Abstract

     This paper presents a cyber-security culture framework for assessing and evaluating the current security readiness of an organization’s workforce. Having conducted a thorough review of the most commonly used security frameworks, we identify core security human-related elements and classify them by constructing a domain agnostic security model. We then proceed by presenting in detail each component of our model and attempt to quantify them in order to achieve a feasible assessment methodology. The paper thereafter presents the application of this methodology for the design and development of a security culture evaluation tool, that offers recommendations and alternative approaches to workforce training programs and techniques. The model has been designed to easily adapt on various application domains while focusing on their unique characteristics. The paper concludes on applications of our instrument on security-critical domains, and its contribution to current research by providing deeper insights regarding the human factor in cybersecurity.

Introduction

     Information Security is a multidisciplinary area of study and professional activity focusing on safeguarding and protecting Information Technology against a variety of dangers and threats.1,2 Initially, information security was characterized by a rather technical approach best left to the technical experts. 3 Even at this early stage, people responsible for implementing information security, identified the need for top management becoming involved. This led to a second phase where information security was incorporated into organizational structures and Information Security Managers were appointed.4 Security policies and procedures were drafted creating the need to understand their effectiveness and assess their results. But most importantly, revealing that there were other elements of information security that had been disregarded up until then. Information security standardization, certification and assessment were introduced along with an effort to understand and address the human element as an important security factor.5

     An organization’s biggest threat to privacy and security, even if not acknowledged, are considered to be their own staff. 6 Employee security awareness is a key link to an organization’s security chain since even the most well-guarded corporation is defenseless with no security culture. 7,8 This term, “security culture,” soon dominated in the era and was attributed various definitions.9 The vast majority of them agree that it “exists when every participant in the information society, appropriately to their role, is aware of the relevant security risks and preventative measures, assumes responsibility and takes steps to improve the security of their information systems and networks

Conclusion and future work 

     Research trend appears to be moving from a technical approach of information security to a socio-cultural approach.53,96,97 Technical simulations and real-time testing of information systems, mathematical models, analytics, and risk assessments make room to behavioral, organizational, and criminological theories as to the basis of the cybersecurity evaluation.

     The security culture framework presented in this paper manages to combine the pros and mitigate the cons of both scientific approaches while underlining the importance of human factor in the security chain.9 Its iterative nature allows closely monitoring and constantly evaluating an organization’s cyber-security culture which, as a living mechanism, adapts and evolves to the continuously demanding technological environment of this century