
“The contribution of fostering a cyber security culture in organizations’ cyber resilience.”


Academic year: 2023


Text

As the human factor remains a significant threat, a holistic approach that engages organizational members by cultivating a cybersecurity culture strengthens cyber resilience. Various commercial and research perspectives introduce frameworks for assessing the cyber security culture deployed alongside technical and administrative controls. This thesis aims to raise the importance of cyber security culture and explore practical aspects of the development and implementation of an assessment tool.

Drawing on the literature, a new cybersecurity culture framework based on Schein's model is presented.

Introduction

Given that the literature review established that CSC contributes to cyber resilience, this study has provided evidence on organizational characteristics and whether they influence CSC status. Conducting an investigation regarding Cyber Security (CS) inevitably led to limitations, as a CSC assessment reveals the status of an organization and could ultimately publish information about vulnerabilities that threat actors could take advantage of. On the other hand, although theory supports that CSC contributes to cyber resilience, cyber resilience could not be assessed practically, as this would require the development of an upcycling process involving recurring assessments.

An effort to unfold all aspects is taking place, including concepts such as definitions, subcultures and culture changes in order to gain a deep understanding of OC primarily and CSC in the future.

Literature review

Introduction

Organizational Culture

  • Organizational Culture definition
  • Organizational Culture models
    • Schein’s three levels in the organizational culture
    • Hofstede’s four culture themes & six dimensions
    • Cameron and Quinn’s four dimensions
    • The Organizational Culture Inventory by Cooke and Lafferty
    • Johnson and Scholes cultural web
  • Further culture considerations
    • External Culture Environment
    • Innovation culture
    • Subcultures
    • Culture change

Values: the second level forms the mindset of the organization's members, which in turn makes up individuals' attitudes. In order to assess this type of culture, it is essential to identify any subcultures present within the organization's functions. Real: This is where it starts; it is the initial assessment of where the organization stands.

It is highly unlikely that these values would be useful to an organization's finance or legal department.

Figure 2.1 Tharp’s (2009) approach in defining organizational culture.

Cybersecurity Culture

  • The importance of Cybersecurity Culture
  • Cybersecurity Culture Definition
  • Cultivating Cybersecurity Culture
  • Cybersecurity Culture frameworks
    • Da Veiga’s Information Security Culture Framework
    • Security Culture Framework by Georgiadou et al
    • Organizational Cybersecurity Culture Model
    • CLTRe Security Culture Framework
    • CybSafe’s Culture Assessment Tool
    • Kaspersky Lab’s CyberSafety Culture Assessment
  • Considerations on CSC frameworks

An essential aspect of OC is that it is instilled in support of strategy and performance. Artifacts: This element includes visible aspects of the organization, such as network security arrangements and formalized procedures. Shared tacit assumptions: As with Schein's approach, this element includes the instinctive beliefs and inculcated thoughts and perceptions among organizational members that relate to security.

A special team of organization members is assembled and tasked with monitoring the implementation of the CSC plan in terms of operations, policies and strategy coordination. Next, a business outline must be prepared along with an appropriate risk assessment. The next step is to evaluate the results of the activities carried out and whether they have achieved the relevant objectives.

Whatever the initiation, it must be emphasized that SMT involvement sets a transcendent example for the rest of the organization to follow. Management and governance: This element includes the organization's strategic approach to security. Contrary to the dimensional breakdown of the models introduced for CSC, their research showed.

Beliefs, Values and Attitudes: This is where tacit principles are documented, what members of the organization know and do, but few are able to articulate. Kaspersky Lab (2018), one of the oldest and most recognized cybersecurity companies in the world, developed the CyberSafety Culture Assessment tool.

Figure 2.8 Schein’s readjusted model including Redi and van Niekerk’s approach (2014) and the Superstructural element adaptation

Research Methodology

Research Objective

Research Design

  • Questionnaire
  • Preparatory questionnaire assessment
  • Sample

Therefore, and considering the research objective approach described in section 3.1, an exploratory design is the research type best suited to this study. When collecting data as part of the research framework, it is important to choose between the available methods: quantitative, qualitative and mixed methods (McCusker & Gunaydin, 2015). The researcher asks a series of questions to which answers are sought, and respondents deliver their answers back to the researcher through the questionnaire.

The purpose of the questionnaire is to gather information that the researcher needs to help answer the research objectives (Brace, 2004). Short explanatory texts were provided throughout the questionnaire to ensure that the requirements were accurately described. Whichever of the four answer options A, B, C or D collects the most points across all six categories is interpreted as the corresponding type of OC.

However, no commercial tool is available for free, but some academic questionnaires are available as part of the relevant theoretical foundation. Therefore, a question from Da Veiga et al. (2020) was used along with two others developed by the author to identify organizational members' perceptions of their environment's security resilience. To ensure the adequacy of the questionnaire flow, it was sent to three close people for preparatory assessment before it was published.

Also, feedback was received on the average time for completion, so an expected duration of fifteen minutes is stated before the questionnaire starts, for each respondent to be aware of. Respondents had to work in Greece, although the organization may be international, because national superstructural factors of CSC would otherwise seriously interfere with the research outcome.

Software

Results

Descriptive statistics

  • Demographics
  • Organization related questions
  • Organizational Culture tool
  • General security questions

Almost 95% of the participants have a higher education degree or a Bachelor's, Master's or Doctorate degree. The seniority of the participants is distributed at all levels; however, middle and high level make up almost 50% of the respondents accounting for about 20% and 29% respectively. Answers regarding the industry of the participants have been varied; however, none have been accepted for the life sciences.

The largest share falls in Data Infrastructure and Telecom, with around 18.5% of the total, followed by the Public Sector with 16.5% of the total responses. Out of all participants, 45% work in an organization that operates exclusively in Greece, while the rest, 55%, work for an international organization that operates in Greece. The OCAI tool to assess the OC is based on the A, B, C and D answers given by the participants.

The mean scores of dominant OC from each response were calculated and are shown in Figure 4.9. About 50% of the participating OCs were identified as hierarchy, indicating that half of the participating organizations represent the OC of control, process, efficiency and accuracy. Induction training is considered the industry standard for educating new members about security and other aspects of the organization.

Regarding how respondents prefer to receive information security messages, results provided a prevailing 108 out of 156 responses attributed to email messages. The answer options were:

  • Hard copy documents
  • Electronic documents
  • Faxes
  • Business discussions
  • Telephone conversations
  • Emails
  • Voicemail messages
  • Documents stored on mobile devices
  • Instant messaging conversations (e.g. Viber, WhatsApp)
  • Information published on the internet or intranet
  • All of the above

Table 4.2. Participant’s age.

Statistical analysis

  • Reliability analysis
  • Evaluation of CSC and CS Resilience
  • Assumptions
  • Chi-square tests analysis
    • Hypothesis 1
    • Hypothesis 2
    • Hypothesis 3
    • Hypothesis 4
    • Hypothesis 5
  • Factor analysis
  • Confirmatory Factor Analysis

In this research a more straightforward approach is implemented, and therefore CSC is evaluated on three rankings by summing all results of the fifteen responses: 15-34.9 "Poor", "Average" and 55-75 "Enough". The same rationale was used for the CS resilience perception set of questions, where the respective sum of results provides three categories: 3-6.9 "Weak", 7-10.9 "Average" and 11-15 "Sufficient". The first hypothesis examines the possible existence of a relationship between CSC and the organization's size. The relevant Chi-square test was performed, and the results in Tables 4.18 and 4.19 were obtained.

Since the P-value is greater than α (0.05), we do not accept the hypothesis, and therefore there is no statistically significant relationship between the organization's size and the CSC status. The second hypothesis examines whether there is a relationship between the presence of a CISO within the organization and the CSC status in place. Here we accept the hypothesis, and therefore there is a statistically significant relationship between the presence of a CISO and the CSC status.

There is therefore no statistically significant relationship between the OC type and the CSC status. The fourth hypothesis examines the relationship between CS resilience, as perceived by the organization's members, and the CSC status. There is a statistically significant relationship between CS resilience as perceived by organizational members and the CSC status.

Therefore, we accept the hypothesis, and consequently there is a statistically significant relationship between the status of CS as perceived by organizational members and the CSC status. The fifth and final hypothesis examines whether a relationship exists between the organization's industry and CSC. The appropriate Chi-square test was performed and the results in Tables 4.26 and 4.27 were obtained.

Since the P value is lower than the α value (0.05), we accept the hypothesis, and therefore there is a statistically significant relationship between the organization's industry/activity and CSC status.
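The scoring bands and the Hypothesis 2 Chi-square test described above, as an added Python example that is not part of the thesis: it bands summed scores into the three CSC ranks (the middle band's bounds, 35-54.9, are assumed, since the page gives only the outer two), builds the CISO-presence versus CSC-status table and decides at α = 0.05 using the exact p-value for two degrees of freedom. The responses are constructed, not the survey data.

```python
"""Added example, not code from the thesis: bands summed CSC scores and runs the
Hypothesis 2 chi-square test of independence (CISO presence vs. CSC status)."""
import math

# CSC: fifteen items summed (15..75). The page gives only the Poor and Enough
# bands; the middle Average band (35-54.9) is an assumption.
CSC_BANDS = [(15, 34.9, "Poor"), (35, 54.9, "Average"), (55, 75, "Enough")]
# CS resilience perception: three items summed (3..15), bands as on the page.
RES_BANDS = [(3, 6.9, "Weak"), (7, 10.9, "Average"), (11, 15, "Sufficient")]

def band(score, bands):
    """Map a summed score to its rank label; out-of-range scores are errors."""
    for lo, hi, label in bands:
        if lo <= score <= hi:
            return label
    raise ValueError(f"score {score} outside {bands[0][0]}-{bands[-1][1]}")

def chi_square(table):
    """Pearson chi-square statistic, degrees of freedom and the smallest
    expected cell count (the usual validity check wants every cell >= 5)."""
    rows = [sum(r) for r in table]
    cols = [sum(c) for c in zip(*table)]
    n = sum(rows)
    stat, min_expected = 0.0, float("inf")
    for i, row in enumerate(table):
        for j, observed in enumerate(row):
            expected = rows[i] * cols[j] / n
            min_expected = min(min_expected, expected)
            stat += (observed - expected) ** 2 / expected
    return stat, (len(rows) - 1) * (len(cols) - 1), min_expected

def decide(table, alpha=0.05):
    """Accept a relationship when p < alpha. The closed-form p-value
    exp(-stat / 2) is exact for df = 2, i.e. for a 2 x 3 table."""
    stat, df, min_expected = chi_square(table)
    if df != 2:
        raise ValueError("closed-form p-value implemented for df = 2 only")
    p = math.exp(-stat / 2)
    return {"stat": stat, "p": p, "accept": p < alpha, "cells_ok": min_expected >= 5}

def contingency(responses):
    """Rows: CISO present / absent; columns: Poor / Average / Enough."""
    labels = [b[2] for b in CSC_BANDS]
    table = [[0] * len(labels) for _ in range(2)]
    for has_ciso, score in responses:
        table[0 if has_ciso else 1][labels.index(band(score, CSC_BANDS))] += 1
    return table

# Constructed responses (has_ciso, summed CSC score); not the thesis data.
RESPONSES = [(True, s) for s in [62, 58, 70, 45, 66] * 4] + [(False, s) for s in [30, 41, 28, 52, 33] * 4]
```

The `cells_ok` flag covers the expected-count assumption listed under "Assumptions" above; a table failing it should not be read with the chi-square p-value.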

Table 4.14. Item total statistics for CSC.

Reflecting on the process to reach the results

Here, too, the possibilities for organizations are limitless; they can use customized intranet portals or commercial solutions that best suit their needs. Together with the discovered relevant factors and consideration of organizational elements, this is essential feedback for improving the questionnaire in the next evaluation cycle, which returns to the development step. The process described above introduces an upgrade tool where the organization constructs a custom questionnaire, and while the unbounded goal is to assess CSC, the tool is further processed to improve the next time it is used.

Conclusions

  • Theoretical implications
  • Practical implications
  • Limitations
  • Future research

One of the most unequivocal is confirming the relationship between the presence of the CISO and the CSC status. ENISA has already advanced the role of CISO within an organization in all directions, including stakeholders, SMT and members, and has also ensured a clear responsibility of the ambassador who carries the message of “the way we do things”, indicating a direct relationship with CSC (Cybersecurity Culture in Organizations, 2017). Another result of the questionnaire indicates that CSC status is statistically related to the relevant industry of the organization.

Considering the development of the CS field, where MITRE ATT&CK is currently a standard in developing countermeasures based on characteristics such as location of operation and industry, this result may be of great importance. This shows that regardless of the size and "how we do things here" identity of the organization, CSC should always be a priority. Although this is a very subjective result among those provided, it is important as it highlights the human aspect of trust.


Images

Figure 2.2 Schein’s three levels of Organizational Culture (Morente et al., 2018).
Figure 2.3 The Competing Values Framework (Cameron & Quinn, n.d.).
Figure 2.4 Organizational Culture Inventory Circumplex example (The Circumplex, n.d.)
Figure 2.5 Johnson and Scholes cultural web (Johnson & Scholes, n.d.).
