Systematic Review of Factors that Influence the Cybersecurity Culture

Mwim, Emilia N.; Mtsweni, Jabu

doi:10.1007/978-3-031-12172-2_12

Cited by 5 publications

(26 citation statements)

References 48 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The REA began with a scoping phase to 1) identify whether previous systematic reviews had been conducted on measuring CSC and 2) develop an operational definition of CSC. We found only a single published systematic review of factors influencing cybersecurity culture (Mwim & Mtsweni, 2022). However, this review used a limited set of keywords for a comprehensive search and was skewed in its representation of the global evidence base (which may relate to ease of access to studies).…”

Section: Scoping the Cybersecurity Culture Literaturementioning

confidence: 99%

“…We tested search syntax in several electronic bibliographic databases against a reference set of studies (harvested from Mwim & Mtsweni, 2022, see Supplementary Information) that could be considered eligible for the REA. Standard evaluation methods for information retrieval were used to assess the suitability of several databases.…”

Section: Electronic Databasementioning

confidence: 99%

“…It is possible that there are studies that have been missed, though we have taken several steps to combat this. First, the search string was piloted with eligible studies from an identified systematic review (Mwim & Mtsweni, 2022) acting as the gold standard data set. Second, we conducted citation analysis for all included studies and identified further papers from this.…”

Section: Limitationsmentioning

confidence: 99%

See 2 more Smart Citations

Towards a Cybersecurity Culture-Behaviour Framework: A Rapid Evidence Review

Sutton,

Tompson

2023

Preprint

View full text Add to dashboard Cite

A strong organisational cybersecurity culture (CSC) is critical to the success of any cybersecurity effort, and understanding and measuring CSC is essential if it is to succeed. To facilitate the framing and measurement of CSC we conducted a rapid evidence assessment (REA) to synthesise relevant studies on CSC. The systematic search identified 1,768 records. 52 studies were eligible for the final synthesis. Content analysis of the CSC definitions in the eligible studies highlighted that CSC should not be viewed solely as a technical problem but as a management issue too; CSC requires top management involvement and role modelling, with full organisational support for the desired employee behaviours. We identify both theoretically and empirically derived models of CSC in the REA, along with a range of methods to develop and test these models. Integrative analysis of these models provides detailed information about CSC dimensions, including employee attitudes towards CS; compliance with policies; the role of security education, training and awareness; monitoring of behaviour and top management commitment. The evidence indicates that CSC should be understood both in the context of the wider organisational culture as well as in the shared employee understanding of CS that leads to behaviour. Based on the findings of this review, we propose a novel integrated framework of CSC, consisting of cultural values; the culture-to-behaviour link and behaviour itself. We also make measurement recommendations based on this CSC framework, ranging from simple, broad-brush tools through to suggestions for multi-dimensional measures, which can be applied in a variety of sectors and organisations.

show abstract

Section: Scoping the Cybersecurity Culture Literaturementioning

confidence: 99%

Section: Electronic Databasementioning

confidence: 99%

Section: Limitationsmentioning

confidence: 99%

See 1 more Smart Citation

Towards a Cybersecurity Culture-Behaviour Framework: A Rapid Evidence Review

Sutton,

Tompson

2023

Preprint

View full text Add to dashboard Cite

show abstract

“…The culmination of studies reveals that information security culture comprises various components, including beliefs, behaviors, knowledge, attitudes, awareness, intentions, and values, influenced by numerous dimensions and factors which have a big impact on the technology adoption. [19], [20], [21], [22], [23], [24], [25], [26].…”

Section: Introductionmentioning

confidence: 99%

“…Moreover, there is a gap in existing research in the examination of specific information security culture factors which are often clustered within organizational contexts, that significantly influences the adaptation of the ZT model. These factors encompass aspects such as security awareness training, policy and procedure, change management, information security management, security behavioral, communication, compliance, organization culture [20], [27], [28], [29], [30].…”

Section: Introductionmentioning

confidence: 99%

The Role of Information Security Culture in Zero Trust Adoption: Insights From UAE Organizations

Zyoud,

Lebai Lutfi

2024

IEEE Access

View full text Add to dashboard Cite

This study examines the viability of Zero Trust (ZT) models, a burgeoning measure of cybersecurity, in different cultural contexts. The ZT security model is based on the principle of "never trust, always verify" and, unlike traditional models, rejects inherent trust assumptions. The focus is on Middle Eastern culture, specifically the United Arab Emirates (UAE), to examine impact of information security, national and organizational culture, and how these correlates with the adoption of the ZT model. A theoretical model explains the user and organizational behavior towards ZT in the Arab culture, assessed through a survey based on the most important factors of the information security culture. The empirical data was analyzed in the UAE with the participation of 98 cybersecurity professionals from 98 different organizations using SmartPLS4 and PLS-SEM. The overall results indicate that both national and organizational culture, as well as information security culture, are significantly and positively correlated with the adoption of the Zero Trust Architecture (ZTA). This indicates that cultural aspects at different levels of national, organizational, and information security-specific play a crucial role in the decision-making process regarding the implementation of ZT models. The inclusion of the UAE brings a particular cultural element that has unique variations, and practical recommendations to help organizations improve their ZT adoption in line with cultural considerations. These findings are relevant for organizations and policy makers. The inclusion of additional factors, countries, and participants in future research could increase the accuracy of the results.

show abstract