Why developing an internal cybersecurity culture is essential for organizations

 February 7, 2018


ENISA published a report providing organisations with practical tools and guidance to develop and maintain an internal cybersecurity culture.


Understanding the dynamics of cybersecurity culture

The Cybersecurity Culture in Organisations report is based on multi-disciplinary research conducted to better understand how cybersecurity culture can be developed and shaped within organisations.

This research draws from different disciplines, including organisational sciences, psychology, law and cybersecurity as well as the knowledge and experiences of large European organisations. The report provides good practices, methodological tools and step-by-step guidance for those seeking to commence or enhance their organisation’s cybersecurity culture programme.

The idea behind the concept

Cybersecurity culture refers to the knowledge, beliefs, attitudes, norms and values of people regarding cybersecurity and how these manifest in interacting with information technologies. It reflects the understanding that the organisation’s actions are dependent on shared beliefs, values and actions of its employees, including their attitude towards cybersecurity.

While many organisations and employees are familiar with related concepts such as cybersecurity awareness and information security frameworks, cybersecurity culture covers a broader scope. The idea behind this concept is to make information security considerations an integral part of an employee’s daily life.

“The report not only says that measuring is important, it also gives a number of examples of how to measure security culture on different levels of an organisation – from a full-scale cultural mapping like we do with the CLTRe Toolkit, to measuring specific activities and their outcomes. We recommend a combination of both approaches,” Kai Roer, security culture expert and CLTRe CEO, told Help Net Security.

“The report is easy to read, navigate and use, making it very accessible and easy to implement. I am very happy to see ENISA taking on this role of making their work so easily accessible and applicable. This is another huge step forward for ENISA and their reports – making them available to the practitioners in a way they will actually read and use it,” Roer concluded.

The need for internal cybersecurity culture

Multiple drivers have led organisations to recognise the need for a cybersecurity culture. First, cyber threat awareness campaigns alone do not provide sufficient protection against ever-evolving cyber attacks.

Additionally, technical cybersecurity measures need to be aligned with other business processes, and, lastly, employees need to act as a strong human firewall against cyber attacks.