dr. Jeb Webb and A/Prof Atif Ahmad for their assistance in editing and proofreading this work and for their valuable comments and feedback. Special thanks to the three cybersecurity awareness managers for sharing their knowledge, experiences and journey to build cybersecurity culture in their organizations.
References (48)
Design and validation of information security culture framework. Comput. Hum. Behav. (2015).
Defining organisational information security culture: perspectives from academia and industry. Comput. Secur. (2020).
A framework and assessment instrument for information security culture. Comput. Secur. (2010).
Chapter 35: Building a sustainable culture of security.
From culture to disobedience: recognising the varying user acceptance of IT security. Comput. Fraud Secur. (2009).
Selecting security champions. Comput. Fraud Secur. (2011).
Assessing the impact of security culture and the employee-organization relationship on IS security compliance.
Why there aren't more information security research studies. Inf. Manag. (2004).
Organisational security culture: extending the end-user perspective. Comput. Secur. (2007).
Information security culture: a management perspective. Comput. Secur. (2010).
More than the individual: examining the relationship between culture and information security awareness. Comput. Secur.
Information security culture: a definition and a literature review.
An exploratory study of current information security training and awareness practices in organizations.
Toward sustainable behaviour change: an approach for cyber security education, training and awareness.
Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors.
Understanding organizational security culture.
Knowledge based concept analysis method using concept maps and UML: security notion case. Int. Sch. Sci. Res. Innov.
Seeing the forest and the trees: a meta-analysis of the antecedents to information security policy compliance. MIS Q.
Enabling information security culture: influences and challenges for Australian SMEs.
Current issues of metrics for information security awareness.
Understanding nonmalicious security violations in the workplace: a composite behavior model. J. Manag. Inf. Syst.
Dr. Moneer Alshaikh is an Assistant Professor at the College of Computer Science and Engineering, Department of Cybersecurity, University of Jeddah, Saudi Arabia. He is also an Honorary Fellow at the School of Computing and Information Systems, the University of Melbourne. Moneer worked as a research fellow in cyber security at the Academic Centre of Cyber Security Excellence, School of Computing and Information Systems, the University of Melbourne. Dr. Alshaikh is a Certified Information Security Manager and ISO/IEC 27001 Implementer. His research interests include information security management, security awareness, and security behavior change.