Developing a Cybersecurity Culture: Current Practices and Future Needs

Back to Spotlight

We know that cybersecurity culture is important in combatting cyber attacks that exploit human factors. But are there common patterns researchers have identified that contribute to cybersecurity culture? And how do companies measure their cybersecurity culture? This academic research article provides answers.


  • Let’s start with the basics – a definition of cybersecurity culture. One definition is that it is “the human attributes, such as behaviours, attitudes and values, that contribute to the protection of all kinds of information in a given organisation.”
  • Systematically analysing ten years of academic research, this article discovers common themes and factors that contribute to cybersecurity culture. The top four factors?
  1. Top management support, leadership, or involvement
  2. Security policy
  3. Security awareness
  4. Security training
  • You can’t improve something you can’t measure. So how can companies measure their cybersecurity culture?
  • In practice, this is mostly done with employee questionnaires that ask questions like “I believe I have a responsibility regarding the protection of ABC’s information assets,” or “I know what the risk is when opening emails from unknown senders, especially if there is an attachment.”
  • Other approaches include sending phishing emails to track how many people have clicked on an attachment.


Why does this matter for businesses?

  • Many serious cyberattacks in the past have relied on company employees as the weak link to gain access to corporate networks
  • Every enhancement in cybersecurity culture makes the lives of attackers more difficult – and reduces the risk of cyberattack
  • The factors this study highlights are themselves not new. But the study provides an indication on what factors are most important in building cybersecurity culture


You can read the full article here (Note: behind paywall)