Strong cybersecurity culture as efficient firewall for organisations


On 6 February 2018 – the international ‘Safer Internet Day’ – ENISA publishes a report providing organisations with practical tools and guidance to develop and maintain an internal cybersecurity culture.

ENISA’s Cybersecurity Culture in Organisations report is based on multi-disciplinary research conducted to better understand the dynamics of how cybersecurity culture can be developed and shaped within organisations.

This research draws from different disciplines, including organisational sciences, psychology, law and cybersecurity as well as the knowledge and experiences of large European organisations. The report provides good practices, methodological tools and step-by-step guidance for those seeking to commence or enhance their organisation’s cybersecurity culture programme.

Cybersecurity culture refers to the knowledge, beliefs, attitudes, norms and values of people regarding cybersecurity and how these manifest in interacting with information technologies. It reflects the understanding that the organisation’s actions are dependent on shared beliefs, values and actions of its employees, including their attitude towards cybersecurity.

While many organisations and employees are familiar with related concepts such as cybersecurity awareness and information security frameworks, cybersecurity culture covers a broader scope. The idea behind this concept is to make information security considerations an integral part of an employee’s daily life.

Multiple drivers lead organisations to recognise the need for a cybersecurity culture. First, cyber threat awareness campaigns alone do not provide sufficient protection against ever-evolving cyber-attacks. Additionally, technical cybersecurity measures need to be in accordance with other business processes, and, lastly, employees need to act as a strong human firewall against cyber-attacks.

Against this background, ENISA has conducted research on cybersecurity culture to provide guidance for organisations. As the study’s information is intended to be contextualised to the individual needs and circumstances of each individual organisation, the guidance is applicable to any organisation, regardless of structure, size or industry.

Additionally, the following good practices have been identified, based on the experiences of organisations that have already implemented mature cybersecurity culture programmes:

  • Set cybersecurity as a standing agenda item at board meetings to underline the importance of a robust cybersecurity culture
  • Ensure that employees are consulted and that their concerns regarding cybersecurity practices are considered by the cybersecurity culture working group
  • Ensure that business processes/strategies and cybersecurity processes/strategies are fully aligned