9 minute read 7 Dec 2020

Why many organizations are struggling to build and sustain a cybersecurity culture


Successful cybersecurity cultural programs require ongoing support and financial and human resources allocated to the program.

In Brief

  • While cybersecurity protocols are critical for organizations, building a healthy cybersecurity culture helps them keep pace with the cyber threat landscape.
  • To build a healthy cybersecurity culture, organizations need to adopt a systematic plan that fosters cybersecurity awareness as a culture and fine-tune the cybersecurity program to embrace different national and cultural aspects.

This article sheds light on why global organizations are struggling to build and sustain a cybersecurity culture. The reasons listed below are based on the research performed by the author, as well as the practical experience gained from supporting organizations to build a cybersecurity culture. The three key reasons why organizations today are struggling to build and sustain a cybersecurity culture are:

  • Cybersecurity cultural change is approached in an ad-hoc way rather than in a systematic manner.
  • Cybersecurity teams are failing to prove the value of cybersecurity in general and of cybersecurity culture in particular.
  • The approach to building a cybersecurity culture is too general and doesn’t take national cultural differences into account.

This article is outlined according to these three reasons.

This article is the second in a three-part series. The previous article argued why a cultural change program is essential for an effective cybersecurity program. The subsequent article will provide a roadmap on how to start building and sustaining a cybersecurity culture.

A need for a systematic approach

Cybersecurity culture is about ensuring appropriate intrinsic beliefs (attitudes, normative beliefs and perceived control to perform a task) and behaviors throughout an organization. Systematically approaching cybersecurity culture ensures the following: 

  • There is a strategy behind the activities performed to raise cybersecurity awareness and to change beliefs and behaviors.
  • The goals and the behavioral risks to be addressed are clearly defined, together with repeatable steps on how to achieve those goals.
  • A process to measure impact and progress is established.

One evident benefit of a systematic approach to cybersecurity culture is that it addresses the characterization and diagnosis of behavioral risks or “problems” in a detailed and structured way. In doing so, the right risks are addressed, the employees at risk are identified, and the means to reduce these risks are defined. Another benefit is that by spending more time in the planning and designing phase of a cybersecurity cultural program, you are less likely to encounter unexpected problems during the implementation phase. As a result, cybersecurity cultural strategies will address the top risks of the organization, be relevant to key stakeholders and high-risk groups, and utilize the most efficient means that generate consistent and optimum results in improving cybersecurity.

If a systematic approach ensures that the means with the most significant impact on cybersecurity cultural outcomes are utilized, why are many still neglecting to formalize and structure their cybersecurity cultural improvement activities?

The answer lies in the need to study the implementation of organizational information security measures and to assess their effectiveness in detail. At this stage, it also becomes crucial to assess the knowledge and attitude of the members of an organization regarding the protection of its physical and information assets.

We can derive three explanations for this. First, developing a structured and documented process takes time, and requirements may change while the approach is being designed. This may create a need to review the behavior-risk analysis on which the initial requirements were founded. Second, any formalized and structured work on cybersecurity culture is expensive in terms of money and working hours. It’s often easier (and cheaper in the short term) to invest in developing e-learning modules or finding external guest speakers for the annual Cybersecurity Awareness Month in October. Cybersecurity teams are often forced to focus on short-term benefits and quick wins, and struggle to prove long-term value by spending time (and money) on the first phase of establishing a cybersecurity cultural program. This leads to the third explanation: a lack of understanding among decision-makers of the importance of cybersecurity culture and of its significant positive impact on the overall cybersecurity posture.

Systematically approaching cybersecurity culture is beneficial for several reasons, but it can, as already mentioned, be costly in the short term, and the value it provides can be challenging to prove. A cybersecurity cultural program that fails to continuously prove its value will not receive ongoing support.

Teams failing to prove the value

Successful cybersecurity cultural programs require ongoing support and financial and human resources allocated to the program. However, many organizations are still not receiving sufficient funding for their overall cybersecurity program and even less for their work with cybersecurity culture. Why is this the case for many cybersecurity teams? One explanation is that many cybersecurity teams fail to measure and report the effects of their cybersecurity cultural programs.

In fact, the EY Global Information Security Survey 2020 showed that 80% of Nordic organizations say that they cannot quantify the effectiveness of their cybersecurity spending to their Boards.1 Cybersecurity culture and behavior are often seen as vague concepts that are challenging to concretize. Therefore, it can be difficult to know where and how to measure cybersecurity culture and to quantitatively capture outcomes. However, cybersecurity culture and its outcomes, in terms of sensitizing everyone so that security is anchored in the culture and in everyday thinking in a structured way, can and should be measured. If they are not, organizations will fail to provide executives with facts that show the value of the cybersecurity cultural program, which weakens the cybersecurity team and gives executives no reason to continue supporting the program.

Failing to measure starts with failing to define key performance indicators (KPIs) that capture how top risks are being addressed. 

