CIR Program Management
Cyber Security Mindset and Culture
A cyber security mindset is defined as a pattern of attitudes, beliefs and values that motivate individuals to perform activities that secure themselves and their network of users continuously.
A significant matter can be viewed differently due to individuals having different mindsets or ways of thinking. Based on the individual’s way of thinking, information is processed subjectively, shaping their choices or actions. Hence, a balance between exaggerating and underestimating cyber security threats has to be reached to incorporate a high level of security and convenience when using information assets.
A cyber security culture is developed when employees consider cyber security when utilising information assets. Cyber security is a top priority regardless of the functionality of the information assets. Users understand the importance and requirements of keeping information assets secured from the influence of cyber criminals and are fully aware of their responsibility in achieving this objective.
1. Current Situation
Users of information assets have developed a justified level of trust through their experience with them. Overall, their opinions on the information assets are positive, increasing their trust in using them, especially when users are unaware of the potential cyber security threats that can attack their systems.
Old or routine habits such as using the same passwords for multiple accounts are commonly preferred due to convenience or usability factors, which neglect the cyber security aspect.
Additionally, the lack of knowledge on how sophisticated the information assets are and how cybercriminals can exploit them to launch a successful cybersecurity attack can be very detrimental to the organisation’s overall cybersecurity level. Based on these factors, employees do not have a cyber security mindset.
2. Developing the Cyber Security Mindset
The chances of an absolute cyber security solution being developed are slim. Cyber security remains a “cat and mouse game” between the organisations addressing cyber security threats and the cybercriminals launching cyber security attacks.
Hence, organisations should develop measures to deal with cyber security continuously. With the pervasive and rapidly developing nature of cyber security, policies and practices should be aimed at developing a mindset (W. Dutton, 2017) that guides employees of organisations to secure their information assets continuously, such as acquiring technical skills and knowledge.
The rise of dialogue opportunities regarding cyber security mindset might guide organisations in the right direction. The focus of cyber security shifts from the generation of fear campaigns to the development of methods that users feel is effective in securing their information assets daily.
Organisations should not create a list of habitual practices for employees to execute daily, as the list can become a target for cybercriminals to exploit. Instead, users are more inclined to challenge cyber criminals by placing trust in bottom-up user innovation processes and social pressure in response to security threats, making cyberspace safer.
To create a proficient mindset within the organisation, research should shift away from information regarding safe practices to information focusing on the challenges and behaviour of users.
The key player within an organisation that follows the developed mindset to incorporate cyber security into daily operations is the users. By studying information from the users' perspective, policies and procedures can be developed to create a mindset where users can align cyber security with their daily operations.
3. Developing the Cyber Security Culture
With the cyber threats landscape developing rapidly, organisations cannot afford to have their employees as their weakest link where human error creates multiple opportunities for cybercriminals to exploit to launch a successful cyber security attack. Developing a cyber security culture (Avast, 2017) is a readily achievable objective, provided that the appropriate processes and practices are developed and implemented.
Everybody within the organisation has a role to play in effectively managing cybersecurity incidents. Employees, at all times, should be able to identify and protect the organisation’s information assets, detect incidents and execute response procedures as documented in the plan and recover CBFs as fast as possible.
A flexible and dynamic approach to cyber security has to be taken by organisations to deal with the ever-changing cyber threatscape. The cyber security culture (Veltsos, 2017) should be incorporated into the performance of daily processes and not as an additional framework. Education, training and review activities should be conducted continually and involve everybody.
Emphasis should be placed on individual responsibility as everybody has a vital and ongoing role in effectively managing cyber security incidents.
Below are some tips for creating a cybersecurity culture:
3.1 Source of Motivation
Different employees have different interests. Developing a culture that engages the employees based on their interests and relevance to daily operations will reduce the number of successful cybersecurity attacks, as the security concerns of the employees are addressed, equipping them with the knowledge to better protect themselves from cybercriminals.
3.2 Create Competition
Healthy competition within the organisation increases the engagement level of the employees, encouraging them to take cyber security more seriously. The competitive spirit motivates employees to adopt security practices when performing daily operations.
Additionally, best security practices can be disseminated across the organisation to compete to see which component has the best security to secure its information assets.
3.3 Gaining Allies
Managing cyber security incidents does not only lie on the shoulders of the cyber security team. The entire organisation has to be involved so that everybody is aware and practising the same procedures to secure their information assets, minimising the vulnerabilities that cybercriminals can utilise to exploit.
3.4 Incentivize Employees
Rewarding employees for their initiatives and efforts in effectively managing cyber security incidents increase the organisation’s motivation level, increasing its ability to tackle cyber security threats. On the flip side, the organisation should not punish employees who have failed to adhere to documented procedures. It decreases motivation and creates a fear of making mistakes among the employees.
4. Conclusion
With the rapid advancement and increased dependency on information assets, organisations must ensure that their CIR plan remains relevant to continuously manage cyber security attacks efficiently. If the contents of the plan are neglected, the plan becomes obsolete, making the organisation susceptible to newly developed forms of cyber security attacks. As the plan has become outdated, potential impacts suffered by the organisation will be catastrophic.
Related Topic for CIR Program Management
| Back To: Rationale for Lack of Cyber Security Prioritisation | Plan Maintenance | Training and Awareness |
 |
 |
 |
| Advanced Testing and Exercising | Audit | Cyber Security Mindset and Culture |
 |
 |
|
Do You Want to Continue BCM Training onsite or online?
![[BL-3-Catalog] What Specialist Level Blended Learning Courses that are Available?](https://no-cache.hubspot.com/cta/default/3893111/4b22a53c-6e3e-4b9e-8c2a-888423f1d26c.png)
![[BL-5-Catalog] What Expert Level Blended Learning Courses that are Available?](https://no-cache.hubspot.com/cta/default/3893111/fe175db3-7f57-4636-bf09-e9a836aa5478.png)
Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.
Reference: Chapter 10 Program Management 10.7 Cyber Security Mindset and Culture
Note: This version was the draft 2nd Edition being updated in 2023. The numeric in the square bracket [X-X] cross-refers to the actual chapter and section in the 1st Edition.
