5. Establishing a Culture of CyberSecurity – CyberWar, CyberTerror, CyberCrime: A Guide to the Role of Standards in an Environment of Change and Danger

Chapter 5. Establishing a Culture of CyberSecurity


‘It is necessary to create a change in attitudes which change the organizational culture. The cultural change is the realization that IT security is critical because a security failure has potentially adverse consequences for everyone. Therefore, IT security is everyone’s job.’

 --US National Institute of Standards and Technology

When thinking about the term organizational culture, what is the first thing that pops into your mind? Most will respond with something like: ‘It’s how we do things around here.’ That may be true, but it only begins to address the implications of culture.

Whether or not culture can be clearly defined, it is obvious that it exists and impacts how things get done; it critically affects organizational success or failure, determines who fits in and who doesn’t, and expresses the overall mood of the organization. An organization’s, or nation’s, culture will affect how it thinks about cybersecurity – and the development of a culture of cybersecurity[38].

For all its elusiveness, a culture of cybersecurity can have a huge impact on an organization’s environment. This is why so much research has been undertaken to pinpoint exactly what makes an effective cybersecurity culture and how to go about changing a culture that isn’t working. Before any efforts can be undertaken to create a culture of cybersecurity, it is important to understand organizational culture in general and how change is effected.

The foundation is in the organizational culture

The culture of an organization is not simple to identify or define. At its most elementary, organizational culture is the result of mixing the values, ideals, policies, attitudes, processes, and more into a structure that is consistent across the organization. It reflects a unique atmosphere within the organization – often more reflective of a general feeling, than a concrete, definable aspect.

In 1992, Gerry Johnson and Kevan Scholes created a concept called The Cultural Web (see Figure 2). It provides an approach for looking at and changing an organization’s culture by defining six interrelated elements that create the paradigm – as Johnson and Scholes term the organizational environment.

Figure 2. The Cultural Web

As in any other form of cultural change, changes in the structure of the cultural web are needed to adjust the cultural paradigms of organizations into a mode where security becomes inherent to the organizational structure. Policies, internal control systems, and other structures may all require adjustment in order to facilitate cultural change. Finally, a critical secondary factor in achieving real cultural change lies in the modification of individual behaviour throughout the organization in order to provide a support structure for the proposed new policies, procedures, and structures.

The recent activities in cyberwar, cyberterror, and cybercrime indicate that the threat to the information infrastructure has been transformed. What once appeared as an unstructured threat from individual hackers has metamorphosed into structured, hostile assaults on a range of victims, from the innocent individual to elements of critical infrastructures of different nations. Governments and organizations, such as those funded by organized crime are applying substantial resources to back these attacks. A strong, international culture of cybersecurity grounded in a process and policy framework is needed to effectively address this threat environment. Isolated technical or legal solutions have not been effective. Local efforts by individual groups or organizations to confront structured hostile threats have been less than successful, and technology alone has not been adequate to address the systemic vulnerabilities in an information technology-dependent critical infrastructure.

Using the cultural web for creating a culture of cybersecurity

The cultural web can be used to assess the current state of security within an organization, determine the desired state, and identify the path to bridge the two.

To reveal the current picture, each element of the web should be analyzed to determine its position within, and influence on, the organization. Stories provide insight into the beliefs and history of the organization. Company-specific language and images are reflected in the symbols. It is critical to understand where the real power lies in the organization and how decisions regarding security are made. By studying the organizational structure, formal and informal lines of authority can be ascertained, as well as their influence on the security processes within the organization. Analysis of existing cybersecurity control systems will reveal which are well resourced and maintained, as well as provide an insight into the organization’s overall perspective on the level of acceptable control. Finally, rituals and routines provide critical insight into the expectations regarding cybersecurity and behaviours at all levels of the organization.

Taking this information, the next step is to define the desired state of cybersecurity within the organization. Using the same elements, consider the cybersecurity culture that needs to be created. Finally, identify the gaps between the two states and define the steps essential to move from the current state of cybersecurity culture within the organization to the desired state.

In 2002, the Organisation for Economic Cooperation and Development (OECD) published a set of nine complementary principles for creating a culture of security among all individuals responsible for implementing, using, and protecting information systems and networks. These steps can be used as an integral part of the analysis based on the cultural web.

  • Principle # 1 –Awareness. ‘Participants should be aware of the need for security of information systems and networks and what they can do to enhance security.’

  • Principle # 2 –Responsibility. ‘All participants are responsible for the security of information systems and networks.’

  • Principle # 3 –Response. ‘Participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents.’

  • Principle # 4 –Ethics. ‘Participants should respect the legitimate interests of others.’

  • Principle # 5 –Democracy. ‘The security of information systems and networks should be compatible with essential values of a democratic society.’

  • Principle # 6 –Risk Assessment. ‘Participants should conduct risk assessments.’

  • Principle # 7 –Security Design and Implementation. ‘Participants should incorporate security as an essential element of information systems and networks.’

  • Principle # 8 –Security Management. ‘Participants should adopt a comprehensive approach to security management.’

  • Principle # 9 –Reassessment. ‘Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures and procedures.’

What is immediately observable about these guidelines? None of them refer to a technical solution and none of them are directly related to an expense. Fostering a culture of cybersecurity obviously takes work and it does take money, but it doesn’t take as much of either as one might think. The one thing it does require is firm commitment by management and members of the organization to do the right thing.

Senior leaders and middle managers must shift from their tasks of providing day-to-day guidance to providing long-term decision-making and strategic thinking. Rather than being limited only by what they know, leaders must embrace the paradigm of an open mind, constantly evaluating inputs from a variety of sources.

By establishing a culture of cybersecurity that stresses open-mindedness and flexibility to address emerging challenges, the cybersecurity structure itself will become increasingly dynamic and responsive.