Although many organizations are measuring different aspects of their cybersecurity program, some are failing to define key performance indicators (KPIs) that capture how their most important risks, or top risks, are being addressed. In some cases, top risks are not even formally defined, which increases the likelihood of cybersecurity risk management being scattered across the organization’s levels. A non-existent or immature measurement and reporting process, including a lack of defined KPIs, has several consequences. Three of these are:

  • A weak understanding of which behavioral risks should be prioritized: If you cannot measure the problems or risks the organization is facing, you cannot manage them. An ad-hoc approach with no measurements may lead to the wrong prioritization of areas that need improvement.
  • A weak connection to other operational, financial and legal risks: Failing to connect measurement findings to the other risks the organization faces, such as legal or financial risks, most likely leads to business executives not understanding the overall business risk caused by inadequate cybersecurity.
  • Non-transparent reporting on cybersecurity risks: The status and progress of the ongoing cybersecurity program, the effectiveness of risk-reducing controls, and the status of how business-critical assets are being protected all need to be measured. If they are not, organizations will fail to transparently report how their cybersecurity program mitigates the most important threats to the business.

Ineffective and inconsistent reporting of measurement results can also cause a failure to provide value. When reporting is performed, the reports should be executive-friendly and not too technical. Overly technical reports provide limited value to executives because they give little input to decision-making.

Approaches that address general rather than national cultural differences

Cybersecurity teams rely on international best practice frameworks, such as ISO 27001 or the NIST Cybersecurity Framework, to guide their cybersecurity implementation. Although most frameworks include awareness and cultural aspects, many organizations complement their approach with awareness-specific methods, for instance from the SANS Security Awareness Community.2 These frameworks provide good recommendations and guidelines on how to establish a cybersecurity cultural strategy. However, they are general in nature and don’t consider the influence of contextual factors, such as the effect of national cultural differences on cybersecurity outcomes. For example, in some countries a carrot approach is more effective in motivating staff to alter their behaviors, while in others a stick approach will alter staff behaviors more effectively.

Hofstede’s model of national culture is one of the well-established national culture models that explains how values in the workplace are influenced by national culture.3 The model consists of six dimensions of national culture and has been empirically tested several times in cybersecurity research, providing strong support for the notion that national cultural factors affect cybersecurity outcomes.

In a research study, significant differences in how strategies are established were identified when comparing Sweden and the USA, two democracies with well-developed economies but different cultures according to Hofstede’s national cultural indices.6 Among the national cultural dimensions, the cumulative difference is most significant for the individualism versus collectivism (IDV) dimension and the masculinity versus femininity (MAS) dimension.

In collectivistic countries, individuals consider it more important to put the group’s interest before their own and are more likely to adhere to the common cause. In cultures where individualism is stronger, the ties between individuals are loose, and people are primarily expected to take care of themselves.

The masculinity dimension is tied to the traditional masculine work role model of achievement, competition, control and power. In a country where masculinity is stronger, success is defined by winning or being the best in the field. Typically, conflicts are resolved at the individual level, and the goal is to win the discussion without negotiation. In contrast, in a feminine society the dominant values are caring for others, and quality of life is a sign of success. Employees in a more feminine country tend to support each other more and strive for consensus. Decision-making is achieved through involvement, and conflicts are resolved by compromise and negotiation.

As the discussion illustrates, effective implementation of cybersecurity change programs in Swedish culture requires that changes are anchored with employees, that controls are not too obtrusive, and that informal leaders or ambassadors are appointed to establish a norm for cybersecurity.

Basically, the focus is more on formal change management activities. In contrast, cybersecurity controls and changes in US culture may be implemented effectively through formal arrangements and may not require an anchoring process; controls can be more intrusive, and competitions can be used to motivate behavioral change.

No strategy or framework fits all contexts and cultures. Therefore, there are strong reasons to believe that neglecting the influence of national culture is one reason why some organizations fail to build and sustain a cybersecurity culture. Acknowledging this is important for developing more effective cybersecurity practices, particularly for organizations operating in a global environment.

Article references

1. Global Information Security Survey [Internet]. EY; 2020. Available at: https://www.ey.com/en_gl/giss

2. SANS Security Awareness [Internet]. Available at: https://www.sans.org/security-awareness-training

3. Hofstede G. Cultural constraints in management theories. Academy of Management Perspectives 1993;7(1):81-94.

4. The six dimensions are: Power distance (PDI), Individualism versus collectivism (IDV), Masculinity versus femininity (MAS), Uncertainty avoidance (UAI), Long-term versus short-term orientation (LTO), and Indulgence versus restraint (IVR).

5. Hofstede G. National cultural dimensions [Internet]. Available at: https://hi.hofstede-insights.com/national-culture

6. Rocha Flores W, Antonsen E, Ekstedt M. Information security knowledge sharing in organizations: Investigating the effect of behavioral information security governance and national culture. Computers & Security 2014;43:90-11.

Summary

Cybersecurity culture is key to effective cybersecurity. Many organizations are, however, still struggling to build and sustain a cybersecurity culture. The reasons are that cybersecurity cultural change is not approached systematically, that cybersecurity teams are failing to prove the value of cybersecurity cultural change, and that the approaches used are too general and do not take national cultural differences into account.
