Developing a cyber security culture: Current practices and future needs. Issue 109 (October 2021)
- Record Type:
- Journal Article
- Title:
- Developing a cyber security culture: Current practices and future needs. Issue 109 (October 2021)
- Main Title:
- Developing a cyber security culture: Current practices and future needs
- Authors:
- Uchendu, Betsy
Nurse, Jason R.C.
Bada, Maria
Furnell, Steven - Abstract:
- Highlights: A systematic review of the last ten years of research on security culture. Top management support, security policy, awareness/training key to building culture. Developing a security culture requires in-depth knowledge of organisation and employees. Questionnaires and surveys often used to measure culture, but have their weaknesses. Few security culture frameworks/approaches have been evaluated in the real-world. Abstract: While the creation of a strong security culture has been researched and discussed for decades, it continues to elude many businesses. Part of the challenge faced is distilling pertinent, recent academic findings and research into useful guidance. In this article, we aim to tackle this issue by conducting a state-of-the-art study into organisational cyber security culture research. This work investigates four questions, including how cyber security culture is defined, what factors are essential to building and maintaining such a culture, the frameworks proposed to cultivate a security culture and the metrics suggested to assess it. Through the application of the PRISMA systematic literature review technique, we identify and analyse 58 research articles from the last 10 years (2010-2020). Our findings demonstrate that while there have been notable changes in the use of terms (e.g., information security culture and cyber security culture), many of the most influential factors are similar. Top management support, policy and procedures, and awarenessHighlights: A systematic review of the last ten years of research on security culture. Top management support, security policy, awareness/training key to building culture. Developing a security culture requires in-depth knowledge of organisation and employees. Questionnaires and surveys often used to measure culture, but have their weaknesses. Few security culture frameworks/approaches have been evaluated in the real-world. Abstract: While the creation of a strong security culture has been researched and discussed for decades, it continues to elude many businesses. Part of the challenge faced is distilling pertinent, recent academic findings and research into useful guidance. In this article, we aim to tackle this issue by conducting a state-of-the-art study into organisational cyber security culture research. This work investigates four questions, including how cyber security culture is defined, what factors are essential to building and maintaining such a culture, the frameworks proposed to cultivate a security culture and the metrics suggested to assess it. Through the application of the PRISMA systematic literature review technique, we identify and analyse 58 research articles from the last 10 years (2010-2020). Our findings demonstrate that while there have been notable changes in the use of terms (e.g., information security culture and cyber security culture), many of the most influential factors are similar. Top management support, policy and procedures, and awareness for instance, are critical in engendering cyber security culture. Many of the frameworks reviewed revealed common foundations, with organisational culture playing a substantial role in crafting appropriate cyber security culture models. Questionnaires and surveys are the most used tool to measure cyber security culture, but there are also concerns as to whether more dynamic measures are needed. For practitioners, this article highlights factors and models essential to the creation and management of a robust security culture. For research, we produce an up-to-date characterisation of the field and also define open issues deserving of further attention such as the role of change management processes and national culture in an enterprise's cyber security culture. … (more)
- Is Part Of:
- Computers & security. Issue 109(2021)
- Journal:
- Computers & security
- Issue:
- Issue 109(2021)
- Issue Display:
- Volume 109, Issue 109 (2021)
- Year:
- 2021
- Volume:
- 109
- Issue:
- 109
- Issue Sort Value:
- 2021-0109-0109-0000
- Page Start:
- Page End:
- Publication Date:
- 2021-10
- Subjects:
- Cybersecurity culture -- Information security culture -- Security awareness -- Organisational culture -- Management -- SMEs -- Business -- Behaviour -- Psychology
Computer security -- Periodicals
Electronic data processing departments -- Security measures -- Periodicals
005.805 - Journal URLs:
- http://www.sciencedirect.com/science/journal/01674048 ↗
http://www.elsevier.com/journals ↗ - DOI:
- 10.1016/j.cose.2021.102387 ↗
- Languages:
- English
- ISSNs:
- 0167-4048
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms) ↗
- Physical Locations:
- British Library DSC - 3394.781000
British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store - Ingest File:
- 18463.xml