A cyber security mindset is defined as a pattern of attitudes, beliefs and values that motivate individuals to perform activities that secure themselves and their network of users continuously.
A cyber security culture is developed when employees consider cyber security when utilising information assets. Cyber security is a top priority regardless of the functionality of the information assets. Users understand the importance and requirements of keeping information assets secured from the influence of cyber criminals and are fully aware of their responsibility in achieving this objective.
Users of information assets have developed a justified level of trust through their experience with them. Overall, their opinions on the information assets are positive, which increases their trust in using them, particularly when users are unaware of the potential cyber security threats that could compromise their systems.
Old or routine habits such as using the same passwords for multiple accounts are commonly preferred due to convenience or usability factors, which neglect the cyber security aspect.
Additionally, a lack of knowledge about how sophisticated the information assets are, and about how cybercriminals can exploit them to launch a successful cyber security attack, can be very detrimental to the organisation’s overall cyber security level. Because of these factors, employees do not have a cyber security mindset.
The chances of an absolute cyber security solution being developed are slim. Cyber security remains a “cat and mouse game” between the organisations addressing cyber security threats and the cybercriminals launching cyber security attacks.
Hence, organisations should develop measures to deal with cyber security continuously. Given the pervasive and rapidly developing nature of cyber security, policies and practices should be aimed at developing a mindset (W. Dutton, 2017) that guides employees to secure their organisation's information assets continuously, for example by acquiring technical skills and knowledge.
The rise of dialogue opportunities regarding the cyber security mindset might guide organisations in the right direction. The focus of cyber security shifts from the generation of fear campaigns to the development of methods that users feel are effective in securing their information assets daily.
Organisations should not create a list of habitual practices for employees to execute daily, as the list can become a target for cybercriminals to exploit. Instead, users are more inclined to challenge cyber criminals by placing trust in bottom-up user innovation processes and social pressure in response to security threats, making cyberspace safer.
To create a proficient mindset within the organisation, research should shift away from information regarding safe practices to information focusing on the challenges and behaviour of users.
The key players within an organisation who follow the developed mindset to incorporate cyber security into daily operations are the users. By studying information from the users' perspective, policies and procedures can be developed to create a mindset in which users align cyber security with their daily operations.
With the cyber threat landscape developing rapidly, organisations cannot afford to have their employees be the weakest link, where human error creates multiple opportunities for cybercriminals to launch a successful cyber security attack. Developing a cyber security culture (Avast, 2017) is a readily achievable objective, provided that the appropriate processes and practices are developed and implemented.
Everybody within the organisation has a role to play in effectively managing cyber security incidents. Employees should, at all times, be able to identify and protect the organisation’s information assets, detect incidents, execute response procedures as documented in the plan, and recover CBFs as fast as possible.
Organisations have to take a flexible and dynamic approach to cyber security to deal with the ever-changing cyber threat landscape. The cyber security culture (Veltsos, 2017) should be incorporated into the performance of daily processes rather than imposed as an additional framework. Education, training and review activities should be conducted continually and involve everybody.
Emphasis should be placed on individual responsibility as everybody has a vital and ongoing role in effectively managing cyber security incidents.
Below are some tips for creating a cyber security culture:
Different employees have different interests. Developing a culture that engages employees based on their interests and on the relevance of cyber security to their daily operations will reduce the number of successful cyber security attacks: the employees' own security concerns are addressed, and they are equipped with the knowledge to better protect themselves from cybercriminals.
Healthy competition within the organisation increases the engagement level of the employees, encouraging them to take cyber security more seriously. The competitive spirit motivates employees to adopt security practices when performing daily operations.
Additionally, best security practices can be disseminated across the organisation, and its components can compete to see which one secures its information assets best.
Managing cyber security incidents does not lie only on the shoulders of the cyber security team. The entire organisation has to be involved so that everybody is aware of, and practises, the same procedures to secure their information assets, minimising the vulnerabilities that cybercriminals can exploit.
Rewarding employees for their initiatives and efforts in effectively managing cyber security incidents increases the organisation’s motivation level and, with it, its ability to tackle cyber security threats. On the flip side, the organisation should not punish employees who have failed to adhere to documented procedures; punishment decreases motivation and creates a fear of making mistakes among the employees.
Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.
Reference: Chapter 10, Program Management, Section 10.7, Cyber Security Mindset and Culture.
Note: This version is the draft 2nd Edition being updated in 2023. The number in square brackets [X-X] cross-refers to the corresponding chapter and section in the 1st Edition.