Towards a cybersecurity culture-behaviour framework: A rapid evidence review

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2024-09-10 DOI:10.1016/j.cose.2024.104110

Anna Sutton, Lisa Tompson

{"title":"Towards a cybersecurity culture-behaviour framework: A rapid evidence review","authors":"Anna Sutton, Lisa Tompson","doi":"10.1016/j.cose.2024.104110","DOIUrl":null,"url":null,"abstract":"<div><p>A strong organisational cybersecurity culture (CSC) is critical to the success of any cybersecurity effort, and understanding and measuring CSC is essential if it is to succeed. To facilitate the framing and measurement of CSC we conducted a rapid evidence assessment (REA) to synthesise relevant studies on CSC. The systematic search identified 1,768 records. 59 studies were eligible for the final synthesis.</p><p>Thematic analysis of the CSC definitions in the included studies highlighted that CSC should not be viewed solely as a technical problem but as a management issue too; CSC requires top management involvement and role modelling, with full organisational support for the desired employee behaviours. We identify both theoretically and empirically derived models of CSC in the REA, along with a range of methods to develop and test these models. Integrative analysis of these models provides detailed information about CSC dimensions, including employee attitudes towards CS; compliance with policies; the role of security education, training and awareness; monitoring of behaviour and top management commitment. The evidence indicates that CSC should be understood both in the context of the wider organisational culture as well as in the shared employee understanding of CS that leads to behaviour.</p><p>Based on the findings of this review, we propose a novel integrated framework of CSC consisting of cultural values, the culture-to-behaviour link, and behaviour itself. We also make measurement recommendations based on this CSC framework, ranging from simple, broad-brush tools through to suggestions for multi-dimensional measures, which can be applied in a variety of sectors and organisations.</p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104110"},"PeriodicalIF":4.8000,"publicationDate":"2024-09-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0167404824004152/pdfft?md5=e920da67cc55971b81e8e1ee8a0dd0d0&pid=1-s2.0-S0167404824004152-main.pdf","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404824004152","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

A strong organisational cybersecurity culture (CSC) is critical to the success of any cybersecurity effort, and understanding and measuring CSC is essential if it is to succeed. To facilitate the framing and measurement of CSC we conducted a rapid evidence assessment (REA) to synthesise relevant studies on CSC. The systematic search identified 1,768 records. 59 studies were eligible for the final synthesis.

Thematic analysis of the CSC definitions in the included studies highlighted that CSC should not be viewed solely as a technical problem but as a management issue too; CSC requires top management involvement and role modelling, with full organisational support for the desired employee behaviours. We identify both theoretically and empirically derived models of CSC in the REA, along with a range of methods to develop and test these models. Integrative analysis of these models provides detailed information about CSC dimensions, including employee attitudes towards CS; compliance with policies; the role of security education, training and awareness; monitoring of behaviour and top management commitment. The evidence indicates that CSC should be understood both in the context of the wider organisational culture as well as in the shared employee understanding of CS that leads to behaviour.

Based on the findings of this review, we propose a novel integrated framework of CSC consisting of cultural values, the culture-to-behaviour link, and behaviour itself. We also make measurement recommendations based on this CSC framework, ranging from simple, broad-brush tools through to suggestions for multi-dimensional measures, which can be applied in a variety of sectors and organisations.

查看原文本刊更多论文

建立网络安全文化行为框架：快速证据审查

强大的组织网络安全文化（CSC）对任何网络安全工作的成功都至关重要，要想取得成功，了解和衡量 CSC 至关重要。为促进对 CSC 的界定和衡量，我们进行了快速证据评估 (REA)，以综合有关 CSC 的相关研究。通过系统检索，我们发现了 1,768 条记录。对所纳入研究中的 CSC 定义进行的专题分析强调，CSC 不应仅被视为一个技术问题，也应被视为一个管理问题；CSC 需要最高管理层的参与和角色示范，并需要组织对员工期望行为的全面支持。我们在 REA 中确定了从理论和经验中得出的 CSC 模型，以及开发和测试这些模型的一系列方法。对这些模型的综合分析提供了有关 CSC 各方面的详细信息，包括员工对 CS 的态度；对政策的遵守；安全教育、培训和意识的作用；对行为的监控以及高层管理者的承诺。有证据表明，CSC 应从更广泛的组织文化以及员工对 CS 的共同理解中加以理解，而员工对 CS 的共同理解会导致行为。我们还根据这一 CSC 框架提出了衡量建议，其中既有简单、粗略的工具，也有多维度的衡量建议，可适用于不同行业和组织。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.