Fortunately, the foundations for this culture of cybersecurity may already exist. A generation is being raised hearing the words quality, assurance, continuous improvement, change, and innovation – creating a culture that places value on change, innovation, and critical thinking.

Finally, it is vitally important that all those involved in protecting critical information infrastructures realize that organizational change is not a one-time activity that ceases when the final recommendation is implemented. Encountering this environment will require continuous evaluation and acceptance of change. One way to encounter sweeping and rapid change is through the establishment of standards-based best practices that evolve through the continuous evaluation of their effectiveness.

A culture of cybersecurity starts at the top

If cybersecurity is not a priority at the executive level, it is much less likely to be successful. The right tone must be set by the organization’s leaders; otherwise, the cybersecurity programme efforts will always struggle. The true culture of security ensures the alignment of cybersecurity with the overall business strategy, integrates cybersecurity seamlessly into every business process, and instils in each member of the organization a sense of participation in the task of cybersecurity vigilance.

Business strategy and cybersecurity – can they be aligned?

The short answer is: yes. In order to achieve true business and security alignment, cybersecurity must be viewed as a business enabler rather than a hindrance to productivity. The three fundamental concepts of cybersecurity focus on the prevention of disruption, loss of information, and damage to reputation. Each of these fundamentals ties directly into the organization’s productivity, profitability, and reputation.

The bottom line is that money talks. Every executive or organizational leader understands cost models, efficiency, and a business case. Statistical and financial models demonstrate that spending money on security prevention actually results in cost savings, year after year, and in some cases, even within the first year.

Making cybersecurity a part of the process

One of the best ways to create a culture of cybersecurity is to ensure that cybersecurity is mainstreamed; it must be treated the same as any other business process.

Often the alignment of cybersecurity to the common business mission encounters fundamental barriers. First and foremost, cybersecurity silos have developed in many organizations, reinforcing the perception that cybersecurity is a necessary evil that does not make a direct contribution to the organization’s overall strategic goals. In order to change this perception, cybersecurity must reflect these basic precepts:

  • Security must be recognized as a fundamental contributor to the organization’s business goals.

  • Security must be one of the recognized enterprise processes, owned and managed by the organization and focusing on more than just technology.

  • Security must be part of process improvement and managed, measured and continuously improved.

Instilling a sense of participation

At Yahoo, the cybersecurity team is called ‘the Paranoids’ and Arturo Bejar, the department head, has the title of Chief Paranoid Yahoo. This hints to the fact that Yahoo regards cybersecurity as an integral part of the security culture. Yahoo has a large official security staff, but more importantly, various departments employ cybersecurity ambassadors, affectionately known as ‘local paranoids’. These ambassadors of cybersecurity, who may not be part of the full-time security team, provide cybersecurity support within their local organizations. In other words, Yahoo has created a sense of cybersecurity belonging without compromising the notion that cybersecurity is critical to their business operations.

One of the basic foundations of making cybersecurity part of the culture and obtaining the willing co-operation of the organization’s members is to remove the stereotype of the foreboding security official whose vocabulary is largely limited to no. Rewards for security contributions are important and Yahoo recognizes this by naming Yahoo members who support security in a tangible way as ‘Super Paranoids’. They not only get the title, but also a reward, company-wide publication of their contribution, and a direct meeting with senior company leadership.

Yahoo provides an excellent example of instilling a sense of cybersecurity responsibility across all levels of the organization – all the while incorporating the message into the overall culture of the organization.

Incorporating cybersecurity into the culture can be an enormous task and may involve challenging established ideas and methods of doing business that have become part of the corporate cultural memory. Achieving such a fundamental change demands a consistent and coherent approach that takes advantage of all the communication paths available within an organization. Be aware that informal communication paths are as important, if not more important, than the more formal channels. If, for example, the wrong message is passed on during water cooler conversations, months of hard work to establish a cultural acceptance of cybersecurity change can be compromised.

Consequently, it is critical to capitalize on all means for modifying cultural values by using both informal channels, as well as methods that are more formal and structured.

There are many references on the formal methods for communicating the goals of cybersecurity awareness and integrating it into the organizational culture. Many of these references concentrate on the security awareness programmes themselves and on training in basic security skills. The classic, formal approach to instituting a culture of cybersecurity within an organization is through the design and delivery of a cybersecurity awareness programme, often tailored to the specific needs of the organization. Although cybersecurity awareness training alone cannot substitute for the use of both formal and informal communication channels, an awareness programme still constitutes an important tool in changing attitudes towards cybersecurity within the enterprise culture.

The Yahoo initiative provides an excellent example of using more informal mechanisms for introducing cultural change. Informal communication is extremely important, because it occurs frequently and at multiple levels within the organization. Language used to describe the goals of security can be very important, and the informal paths can be useful for demystifying the terminology associated with cybersecurity and making it more relevant to individuals within the organization.

Discussions about cybersecurity can very quickly become obscured and confusing because of its often specialized terminology and the complex nature of many of the tools used to solve particular problems (for example, digital signatures, firewalls, and intrusion detection systems). As a result, members of the organization may view cybersecurity as a complex and highly-specialized discipline – one that surely does not involve them. Such a perspective is highly unlikely to encourage participation. Thus, an important step in involving users in the process and creating cultural cybersecurity change is to get over the language barrier. Security personnel can assist by orienting discussions around the core concepts, which are really not too difficult for the average person to comprehend. So, while a non-security specialist might find it difficult to understand the technology behind a digital signature, he/she would certainly appreciate the need for preserving the integrity of their data.


[38] Although this discussion centres on a culture of cybersecurity, there is a realization that an effective cybersecurity programme must reflect and will benefit from an organizational culture of security in general.