
The Role of Organizational Culture in Cybersecurity: Building a Security-First Culture

Author(s):
Abstract:

In today's digital age, organizations have harnessed unprecedented connectivity and technological advancements, leading to enhanced efficiency and productivity. However, this progress has also exposed businesses to a multitude of cyber threats, including data breaches, ransomware attacks, and social engineering exploits. This research explores the relationship between organizational culture and cybersecurity practices, emphasizing the importance of fostering a security-first culture within organizations. While technical measures are crucial, neglecting the role of organizational culture can hinder effective cybersecurity. 

The study is grounded in the theory of planned behaviour and the cultural dimensions theory, providing a solid theoretical foundation. Moreover, the investigation delves into the Denison organizational culture model, particularly focusing on the role of participation in nurturing a security-first culture. This becomes particularly relevant when assembling collaborative, inclusive, and communication-driven multi-disciplinary teams. Leadership emerges as a pivotal aspect in establishing a security-first culture. The onus lies with executive leadership at the highest echelons of the organization. However, it is concerning that in certain well-established companies, some senior executives continue to perceive cybersecurity as the sole responsibility of the IT department, overlooking its leadership significance.


© 2023 The Author(s). Published by RITHA Publishing. This article is distributed under the terms of the CC-BY 4.0 license, which permits any further distribution in any medium, provided the original work is properly cited.


How to cite:

Willie, M. M. (2023). The Role of Organizational Culture in Cybersecurity: Building a Security-First Culture. Journal of Research, Innovation and Technologies, Volume II, 2(4), 179-198. https://doi.org/10.57017/jorit.v2.2(4).05 


Article’s history

Received 14th of September, 2023; Revised 5th of October, 2023; Accepted for publication 25th of October, 2023; Available online: 26th of October, 2023. Published as article in Volume II, Issue 2(4).

