ENISA published a report providing organisations with practical tools and guidance to develop and maintain an internal cybersecurity culture.
Understanding the dynamics of cybersecurity culture
The Cybersecurity Culture in Organisations report is based on multi-disciplinary research conducted to better understand how cybersecurity culture can be developed and shaped within organisations.
This research draws from different disciplines, including organisational sciences, psychology, law and cybersecurity as well as the knowledge and experiences of large European organisations. The report provides good practices, methodological tools and step-by-step guidance for those seeking to commence or enhance their organisation’s cybersecurity culture programme.
The idea behind the concept
Cybersecurity culture refers to the knowledge, beliefs, attitudes, norms and values of people regarding cybersecurity and how these manifest in interacting with information technologies. It reflects the understanding that the organisation’s actions are dependent on shared beliefs, values and actions of its employees, including their attitude towards cybersecurity.
While many organisations and employees are familiar with related concepts such as cybersecurity awareness and information security frameworks, cybersecurity culture covers a broader scope. The idea behind this concept is to make information security considerations an integral part of an employee’s daily life.
“The report not only says that measuring is important, it also gives a number of examples of how to measure security culture on different levels of an organisation – from a full-scale cultural mapping like we do with the CLTRe Toolkit, to measuring specific activities and their outcomes. We recommend a combination of both approaches,” Kai Roer, security culture expert and CLTRe CEO, told Help Net Security.
“The report is easy to read, navigate and use, making it very accessible and easy to implement. I am very happy to see ENISA taking on this role of making their work so easily accessible and applicable. This is another huge step forward for ENISA and their reports – making them available to the practitioners in a way they will actually read and use it,” Roer concluded.
The need for internal cybersecurity culture
Multiple drivers have led organisations to recognise the need for a cybersecurity culture. First, cyber threat awareness campaigns alone do not provide sufficient protection against ever-evolving cyber attacks.
Additionally, technical cybersecurity measures need to be aligned with other business processes, and, lastly, employees need to act as a strong human firewall against cyber attacks.
Guidance for organisations
Against this background, ENISA has conducted research on cybersecurity culture to provide guidance for organisations. As the study’s findings are intended to be contextualised to the needs and circumstances of each organisation, the guidance is applicable to any organisation, regardless of structure, size or industry.
Additionally, the following good practices have been identified, based on the experiences of organisations that have already implemented mature cybersecurity culture programmes:
- Setting cybersecurity as a standing agenda item at board meetings to underline the importance of a robust cybersecurity culture.
- Ensuring that employees are consulted and that their concerns regarding cybersecurity practices are considered by the cybersecurity culture working group.
- Ensuring that business processes/strategies and cybersecurity processes/strategies are fully aligned.