It has recently been acknowledged that awareness of cyber security alone is rarely sufficient to engage individuals strongly with the importance of cyber security. Instead, the most effective way to improve security practice is to create a positive cyber security culture.
The notion of cyber security culture is similar to that of organisational culture, which is defined by MIT Professor Edward Schein as the ‘values and beliefs that underpin the norms of expected behaviours that employees may follow’. In this sense, a cyber security culture means that certain norms and expectations around cyber security are present in an organisation. These can be positive, with people engaging in good cyber security practice and reporting incidents, or negative, with people frequently finding ways around policies and not reporting incidents. The type of security culture an organisation has strongly shapes what employees view as normal and acceptable behaviour, and therefore how they behave as individuals with regard to cyber security.
Security culture can be improved through an understanding of good practice and of the behaviours the organisation needs in order to apply it. Cultural assessments can help to determine where things should change and where awareness should be raised. In many cases, champion programmes can be hugely beneficial, giving people someone to turn to when they are unsure about an aspect of cyber security. Ultimately, creating a strong cyber security culture embeds good practice at the root of an organisation, forming an environment in which cyber security is taken seriously, well understood and appreciated as a norm.