A Cyber-Security Culture Framework for Assessing Organization Readiness

ABSTRACT

This paper presents a cyber-security culture framework for assessing and evaluating the current security readiness of an organization’s workforce. Having conducted a thorough review of the most commonly used security frameworks, we identify core security human-related elements and classify them by constructing a domain agnostic security model. We then proceed by presenting in detail each component of our model and attempt to quantify them in order to achieve a feasible assessment methodology. The paper thereafter presents the application of this methodology for the design and development of a security culture evaluation tool, that offers recommendations and alternative approaches to workforce training programs and techniques. The model has been designed to easily adapt on various application domains while focusing on their unique characteristics. The paper concludes on applications of our instrument on security-critical domains, and its contribution to current research by providing deeper insights regarding the human factor in cybersecurity.

KEYWORDS:

• Cybersecurity culture
• assessment
• awareness
• security behavior

Acknowledgments

This project has received funding from the European Union’s Horizon 2020 research and innovation program under grant agreement No 832907.

Notes

¹ Electrical Power and Energy System.

Additional information

Funding

This work was supported by the European Union’s Horizon 2020 research and innovation program under the EnergyShield project “Integrated Cybersecurity Solution for the Vulnerability Assessment, Monitoring and Protection of Critical Energy Infrastructures” under Grant 832907.